Identifying BOD 23-02 Network Management Interfaces with Splunk

-

 Security Software & Solutions | Splunk

What Is BOD 23-02 Meant To Achieve?

CISA is prohibiting the remote management of federal information systems’ network devices defined as “routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces (such as iLo and iDRAC)” over common management protocols (HTTPS, SSH, etc.)

Agencies, within 14 days of discovery or CISA notification of the existence of one or more of these interfaces must do one of the following:

  1. Remove the internet accessibility of that device (e.g., take it offline)
  2. Protect the device through technical means (e.g., implement Zero Trust concepts such as enforcing access control through a point outside of the interface itself)

How Can Splunk Help?

First, it’s important to recognize that Splunk is not a traditional Zero Trust policy enforcement point or tool for access control. That being said, Splunk Cloud or Splunk Enterprise does help identify misconfigurations such as these unprotected interfaces, however. 

Using Splunk, you can ingest network traffic, firewall logs, and even wire data that can help identify source or destination traffic that is permitted when it should not be. An example would be running searches that identify SSH (port 22) traffic being allowed inside from outside the organization’s internal network and approved IP address ranges.

As a brief example, a Common Information Model (CIM) normalized search using data models such as one below can be modified to be applied to your environment (e.g., customizing source/destination) looking at specific network segments for allowed network traffic to common management ports called out in BOD 23-02.

| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed AND All_Traffic.src_ip != "10.0.0.0/8" AND All_Traffic.dest_port IN ("20", "21", "22", "23", "69","161", "162") by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action 

You can of course write a datasource specific search without CIM, but the SPL necessary will be dependent on the data you’re hunting through. Enterprise Security customers can take advantage of the Interesting Ports lookup and customize it to fit your needs. Once this lookup is customized, you could implement one of the Splunk Threat Research Team’s detections “Prohibited Network Traffic Allowed” to be alerted when new traffic is seen. Like the search above, you would want to customize either the tstats base search or update the filter macros to reduce any false positives observed.

What if I Need a Little Bit More of an Assist?

CISA has released specific guidance for BOD 23-02 here that would be a great next step towards complying with their instructions. 

If you need further assistance from Splunk experts on how to use our technology for pre-emptively identifying this type of traffic, or ingesting and searching these types of data sources, please reach out to your account team as they are well familiar with these types of use cases and data sources. We have a multitude of resources available to help ensure your success!

 

Reference link

 

A.K 

 

 

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more