Analytics Story: Router and Infrastructure Security

Date: 2017-09-12 ID: 91c676cf-0b23-438d-abee-f6335e177e77 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.

Why it matters

Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic. This Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure effectively increasing the attack surface and accessing private services/data.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Detect New Login Attempts to Routers	None	TTP
Detect ARP Poisoning	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect IPv6 Network Infrastructure Threats	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect Port Security Violation	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect Rogue DHCP Server	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle	TTP
Detect Software Download To Network Device	TFTP Boot, Pre-OS Boot	TTP
Detect Traffic Mirroring	Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼

References

Source: GitHub | Version: 1