
Description

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Network_Traffic
  • Last Updated: 2017-09-12
  • Author: Bhavin Patel, Splunk
  • ID: 91c676cf-0b23-438d-abee-f6335e177e77

Narrative

Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threat actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographically weakened algorithms to more easily decrypt network traffic.
This Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure, effectively increasing the attack surface and accessing private services/data.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect New Login Attempts to Routers | | TTP |
| Detect Port Security Violation | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP |
| Detect Software Download To Network Device | TFTP Boot, Pre-OS Boot | TTP |
| Detect Traffic Mirroring | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP |
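The detections above are listed by name only; the story does not reproduce their searches. As an added example (not Splunk's own detection logic or SPL), the script below shows the idea behind "Detect New Login Attempts to Routers" against Authentication-style data: learn which (user, device) pairs normally authenticate to router-class devices during a baseline window, then alert on any later login attempt, successful or not, from a pair that was never seen. The key=value log format, the `dest_category` field, hostnames, users, addresses and timestamps are all constructed for this example.

```python
"""First-seen login detector for network devices (illustrative, added example).

Mirrors the concept of "Detect New Login Attempts to Routers": build a baseline
of (user, dest) pairs that successfully authenticated to router-class devices
up to a cut-off time, then flag later attempts by pairs outside the baseline.
Field names, log format and sample lines are constructed, not a real source.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed key=value line shape; real normalised auth events will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dest=(?P<dest>\S+) dest_category=(?P<cat>\w+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    action: str
    user: str
    src: str
    dest: str
    dest_category: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one constructed auth line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed/unrelated lines instead of failing the run
    return AuthEvent(
        ts=datetime.fromisoformat(m["ts"]),
        action=m["action"],
        user=m["user"],
        src=m["src"],
        dest=m["dest"],
        dest_category=m["cat"],
    )


def detect_new_router_logins(
    lines, learn_until_iso: str, device_category: str = "router"
) -> List[Tuple[str, str, str]]:
    """Return (user, dest, timestamp) for login attempts to `device_category`
    devices by (user, dest) pairs not seen succeeding on or before the cut-off.

    Only successful logins build the baseline, so a failed attempt during the
    learning window does not silently whitelist that user on that device.
    Each new pair is reported once; later events from it are treated as seen.
    """
    learn_until = datetime.fromisoformat(learn_until_iso)
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)  # order matters for baseline vs. detection
    baseline = set()
    alerts = []
    for e in events:
        if e.dest_category != device_category:
            continue
        pair = (e.user, e.dest)
        if e.ts <= learn_until:
            if e.action == "success":
                baseline.add(pair)
            continue
        if pair not in baseline:
            alerts.append((e.user, e.dest, e.ts.isoformat()))
            baseline.add(pair)
    return alerts


# Constructed sample data: a network operator's routine logins, one user who
# only touched a file server, and that user's later off-hours router attempt.
SAMPLE_LOGS = [
    "2017-09-01T08:00:00 action=success user=netops src=10.0.5.10 dest=core-rtr-01 dest_category=router",
    "2017-09-02T09:15:00 action=success user=netops src=10.0.5.10 dest=core-rtr-02 dest_category=router",
    "2017-09-03T10:00:00 action=failure user=jdoe src=10.0.5.44 dest=core-rtr-01 dest_category=router",
    "2017-09-05T11:30:00 action=success user=jdoe src=10.0.5.44 dest=fileserver-01 dest_category=server",
    "2017-09-11T02:13:00 action=failure user=jdoe src=10.0.9.201 dest=core-rtr-01 dest_category=router",
    "2017-09-11T02:13:30 action=success user=jdoe src=10.0.9.201 dest=core-rtr-01 dest_category=router",
    "2017-09-12T14:00:00 action=success user=netops src=10.0.5.10 dest=core-rtr-01 dest_category=router",
    "this line is garbage and should be skipped",
]
LEARN_UNTIL = "2017-09-10T00:00:00"  # constructed cut-off between baseline and detection


def run_example() -> List[Tuple[str, str, str]]:
    return detect_new_router_logins(SAMPLE_LOGS, LEARN_UNTIL)


if __name__ == "__main__":
    for user, dest, ts in run_example():
        print(f"NEW router login attempt: user={user} dest={dest} at {ts}")
```

In the sample, only `jdoe` on `core-rtr-01` is reported, and only once (the failed attempt at 02:13:00; the success thirty seconds later is already known). The baseline window is the main tuning knob: too short and routine operator logins alert, too long and an attacker who gained access during the window becomes part of "normal".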

Reference

source | version: 1