Professional Documents
Culture Documents
Agenda
• Language
• Other?
• Environment
• Queries
• Console
• Vantage
• Wrap-up
Introduce yourself
• Name
• Company
• Why you chose Nozomi Networks
• One thing you hope to learn this week
• Anything interesting you want to share about yourself
The exam can be taken online at the Nozomi Training Portal within 90 days.
• The questions are related to a preconfigured Guardian Exam-VM provided at the Training Portal, to be downloaded and installed in the attendee's environment.
The exam outcome is the Nozomi Networks Certified Engineer certificate (2 years validity).
• Within 6 months before its expiration, the Nozomi Training Department will invite you to participate in a recertification self-paced on-demand online course covering:
  • New features added in the last major releases
  • Additional content
• You must pass the re-certification exam to extend your certification.
• Open https://training.nozominetworks.com
• Use your Nozomi Support Portal credentials to log in to the Training Portal.
• During the registration process, insert your first name and last name as you would like them to appear on the NNCE certificate when completing the final exam.
• After registration, your teacher will enroll you into your course before you can access the related resources.
• These include the NNCE slide deck and additional training material, the feedback form, and access to the final exam.
[Company timeline figure, September 2013 to May 2020; milestone-to-date mapping did not survive extraction. Milestones: first AI-powered ICS cybersecurity solution; network visualization, asset visibility and inventory, vulnerability assessment and ICS threat detection; powerful combination of active + passive asset discovery; embedded deployment delivery model for efficiency; Nozomi Networks #1 in Gartner Peer Insights.]
[Figure: Scalable Deployments across 6 continents; Global Expertise: worldwide network of partners and 1,200+ certified professionals; industries served: Pharma, Automotive, Logistics, Mining, Airports, Smart Cities, Utilities, Water, Transportation; "5 of Top 10" customers in two of these sectors.]
[Figure: industrial control loop. Read data from sensors (inputs); control/protection logics take Yes/No decisions (computation or operator initiated); outputs drive actuators such as a Fan or a Pump.]
• Industrial network protocols are used for these communications.
• Some examples: Modbus, EthernetIP, DNP3, etc.
4: Site business and logistics
[3.5: Upper DMZ]: Transfer network between IT/OT
3: Operations (ICT/DMZ) Network: Systems providing IT services (AV, Patch, DNS, AD) and collecting historical data.
[2.5: Lower DMZ]: Optional
2: Supervisory Control/Process*: Systems using IT services from L3 and controlling/acquiring data from the Control Network (i.e. HMI, SCADA Consumer, MTU, Engineering workstation).
1: Control: Systems to collect and transmit data between field devices (actuators/sensors) via I/O interfaces and the Process Network (i.e. RTU, PLC, Safety equipment).
0: Field/Process**: Actuators/sensors directly connected to controllers by close network connections (i.e. hard wired, serial cable, fiber ring, proprietary protocols).
*Different concept of Process than in Guardian's Process View
**As in Process View
Comparison table (column headers lost in extraction; the left column describes classic OT systems, the right column Internet-connected/IoT systems, judging from the cell content):
• System latency: OT - low latency, real-time deterministic systems | IoT - many network standards are non-deterministic (such as LoRaWAN and WiFi)
• Implementation difficulty: OT - expensive; vendor-specific knowledge is required, requires skilled personnel; software licenses required | IoT - in some cases easier to install, with more standard and friendlier installation procedures
• Typical protocols: OT - vendor proprietary, legacy protocols "adapted" for TCP/IP networks, some open protocols | IoT - industry standard open communications, designed with Internet/Cloud communications in mind
• Vulnerabilities: OT - lack of authentication, lack of encryption, backdoors, buffer overflows; legacy code is not secure by design and difficult to completely eradicate over the years | IoT - supply chain (many stakeholders), targets of DDoS, Internet/Cloud connectivity = bigger attack surface
SERVICE OFFERINGS
• Certified Engineer Training
• Professional Services
• Customer Support
[Figure: cost-effective operational monitoring: asset inventory, network monitoring on links and the process.]
[Appliance specification table; the column-to-model mapping did not survive extraction. Rows: Monitoring Ports (Modular up to 16+1 / Modular up to 8+1 / 2x1000Base-T | 2xSFP); Expansion Slots (2 slots available / Not available); Form Factor (3 rack unit / DIN mountable / Desktop with wall mount kit); Power Supply Type (100-240V AC, 90-240V AC, 16.6-160 DC, 12-36V DC, 12-30V DC, DUAL); Temperature Range (-40º C / +75º C, -40º / +70º C, 0 / +60º C; max. 40º when using SFP NIC); Deployment Options (Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+, AWS*); Remote Collector Support (Not available on some models).]
* See Remote Collector tech specs for more details.
Remote Collector
• Deployment Options: Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+
• Monitoring Ports: 2x1000BASE-T, 1xSFP
• Storage: 10 Gb
• Expansion slots: Not available
Cloud
• Deployment Options: Amazon AWS and Microsoft Azure
Virtual
• Deployment Options: Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+
• Storage: 100+ Gb
NCMC-100
• Max. Managed Appliances: 50
• Max. Protected Network Elements: 200,000
• Max. Throughput: 1 Gbps
• Storage: 256 Gb
[Figure: Guardian placement versus coverage across L2 (Line Operator/Engineering Workstations), L1 (PLCs/RTUs) and L0 (Sensors/Actuators).]
Guardian A
• Vulnerability Assessment: minimal identification of firmwares, OS, and CPEs
• Network Visibility: minimal
• Threat Detection: basic detection of threats coming from higher levels, mainly via signatures
Guardian B
• Vulnerability Assessment: excellent identification of firmwares, OS, and CPEs
• Network Visibility:
• The initial machine setup has already been done by Nozomi Training:
  • The management IP has been configured
  • Licenses have been installed
  • The Web UI password setup has been done
  • The shell access has been configured to use ssh to the Guardian IP address
• Date/Time: the managing CMC provides date & time in most installations; a manual configuration is also possible
• The local Time zone setting adjusts the visualization
Activities
1. In System > General:
  • Set a unique Hostname (yourname.local will be perfect)
  • Set a warning Login banner
  • Enter a Description and a Site name
2. In System > Date and Time:
  a. Set your Time zone & Save, then
  b. Enable the NTP checkmark & Save
UI areas shown: Licenses on Guardian, Retention tab, General permissions.
Activities
2. Under Users:
  • Click on +Add
  • Source = Local
  • Username = test_user
  • Group = training_group
  • Uncheck Must update password
  • Click on New user to create
System - Audit
• Any configuration change, login and data operation is stored in the Audit section
• Device security entries based on HIDS
• E.g., the log entry created when the formerly created test_user logged in.
Objective: Identify user logins and configuration changes
Activities
Go to the Audit section in System > Audit and use filters to answer the following questions:
1. Which users besides the admin user logged in in the past as well?
2. When was the CMC management for this Guardian terminated, and what was the IP address of the CMC?
System - Upload traces
System → Upload traces (steps shown: 2 - Proceed, 3 - Automatic Reboot)
• The main information processed from the monitored networks is stored within the Environment section:
  • Asset inventory
  • Process variables and supervision
Environment table controls (figure legend):
• Field name (click to apply sorting)
• Enable/disable visibility of fields
• Live Filter textbox, operators: >, <, ==, !=
• Protocol filter, e.g. Protocol: Modbus
• Per-entry actions (1-5): Configurations, custom alerts; Alerts related to the entry; Download trace; Request trace; Events; Captured URLs; Manage Learning; Navigate to related tables; Trigger Smart Polling
Tables shown: LINK, SESSION, Public nodes (non RFC-1918 IP addresses), Asset tabs (node details, e.g. network info; Vulnerability status; Learning and AI status; Host performance details by SmartPolling), PROCESS VARIABLE (variable name, activity info, flow control)
• Choosing the right model of Nozomi appliance is based on the networks monitored.
• Most customers don't have these numbers handy. After analyzing our pool of available support archives, we found that the following estimation works for most of our clients.
• How to estimate the number of Network Elements:
  • Start with the number of Assets
  • Estimate the number of Nodes: equals Assets * 2 (worst case scenario considering L2 + L3 traffic)
  • Estimate the number of Network Elements: equals Nodes * 20
Sizing exercise 1 - Find the best technical proposal for the following scenario.
Models: NSG-M 1000 | NSG-M 750 | NSG-L 250 | NSG-L 100 | (fifth column, model name lost in extraction)
• Max. Protected Network Elements: 600,000 | 200,000 | 90,000 | 20,000 | Not applicable
• Max. Remote Collectors: 50 | 50 | 20 | 20 | -
• Monitoring Ports: 7x1000BASE-T + 4xSFP | 7x1000BASE-T + 4xSFP | 5x1000BASE-T | 5x1000BASE-T | 2x1000BASE-T, 1xSFP
Scenario A: One site with 200 devices (ca. 400 nodes, each device consists of one MAC & IP-address).
Scenario B:
Building 1: … devices (ca. … nodes, each device consists of one MAC & IP-address); 300 Mbps throughput over 5 switches.
Building 2 and 3:
• 50 devices each (ca. 100 nodes, each device consists of one MAC & IP-address);
• 0.1 Mbps throughput over 2 switches each.
SOLUTION
Sizing exercise 2 - Find the best technical proposal for the following scenario.
Models: NSG-HS 3500 | NSG-HS 3000 | NSG-H 2500 | NSG-H 2000
• Max. Protected Network Elements: 2,000,000 | 1,500,000 | 1,200,000 | 1,000,000
• Max. Throughput: 6 Gbps | 6 Gbps | 3 Gbps | 3 Gbps
• Max. Remote Collectors*: 50 | 50 | 50 | 50
Scenario: A supervisory system monitors 100,000 devices (ca. 200,000 nodes, each device consists of one …
SOLUTION
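The estimation rule above (nodes = assets * 2, network elements = nodes * 20) and the capacity figures from the two exercise tables, as an added worked example that is not the course's own sizing tool: it computes the estimate for a scenario and returns the smallest model whose "Max. Protected Network Elements" covers it. The catalog is transcribed from the tables above; throughput is only checked for the models where the page gives a figure (the NSG-M/NSG-L table does not list one), and a result of None means no single appliance in the catalog fits.

```python
# Added example (not Nozomi's own code): applies the sizing slide's estimation
# rule and picks the smallest catalog model that covers the estimate.

NODES_PER_ASSET = 2        # worst case: L2 + L3 traffic per asset
ELEMENTS_PER_NODE = 20     # estimate from the sizing slide

# (model, max protected network elements, max remote collectors, max throughput in Mbps)
# Transcribed from the two exercise tables; None = figure not given on the page.
CATALOG = [
    ("NSG-L 100",   20_000,    20, None),
    ("NSG-L 250",   90_000,    20, None),
    ("NSG-M 750",   200_000,   50, None),
    ("NSG-M 1000",  600_000,   50, None),
    ("NSG-H 2000",  1_000_000, 50, 3_000),
    ("NSG-H 2500",  1_200_000, 50, 3_000),
    ("NSG-HS 3000", 1_500_000, 50, 6_000),
    ("NSG-HS 3500", 2_000_000, 50, 6_000),
]

def estimate_elements(assets, nodes=None):
    """Return (nodes, network_elements). Pass nodes when the scenario already
    states a node count (e.g. 'ca. 400 nodes') to skip the assets*2 step."""
    if nodes is None:
        nodes = assets * NODES_PER_ASSET
    return nodes, nodes * ELEMENTS_PER_NODE

def pick_model(elements, remote_collectors=0, throughput_mbps=None):
    """Smallest catalog entry covering the required elements, collectors and,
    where the page gives a figure, throughput. None means no single appliance
    fits, which is the cue to split the load across sensors under a CMC."""
    for name, max_elements, max_rc, max_tp in CATALOG:   # ordered by capacity
        if elements > max_elements or remote_collectors > max_rc:
            continue
        if throughput_mbps is not None and max_tp is not None and throughput_mbps > max_tp:
            continue
        return name
    return None

def size_scenario(assets, nodes=None, remote_collectors=0, throughput_mbps=None):
    n, e = estimate_elements(assets, nodes)
    return {"nodes": n, "elements": e,
            "model": pick_model(e, remote_collectors, throughput_mbps)}

if __name__ == "__main__":
    # Exercise 1, scenario A: 200 devices, ca. 400 nodes
    print(size_scenario(200, nodes=400))
    # Exercise 2: 100,000 devices, ca. 200,000 nodes
    print(size_scenario(100_000, nodes=200_000))
```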
Vulnerability assessment steps
1. IDENTIFY
• Means that we should be able to detect the critical information needed to uniquely characterize the device and provide a set of minimum information such as:
  o Vendor of the device
  o Device Name/Product Code
  o Firmware/Software version
• The result of this step is a list of CPEs assigned to a specific node.
2. MATCHING
• Guardian uses the group of CPEs identified for a specific node (in step 1) to calculate its vulnerabilities (CVEs).
• Nozomi curates the CPE - CVE assignments, enhancing the NIST NVD with the most accurate data.
Asset information for the IDENTIFY step can be gathered passively (preferred, as it does not require any human interaction), via Smart Polling, or by importing asset info; the resulting CPEs are then matched to the CVEs to be displayed.
Example: CVE-2020-6457. The CVE entry shows (1) the summary and reference and (2) the info added by Nozomi.
Smart Polling UI
1. Summary: displays the plans configured and allows creating a new plan
2. Polled node: displays information polled from the nodes
Plan controls shown: define devices to poll; select data to be collected; disabled plan; toggle to execute immediately; time of each execution; detailed polling info for a single node.
Queries UI
[Figure: query bar "Source | command1 | command2 | …" with controls 1-7]
1. Expert/Standard: switch from Expert (default view) to Standard
2. Save: save the query for future use
3. Live/Manual refresh: automatic or manual refresh of the result
4. Export: export the query result to CSV or Excel
5. To assertion: convert the query into an assertion
6. History: view all the previously executed queries
7. Saved queries: view the saved queries
Choose a field and filter the content with where. Operators: ==, !=, >=, <=; field function: is_empty()
nodes | where mac_vendor == Hewlett Packard
nodes | where mac_vendor != Hewlett Packard
nodes | where is_empty(mac_vendor) == false
Count
nodes | count
Pie chart
nodes | group_by mac_vendor | pie mac_vendor count
Sort
nodes | group_by mac_vendor | sort count desc
nodes | group_by mac_vendor | sort mac_vendor
Head
nodes | group_by mac_vendor | sort count desc | head 5
Column chart
nodes | group_by mac_vendor | sort count desc | column mac_vendor count
Compare field values
nodes | where mac_vendor == $vendor
4. The nodes table data is now added into one new field within the links table, named joined_node_to_ip (the original links table fields plus one additional field including all the nodes table data).
Solution:
links | join nodes to ip | where joined_node_to_ip.type == barcode_reader
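The pipe syntax shown in the examples above (where, count, group_by, sort, head, pie/column, $parameters and join), as an added example that is not Guardian's query engine: a small Python interpreter running those exact queries over two constructed tables. The result field name for join follows the slide's joined_node_to_ip; the general naming rule applied here (joined_<table singular>_<left field>_<right field>) and the sample rows are assumptions.

```python
import re
from collections import Counter

# Added example (not Guardian's own query engine): interpreter for the pipe
# query syntax shown on the slides, over constructed sample tables.

NODES = [  # constructed sample data
    {"ip": "10.0.0.1", "mac_vendor": "Hewlett Packard", "type": "computer"},
    {"ip": "10.0.0.2", "mac_vendor": "Hewlett Packard", "type": "computer"},
    {"ip": "10.0.0.3", "mac_vendor": "Siemens", "type": "PLC"},
    {"ip": "10.0.0.4", "mac_vendor": "", "type": "barcode_reader"},
]
LINKS = [  # constructed sample data
    {"from": "10.0.0.1", "to": "10.0.0.3", "protocol": "s7comm"},
    {"from": "10.0.0.2", "to": "10.0.0.4", "protocol": "http"},
]
TABLES = {"nodes": NODES, "links": LINKS}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}
WHERE_RE = re.compile(r"^(?:is_empty\((\w[\w.]*)\)|(\w[\w.]*))\s*(==|!=|>=|<=|>|<)\s*(.+)$")

def get_field(row, path):
    """Resolve dotted paths such as joined_node_to_ip.type; None if absent."""
    value = row
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def coerce(text):
    """Turn the right-hand side of a where clause into bool, number or string."""
    text = text.strip().strip('"')
    if text in ("true", "false"):
        return text == "true"
    try:
        return float(text) if "." in text else int(text)
    except ValueError:
        return text

def run_query(query, tables=TABLES, params=None):
    """Evaluate '<table> | cmd args | ...' and return the resulting rows."""
    params = params or {}
    stages = [s.strip() for s in query.split("|")]
    rows = [dict(r) for r in tables[stages[0]]]
    for stage in stages[1:]:
        cmd, _, args = stage.partition(" ")
        args = args.strip()
        if cmd == "where":
            m = WHERE_RE.match(args)
            if not m:
                raise ValueError(f"bad where clause: {args}")
            empty_field, field, op, rhs = m.groups()
            if rhs.startswith("$"):                # $vendor -> params["vendor"]
                rhs = str(params[rhs[1:]])
            value = coerce(rhs)
            if empty_field:                        # is_empty(field) == true|false
                rows = [r for r in rows if (not get_field(r, empty_field)) == value]
            else:
                rows = [r for r in rows if OPS[op](get_field(r, field), value)]
        elif cmd == "count":
            rows = [{"count": len(rows)}]
        elif cmd == "group_by":
            counts = Counter(get_field(r, args) for r in rows)
            rows = [{args: k, "count": v} for k, v in counts.items()]
        elif cmd == "sort":
            field, _, order = args.partition(" ")
            rows.sort(key=lambda r: (get_field(r, field) is None, get_field(r, field)),
                      reverse=order.strip() == "desc")
        elif cmd == "head":
            rows = rows[:int(args)]
        elif cmd in ("pie", "column"):             # chart spec over the current rows
            label, _, value = args.partition(" ")
            rows = [{"chart": cmd, "label": label, "value": value.strip(), "data": rows}]
        elif cmd == "join":                        # join <table> <left_field> <right_field>
            other, left, right = args.split()
            index = {r[right]: r for r in tables[other]}
            new_field = f"joined_{other.rstrip('s')}_{left}_{right}"   # naming rule assumed
            for r in rows:
                r[new_field] = index.get(r.get(left), {})
        else:
            raise ValueError(f"unknown command: {cmd}")
    return rows

if __name__ == "__main__":
    print(run_query("nodes | group_by mac_vendor | sort count desc | head 5"))
    print(run_query("links | join nodes to ip | where joined_node_to_ip.type == barcode_reader"))
```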
© 2022 Nozomi Networks. All rights reserved. | www.nozominetworks.com 147
Queries - Use cases 1
1. Count how many variables were transmitted, using the modbus protocol, on the monitored network.
2. Produce a column chart of assets running a Windows OS, grouped by the Operating System version. (The result will be used to plan patch installation.)
3. Produce a tabular representation of HTTP links including from, to, protocol, first_activity_time and last_activity_time, sorted by transferred.bytes passing through the link.
5. Produce a table reporting from, to, function_codes name and last_activity_time of every link using the iec104 protocol.
6. Produce a table showing links that are likely being blocked by a firewall (tip: this can be modelled with tcp_connection_attempts.total and tcp_handshaked_connections.total).
8. Produce a table showing from, to, protocol and tcp retransmission percentage of all links with a tcp retransmission percentage between 40 and 90 percent.
9. Produce a table showing the function codes seen on the monitored network for the iec104 protocol, sorted so that the most used come first (tip: work with the variables table).
11. How many links within the same zone (source and destination) are in the monitored network?
12. Produce a pie chart showing the percentage of every transport protocol used in the monitored network.
Global Filters; Folder structure (User Manual Chapter 5 - User Interface Reference - Report)
Dashboard configuration: Settings → Dashboards; Dashboard templates
Activities
1. Create and Save a new Dashboard based on the Stats template.
• Add on top of the Stats Dashboard, via +Add row and +Add widget, the previously saved queries: [query] Mac Vendors and [query] Top 3 Source Zone
• Alert Operations
• Mitre ATT&CK Framework
Alerts (Virtual Image)
• Threat Intelligence & Built-in Checks: known security attack patterns, signatures
• Behavioural Anomaly Detection: most alerts in protecting mode (Learned Behaviour)
• Asset Intelligence: device fingerprinting, baseline strengthening
Alerts - Built-in Checks - Protocol Validation
• SIGN: ARP-DUP, DDOS, DHCP-OPERATION, ILLEGAL-PARAMETERS, INVALID-IP, MAC-FLOOD, MALICIOUS-PROTOCOL, MULTIPLE-ACCESS-DENIED, MULTIPLE-OT_DEVICE-RESERVATIONS, MULTIPLE-UNSUCCESSFUL-LOGIN, NETWORK-MALFORMED, NETWORK-SCAN, PROTOCOL-ERROR, PROTOCOL-FLOOD, SCADA-INJECTION, SCADA-MALFORMED, TCP-SYN-FLOOD, UDP-FLOOD (NEW), TCP-MALFORMED, UNSUPPORTED-FUNC
• PROC: WRONG-TIME, SYNC-ASKED-AGAIN, MISSING-VAR, UNKNOWN-RTU
Alert type examples: PROC:WRONG-TIME, SIGN:TCP-SYN-FLOOD
Alerts - Custom Checks
• GENERIC: EVENT (NEW)
• ASRT: FAILED
• NET: INACTIVE-PROTOCOL, LINK-RECONNECTION, TCP-SYN
• PROC: CRITICAL-STATE-OFF, CRITICAL-STATE-ON, INVALID-VARIABLE-QUALITY, NOT-ALLOWED-INVALID-VARIABLE, STALE-VARIABLE
Alert type examples: ASRT:FAILED, PROC:STALE-VARIABLE
Alerts - Learned Behaviour (Virtual Image, VI) and Asset Intelligence
• VI:GLOBAL (* using Adaptive Learning): NEW-FUNC-CODE, NEW-MAC-VENDOR, NEW-VAR-PRODUCER
• VI: CONF-MISMATCH, NEW-ARP, NEW-FUNC-CODE, NEW-LINK, NEW-MAC, NEW-NET-DEV, NEW-NODE, NEW-PROTOCOL, NEW-SCADA-NODE, NEW-VAR, PROTOCOL-FLOW-ANOMALY, VARIABLE-FLOW-ANOMALY, UNKNOWN-PROTOCOL
• VI:PROC: NEW-VALUE
• Further tokens on the slide whose column assignment (Learned Behaviour vs Asset Intelligence) did not survive extraction: NEW-NODE TARGET, NEW-NODE CONFIRMED, NEW-PROTOCOL APPLICATION, MALICIOUS-IP
Alert type examples: VI:NEW-NODE, VI:PROC:NEW-VALUE
Incidents (type-id prefix INCIDENT)
• Built-in Checks: BRUTE-FORCE-ATTACK, ENG-OPERATIONS, FUNCTION-CODE-SCAN, ILLEGAL-PARAMETER-SCAN, MALICIOUS-FILE, SUSPICIOUS-ACTIVITY, WEAK-PASSWORDS, PORT-SCAN
• Hybrid Threat Detection: NEW-COMMUNICATIONS, NEW-NODE, PRODUCER-VARIABLES-FLOW-ANOMALY, CONSUMER-VARIABLES-FLOW-ANOMALY
• Learned Behaviour: INTERNET-NAVIGATION, PRODUCER-VARIABLES-NEW-VARS, CONSUMER-VARIABLES-NEW-VARS, VARIABLES-NEW-VALUES, VARIABLES-SCAN
• Protocol Validation: ANOMALOUS-PACKETS
Alert types descriptions
Objective: Get familiar with the Alert types
Asset Intelligence
• By detecting the asset's details (e.g. product name and vendor), further features of these devices are fed into Guardian's asset inventory, creating a more solid baseline.
• The service is subscription based (a license is required).
• Updates can be installed manually or automatically.
• The content is created/curated by Nozomi Networks Labs.
• 3 different states: (a) enriched asset: the asset benefits from AI database info; (b) asset not matched: the asset is not part of the AI database
Threat Intelligence = Packet Rules + Yara Rules + STIX indicators + Vulnerability DB
• The service is subscription based (a license is required).
• Updates can be installed manually or automatically.
• The Rules and DBs are created by Nozomi Networks Labs or obtained from the infosec community, each verified by Nozomi Networks.
Packet Rules
• Executed on every packet sent over the network; related Alerts use the type-id SIGN:PACKET-RULE.
• Supporting the SNORT syntax allows users to easily add or import new rules using a well-known standard.
• Based on an engine written by Nozomi Networks.
SNORT syntax used for Packet Rules (User Manual Chapter 6 - Security Profile - Packet Rules)
The SNORT Packet Rules syntax allows searching for specific content within the packet's payload.
The content keyword specifies string(s) or binary data to search for inside a packet. Example:
alert tcp any any -> any any (content:"GET";) searches for "GET" within the tcp packets' payload.
The following modifiers are available to influence the search:
• offset specifies where to start searching for a pattern within a packet:
alert tcp any any -> any any (content:"GET"; offset:4;) skips the first 4 bytes of the packet's payload, then starts searching for "GET".
[Figure: 4 bytes skipped, then G E T]
• depth specifies how far into a packet should be searched for a pattern:
alert tcp any any -> any any (content:"GET"; depth:3;) searches for the "GET" string within the first three bytes of the tcp payload only.
[Figure: G E T within the first 3 bytes]
Packet Rules - Search for content (Built-in Checks)
• distance specifies how many bytes to ignore before starting to search for a pattern, relative to the end of the previous match (minimum distance between the end of pattern-1 and the start of the search for pattern-2):
alert tcp any any -> any any (content:"GET"; content:"ONE"; distance:1;) searches for the "GET" pattern, skips one byte and looks for the "ONE" pattern within all following bytes; "GET ONE" or "GET-123-ONE" would match.
[Figure: G E T, one byte skipped, then search for "ONE"]
• within specifies how far at most, relative to the previous pattern, a new pattern should be searched for (search from the end of pattern-1 within the number of bytes specified for pattern-2):
alert tcp any any -> any any (content:"GET"; content:"ONE"; within:10;) searches for the "GET" string in the packet and looks for the "ONE" string within the following 10 bytes.
[Figure: G E T, then search for "ONE" within the next 10 bytes]
Activities
1. When monitoring TCP segments with destination port 21 having the "MENDRISIO" string as their payload, which of the following rules would produce an alert?
A. alert udp any any -> any 21 (content:"MENDRISIO";)
B. alert tcp any any -> any 22 (content:"MENDRISIO";)
C. alert tcp any any -> any any (content:"MEN";)
D. alert tcp any any -> any any (content:"MEN"; content:"DRISIO"; distance:1;)
2. When monitoring TCP segments with destination port 80 having the "Nozomi-Training" or "Nozomi_-_Training" string as their payload, which of the following rules would produce an alert?
A. alert tcp any any -> any any (content:"Nozomi"; content:"Training"; distance:7;)
B. alert tcp any any -> any 80 (content:"Nozomi"; content:"T"; within:1;)
C. alert tcp any any -> any 80 (content:"Training"; content:"Noz"; distance:1; content:"omi"; distance:1;)
D. alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)
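The content modifiers explained above (offset, depth, distance, within) together with the protocol and destination-port part of the rule header, as an added example that is neither Snort nor Nozomi's packet-rule engine: a small matcher that parses rules in the form the slides use and evaluates them against a payload, so the quiz rules can be checked mechanically. The quiz rules are transcribed with ASCII quotes and "->"; everything else in Snort (flow, pcre, byte tests, raw/normalized buffers) is out of scope, and a content that has neither distance nor within is searched from the start of the payload, as in Snort.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Snort and not Nozomi's engine): matcher for the four
# content modifiers on the slides plus the protocol / destination port header.

@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute: skip this many payload bytes first
    depth: Optional[int] = None      # absolute: search only this many bytes from offset
    distance: Optional[int] = None   # relative: skip N bytes after the previous match
    within: Optional[int] = None     # relative: search only N bytes after that

@dataclass
class Rule:
    proto: str
    dst_port: str                    # "any" or a port number as text
    contents: List[Content]

RULE_RE = re.compile(r"^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text}")
    proto, dport, body = m.groups()
    contents = []
    for option in body.split(";"):
        key, _, value = (p.strip() for p in option.partition(":"))
        if key == "content":
            contents.append(Content(value.strip('"').encode()))
        elif key in ("offset", "depth", "distance", "within"):
            if not contents:
                raise ValueError(f"{key} without a preceding content")
            setattr(contents[-1], key, int(value))
        elif key:
            raise ValueError(f"unsupported option: {key}")
    return Rule(proto.lower(), dport, contents)

def rule_matches(rule, proto, dst_port, payload):
    """True when the header matches and every content is found in its window."""
    if rule.proto != proto.lower():
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != dst_port:
        return False
    prev_end = None
    for c in rule.contents:
        if prev_end is None or (c.distance is None and c.within is None):
            start = c.offset                          # absolute window: offset/depth
            end = len(payload) if c.depth is None else start + c.depth
        else:
            start = prev_end + (c.distance or 0)      # relative window: distance/within
            end = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(c.pattern)
    return True

def evaluate(rules, proto, dst_port, payload):
    """One bool per rule text, in order."""
    return [rule_matches(parse_rule(r), proto, dst_port, payload) for r in rules]

QUIZ1_RULES = [  # transcribed from quiz question 1 above
    'alert udp any any -> any 21 (content:"MENDRISIO";)',
    'alert tcp any any -> any 22 (content:"MENDRISIO";)',
    'alert tcp any any -> any any (content:"MEN";)',
    'alert tcp any any -> any any (content:"MEN"; content:"DRISIO"; distance:1;)',
]
QUIZ2_RULES = [  # transcribed from quiz question 2 above
    'alert tcp any any -> any any (content:"Nozomi"; content:"Training"; distance:7;)',
    'alert tcp any any -> any 80 (content:"Nozomi"; content:"T"; within:1;)',
    'alert tcp any any -> any 80 (content:"Training"; content:"Noz"; distance:1; content:"omi"; distance:1;)',
    '  alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)',
]

if __name__ == "__main__":
    print(evaluate(QUIZ1_RULES, "tcp", 21, b"MENDRISIO"))
    for payload in (b"Nozomi-Training", b"Nozomi_-_Training"):
        print(payload, evaluate(QUIZ2_RULES, "tcp", 80, payload))
```

Running it reproduces the slide's own statements first: the distance:1 rule matches both "GET ONE" and "GET-123-ONE" but not "GETONE", and depth:3 only finds "GET" when it starts within the first three payload bytes.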
Yara Rules
• Executed on every file transferred, also on .zip/.tar archives, via smb, ftp, http, using the alert type-id SIGN:MALWARE-DETECTED.
• Detects malicious artifacts (e.g., executables or exploits) by searching for specific patterns inside the files.
• Uses the original YARA engine.
Condition logics
Different conditions are checked on reconstructed files: if the logical statement made by the condition matches (returns true), the rule triggers the alert.
• Conditions on strings:
STIX indicators
STIX (Structured Threat Information Expression) indicators are available under Settings → Threat Intelligence
• Language and serialization format used to exchange cyber threat intelligence (CTI)
• Executed on every IP, URL, and domain detected in the network, and connected to the alert types:
  • SIGN:MALICIOUS-IP
  • SIGN:MALICIOUS-URL
  • SIGN:MALICIOUS-DOMAIN
  • SIGN:MALWARE-DETECTED
• Available in two versions: V1 (XML-based) and V2 (JSON-based)
Custom Checks alert types:
• NET:LINK-RECONNECTION
• NET:TCP-SYN
• NET:INACTIVE-PROTOCOL
• PROC:STALE-VARIABLE
• PROC:INVALID-VARIABLE-QUALITY
• PROC:NOT-ALLOWED-INVALID-VARIABLE
• An Assertion is a query with a special command appended that converts the query into a logical statement to be satisfied (become TRUE).
• The moment the logical statement is not satisfied, the Assertion fails.
• If configured, a failed Assertion generates an Alert and creates a PCAP file.
[Flowchart: Is the assertion satisfied? YES: the assertion gives a TRUE result. NO: the assertion gives a FALSE result and, if configured, an alert / pcap is generated.]
• The Assertion fails when the logical statement results in a FALSE output.
E.g.: we want to make sure that no session using the protocol iec104 has the status CLOSED:
sessions | where protocol == iec104 | where status == CLOSED | assert_empty
If the query returns no rows, the assertion is satisfied and nothing happens. If it returns rows, the assertion has failed: the failure is logged and, if configured, an alert/trace is created.
• Assertion options:
1. assert_empty - the assertion is satisfied when the query returns an empty result
2. assert_not_empty - the assertion is satisfied when the query returns a non-empty result
3. assert_all <field> <op> <value> - the assertion is satisfied when each element in the query result matches the given condition
4. assert_any <field> <op> <value> - the assertion is satisfied when at least one element in the query result matches the given condition
1. Produce an alert when a Node is down for at least one day, excluding nodes representing broadcast addresses.
2. Produce an alert when an ACTIVE vnc session is present in the monitored network.
3. In order to upgrade critical equipment, produce an alert when PLCs are suffering critical vulnerabilities (assuming critical means a CVE score of 9 or higher, and a likelihood of 0.8 or higher).
4. Produce an alert when the minimum value of at least one variable named ioa-2-2 belonging to 192.168.231.107 is less than 0.2 (try not to use the 'assert_empty' keyword).
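The four assertion commands and the failure path (satisfied: nothing happens; failed: log it and, if configured, raise an alert with a trace), as an added example that is not Guardian's own assertion engine. It runs the slide's iec104 example over constructed session rows; the ASRT:FAILED type-id is the custom-check alert type listed earlier on the page, and the row fields are assumptions.

```python
import operator

# Added example (not Guardian's own code): the assertion commands from the
# slide, evaluated over the rows a query would return, plus the failure path.

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

SESSIONS = [  # constructed sample data
    {"from": "10.1.1.10", "to": "10.1.1.20", "protocol": "iec104", "status": "SYN"},
    {"from": "10.1.1.11", "to": "10.1.1.20", "protocol": "iec104", "status": "OPEN"},
    {"from": "10.1.1.12", "to": "10.1.1.30", "protocol": "modbus", "status": "CLOSED"},
]

def where(rows, field, op, value):
    """Equivalent of '| where <field> <op> <value>'."""
    return [r for r in rows if OPS[op](r.get(field), value)]

def assert_empty(rows):
    return len(rows) == 0

def assert_not_empty(rows):
    return len(rows) > 0

def assert_all(rows, field, op, value):
    return all(OPS[op](r.get(field), value) for r in rows)

def assert_any(rows, field, op, value):
    return any(OPS[op](r.get(field), value) for r in rows)

COMMANDS = {"assert_empty": assert_empty, "assert_not_empty": assert_not_empty,
            "assert_all": assert_all, "assert_any": assert_any}

def evaluate_assertion(name, rows, command, *condition, alert_on_failure=True):
    """Return {'satisfied': bool, 'alert': dict or None}. A satisfied assertion
    does nothing; a failed one is logged and, if configured, yields an alert
    record carrying a trace request."""
    satisfied = COMMANDS[command](rows, *condition)
    result = {"assertion": name, "satisfied": satisfied, "alert": None}
    if not satisfied:
        print(f"assertion failed: {name} ({command} {' '.join(map(str, condition))})")
        if alert_on_failure:
            result["alert"] = {"type_id": "ASRT:FAILED", "assertion": name, "trace": True}
    return result

def iec104_closed_sessions(sessions):
    """sessions | where protocol == iec104 | where status == CLOSED"""
    return where(where(sessions, "protocol", "==", "iec104"), "status", "==", "CLOSED")

if __name__ == "__main__":
    print(evaluate_assertion("no closed iec104", iec104_closed_sessions(SESSIONS), "assert_empty"))
    later = SESSIONS + [{"from": "10.1.1.13", "to": "10.1.1.20", "protocol": "iec104", "status": "CLOSED"}]
    print(evaluate_assertion("no closed iec104", iec104_closed_sessions(later), "assert_empty"))
```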
Security Control Panel (areas 1-5)
1. Set global Learning parameters
2. Configure zone-based controls
3. Security profiles managing Alert visibility
4. Set specific Alert rules
5. Custom Reason for closing
(also shown: Manage Learning Map)
Learning and Protecting (Virtual Image)
Guardian runs in two modes to create the baseline and protect the network:
Learning mode: when learning is applied, every new event is included into 𝑩.
Protecting mode (Guardian switched to Protecting): every new event that was not included in 𝑩 is considered to be an anomaly and added to 𝑽𝑰.
[Figure: Node A, Node B and Node C with S7 links; in Protecting mode a new node and a new link appear in the VI but not in 𝑩.]
Event (E): any activity that can be detected, e.g.:
• A new node, link, protocol, or variable appearing
• A new variable value appearing
Virtual Image (VI): all events in the monitored network
Baseline (𝑩): learned or added events in the monitored network
1 Learning (Settings → Security Control Panel): Set global Learning parameters
Anomaly Detection: Adaptive
How it works:
• Learning is applied at site (network) level; events are considered to be good or malicious depending on the installed infrastructure.
• New Event alerts are:
  • VI:GLOBAL:NEW-FUNC-CODE
  • VI:GLOBAL:NEW-MAC-VENDOR
  • VI:KB:UNKNOWN-FUNC-CODE
  • VI:KB:UNKNOWN-PROTOCOL
Anomaly Detection: Strict
Rationale:
• Addressing a stable (classic) OT network where users know the network in detail and want to operate the Learning with maximum granularity.
How it works:
• Learning is applied to single nodes, so events are considered to be good or malicious at a node (device) level.
• Any new event is alerted on, for example:
  • VI:NEW-FUNC-CODE
  • VI:NEW-MAC
  • VI:NEW-LINK
  • …
Adaptive vs. Strict, three cases (figure: PLC 1, PLC 2 and PLC 3 of Vendor A, speaking Modbus and DNP3):
• Case 1: After an update, the existing PLCs support the new protocol DNP3. Adaptive: NO ALERT. Strict: VI:NEW-COMMUNICATION
• Case 2: An additional PLC of the existing make (Vendor A) is introduced. Adaptive: NO ALERT. Strict: VI:NEW-NODE, VI:NEW-COMMUNICATION
• Case 3: An additional PLC of the new Vendor X is introduced. Adaptive: VI:GLOBAL:NEW-MAC-VENDOR. Strict: VI:NEW-NODE, VI:NEW-COMMUNICATION
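The Learning/Protecting cycle and the Adaptive-versus-Strict difference from the slides above, as an added toy model that is not Guardian's own code: while learning, events go into the baseline B; once Protecting starts, events outside B raise VI alerts and are parked in the Virtual Image until an operator adds them to B. Adaptive learning keeps global sets (MAC vendors, known protocols), strict learning keeps per-node sets of nodes and communications, and the three cases reproduce the alerts the slide lists. The event shapes, node names and the KNOWN_PROTOCOLS stand-in for Guardian's protocol knowledge base are assumptions.

```python
# Added example (not Guardian's own code): toy model of Learning/Protecting
# with adaptive (site-level) and strict (node-level) baselines.

KNOWN_PROTOCOLS = {"modbus", "dnp3", "s7comm", "iec104"}   # stand-in for the protocol KB

def node(name, vendor):
    return {"kind": "node", "node": name, "vendor": vendor}

def comm(src, dst, protocol):
    return {"kind": "communication", "src": src, "dst": dst, "protocol": protocol}

class Baseline:
    def __init__(self, mode):
        if mode not in ("adaptive", "strict"):
            raise ValueError(mode)
        self.mode = mode
        self.protecting = False
        self.vendors = set()        # adaptive: MAC vendors seen site-wide
        self.nodes = set()          # strict: known nodes
        self.comms = set()          # strict: known (src, dst, protocol) tuples
        self.virtual_image = []     # anomalies observed while protecting

    def learn(self, event):
        """Add an event to B: learning phase, or an operator clearing a false positive."""
        if event["kind"] == "node":
            self.vendors.add(event["vendor"])
            self.nodes.add(event["node"])
        else:
            self.comms.add((event["src"], event["dst"], event["protocol"]))

    def check(self, event):
        """Alert type-ids the configured mode raises for an event not covered by B."""
        if self.mode == "adaptive":
            if event["kind"] == "node" and event["vendor"] not in self.vendors:
                return ["VI:GLOBAL:NEW-MAC-VENDOR"]
            if event["kind"] == "communication" and event["protocol"] not in KNOWN_PROTOCOLS:
                return ["VI:KB:UNKNOWN-PROTOCOL"]
            return []
        if event["kind"] == "node":
            return [] if event["node"] in self.nodes else ["VI:NEW-NODE"]
        key = (event["src"], event["dst"], event["protocol"])
        return [] if key in self.comms else ["VI:NEW-COMMUNICATION"]

    def observe(self, event):
        """Learning: silently extend B. Protecting: alert and keep the anomaly in the VI."""
        if not self.protecting:
            self.learn(event)
            return []
        alerts = self.check(event)
        if alerts:
            self.virtual_image.append(event)
        return alerts

# Constructed baseline: an HMI polling three Vendor A PLCs over Modbus.
LEARNED = ([node("HMI", "Vendor A")]
           + [node(f"PLC{i}", "Vendor A") for i in (1, 2, 3)]
           + [comm("HMI", f"PLC{i}", "modbus") for i in (1, 2, 3)])
CASE1 = [comm("HMI", "PLC1", "dnp3")]                              # existing PLC starts DNP3
CASE2 = [node("PLC4", "Vendor A"), comm("HMI", "PLC4", "modbus")]  # new PLC, known vendor
CASE3 = [node("PLC5", "Vendor X"), comm("HMI", "PLC5", "modbus")]  # new PLC, new vendor

def run_case(mode, learned, events):
    """Learn the baseline, switch to Protecting, return the alerts for the new events."""
    b = Baseline(mode)
    for e in learned:
        b.observe(e)
    b.protecting = True
    alerts = []
    for e in events:
        alerts += b.observe(e)
    return alerts

if __name__ == "__main__":
    for label, events in (("Case 1", CASE1), ("Case 2", CASE2), ("Case 3", CASE3)):
        print(label, "adaptive:", run_case("adaptive", LEARNED, events),
              "strict:", run_case("strict", LEARNED, events))
```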
Two phase switching
How it works:
• Learning: a global learning is applied to all events in the environment.
• Protecting: after the Learning is evaluated to be finished, the Protecting phase is started manually; all Events not covered by the baseline are now alerted on.
• Learning and Protecting are two completely separated states.
Dynamic switching
Rationale:
• Make the management easier
• Decrease false positives
How it works:
• The Learning window is defined upfront (default 1 month).
• Learning: the dedicated learning periods are applied per node.
• Protecting: applied automatically according to the chosen learning window.
• Learning and Protecting happen together during multiple states.
False positives - Events detected as anomalies can be added manually into 𝑩 (three ways):
• Option 1: From the Environment table
• Option 2: From the Manage Network Learning
• Option 3: Closing the related alert
True positives - Events added to 𝑩 but considered anomalies can be deleted from the VI by:
• Option 1: From the Environment table
• Option 2: From the Manage Network Learning
Detection engines compared (columns: Threat Intelligence | Behavioural Anomaly Detection, Strict | Behavioural Anomaly Detection, Adaptive Learning with Asset Intelligence (added value)):
• Known malwares and other signature-related events transmitted: Alert | Possible Alert | Possible Alert
• New Node of an existing Vendor (while in Protecting): n/a | Alert | No Alert
• New event deviating from a known device profile* (while in Protecting): n/a | Alert | Alert (confirmed, higher precision)
• *Device profile: Type, Manufacturer, Behaviour, Configuration (installed software), Protocols in use
• For each case, the cell related to the most important engine is highlighted in green on the original slide
Manage Learning from tables
Activities
Go to the Nodes table:
• Select a set of Nodes (free to choose)
• Delete the selected nodes using Bulk Learning
Go to the Links table:
• Select a set of links (free to choose)
• Delete the selected links using Bulk Learning
• Press Reset
Security profiles (managing Alert visibility, from Low to Most important Alerts):
• Incidents: all Alerts composing an Incident are shown within its details for completeness reasons, independently of the single Alert's visibility.
• Profile changes are not retroactive.
• The CMC synchronisation includes all Alerts, but can be limited to the ones following the Security Profile chosen.
Alert rules consist of Logics (AND-related), Notes and Actions.
Alerts list UI: action for a single alert; filtering options; alert details.
Alert details:
• Details (static)
• Description (dynamic)
• Risk is weighted based on several logics
• Audit alert operation
• MITRE ATT&CK
• Alerted Link
• Show program differences on PLC code
(User Manual Chapter 6 - Security Profiles - Alerts)
Activities
Run previous traces
3. Analysis:
• How many alerts are showing up?
• Which type of Alerts are displayed?
• Is the Risk of the OT_DEVICE-STOP alert now different than before, and why is that the case?
Reference: https://attack.mitre.org/matrices/enterprise
Load snapshot / create Diff
1. Loading a Snapshot
2. Choose a snapshot or LIVE
3. Create a Diff
Activities
1. Go back in time by clicking the Load Snapshot icon of an entry in the past.
2. Revert back to the LIVE environment by clicking the arrow icon right of the timestamp entry in the top bar.
Integrations: User information, Firewall configuration, Data exchange, AD configuration
User Integration with SAML
• Multi-layer supported: a Guardian does not need a direct connection to the SAML server as long as it is connected to a CMC that does have it.
Configuration fields shown: Guardian own address; schema to match roles; XML containing the Single Sign On configuration.
Firewall Integration
1 Monitor: A threat is detected by Guardian and an alert is generated.
2 Detect: User-defined policies are rapidly examined, and the appropriate corresponding action is triggered.
3 Protect: The Firewall responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) and mitigates the issue.
2. Links blocking
• Guardian detects a New Connection that does not belong to its baseline
• Guardian raises an alert
• Guardian sends a filter rule to the Firewall in order to block this connection
3. Session kill
• Guardian detects a New Function-Code not learned before within a session
• Guardian raises an alert
• Guardian sends a command to the Firewall in order to kill only this specific session; no rule is added.
See the illustration below: a Modbus session 192.168.10.1:34563 → 192.168.20.16:502 carrying FC=3.
Firewall integration support matrix (OK = supported, N/A = not supported):
Firewall: Fortinet Fortigate v6 | Check Point Gateway | PaloAlto v8.0+ | PaloAlto v9.0+ | PaloAlto v10.0+ | Stormshield | TXOne OT Defence Console | Cisco ASA | Cisco FTD | Cisco ISE
• Enable nodes blocking: OK | OK | OK | OK | OK | OK | OK | OK | N/A | OK
• Enable links blocking: OK | OK | OK | OK | OK | OK | OK | OK | N/A | N/A
• Enable session kill: OK | N/A | N/A | OK | OK | N/A | N/A | OK | OK | N/A
• Enable logging (on Firewall filter rule): OK | OK | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A
Data Integration
• FireEye CloudCollector → Alerts, Health Logs, DNS Logs, HTTP Logs, File transfer Logs, Connection Logs
• IBM QRadar (LEEF) → Alerts, Health Logs, Asset information
• ServiceNow → Alerts (bidirectional), Asset information
PULL:
• Microsoft Endpoint Configuration Manager → Asset Data
Data Integration - Generic
• Generic integration
PUSH:
• Syslog Forwarder → forwards to a server the syslog traffic captured from the monitored network
• As an SNMP daemon → Health Logs (the SNMP manager needs to query the daemon)
Custom Fields and Nodes Information
Create Nodes' custom fields
Objective: Add custom fields to your assets/nodes tables
Open API
• The Open API is used by third-party applications to pull data from Guardian automatically:
  • Service Graph Connector for Nozomi Networks, available on the ServiceNow Store
  • Nozomi Networks Sensor Add-on, available on Splunk App
Remote Collector connection - On the Guardian:
• Enable the management interface to accept the connection on port 6000 (running n2os-enable-rc).
• Connection to port 443 is already allowed.
• Copy the Sync token (Settings > Synchronization settings).
RC's list
• RCs are managed under the WebUI Appliances menu, listing all connected RCs incl. their status and configuration settings.
• Choosing one RC opens its details on the right for verification:
1. RC Info & Traffic sync: general info and forwarded traffic statistics. Pressing the Arrows starts the initial traffic synchronization. The RC will automatically update the software (default).
Guardian to CMC connection
• Update propagation: N2OS, Threat/Asset Intelligence
• Authentication/Connection: Guardian (client) and CMC (server)
  • Server: authenticates by TLS certificate
  • Client: authenticates by token
  • Guardian connects to the CMC using a TLS tunnel
• Connection using a reverse proxy from the Global CMC to the Guardian
2. On your Guardian
In Settings > Synchronization Settings > Upstream Connection configure the connection to the CMC:
• Turn the connection to ON and choose optional use of the TLS Certificate
• Enter the CMC IP as host
• Paste the copied Sync token
• Use Check CMC connection to verify and Save the config
On Guardian: Setup the CMC connection (User Manual Chapter 11 - CMC - Settings)
On the CMC (diagram): for each connected Guardian appliance the CMC offers Allow/Disallow Guardian, Go To Appliance, Force update and Delete the appliance (Guardian + SP); the CMC distributes Threat Intelligence (TI), Asset Intelligence (AI) and N2OS Software.
(1) The data is then propagated to the connected appliances by the CMC
Main CMC and Replica CMC (asymmetrical link); Assertions: No / Yes (Main CMC / Replica CMC)
• Guardian sends data to one of the CMCs, which takes care of synchronizing all the data with the other CMC (data sync, main link);
• In case one CMC is not available, Guardian sends its data directly to the other CMC (data sync, backup link) until the situation returns to normal;
• Both CMCs are accessible and are constantly being synced so that both provide the same set of data.
Vantage
• Central Cloud Management
• Configure and operationalize any number of sensors in any number of locations
Central Management Console
Guardian
• Local Sensors
• Monitor physical and logical assets
• Detect threats and operational anomalies
• Identify and mitigate threats
Remote Collectors
Diagram: deployment hierarchy Vantage > Central Management Console > Guardian > Remote Collectors
Screen callouts:
• Sensors – lists the sensors configured
• Visual – provides a visual summary based on geographical location
• Summary – provides a summary for the specific page
• Multiline queries
• Auto-refresh data
• Sort
• Group by
• Output of the query
• Auto filter
• Add comments
• Recommended actions to lower risk
* support@nozominetworks.com and Support Portal are available for partners and users with an active SLA
For more info please refer to the Global Customer Support brochure
© 2022 Nozomi Networks. All rights reserved. | www.nozominetworks.com 309
Ask support
• When a support ticket needs to be opened, the support department will need to be provided enough data to understand the problem:
• A detailed description of the problem
• The compressed Support archive provided by Guardian.
The archive can be generated in 2 ways:
• from the Web UI System > Support, downloaded via Browser
• from the Shell console executing the n2os-asksupport command with root privileges, then download it via scp from /data/tmp/ *
* If you want to run the command using the Anonymize option, please use n2os-asksupport --anonymize
Nozomi Guardian from installation increases the visibility of the network, enabling the opportunity to observe and act, securing network zones which had until that moment remained unknown or uncontrolled. The Activation phase consists of 4 different sub-phases: Information Gathering, Solution Design, Site Preparation, Installation.
The second stage consists of tuning the Guardian baseline and defining security rules to check the compliance to the company security standards or to find the gaps with security best practices: Fine Tuning, Go-Live.
After the go-live, Nozomi Networks’ Guardian permits:
• Real-time industrial operations and security monitoring
• Control over the remediation activities in place to enforce security
• Impact analysis of the planned and unplanned changes in the ICS environment
Phase summary:
• Information Gathering – ICS network information and documentation gathering in order to define and characterize project activities
• Solution Design – Identification of the best device deployment topology and configuration activities required for installation
• Site Preparation – Commitment of resources and access permissions required for the appliance implementation
• Installation and Basic Config – Activation and commissioning of the Nozomi Guardian appliances (virtual or physical)
• Fine Tuning – Alert tuning, customizations and configuration of integrations
• Go-Live – Close-out meeting and transfer of the installation documentation to end users
Diagram: Solution communication – Nozomi appliances network connections across Headquarter, Region and Site B (dashed lines indicate optional network connections)
• Admin access from Workstation to Guardian / CMC: Web UI (https, tcp-443) and Shell console (ssh, tcp-22)
• Workstation to Vantage: https (tcp-443)
• Secure TLS tunnel from Guardian/CMC to Management (CMC local, CMC regional, CMC HQ, Vantage): tcp-443
• Secure TLS tunnel from Remote Collector to Guardian: tcp-443, -6000; ssh (tcp-22)
• Guardian/CMC to Threat Intelligence and Asset Intelligence: TLS tunnel (tcp-443)
• Time Server: ntp (udp-123)
• AD/LDAP: ldap(s) (tcp/udp-389, tcp-636)
• SIEM: syslog, cef, leef (tcp/udp-514)
• Mail Relay: smtp (tcp-25)
• Other integrations: e.g. snmp, api
• Remote Collector at the remote location: mirrored network traffic to monitor
Solution communication: Remote Collector (RC)
Diagram: example topology with plc151.ACME0.corporationnet.com (Interface1 192.168.1.28), a SCADA consumer 192.168.162.22 (192.168.162.1/24, Mac 00:0a:dc:85:11:01), two switches and a RUGGEDCOM router (Interface2 192.168.1.1/24, Mac 00:0a:dc:85:11:05)
Scenario 2
- Building 1 - NSG-L 250
- Building 2 - NRC-5 connected over internet to NSG-L 250 (TLS)
- Building 3 - NRC-5 connected over internet to NSG-L 250 (TLS)
- Central management: by the NSG-L 250
Scenario 3
- Switch 1 - NSG-HS 3500 + 1 Expansion slot 4xSFP+
- Switch 2 - NSG-HS 3500 + 1 Expansion slot 4xSFP+
- Central management: Vantage
• Question 1: Answer: C /// alert tcp any any -> any any (content:"MEN";) /// >> A: udp - B: 22. - D: "distance:1" needs to be exact
• Question 2: Answer: D /// alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)
Yara Rule:
• Question1: No
• Question2: Yes
• Question3: No
• Question4: Yes
2. Produce an alert when an ACTIVE VNC session is present in the monitored network.
sessions | where status == ACTIVE | where protocol == vnc | assert_empty
3. In order to upgrade critical equipment, produce an alert when PLCs are suffering critical vulnerabilities (assuming critical means a CVE score of 7 or higher, and a likelihood of 0.8 or higher).
node_cves | where cve_score >= 7 | where likelihood >= 0.8 | where node_type == PLC | assert_empty
4. Produce an alert when the minimum value of at least one variable named ioa-2-2 belonging to 192.168.231.107 is less than 0.2 (try not to use the ‘assert_empty’ keyword).
variables | where host == 192.168.231.107 | where name == ioa-2-2 | assert_all min_value > 0.2
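To make the assertion semantics of the three solutions concrete, here is an added toy evaluator (not Nozomi's code, and not the real N2QL engine) that runs these pipelines over constructed sample rows: assert_empty fires when any row survives the filters, assert_all fires when any surviving row violates its condition.

```python
# Added example, not Nozomi's code: a toy evaluator for the N2QL-style assertion
# queries above. Pipeline grammar and the alerting semantics of assert_empty /
# assert_all are inferred from the exercise solutions; rows are constructed.
import operator

OPS = {"==": operator.eq, ">=": operator.ge, ">": operator.gt,
       "<=": operator.le, "<": operator.lt}

def _coerce(text):
    """Numeric literals compare as numbers, anything else as a string."""
    try:
        return float(text)
    except ValueError:
        return text

def _matches(row, field, op, value):
    """True when the row satisfies `field op value`; missing fields never match."""
    try:
        return OPS[op](row[field], _coerce(value))
    except (KeyError, TypeError):
        return False

def alerts(query, tables):
    """Return True when the query's assertion fails, i.e. an alert would fire."""
    stages = [s.strip() for s in query.split("|")]
    rows = list(tables[stages[0]])          # first stage names the source table
    for stage in stages[1:]:
        tok = stage.split()
        if tok[0] == "where":               # where <field> <op> <value>
            rows = [r for r in rows if _matches(r, *tok[1:4])]
        elif tok[0] == "assert_empty":      # fires if anything survived the filters
            return len(rows) > 0
        elif tok[0] == "assert_all":        # fires if any surviving row violates it
            return not all(_matches(r, *tok[1:4]) for r in rows)
        else:
            raise ValueError(f"unsupported stage: {stage!r}")
    raise ValueError("query has no assertion stage")

# Constructed sample rows mirroring the tables used by the three exercises.
SAMPLE = {
    "sessions": [{"protocol": "vnc", "status": "ACTIVE"},
                 {"protocol": "ssh", "status": "ACTIVE"}],
    "node_cves": [{"node_type": "PLC", "cve_score": 9.8, "likelihood": 0.9},
                  {"node_type": "PLC", "cve_score": 5.0, "likelihood": 0.9},
                  {"node_type": "HMI", "cve_score": 9.8, "likelihood": 0.9}],
    "variables": [{"host": "192.168.231.107", "name": "ioa-2-2", "min_value": 0.1},
                  {"host": "192.168.231.107", "name": "ioa-2-2", "min_value": 0.5}],
}
```

Note that with no surviving rows assert_all passes vacuously, which is why exercise 4 still needs the host and name filters to narrow the rows before the check.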