Professional Documents
Culture Documents
TABLE OF CONTENTS
18-May-2023 Page 2 of 46
CTD Alert Behavior
18-May-2023 Page 3 of 46
CTD Alert Behavior
18-May-2023 Page 4 of 46
CTD Alert Behavior
18-May-2023 Page 5 of 46
CTD Alert Behavior Alert Creation and Resolution Proc-
ess
The following is a high-level explanation of the Alert creation and resolution process:
1. An Event is created.
2. The Event receives a score from the Scoring Mechanism.
• If the score is below 80, the Event becomes a Master Event.
a. Until resolved, CTD can add new Events to the Master Event or Alert. Each addition
returns the Alert to the scoring mechanism.
b. If, after 24 hours, additional events are not added to the Master Event, it is Resolved by
CTD as Unqualified.
• If the score is above 80, the Event becomes an Alert. What happens next depends on
whether CTD is in Training Mode or Operational Mode.
• In Training Mode
• CTD immediately resolves four alert types (New Asset, Asset Information Change, New
Conflict Asset, and Policy Violation) to prevent alert flooding since CTD cannot score
them optimally when in training mode.
• The Baseline Rule alert type is not created.
• All other alerts behave as in Operational Mode.
• In Operational Mode
• The Alert can be resolved manually.
For further information, see https://docs.claroty.com/ctd/en/continuous-threat-detec-
tion--ctd--reference-guide/threat-detection/alert-resolution-options.html
• The Alert can be resolved using Auto Resolve Rules.
For further information, see https://docs.claroty.com/ctd/en/continuous-threat-detec-
tion--ctd--user-guide/threat-detection/alert-rules/auto-resolve.html
NOTE
The score of 80 as the threshold for Alert creation
can be controlled by using the Alert Sensitivity setting.
See https://docs.claroty.com/ctd/en/continuous-threat-detection--ctd--adminis-
tration-guide/configuration/configuring-alert-settings/alert-sensitivity.html.
18-May-2023 Page 6 of 46
CTD Alert Behavior Alert Creation and Resolution Proc-
ess
18-May-2023 Page 7 of 46
CTD Alert Behavior Alerts Table
2. Alerts Table
This table summarizes all the alerts currently available in CTD, including the following:
Asset Infor- This alert detects Integri- Automati- • Approve Forever No Yes
mation changes to asset- ty cally ap- All
Change related informa- proved by • Approve
(page 10) tion (such as Firm- CTD Selected
ware, OS, Host- • Archive
name, and Slot
Cards)
Denial of Serv- This alert detects Securi- • Approve • Approve 12 Yes Yes
ice (page 17) DoS attacks ty • Archive • Archive months
File System This alert detects Integri- • Approve • Approve 12 Yes Yes
Change events related to ty • Archive • Archive months
(page 20) changes to the File
System
18-May-2023 Page 8 of 46
CTD Alert Behavior Alerts Table
Host Scan This alert detects Securi- • Approve • Approve 3 Yes Yes
(page 24) Host Scan events ty • Archive • Archive months
by sending TCP
SYN or UDP re-
quests to multiple
hosts on the same
port
Memory Reset This alert detects Securi- • Approve • Approve 12 Yes Yes
(page 28) Memory Reset ty • Archive • Archive months
events
Mode Change This alert detects Integri- • Approve • Approve 12 Yes Yes
(page 29) events related to ty • Archive • Archive months
changes to the de-
vice Mode (Run,
Stop, Program)
New Asset This alert detects Integri- Automati- • Approve Forever No Yes
(page 32) new assets in the ty cally ap- and Up-
environment proved by date Poli-
CTD cy
• Ignore
• Acknowl-
edge
New Conflict This alert detects Integri- Automati- • Approve Forever No Yes
Asset conflicts between ty cally ap- and Up-
(page 35) assets having iden- proved by date Poli-
tical information CTD cy
(IP, MAC) • Ignore
• Acknowl-
edge
18-May-2023 Page 9 of 46
CTD Alert Behavior Asset Information Change
Port Scan This alert detects Securi- • Approve • Approve 3 Yes Yes
(page 41) Port Scan events ty • Archive • Archive months
by sending TCP
SYN or UDP re-
quests to different
server ports on a
host to see which
ports it answers
on
Suspicious Ac- This alert detects Securi- • Approve • Approve 3 Yes Yes
tivity suspicious events ty • Archive • Archive months
(page 43) based on OT pro-
tocol anomalies
Suspicious File This alert detects Securi- • Approve • Approve 12 Yes Yes
Transfer suspicious events ty • Archive • Archive months
(page 45) based on Yara
Rule matching
An Information Change alert occurs when information about an asset is changed. Every asset
information change must be verified and approved. When a software version changes, the system
also reports that change.
• Firmware
• OS
• Hostname
• Slot Cards
18-May-2023 Page 10 of 46
CTD Alert Behavior Asset Information Change
• Inspect the Asset Information Changes section to find the information that has changed for the
asset.
• Understand whether this information change was expected or planned.
• Understand the purpose of the change (such as Firmware, OS, Hostname, and Slot Cards), and
determine if anyone has been notified about an upcoming modification.
• Look into changes and whether they can affect the operation or safety of the process.
• Check the Event Details section for the events that led to change in the information.
NOTE
Events will not be present if the change is detected by Active Query or AppDB.
• If changes seem suspicious, look into the asset that initiated the changes. Check if it is an
internal or external asset.
• Check if these changes appear as human error or malicious activity.
• In case of any doubt check with the respective asset owner, plant engineer, or IT for validation.
• Approve All
• Approve Selected
• Archive
• Approve All - Approves all information about the changes to the Asset that triggered this
alert. Because this alert is linked to network changes, it is generated again whenever there are
network changes related to the relevant Asset.
When approving in Bulk Action or Auto Resolve Rule, it will Approve All.
• Approve Selected - Approves selected information about the changes that occurred in the Asset
and triggered this alert. Since this Alert is linked to network changes, it will be generated again
whenever there are network changes related to the relevant Asset.
• Archive - Rejects all the information about the changes in the Asset. Since this Alert is linked
to network changes, it will be generated again whenever network changes are related to the
relevant Asset.
18-May-2023 Page 11 of 46
CTD Alert Behavior Baseline Rule
NOTE
This alert is only generated if the New Asset Alert linked to the relevant Asset is
unresolved. In that case, all Asset Information Changes will appear in the relevant
New Asset Alert.
Alert Example:
Baseline “E/IP: Get Network Request” has been inactive for more than xxx seconds/hours
• Understand the baseline rule that triggered the alert (inactive for / upon appearance). Of note,
after an alert is generated, all future events or triggers will be added to the same alert, until it’s
approved or archived.
• Review the original baseline and understand the activity that is being monitored.
• Contact the asset owner and notify him of the event.
• Ask the asset owner if this is due to a planned activity, maintenance, or an emergency activity.
• If not part of the planned activity, maintenance or an emergency activity, ask the asset owner to
verify the operations based on priority.
18-May-2023 Page 12 of 46
CTD Alert Behavior Configuration Download
• Approve
• Archive
• Approve - Approves the action that triggered the alert. Since this is a custom alert (based on
parameters you specify in Baseline Rules), alerts of the same type will always be generated
again.
• Archive - Rejects the action that triggered the alert. Since this is a custom alert (based on
parameters you specify in Baseline Rules), alerts of the same type will always be generated
again.
NOTE
The Configuration Change section, on the Alert page, includes the new configuration
files only for the 5 most recent alerts.
Alert Example:
In another scenario, the configuration or program could be altered in such a way that it can result
in incorrect process execution or alarm suppressions. All of these effects can result in unexpected
production outcomes, safety incidents, and loss of production.
18-May-2023 Page 13 of 46
CTD Alert Behavior Configuration Upload
• Review the Configuration Change section to view, code segments being uploaded, code differen-
ces, users performing code changes, and project name / identifier.
• Confirm if the Configuration Change could be related to any ongoing, planned or emergency
maintenance, deployment project or activity.
• If it was a scheduled/planned activity, verify that the actual change that was done is the change
that was planned.
• Identify the system from which this activity is performed and if possible, the user who per-
formed this activity, validate if they are authorized to perform such an activity.
• In the Root Cause Analysis section, check past instances of similar activity being performed
between the same devices or on other controllers from the same system and/or zone.
• In case of doubt or suspicion, work with process and/or OT engineers, provide them with code
changes and understand what is the impact that the change can have on the process or OT
operations.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
NOTE
The Configuration Change section, on the Alert page, includes the new configuration
files only for the 5 most recent alerts.
18-May-2023 Page 14 of 46
CTD Alert Behavior Configuration Upload
Alert Example:
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 15 of 46
CTD Alert Behavior DCS Configuration Change Alert
A DCS Configuration Change alert occurs when the system detects any actions between the Dis-
tributed Control System (DCS) and the assets it manages. These include both those performed by
the DCS on the managed assets and those performed by the assets on the DCS.
For example:
Alert Example:
For example, a command such as a 'stop' to a DCS could cause significant damage.
2.6.2. ANALYSIS
You can use the Alerts page to find the necessary information when analyzing the alert.
18-May-2023 Page 16 of 46
CTD Alert Behavior Denial of Service
• In case of doubt or suspicion, work with process and/or OT engineers. Providing them with the
changes will help to understand the impact that the change could have on the process or on OT
operations.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted
server, often using a fake IP address. The server, unaware of the attack, receives multiple, appa-
rently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK
packet from each open port.
The malicious client either does not send the expected ACK, or—if the IP address is spoofed—
never receives the SYN-ACK in the first place. Either way, the server under attack will wait for
acknowledgement of its SYN-ACK packet for some time.
During this time, the server cannot close down the connection by sending an RST packet, and the
connection stays open. Before the connection can time out, another SYN packet will arrive. This
leaves an increasingly large number of connections half-open – and SYN flood attacks are also
referred to as “half-open” attacks. Eventually, as the server’s connection overflow tables fill, service
to legitimate clients will be denied, and the server may even malfunction or crash.
Alert Example:
18-May-2023 Page 17 of 46
CTD Alert Behavior Failed Login
• Review the device from where the SYN Flood is originating. Note, this information may or may
not be trustful. In fact, in such attacks usually fake IP addresses are used since attackers don't
want to respond to the SYN request.
• Use other tools or solutions such as NetFlow logs to identify where the communication is
actually originating from, which switch the traffic is coming from, which asset is connected to the
switch port from which this traffic is originating.
• Understand the asset that is being attacked, and the services that are provided by that asset.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
A failed login is when a user attempts to login multiple times in a row and fails each time. This alert
is generated when CTD detects a failed login.
Alert Example:
Failed Login: SMB Failed Login attempts were made to asset 141.122.111.218 from 10.77.106.12
18-May-2023 Page 18 of 46
CTD Alert Behavior Failed Login
For the most part these are common occurrences, however in some cases where it relates to an
adversary, these alerts could be an indicator of something malicious taking place. In fact, this alert
could represent an attacker attempting to gain access to an asset through a brute force attack or
use of valid accounts.
• Review the username that appears in the alert Description (where available).
• Review the multiple indicators to help understand the context and help with decision making
• Evaluate the details of the failed login attempts to determine if it is a user inputting incorrect
credentials, or if it is a malicious attempt. This can normally be determined by the source and
frequency of the authentication attempts:
• If the source of the authentication attempts is not a normal access point for a PLC (for
example, an engineering workstation or HMI), this may indicate malicious traffic.
• If the frequency of failed login attempts is significantly faster than a normal user would
attempt, this would also indicate malicious behavior.
• Check the Root Cause Analysis section, which shows other similar events and if multiple assets
are involved.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 19 of 46
CTD Alert Behavior File System Change
• T0883: Internet Accessible Device - if the source Asset is in an external network with Non-RFC
1918 IP address
• T0859: Default Credentials - If the source has a default username
• T0812: Valid Accounts - If the source has Valid Accounts
A File System Change alert is triggered when the system detects the editing/deletion of files from
the PLC file system.
Alert Example:
• Approve
18-May-2023 Page 20 of 46
CTD Alert Behavior Firmware Download
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
Alert Example:
• Delayed Attack - The adversary might stage an attack in advance and choose when to launch it,
such as at a particularly damaging time.
• Brick the Ethernet Card - Malicious firmware might be programmed to result in an Ethernet
card failure, requiring a factory return.
• "Random" Attack or Failure - The adversary might load malicious firmware onto multiple field
devices. Execution of an attack and the time it occurs is generated by a pseudo-random number
generator.
• A Field Device Worm - The adversary may choose to identify all field devices of the same model,
with the end goal of performing a device-wide compromise.
18-May-2023 Page 21 of 46
CTD Alert Behavior Firmware Download
• Attack Other Cards on the Field Device - Although it is not the most important module in a
field device, the Ethernet card is most accessible to the adversary and malware. Compromise of
the Ethernet card may provide a more direct route to compromising other modules, such as the
CPU module.
• Approve
• Archive
• Approve - Approves the action that caused the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
18-May-2023 Page 22 of 46
CTD Alert Behavior Firmware Download
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Delayed Attack - The adversary might stage an attack in advance and choose when to launch it,
such as at a particularly damaging time.
• Brick the Ethernet Card - Malicious firmware might be programmed to result in an Ethernet
card failure, requiring a factory return.
• "Random" Attack or Failure - The adversary might load malicious firmware onto multiple field
devices. Execution of an attack and the time it occurs is generated by a pseudo-random number
generator.
• A Field Device Worm - The adversary may choose to identify all field devices of the same model,
with the end goal of performing a device-wide compromise.
• Attack Other Cards on the Field Device - Although it is not the most important module in a
field device, the Ethernet card is most accessible to the adversary and malware. Compromise of
the Ethernet card may provide a more direct route to compromising other modules, such as the
CPU module.
18-May-2023 Page 23 of 46
CTD Alert Behavior Host Scan
• Confirm if this could be related to any ongoing, planned or emergency maintenance, deploy-
ment project or activity.
• Confirm that firmware download was planned, also the activity was done properly with all the
required security steps and as planned.
• Identify the system and if possible, the user who performs this activity, validate if they are
authorized to perform such activity.
• If the firmware download was not planned:
• Look into the asset that initiated the download, and whether it is possible that this asset
would be initiating a malicious activity. Also ascertain the criticality of the target asset, and
what would a malicious entity with the asset's firmware be able to do.
• In the Root Cause Analysis section, check past instances of similar activity being performed
between the same devices or on other controllers from the same system and/or zone.
• In case of doubt or suspicion, work with process and/or OT engineers, provide them with code
changes and understand the impact that the change can have on process or OT operations.
• Approve
• Archive
• Scan Time Frame – The time frame that the threshold should pass in order to create a network
scan alert.
• Min Requests – Minimum requests required to trigger a scan alert.
Alert Example:
TCP Host scan: Asset 192.168.1.26 sent packets to different IP destinations on the same port: 80
18-May-2023 Page 24 of 46
CTD Alert Behavior Known Threat Alerts
• Review the source of the host scan, and the affected assets including the port which was
scanned on those assets.
• Check indicators that show:
• Whether similar scans were previously approved
• Whether the scan was performed on common or uncommon port
• Whether the scan was within or across subnets
• Whether the source asset was previously involved in network scans
• When a host scan occurs within the network, evaluate the asset that performed this scan,
notably:
• The pathway the attacker used, and the affected machine to ensure they are not vulnerable to
remote network attacks.
• Inspect the asset's last activities in the network, and whether this asset seems malicious.
• Inspect the assets that were scanned, notably:
• What services do they provide?
• Are the assets critical to any process or do other services depend on them?
• Inspect the port that was scanned on those hosts. Are there any vulnerabilities known in these
ports?
• Approve
• Archive
• Approve - Approves the action that triggered the alert. To prevent Alert flooding, even though
this is a Security Alert, if an identical scan is performed among the same group of Assets, an
Alert with identical characteristics will not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 25 of 46
CTD Alert Behavior Known Threat Alerts
Alert Example:
Known Threat: Threat ET TROJAN Approx. Form Submission to C&C was detected from 10.0.0.130
to 216.150.79.226
• Review the Indicators section which shows whether this signature was triggered in the environ-
ment in the last 30 days and whether this alert is related to another alert.
• Check the Event Details section to view what is matched. Look at the individual events and
understand the signature that has resulted in this alert.
• Understand the nature of the threat that is linked to the Network Rule, such as whether the
malware referenced in the rule is ransomware or something else, and which vulnerabilities it
uses.
• Review both the source and destination asset involved in this communication, and whether they
are actually exposed to the vulnerability that is exploited by this threat vector. Check whether
this threat has been seen on other devices with which these assets are communicating.
• Consider scanning the assets involved in communication via AV software, to ensure that they are
not compromised.
• Approve
• Archive
18-May-2023 Page 26 of 46
CTD Alert Behavior Man-in-the-Middle Attack
This alert is triggered when the system detects that a potential attacker inserted a new machine
into the communication pathway between two assets.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 27 of 46
CTD Alert Behavior Memory Reset
A memory reset consists of the overwrite of the controller memory (RAM memory). This alert is
triggered when detecting a Memory Reset Operation.
Alert Example:
Depending on the action being performed, the effect could be from minor process disruption
to total loss of control. For example, if a program is erased, then no program remains in the
controller memory and the controller doesn’t control the production line and its equipment any
more.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
18-May-2023 Page 28 of 46
CTD Alert Behavior Mode Change
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Program - This mode must be enabled before changes can be made to a device’s program. This
allows program uploads and downloads between the device and an engineering workstation.
Often the PLC’s logic is halted, and all outputs may be forced off.
• Run - Execution of the device’s program occurs in this mode. Input and output (values, points,
tags, and elements) are monitored and used according to the program’s logic. Program Upload
and Program Download are disabled while in this mode.
• Remote - Allows for remote changes to a PLC’s operation mode.
• Stop - The PLC and program is stopped, while in this mode, outputs are forced off.
• Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some
memory while cold resets will reset all I/O and data registers.
• Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for
monitoring, force set, resets, and more general tuning or debugging of the system. Often moni-
tor mode may be used as a trial for initialization.
Alert Example:
Mode Change operation was performed for the first time by 192.168.152.153 on 192.168.45.129
• Review the Event Details section, which contains the details of the PLC’s mode that was changed,
and other associated events before or after the mode change if applicable.
18-May-2023 Page 29 of 46
CTD Alert Behavior Monitor/Debug Mode
• Confirm if this could be related to any ongoing, planned, or emergency maintenance, deploy-
ment project or activity.
• Identify the system and if possible, the user who usually performs this activity, validate if they
are authorized to perform such activity.
• Look into the asset that was changed, the assets criticality, and whether a mode change can
cause immediate damage to the process.
• If the activity was not planned, look at what kind of asset it is and whether it's external or
internal.
• In case of doubt or suspicion, work with process and/or OT engineers, provide them with code
changes and understand the impact that the change can have on process or OT operations.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
This alert occurs if a user uses an engineering workstation or other software package to put a
controller into monitor or debug mode. This is typically a troubleshooting function built into some
controllers. This alert is triggered when such activity is detected.
NOTE
This alert does not occur for every controller model, and should rarely occur during
normal operation.
18-May-2023 Page 30 of 46
CTD Alert Behavior Monitor/Debug Mode
Alert Example:
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 31 of 46
CTD Alert Behavior New Asset
A new asset alert occurs when a new asset is added. A new asset is learned by detecting its
communications. Examples of new assets are Vendor laptops, Virtual Machines, Physical servers,
and PLCs.
Although the asset is new, its communication could be familiar because it was seen within the
same Virtual Zone. Therefore, it is possible the policy already contains rules that address this
communication. Virtual Zone criticality and asset type significantly contribute to the triggering of
the alert. For instance:
• If a new asset with type endpoint (low criticality type) is detected in a Virtual Zone with low
criticality and that asset is not communicating with any critical assets or critical virtual zones,
then no alert will be generated.
• If a new asset with type endpoint (low criticality type) is detected in a Virtual Zone with low
criticality and that asset is communicating with any critical assets or critical virtual zones, then
an alert will be generated.
• If a new asset with type endpoint (low criticality type) is detected in an External Virtual Zone and
that asset is communicating with an internal asset, then an alert will be generated.
• If a new PLC asset (high criticality type) is detected in a Virtual Zone with low criticality, then an
alert will be generated.
Alert Example:
New asset detected: A new RTU was detected in OT operations permitted zone: "RTU: IEC104",
performing data acquisition operation communication: 172.20.65.25
Some of these changes can result in increased threat exposure and unknown risk, while some are
a direct indication of an attack in progress.
18-May-2023 Page 32 of 46
CTD Alert Behavior New Asset
• View the Asset Details section to get more information about the new asset, such as the vendor,
the nature of the communication (who is talking to who), and the baselines.
• Check the Root Cause Analysis section, which provides assets involved in the communication
and any other associated alerts.
• In the Event Details section, analyze events that led to this alert.
• View the Asset Communication section, which shows if the communication is addressed by
existing policy rules.
• View the Baselines section, which shows baselines associated with the alert.
• Understand the zone where the asset is identified and whether it aligns with the zone.
• Confirm if the new asset detected is part of any ongoing, planned, or or emergency mainte-
nance, deployment project, or activity.
• In case of any doubt, check with the respective asset owner, plant engineer or IT for validation.
• If permitted, try to connect to the asset to obtain more details.
• Approve & Update Policy - Approves the Asset and add this information to CTD Baseline and
Assets List.
• When approving from the Alerts page, the system allows the option to choose which Zone
Rules (Policies) are linked to the Asset to approve.
• When approving in Bulk Action or Auto Resolve Rule (Approve), all Zone Rules (Policies) are
approved. Once approved, the Alert is not recreated for the same Asset.
NOTE
Until a New Asset Alert is approved, Asset Information Changes and new Zone
Rules (Policies) are added to this alert and will not generate new alerts. (All other
Alerts will be generated regardless of the approval). Until this Alert is approved,
the Asset will not appear in the Asset List.
• Ignore/Acknowledge/Archive (Bulk Action or Auto Resolve Rule) - Rejects the asset that trig-
gered the alert, and delete the Asset from the CTD Network. Since this Alert is linked to network
changes, it is generated again whenever there are network changes related to this asset (in oth-
er words, if the asset does exist in the network, the alert is created again). The only difference
between the three actions is how they are logged to help with auditing.
Example: An asset is deleted from the CTD Baseline and is the Primary Asset or the only
Non-Primary Asset of an Alert. In this case, the alert becomes irrelevant and is deleted within
24 hours, with no exceptions, to avoid a situation of an Alert without content. Accordingly,
18-May-2023 Page 33 of 46
CTD Alert Behavior New Asset
we recommend Ignoring/Acknowledging/Archiving only Assets that are not online and for
which you want to receive an Alert when they connect again, such as laptops or mobile
phones.
Some of these changes can result in increased threat exposure and unknown risk, while some are
a direct indication of an attack in progress.
18-May-2023 Page 34 of 46
CTD Alert Behavior New Conflict Asset
A new conflict asset alert occurs when information about a new asset conflicts with an existing as-
set information. This could occur because an asset has an identical IP address, MAC address, or
other information, with another asset.
Alert Example:
A new asset has been detected AssetID1 and is conflicting with AssetID2.
For example, a change in your asset details may be done by attackers to perform authentication
based on an IP address. A common attack is to impersonate a highly privileged IP address, such as
an engineering station, and use it to run changes on critical equipment.
• Check the Assets to Merge section, which shows the asset information, the conflicting informa-
tion highlighted in RED, and allows selections of which assets to keep or merge.
• Check the Asset Information Changes section to view changes in asset information.
• Review attributes of the assets that have conflicting values. Verify whether this information
change was expected and understand what has led to the conflict.
• Review notifications of an upcoming change and information about the change.
• Check for MAC modifications. They are uncommon and might be suspicious.
• Review the Asset Communication section which shows if the communication is addressed by
existing policy rules.
• In case of any doubt, validate with the respective asset owner, plant engineer or IT.
18-May-2023 Page 35 of 46
CTD Alert Behavior Online Edit
• Ignore
• Acknowledge
• Approve & Update Policy - Approves the Asset merge and adds the information that triggered
the alert.
• When approving from the Alert page, the system also provides the option to choose which
Zone Rules (Policies) to approve.
• When approving in Bulk Action or by Auto Resolve Rule (Approve), it will approve all Zone
Rules (Policies). Since this Alert is linked to network changes, it will be generated again when-
ever there are network changes related to the relevant Assets.
• Ignore/Acknowledge/Archive (Bulk Action or Auto Resolve Rule) - Rejects the Asset merge and
adds this information to CTD Baseline. Since this Alert is linked to network changes, it will be
generated again whenever there are network changes related to the relevant Assets.
The only difference between the three actions is how they are logged to help with auditing.
Alert Example:
• Adversaries can use the online edit to modify or add a program on a controller to affect how it
interacts with the physical process, peripheral devices, and other hosts on the network.
• Adversaries may perform a program download to transfer a user program to a controller or
might modify the task of a controller to allow for the execution of their own programs using the
online edit mode.
18-May-2023 Page 36 of 46
CTD Alert Behavior Policy Rule Match
• Check the Events Details section, to see the actions performed in online edit mode.
• Review the Configuration change to see code changes, where applicable.
• Confirm that detected communication was actually an Online Edit Operation.
• Confirm if this could be related to any ongoing, planned or emergency maintenance, deploy-
ment project or activity. If it was a scheduled/planned activity, verify that the actual change that
was done is the change that was planned.
• Identify changes performed as part of this activity.
• Identify the system where this activity is performed and if possible, the user who performed this
activity, validate if they are authorized to perform such activity
• In the Root Cause Analysis section, check past instances of similar activity being performed
between the same devices or on other controllers from the same system and/or zone.
• In case of doubt or suspicion, work with process and/or OT engineers, provide them with code
changes and understand the impact that the change can have on process or OT operations.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
Alert Example:
18-May-2023 Page 37 of 46
CTD Alert Behavior Policy Rule Match
Communication matching policy rule ID 182 was detected from 10.234.125.254 to 10.121.70.151
• Ignore
• Acknowledge
• Ignore - Rejects the action that triggered the alert. Since this is a custom alert (based on
parameters you specify in Zone Rules), alerts of the same type will always be generated again.
• Acknowledge - Rejects the action that triggered the alert. Since this is a custom alert (based on
parameters you specify in Zone Rules), alerts of the same type will always be generated again.
The only difference between the two actions is how they are logged to help with auditing.
18-May-2023 Page 38 of 46
CTD Alert Behavior Policy Violation
The Policy Violation mechanism automatically generates rules that control alert strategies. These
rules differentiate between allowed versus suspicious communication. A Policy Violation alert is
triggered when the communication detected between assets did not match any explicit ‘Allow’ or
‘Alert’ rules. The implicit ‘Alert on Anything’ rule is matched by default.
Alert Example:
Policy Violation: New authentication operation communication parameters were detected from
10.234.125.254 to 10.121.70.151
18-May-2023 Page 39 of 46
CTD Alert Behavior Policy Violation
• View the Alert Graph section for a graphical view of assets involved and helps in understanding
the detected communication.
• Understand which assets are involved and their role, use this information to understand wheth-
er the communication that resulted in policy violation is expected between these systems.
• Understand the detected communication and policy which has been violated, including if it’s a
communication that was not seen previously.
• Find the closest existing policy rules and see how the detected communication differs from
them.
• Check the Baselines Summary sections for a summary of baselines for alerts.
• Understand which rules should be created/updated if any and added to the policy in order to
approve the detected communication so it does not trigger an alert if seen again
• Try to understand the consequences of the change. If the alert is identified as an unauthorized
communication, alert the relevant stakeholders on its priority.
• Ignore - Rejects the action that triggered the alert. Since this is a custom alert (based on
parameters you specify in Zone Rules), alerts of the same type will always be generated again.
• Acknowledge - Rejects the action that triggered the alert. Since this is a custom alert (based
on parameters you specify in Baseline Rules), alerts of the same type will always be generated
again.
The only difference between the two actions is how they are logged to help with auditing.
18-May-2023 Page 40 of 46
CTD Alert Behavior Port Scan
Port Scan is a network scanning technique, where a single asset tries to reach or scan multiple
ports on another host. This alert is generated when CTD detects a Port Scan in the environment.
Network scanning is a procedure for identifying active devices on a network by employing a
functionality in the network protocol to initiate a conversation with different devices and await a
response.
• Scan Time Frame – The time frame that the threshold should pass in order to create a network
scan alert.
• Min Requests – Minimum requests required to trigger a scan alert.
• Relevant Ports– Ports above this are not considered as part of the port count
Alert Example:
TCP Port Scan: Asset 193.26.166.166 sent probe packets to 10.9.158.196 IP address on different
ports.
• When a port scan occurs within the network, evaluate the machine that performed this scan,
the pathway the attacker used, and the affected machine to ensure they are not vulnerable to
remote network attacks.
18-May-2023 Page 41 of 46
CTD Alert Behavior Settings Change
• Look into the asset that was scanning and its last activities in the network - whether this asset or
its activities seems malicious
• Look into the ports that were scanned - are there any vulnerabilities known in these ports?
• Look into the assets that were scanned - is there anything common to these assets? Are they all
in the same subnet? Are they all of the same kind? Are they critical to the process?
• Check Indicators showing, for instance:
• Whether a similar scan was approved previously.
• Whether the scan was performed on a common or uncommon port.
• Whether the scan was within or across subnets.
• Whether the source asset was previously involved in network scans.
• Approve
• Archive
Alert Example:
18-May-2023 Page 42 of 46
CTD Alert Behavior Suspicious Activity
• Approve
• Archive
• Approve - Approves the action that triggered the alert. If an identical action or communication is
performed among the same group of Assets or Zones, an Alert with identical characteristics will
not be generated for 30 days.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Malformed Packets
• Operational Error
18-May-2023 Page 43 of 46
CTD Alert Behavior Suspicious Activity
• Invalid Sessions
• Unknown Object
• Protocol DDoS
• Review the Event Details section of the alert, which contains the details of the suspicious/mali-
cious activity that was detected.
• Identify the assets that exhibit the suspicious activity and determine whether this activity is the
result of a misconfiguration, or if it is potentially malicious.
• In case of doubt or suspicion, work with process and/or OT engineers to get access to the
affected assets and further investigate.
• Understand the impact on process or OT operations and develop a suitable response plan.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 44 of 46
CTD Alert Behavior Suspicious File Transfer
CTD is able to identify the transfer of malicious files, by matching them against signatures of
known malicious files via out-of-the-box Yara rules.
Alert Example:
Suspicious file transfer found! File 'unknown_file_name' was transferred via 'http' and matched
the following Yara rules: ['RANSOM_Kraken.yar/kraken_cryptor_ransomware'], Transferred from
10.243.188.213
• Review the alert Title, which provides the malicious file name. The title also includes the detail of
the Yara rule that led to this detection.
• Inspect the Event Details section, to review the signature that was matched in this alert.
• Understand the nature of the threat that is linked to the Yara rule, such as whether the malware
referenced in the rule is ransomware or something else, and which vulnerabilities it uses.
• Review both the source and destination asset involved in this communication, whether they
have the vulnerability that is exploited by this threat. Is this threat seen on other devices with
which these assets are communicating?
• Consider scanning the assets involved in communication with AV software, to ensure that they
are not compromised.
• Approve
• Archive
• Approve - Approves the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
• Archive - Rejects the action that triggered the alert. Since this is a Security Alert, alerts of the
same type will always be generated again.
18-May-2023 Page 45 of 46
CTD Alert Behavior Suspicious File Transfer
18-May-2023 Page 46 of 46