ICS-CERT: Detection and Mitigation Recommendations

Wednesday, June 06, 2012

Infosec Island Admin


(part one - Preserving Forensic Data - here)

Cyber Intrusion Mitigation Strategies Part Two: Detection and Mitigation Recommendations

ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.

It is not intended to be a detailed examination of all actions involved in incident response but is an attempt to provide high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.

This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.

The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.

The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.


Enhancing the organization’s overall network security posture can be an expensive and time-consuming process. However, while responding to a suspected or confirmed intrusion, it makes sense to focus on the relatively low-cost strategies that can positively impact security in the near term.


When an organization suspects that a network compromise has occurred, the primary concern should be to minimize lateral movement through networks, including possible migration into control system networks. Lateral movement can be identified by a number of tools and techniques including network intrusion prevention systems (IPS), intrusion detection systems (IDS), firewall logs, proxy logs, DNS logs, system logs, flow data, and packet captures.

Also, while it might seem reasonable to find and eliminate the intruder on a machine-by-machine basis as compromised hosts are identified, the cleanup process will likely not succeed unless the response also prevents lateral movement of the adversary across the network.

It is essential that the response team identify the extent of the intrusion—how many machines have been compromised and on which areas of the network—and isolate the affected machines from the network so the adversary cannot continue to spread while the response team deals with the known compromised systems.
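As an added example (not code from the ICS-CERT document or from Infosec Island), the following Python script shows how flow data can surface the two patterns the guidance calls out: a host fanning out to many internal peers over administrative ports, and traffic crossing from the enterprise network into the control system network. The subnets, the port list and the flow records are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (constructed for this example, not from the guidance).
ENTERPRISE = ipaddress.ip_network("10.1.0.0/16")
CONTROL = ipaddress.ip_network("10.200.0.0/16")
# Ports commonly used for remote administration; fan-out on these is a lateral-movement signal.
ADMIN_PORTS = {22, 445, 3389, 5985}  # SSH, SMB, RDP, WinRM

# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.1.5.21", 445),
    ("10.1.5.20", "10.1.5.22", 445),
    ("10.1.5.20", "10.1.5.23", 3389),
    ("10.1.5.20", "10.1.5.24", 445),
    ("10.1.5.20", "10.200.1.10", 3389),   # enterprise host reaching into the control network
    ("10.1.7.31", "10.1.7.1", 53),        # ordinary DNS lookup
    ("10.1.7.31", "10.1.5.100", 445),     # a single file-share access, below the threshold
    ("10.200.1.10", "10.200.1.11", 502),  # Modbus inside the control network, expected
]


def analyze_flows(flows, fanout_threshold=3):
    """Return (fanout, crossings).

    fanout:    {source -> sorted list of distinct peers} for sources that contacted
               at least fanout_threshold distinct hosts on administrative ports.
    crossings: flows whose source is in the enterprise range and destination in the
               control range, i.e. candidate migration into the control system network.
    """
    peers = defaultdict(set)
    crossings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in ENTERPRISE and d in CONTROL:
            crossings.append((src, dst, port))
        if port in ADMIN_PORTS and s != d:
            peers[src].add(dst)
    fanout = {src: sorted(p) for src, p in peers.items() if len(p) >= fanout_threshold}
    return fanout, crossings


def isolation_candidates(fanout, crossings):
    """Hosts the response team should consider isolating first: every fan-out source
    plus both ends of any enterprise-to-control crossing."""
    hosts = set(fanout)
    for src, dst, _ in crossings:
        hosts.update((src, dst))
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    fan, cross = analyze_flows(SAMPLE_FLOWS)
    print("fan-out sources:", fan)
    print("boundary crossings:", cross)
    print("isolate first:", isolation_candidates(fan, cross))
```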

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01.pdf
