Incident of the Month: Zero Day Exploit Detection

In the past, several of our customers have witnessed zero day vulnerabilities in their OT networks. One manufacturing company witnessed both: zero day vulnerabilities that were already known but not yet patched, and a zero day exploit that was novel at the time.

They had been running our ICS monitoring and anomaly detection solution, Rhebo Industrial Protector, when it alerted them to both anomalies in short succession.

What is your System's Risk Exposure?

The first notification they received was a report on an existing vulnerability in their infrastructure, as documented in the CVE database. Rhebo Industrial Protector screens OT environments to create a comprehensive map of all devices and communication active within the infrastructure. As part of this plant asset inventory, devices are analyzed for their firmware versions and other relevant properties. These are matched against the CVE documentation to find known vulnerabilities. In this case the vulnerability CVE-2012-1816 was detected and reported.
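The inventory-to-CVE matching described above comes down to comparing each device's vendor, product and firmware version against the affected version range of each advisory. The following is an added illustration, not Rhebo's code: the device list, the advisory records and the CVE identifiers (CVE-0000-0001, CVE-0000-0002) are constructed placeholders, and the record layout (vendor, product, first affected version, fixed-in version) is an assumption chosen for the example.

```python
"""Match a plant asset inventory against CVE-style advisory records.

Added example with constructed data. Device names, vendors, products and
the CVE ids CVE-0000-000N are placeholders, not real devices or advisories.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    product: str
    firmware: str


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    first_affected: str        # first firmware version that carries the flaw
    fixed_in: Optional[str]    # first version containing the fix; None = no fix published


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.10.3' into (2, 10, 3) so that versions compare numerically.

    A plain string comparison would rank '2.9.0' above '2.10', which is
    exactly the mistake that makes an unpatched device look fixed.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def find_vulnerable(devices: List[Device], cves: List[CveRecord]) -> List[Tuple[str, str]]:
    """Return (device name, CVE id) pairs for every device inside an affected range."""
    findings = []
    for device in devices:
        firmware = version_key(device.firmware)
        for cve in cves:
            if (device.vendor.lower(), device.product.lower()) != (cve.vendor.lower(), cve.product.lower()):
                continue
            if firmware < version_key(cve.first_affected):
                continue
            if cve.fixed_in is not None and firmware >= version_key(cve.fixed_in):
                continue
            findings.append((device.name, cve.cve_id))
    return findings


# Constructed inventory as an asset-discovery pass might produce it.
DEVICES = [
    Device("HMI-01", "ExampleVendor", "PanelView-X", "2.9.0"),
    Device("HMI-02", "ExampleVendor", "PanelView-X", "2.10.3"),
    Device("PLC-07", "ExampleVendor", "LogicCtrl", "20.11"),
]

# Constructed advisory records with placeholder ids.
CVES = [
    CveRecord("CVE-0000-0001", "ExampleVendor", "PanelView-X", first_affected="2.0", fixed_in="2.10"),
    CveRecord("CVE-0000-0002", "ExampleVendor", "LogicCtrl", first_affected="20.0", fixed_in=None),
]


if __name__ == "__main__":
    for name, cve_id in find_vulnerable(DEVICES, CVES):
        print(f"{name}: matches {cve_id}")
```

HMI-01 at firmware 2.9.0 is flagged while HMI-02 at 2.10.3 is not, which only works because versions are compared as integer tuples; PLC-07 is flagged because no fixed version exists yet, the situation in which the only option is to watch the device closely until a patch is available.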

The operators decided to update the affected workstations in their next maintenance window. Until then, the workstations were closely monitored with Rhebo Industrial Protector. For that purpose they created a customized view for both workstations in Rhebo Industrial Protector to follow their communication specifically, so that any exploitation of the vulnerability would be visible.

Suspicious Behavior of Web Server

A few weeks later, the operators were notified about suspicious, previously unseen behavior of one of their web servers. Rhebo Industrial Protector reported a client error and an untypical increase in HTTP traffic. Immediate analysis revealed that an external attacker had sent a manipulated header string to the server, which allowed them to change parameters in the application. Even though the attacker was able to affect a small part of the production for a short period of time, the Cybersecurity Manager was able to prevent further spreading and disruption. The forensic data and real-time notification by Rhebo Industrial Protector allowed him to quickly block the communication, upgrade the web server’s firmware and reconfigure the firewall.
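The two signals that surfaced this incident, a client error and an untypical rise in HTTP traffic, are both deviations from a learned baseline rather than matches against a known signature. The following is an added example of how such a baseline check can be run over web server log lines; it is not Rhebo's code and does not reproduce the product's detection logic. The log format (time, source, method, path, status, header length), the sample lines and the thresholds are constructed for the example.

```python
"""Flag untypical HTTP traffic: volume spikes, client-error bursts, oversized headers.

Added example with constructed log lines; not Rhebo code. The log format is an
assumption: "HH:MM:SS <source> <METHOD> <path> <status> hdr=<header bytes>".
"""
import re
from statistics import mean, pstdev
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<minute>\d{2}:\d{2}):\d{2} (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) hdr=(?P<hdrlen>\d+)$"
)


def build_sample_log() -> List[str]:
    """Constructed log: five quiet minutes, then one minute that looks like the incident."""
    lines = []
    for minute in range(5):                       # 10:00 .. 10:04, three ordinary requests each
        for i in range(3):
            lines.append(f"10:0{minute}:{i * 15:02d} 10.1.5.{20 + i} GET /status 200 hdr={280 + i * 5}")
    for i in range(12):                           # 10:05: one external client, many 4xx, huge header
        status = 400 if i % 2 else 200
        lines.append(f"10:05:{i * 4:02d} 203.0.113.7 GET /api/set?param={i} {status} hdr=4096")
    return lines


def per_minute_stats(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Aggregate request count, 4xx count and largest header size per minute."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # unparseable lines are skipped, not counted
        s = stats.setdefault(m["minute"], {"count": 0, "errors": 0, "max_hdr": 0})
        s["count"] += 1
        if m["status"].startswith("4"):
            s["errors"] += 1
        s["max_hdr"] = max(s["max_hdr"], int(m["hdrlen"]))
    return stats


def detect_anomalies(lines: List[str], baseline_minutes: int = 5, k: float = 3.0,
                     max_error_ratio: float = 0.25) -> List[Tuple[str, List[str]]]:
    """Learn a baseline from the first minutes, then report minutes that deviate from it."""
    stats = per_minute_stats(lines)
    minutes = sorted(stats)
    baseline = [stats[m] for m in minutes[:baseline_minutes]]
    counts = [b["count"] for b in baseline]
    # Floor the deviation at one request so a perfectly flat baseline still leaves headroom.
    count_threshold = mean(counts) + k * max(pstdev(counts), 1.0)
    hdr_threshold = 2 * max(b["max_hdr"] for b in baseline)

    alerts = []
    for minute in minutes[baseline_minutes:]:
        s = stats[minute]
        reasons = []
        if s["count"] > count_threshold:
            reasons.append("traffic spike")
        if s["count"] and s["errors"] / s["count"] > max_error_ratio:
            reasons.append("client-error burst")
        if s["max_hdr"] > hdr_threshold:
            reasons.append("oversized header")
        if reasons:
            alerts.append((minute, reasons))
    return alerts


if __name__ == "__main__":
    for minute, reasons in detect_anomalies(build_sample_log()):
        print(f"{minute}: {', '.join(reasons)}")
```

On the constructed log the five baseline minutes carry three requests each, so the spike threshold lands at six requests per minute and the header threshold at twice the largest header seen; the sixth minute trips all three checks. In practice the baseline window must be taken from a period known to be clean, otherwise the attacker's traffic becomes part of "normal".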

Solution: Anomaly Detection for Holistic Protection

Conventional cybersecurity solutions like firewalls or intrusion detection systems are blind to vulnerabilities and novel attack methods. Anomaly detection systems like Rhebo Industrial Protector analyze the whole network communication in real time and report every deviation from legitimate communication in the OT infrastructure.