When it comes to improving OT (operational technology) cybersecurity, a vulnerability assessment provides insightful information so businesses can have a better understanding of their infrastructure and security risks. A vulnerability assessment analyzes the environment to discover potential issues that might compromise security, overall business operations, compliance and/or network privacy. The purpose is to use this insight to address these issues before a malicious actor gains unauthorized access.
BENEFITS OF VULNERABILITY ASSESSMENTS
Vulnerability Assessments identify vulnerabilities, misconfigurations and gaps against OT security best practices. Each finding is assigned a severity level along with direction on how to remediate or mitigate it, so it can be fixed before a malicious actor takes advantage of it.
- Identifies vulnerabilities and misconfiguration of ICS hardware, software, and networks
- Identifies risks associated with existing processes, standards, and personnel
- Identifies current capabilities to protect against, detect, respond to, and recover from attacks, security anomalies, or incidents
VULNERABILITY ASSESSMENT METHODOLOGY
Red Trident’s Vulnerability Assessments are broken up into four modules: domain enumeration, workstation enumeration, network enumeration, and configuration analysis.
It is nearly impossible today to enter an environment that does not use Active Directory domain services somewhere. Active Directory offers real security benefits: access to network resources is controlled from a central location, organizational units can be arranged to mirror the organization’s structure and business needs, and user identities and access privileges are managed centrally, which simplifies administration and reduces operating expenses. Even so, oversights in how it is configured can be abused by malicious actors.
The goal of Red Trident’s domain enumeration is not to compromise the security of a network, but to assess its exposure to potential attacks, improve security measures, and help organizations maintain a well-organized network infrastructure.
Findings commonly associated with domain enumeration include how elevated privileges are handled on the domain; user, service, or computer objects with excessive privileges; user, service, or computer objects susceptible to Kerberoasting, unconstrained or constrained delegation, or AS-REP roasting; and more.
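The domain findings listed above can be checked mechanically from the attributes on each account object. The following is an added illustration, not Red Trident’s tooling: it runs over constructed user records shaped like Active Directory objects (the sample account names, groups and SPNs are invented; the bit values are the documented userAccountControl flags) and assigns each finding a severity the way the report described earlier does.

```python
UF_TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000  # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, protocol transition
NORMAL_ACCOUNT = 0x10200  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample directory records; no real accounts.
SAMPLE_USERS = [
    {"name": "svc_historian", "uac": NORMAL_ACCOUNT, "groups": ["Domain Admins"],
     "spn": ["MSSQLSvc/hist01.ot.example:1433"], "delegate_to": []},
    {"name": "legacy_ops", "uac": NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
     "groups": [], "spn": [], "delegate_to": []},
    {"name": "svc_backup", "uac": NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "groups": [], "spn": ["HOST/bkp01.ot.example"], "delegate_to": []},
    {"name": "svc_web", "uac": NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "groups": [], "spn": ["HTTP/web01.ot.example"],
     "delegate_to": ["CIFS/fs01.ot.example"]},
    {"name": "eng01", "uac": NORMAL_ACCOUNT, "groups": ["Engineers"], "spn": [],
     "delegate_to": []},
]

def audit_user(user):
    """Return (finding, severity) pairs for one user object."""
    findings = []
    uac = user["uac"]
    privileged = bool(PRIVILEGED_GROUPS & set(user["groups"]))
    if user["spn"]:
        # An SPN on a user account exposes its password to offline guessing
        # through service tickets; a privileged owner raises the impact.
        findings.append(("kerberoastable service account", "high" if privileged else "medium"))
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append(("as-rep roastable (pre-authentication disabled)", "high"))
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append(("unconstrained delegation", "high"))
    if user["delegate_to"]:
        kind = "protocol transition" if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos only"
        findings.append((f"constrained delegation ({kind})", "medium"))
    if privileged and user["spn"]:
        findings.append(("service account in privileged group", "high"))
    return findings

def audit_domain(users):
    """Map account name -> findings, skipping clean accounts."""
    return {u["name"]: f for u in users if (f := audit_user(u))}

if __name__ == "__main__":
    for name, findings in audit_domain(SAMPLE_USERS).items():
        for finding, severity in findings:
            print(f"[{severity}] {name}: {finding}")
```

Remediation for each finding is the usual one: move SPNs to group-managed service accounts, re-enable pre-authentication, and replace unconstrained delegation with resource-based constrained delegation.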
As OT environments are generally described as a system of systems, there is a high likelihood of a large presence of Microsoft Windows-based systems in the environment. Workstation enumeration plays a crucial role in maintaining a secure and well-managed network environment. By analyzing workstations’ operating systems, software applications, and security configurations, Red Trident is able to assess the security posture of the endpoints directly. This effort identifies vulnerabilities, misconfigurations, and potential risks that could be exploited by a malicious actor.
Findings commonly associated with workstation enumeration include how local administrator accounts are managed on the workstations, services or applications present on the workstations that offer an opportunity for privilege escalation and/or lateral movement, and more.
Enumerating a network safely in an OT environment requires careful planning and consideration of the unique characteristics of OT systems. The primary goal of this module is to gather information about the network’s assets, topology, and configurations without disrupting operational processes. Red Trident starts this module by obtaining proper authorization from the relevant stakeholders to ensure the team has the necessary permissions to conduct the activities. The Red Trident team walks the customer’s team through the plan and how it will be carried out, and ensures the effort is coordinated so that any adverse impact can be responded to.
Red Trident also uses non-intrusive methods for network enumeration to avoid disrupting operational processes. These include passive techniques such as network sniffing and passive DNS analysis, which provide insight without generating additional network traffic.
Findings commonly associated with network enumeration include devices configured with default or common credentials, devices communicating (or attempting to communicate) with the internet, insecure protocols in use, and more.
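Two of the findings above, internet-bound devices and insecure protocols, can be surfaced from passive capture alone, along with assets that are missing from the inventory. The following is an added illustration, not Red Trident’s tooling: it runs over constructed flow summaries (the addresses, ports, inventory and the 10.0.0.0/8 plant address space are all invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public addresses) and never sends a packet.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space the (constructed) plant owns; anything else is treated as
# outside the OT network. Assumed for this example, not from the original page.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp v1/v2c"}
KNOWN_ASSETS = {"10.20.1.5", "10.20.1.15", "10.20.1.30"}  # constructed inventory

# Constructed flow summaries (src, dst, dst_port, proto) of the kind a passive
# capture yields; no real traffic.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.5", 502, "tcp"),     # Modbus/TCP inside the cell zone
    ("10.20.1.15", "10.20.1.5", 23, "tcp"),      # telnet to the same controller
    ("10.20.1.30", "10.20.1.40", 80, "tcp"),     # plaintext HTTP management page
    ("10.20.1.30", "203.0.113.7", 443, "tcp"),   # attempt to reach the internet
    ("10.20.1.44", "198.51.100.53", 53, "udp"),  # public DNS resolver
    ("10.20.1.15", "10.20.1.5", 23, "tcp"),      # duplicate flow, reported once
]

def is_internal(addr):
    """True when addr falls inside the plant's own address space."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def analyse_flows(flows):
    """Return findings keyed by host as sorted (finding, detail, severity) lists."""
    findings = defaultdict(set)
    for src, dst, dport, proto in flows:
        # Any internal host seen on the wire but absent from the inventory is a gap
        # in asset knowledge, regardless of what it was talking to.
        for host in (src, dst):
            if is_internal(host) and host not in KNOWN_ASSETS:
                findings[host].add(("unknown asset", "not in inventory", "medium"))
        if not is_internal(dst):
            findings[src].add(("internet-bound", f"{proto}/{dport} to {dst}", "high"))
        if dport in INSECURE_PORTS:
            findings[src].add(("insecure protocol", f"{INSECURE_PORTS[dport]} to {dst}", "medium"))
    return {host: sorted(f) for host, f in findings.items()}

if __name__ == "__main__":
    for host, items in analyse_flows(SAMPLE_FLOWS).items():
        for finding, detail, severity in items:
            print(f"[{severity}] {host}: {finding} ({detail})")
```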
Configuration analysis refers to the process of evaluating and analyzing the settings and parameters of hardware, software, and network components within an OT environment. The goal of configuration analysis is to ensure that these components are properly configured according to the established best practices, security guidelines, industry standards, and organizational policies. This module also helps identify any deviations or vulnerabilities that might expose the environment to security risks or operational issues.
Red Trident reviews customer-provided firewall and/or switch configurations and other network-related artifacts to accomplish this module.
Findings commonly associated with configuration analysis include overly permissive firewall rules, deviations from firewall management best practices, overly exposed services, and more.
Find Vulnerabilities Others Overlook
There are many cybersecurity companies that offer vulnerability assessments, but very few focus on ICS environments and OT security. The Red Trident team has decades of experience across multiple ICS environments and verticals. We understand that production environments are sensitive and often very complex. We recognize that even small interruptions to operations can have a profound impact on output.
Red Trident’s Vulnerability Assessment Scoping Process
We understand that common mitigation controls, such as patching, might not be possible due to the sensitivities of solutions and technology commonly found within ICS environments. For reasons like this, our vulnerability assessment process includes collaboration and working with your team to make sure we’re addressing your concerns and unique business environments.
What’s Included in the Vulnerability Assessment
Once the assessment is concluded, customers can expect to receive a report consisting of the following components:
Why Red Trident
We work with you and do our best to be your cybersecurity partner. We listen to your concerns and make sure that we’re aligned with your business priorities. We don’t just come in, sell a service, write a report and walk away. We’re here for you. We explain our findings, answer any questions you might have and work with you to help where needed.
Unlike most vulnerability assessment companies, we have the expertise to offer remediation services, especially when it comes to critical infrastructure. And if you have your own team, that’s great! We’re happy to take a step back as your team handles the remediation (or parts of it). We can also provide training to your team if they need some assistance. We’re flexible.
Our team consists of leaders in the ICS field with decades of combined experience in the public sector, private sector, and military. We’ve presented at major security conferences such as DEF CON, Black Hat, various ISACs, SANS ICS Summits, etc. We also understand how to communicate in a way that is easy to understand so you don’t end up feeling overwhelmed or confused.
We can conduct network vulnerability assessments either onsite or remotely. We typically recommend remote but in rare cases that involve very complex environments, an onsite visit can be arranged. Remote also lets us do the assessment with less set-up time and is more cost effective, while still providing vital insight into the threat landscape of your organization.
We work with you to develop rules of engagement such as respecting windows of time where the assessment should not be performed, not using tools that may result in high volume network traffic or could cause denial of service situations, etc. Our goal is to discover your vulnerabilities without negatively impacting your operations. We’re happy to work with whatever constraints you have.
Yes, we offer many options. We can take care of remediation for you or work together with your team to handle components that are outside their expertise. We also offer training options if that’s something that you’re interested in.
Once remediation is complete, you can engage Red Trident again to conduct penetration testing of the environment to validate the implemented controls and remediations. Once complete, you will receive a report that references the network vulnerability assessment report and the findings associated with the engagement. Security is an ongoing matter… we recommend you keep up with security updates and regular scans and incorporate security best practices. It’s also a good idea to schedule your next assessment ahead of time.
The minimum recommended interval is once per year or after significant changes to infrastructure or business operations have been made. However, depending on the business criticality of the systems being tested, some businesses opt for quarterly or monthly testing. Organizations with high-security requirements may also be required to complete a vulnerability assessment at specific intervals for compliance or when a merger or acquisition (M&A) is being considered.
Schedule a Call
Schedule a brief call to learn more about Red Trident’s vulnerability assessment and see if it’s a good fit for you.