Detecting Malware Operating Within My IT/OT Networks

CHALLENGE

Detecting Advanced Malware Operating Within My IT/OT Networks

Pharmaceutical companies are attractive targets for cyber criminals, thanks to their valuable intellectual property on drugs and research.

The convergence of OT, IT, and IoT environments gives bad actors more opportunities to exploit. They take advantage of the expanded attack surface created by increased connectivity between these systems. The integration of physical machines with networked sensors and software means that these industrial assets connect, communicate and interact within new cyber-physical systems (CPS).

This means that while a malware attack might begin in your IT network, it could ultimately migrate to the OT network via systems accessible to both environments.

The Asset Intelligence and Threat Intelligence subscriptions continuously update Guardian™ appliances so you can detect and respond to cyber threats and operational anomalies before they disrupt production lines or lead to theft of intellectual property.

SOLUTION

Automated Monitoring of the Pharma OT Network to Identify Threats

The Nozomi Networks solution alerts pharma security teams to early stage reconnaissance and compromise activities, and provides the information needed to respond before damage occurs. The Threat Intelligence service delivers up-to-date threat and vulnerability information to stay on top of the dynamic threat landscape and reduce mean-time-to-detection (MTTD).

An important part of neutralizing threats before they can migrate from IT to OT, or vice versa, involves early warning.

Advanced persistent threat malware goes through different phases during an attack. The Nozomi Networks solution uses behavior-based anomaly detection and multiple types of signature and rule-based detection to detect malware at each phase. It alerts operators to early stage infection and reconnaissance activities, and provides the information needed to take action before a final attack occurs.

  • In Phase 1, anomaly detection identifies malware that is beaconing out to an external Command and Control server (C&C) through its connections to a new public IP address. Then, using YARA rules, its built-in analysis toolkit immediately identifies specific files associated with the malware. Assertions can also be used to detect data and events in network traffic related to the presence of the malware at a particular site.
  • In Phase 2, the malware prepares for attack by triggering a learning process. During this phase, the solution’s anomaly detection identifies new commands in the host network and generates alerts that include command sources. Even if the malware uses regular industrial protocols to communicate, its messages will vary from the system’s baseline behavior, allowing them to be singled out.
  • In Phase 3, if an attack occurs, it is quickly identified and an alert is sent out. This enables you to implement new firewall rules, or take other actions to stop further attack commands.
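The Phase 1 and Phase 2 checks above both reduce to comparing observed traffic against a learned baseline. The following is an added illustration of that idea, not Nozomi Networks code: a per-host baseline of known destinations and known protocol commands is built from a learning period, and flows that introduce a new external destination (a beaconing candidate) or a new command from a host are raised as alerts. The flow records, the internal address ranges and the command names are constructed for this example.

```python
"""Baseline-driven anomaly detection sketch (added example, not vendor code)."""
import ipaddress
from collections import defaultdict

# Constructed: address ranges this site treats as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed baseline learned during normal operation:
# per-host destination IPs and per-host (protocol, command) pairs.
BASELINE_DESTS = {
    "10.1.20.5": {"10.1.20.10", "10.1.20.11"},
    "10.1.20.10": {"10.1.20.5"},
}
BASELINE_CMDS = {
    "10.1.20.5": {("modbus", "read_holding_registers")},
}

# Constructed flow records: (source, destination, protocol, command or None).
FLOWS = [
    ("10.1.20.5", "10.1.20.10", "modbus", "read_holding_registers"),   # baseline
    ("10.1.20.5", "198.51.100.77", "tls", None),                        # new external dst
    ("10.1.20.10", "10.1.20.5", "modbus", "write_single_register"),     # new command
    ("10.1.20.5", "10.1.20.11", "modbus", "read_holding_registers"),    # baseline
    ("10.1.20.5", "198.51.100.77", "tls", None),                        # repeat, no re-alert
]

def is_external(ip):
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(flows, baseline_dests, baseline_cmds):
    """Return one alert per first-seen deviation from the baseline."""
    alerts = []
    seen_dests = defaultdict(set, {h: set(d) for h, d in baseline_dests.items()})
    seen_cmds = defaultdict(set, {h: set(c) for h, c in baseline_cmds.items()})
    for src, dst, proto, cmd in flows:
        if dst not in seen_dests[src]:
            seen_dests[src].add(dst)
            if is_external(dst):  # Phase 1: possible C&C beacon to a new public IP
                alerts.append(("new_external_destination", src, dst))
        if cmd is not None and (proto, cmd) not in seen_cmds[src]:
            seen_cmds[src].add((proto, cmd))  # Phase 2: command not in host's baseline
            alerts.append(("new_command", src, f"{proto}:{cmd}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS, BASELINE_DESTS, BASELINE_CMDS):
        print(alert)
```

A real deployment would also record the command source and timestamp on each alert so the event can be correlated with firewall actions.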

Thanks to integration with multiple firewalls, the Nozomi Networks solution can go beyond detection to tackle prevention, by automatically triggering the implementation of rules that block an attack upon detection of irregular commands.

Stay Up-to-date on Emerging Threats with Threat Intelligence

The Threat Intelligence subscription delivers up-to-date industrial threat intelligence to the Nozomi Networks solution, making it easy for you to detect threats and identify vulnerabilities in your environment.

When new information is received, Vantage rapidly checks your network for the presence of new malware and vulnerabilities. If a threat is found, you are immediately notified.

Let's get started

Discover how easy it is to anticipate, diagnose and respond to cyber threats by automating your IoT and OT asset discovery, inventory, and management.