Pressure is increasing on manufacturers to monitor their shop floors in order to avoid major disruptions in supply chains. A recent example of such a risk is CVE-2023-3595. This vulnerability has a CVSS score of 9.8 (i.e., very bad).
It involves the use of CIP (Common Industrial Protocol). As such, you wouldn’t expect the typical IOCs like IP addresses and file hashes that you could add to your SIEM to detect exploitation of this vulnerability. You would need to sniff your factory network, looking for malicious use of the CIP protocol. This is where OT security tools like Defender for OT come in. (Since we’re just talking about OT here I’m going to drop the IoT…)
Here’s a quick walkthrough to getting started with Defender for OT:
Getting Started with Defender for OT
- Log in to the Azure portal, search for Defender for OT and select ‘Set up OT/ICS Security’.
- Download the sensor and install the ISO in a hypervisor like Hyper-V or VMware. (When setting up your VM, make sure to use at least 2 network interfaces: 1 for management and 1 for sniffing.)
- Connect the ‘sniffing’ network interface from your VM to a SPAN port on your network. If you’re just playing around with the sensor you can just have it sniff your home network or whatever is safe for you to monitor.
- After the sensor installation you will be provided 3 unique credentials to log in to the sensor’s web interface, so don’t lose those credentials.
- Get a license – there’s a 60 day trial license here in the M365 admin center: https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/getting-started
- Go back to the Azure portal and register your sensor. Once the sensor is registered it will give you a zip file which is the license key for that sensor.
How to Test Your Sensor:
- Download some sample pcap files, for example from here: https://github.com/EmreEkin/ICS-Pcaps
- Log in to your sensor (https://<ip address of sensor>) with the username ‘cyberx’ and the password that was given to you during the sensor installation.
- Go to System Settings > Play Pcap, and upload one of your sample pcap files.
- After selecting ‘play all’, your sensor will begin analyzing your pcap traffic.
- If nothing interesting is seen in the alerts tab you may need to create a custom alert to trigger some alerts. Some experience with network traffic analysis and Wireshark can be very useful.
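As an added example (not part of this post and not Defender for OT code), the following Python script builds a small pcap of constructed EtherNet/IP frames, the encapsulation that CIP rides on, which you can upload through Play Pcap, and then parses it back to baseline which clients send which encapsulation commands. It illustrates the point above that CIP detection is about protocol awareness rather than hashes: the only “indicator” is a host talking a protocol it has no business talking. All hosts, IPs, MACs and frame contents are made up; the command codes and the 24-byte header layout come from the EtherNet/IP specification.

```python
"""Build a small pcap of EtherNet/IP (CIP encapsulation) traffic and summarise which
clients send which encapsulation commands. Added example for this post; it is not
Defender for OT code. All hosts, MACs, IPs and frames below are constructed."""
import struct
from collections import defaultdict

ENIP_PORT = 44818  # EtherNet/IP encapsulation, the transport CIP rides over TCP/UDP

# Encapsulation command codes from the EtherNet/IP specification.
ENIP_COMMANDS = {
    0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
    0x0065: "RegisterSession", 0x0066: "UnregisterSession",
    0x006F: "SendRRData", 0x0070: "SendUnitData",
}


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def enip_packet(command: int, data: bytes = b"", session: int = 0) -> bytes:
    """24-byte encapsulation header (little-endian) followed by the command data."""
    return struct.pack("<HHIIQI", command, len(data), session, 0, 0, 0) + data


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH/ACK, no options) + payload; MACs are made up."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Classic pcap (magic 0xA1B2C3D4, linktype 1 = Ethernet) with one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield the frames of a classic little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_enip(frame: bytes):
    """Return (src_ip, dst_ip, command_name, is_request) for TCP/44818 frames, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4 over Ethernet, or not TCP
    tcp = 14 + (frame[14] & 0x0F) * 4
    if tcp + 13 > len(frame):
        return None  # IP options claim more header than the frame holds
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    if ENIP_PORT not in (sport, dport):
        return None
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    if len(payload) < 24:
        return None  # no complete encapsulation header
    command, length = struct.unpack("<HH", payload[:4])
    if len(payload) - 24 < length:
        return None  # header claims more data than the frame carries
    return src, dst, ENIP_COMMANDS.get(command, "Unknown(0x%04x)" % command), dport == ENIP_PORT


def summarise_clients(pcap: bytes) -> dict:
    """Map each client IP to the sorted encapsulation commands it sent (requests only)."""
    seen = defaultdict(set)
    for frame in read_pcap(pcap):
        rec = parse_enip(frame)
        if rec and rec[3]:
            seen[rec[0]].add(rec[2])
    return {src: sorted(cmds) for src, cmds in seen.items()}


def unexpected_clients(summary: dict, allowed_clients) -> list:
    """Clients talking EtherNet/IP that are not in the baseline allowlist."""
    return sorted(src for src in summary if src not in allowed_clients)


def sample_capture() -> bytes:
    """Constructed traffic: a workstation reads a PLC's Identity object, then an unknown host appears."""
    ws, plc, stranger = "192.0.2.10", "192.0.2.50", "192.0.2.99"
    # SendRRData carrying an unconnected Get_Attributes_All (0x01) on Identity class 1, instance 1
    cip = b"\x01\x02\x20\x01\x24\x01"
    rr = struct.pack("<IHH", 0, 0, 2) + struct.pack("<HH", 0, 0) + struct.pack("<HH", 0x00B2, len(cip)) + cip
    frames = [
        build_frame(ws, plc, 50000, ENIP_PORT, enip_packet(0x0065, b"\x01\x00\x00\x00")),
        build_frame(plc, ws, ENIP_PORT, 50000, enip_packet(0x0065, b"\x01\x00\x00\x00", 0x11)),
        build_frame(ws, plc, 50000, ENIP_PORT, enip_packet(0x006F, rr, 0x11)),
        build_frame(stranger, plc, 50001, ENIP_PORT, enip_packet(0x0063)),
        build_frame(stranger, plc, 50001, ENIP_PORT, enip_packet(0x0065, b"\x01\x00\x00\x00")),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    capture = sample_capture()
    with open("enip-sample.pcap", "wb") as fh:  # upload this via System Settings > Play Pcap
        fh.write(capture)
    summary = summarise_clients(capture)
    print(summary)
    print("not in baseline:", unexpected_clients(summary, {"192.0.2.10"}))
```

Running the script writes enip-sample.pcap next to it; open it in Wireshark first to confirm it decodes as ENIP/CIP, then upload it. The allowlist in `unexpected_clients` stands in for the asset baseline a sensor builds during its learning period: a host that is not in the baseline issuing RegisterSession or SendRRData is exactly the kind of deviation a custom alert should fire on, regardless of what the CIP payload is.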
Next Steps: Connect Defender for OT to Sentinel
- Back in the Azure portal, go to the Content Hub and install the Defender for OT solution bundle.
- Now go to Connectors and enable the Defender for IoT connector.
- Finally go to Analytics, search the templates for all of the OT rules and enable whatever you like.
References:
https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/ot-deploy/install-software-ot-sensor
https://www.netresec.com/?page=PcapFiles