Skip to main content
 
 
 
Splunk Lantern

Monitoring remote access to Operational Technology environments

 

Remote desktop connections (otherwise known as Remote Desktop Protocol, or RDP) are often used for support staff and vendors for access into the Operational Technology (OT) environment. OT systems often control critical equipment and handle sensitive data, and they need to be protected against threats that could shut down critical operations. A security breach through remote access can create production shutdowns, data loss and safety risks in these environments. This article shows you how to use the Splunk platform to detect RDP traffic in your environment.

It is strongly recommended to use more secure alternatives to RDP, such as solutions with MFA or specialized remote access software that is designed for OT environments.

Data required

Data from manufacturing hosts to monitor the Windows security logs is required for this use case. To bring in events from the Windows event store, it is recommended to use the Splunk Add-on for Microsoft Windows, which ensures these events are Common Information Model (CIM) compliant. This add-on is most often used with a Splunk universal forwarder on the host or on a Windows event collector (WEC) host.

How to use Splunk software for this use case

Stage 1: Identify critical remote access hosts

Access to OT environments often occurs by accessing specific hosts (often known as jump servers). In order to identify remote access from external environments, you'll need to create a macro that limits searches to only those hosts that are exposed externally. If access is allowed to any host, then the macro can be adjusted to specify any host.

Create a macro called is_remote_access_host . This should take in a host and then return true or false to confirm whether the host can be used to connect externally to the OT environment.

To do this, you can:

  • Use a lookup table that has a list of remote access hosts.
  • Use a lookup table that has a list of IP ranges for OT devices (for example, specific networks that can be used within an OT DMZ).
  • Use a static list of OT devices or characteristics (such as host name pattern or asset type).

Stage 2: Identify remote desktop connections with Windows Security logs

Windows security logs provide details on any authentication attempts made to hosts, whether internal or external. In addition, specific event IDs and login types are associated with successful local and remote access. Because many OT environments include both legacy and newer Windows operating systems, you'll use event IDs for both legacy and newer Windows operating systems.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source=WinEventLog:Security Logon_Type=10 ((EventCode=4624 OR EventCode=528) OR (EventCode=4625 OR EventCode=529))
| eval action=CASE(EventCode=4624 OR EventCode=528, "Success", EventCode=4625 OR EventCode=529, "Failure")
| search `is_remote_access_host(dest)`=true
| table _time, user, src, dest,action

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

source=WinEventLog:Security

Search only Windows Security logs.

Logon_Type=10

Search for logon type 10, which indicates remote logons.

((EventCode=4624 OR EventCode=528) OR

Search for event codes 4624 and 528, which indicate successful logins.

(EventCode=4625 OR EventCode=529))

Search for event codes 4625 and 529, which indicate failed logins.

| eval action=CASE(EventCode=4624 OR EventCode=528, "Success", EventCode=4625 OR EventCode=529, "Failure")

Enumerate the login results as success or failure.

Stage 3: Identify remote desktop connections with network traffic logs

Network traffic logs provide details on any connections made to hosts whether internal or external. However, they might be less reliable than Windows security events since many firewalls might only be able to identify a port and not a specific application.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

tag=network tag=communicate (dest_port=3389 OR app=RDP)
| search `is_remote_access_host(dest)`=true
| table _time, user, src, dest

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

tag=network tag=communicate

Search only network traffic logs.

(dest_port=3389 OR app=RDP)

Search port 3389 for traffic that has been labeled as RDP.

| search `is_remote_access_host(dest)`=true

Search for connections to the remote access host as a destination.

| table _time, user, src, dest

Show the time, user, source, and destination.

Next steps

The following dashboard shows an example of how you might monitor remote access hosts in OT environments:

MFG_RemoteAccess.png

Using this data, excessive login failures can be analyzed to determine if they are attempts to compromise critical OT systems. Excessive login failures can also represent poor practices like disconnecting RDP sessions versus logging out of the system.

In addition, it is important to monitor other kinds of remote access such VPN, screen sharing software (such as VNC), or logins for non-Windows based systems. These data types could be added to the above dashboard and tagged with the appropriate application.

The following dashboard shows an example of monitoring remote access in the OT Security Add-on for Splunk:

MFG_RemoveAccess_OTSecurityApp.png

Other resources you might be interested in include:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.