On June 13, 2023, the United States Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 23-02, titled Mitigating the Risk from Internet-Exposed Management Interfaces. This BOD is aimed at reducing the risk posed by being able to configure or control federal agencies’ networks from the public internet. If you are curious about this threat, you should review MITRE ATT&CK’s T1133 - External Remote Services. They have over 40 reports stretching back to 2017 on the subject! Adversaries have been leveraging these internet-exposed interfaces for years, and this is a great step forward in securing them for the federal government.
CISA is prohibiting the remote management of federal information systems’ network devices, defined as “routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces (such as iLO and iDRAC)”, over common management protocols (HTTPS, SSH, etc.).
Agencies must, within 14 days of discovery or of CISA notification of the existence of one or more of these interfaces, do one of the following:
First, it’s important to recognize that Splunk is not a traditional Zero Trust policy enforcement point or tool for access control. That being said, Splunk Cloud and Splunk Enterprise do help identify misconfigurations such as these unprotected interfaces.
Using Splunk, you can ingest network traffic, firewall logs, and even wire data that can help identify source or destination traffic that is permitted when it should not be. An example would be running searches that identify SSH (port 22) traffic being allowed inside from outside the organization’s internal network and approved IP address ranges.
As a brief example, a Common Information Model (CIM) normalized search over a data model, such as the one below, can be adapted to your environment (e.g., by customizing the source/destination filters) to look at specific network segments for allowed network traffic to the common management ports called out in BOD 23-02.
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed AND All_Traffic.src_ip != "10.0.0.0/8" AND All_Traffic.dest_port IN ("20", "21", "22", "23", "69","161", "162") by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action
You can of course write a datasource-specific search without CIM, but the SPL necessary will depend on the data you’re hunting through. Enterprise Security customers can take advantage of the Interesting Ports lookup and customize it to fit their needs. Once this lookup is customized, you could implement the Splunk Threat Research Team’s detection “Prohibited Network Traffic Allowed” to be alerted when new traffic is seen. As with the search above, you would want to customize either the tstats base search or update the filter macros to reduce any false positives observed.
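To show the logic of the tstats search above outside Splunk, here is an added Python example (not code from Splunk or from the original post) that applies the same filter to constructed key=value firewall events: keep only allowed traffic, drop sources inside the approved internal ranges, keep only management destination ports, and group by source, destination and port with a count and first/last seen time. It generalises the search slightly by treating all three RFC 1918 blocks as approved and adding 443 for HTTPS consoles; both lists are assumptions you would tune to your own environment.

```python
import ipaddress
from collections import namedtuple

# Ports from the search above plus 443 for HTTPS consoles (assumption: tune to your environment).
MANAGEMENT_PORTS = {20, 21, 22, 23, 69, 161, 162, 443}

# Approved internal source ranges. The SPL on this page excludes only 10.0.0.0/8;
# this generalises it to all three RFC 1918 blocks (assumption).
APPROVED_SOURCE_RANGES = [ipaddress.ip_network(c) for c in
                          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed CIM-style firewall events (key=value), not real traffic.
SAMPLE_EVENTS = [
    "_time=1686700000 action=allowed src_ip=203.0.113.7 dest_ip=10.1.2.3 dest_port=22",
    "_time=1686700060 action=allowed src_ip=203.0.113.7 dest_ip=10.1.2.3 dest_port=22",
    "_time=1686700120 action=blocked src_ip=203.0.113.7 dest_ip=10.1.2.3 dest_port=23",
    "_time=1686700180 action=allowed src_ip=192.168.5.9 dest_ip=10.1.2.3 dest_port=443",
    "_time=1686700240 action=allowed src_ip=198.51.100.4 dest_ip=10.1.2.9 dest_port=443",
    "_time=1686700300 action=allowed src_ip=198.51.100.4 dest_ip=10.1.2.9 dest_port=8080",
]

Finding = namedtuple("Finding", "src_ip dest_ip dest_port count first_time last_time")

def is_approved_source(ip: str) -> bool:
    """True when the source address lies inside an approved internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_SOURCE_RANGES)

def parse_event(line: str) -> dict:
    """Split one key=value event into a dict with numeric _time and dest_port."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["_time"], ev["dest_port"] = int(ev["_time"]), int(ev["dest_port"])
    return ev

def find_exposed_management_traffic(lines):
    """Apply the same filter as the tstats search (action=allowed, source outside
    the approved ranges, management dest_port) and group by src/dest/port."""
    groups = {}
    for ev in map(parse_event, lines):
        if (ev.get("action") != "allowed" or ev["dest_port"] not in MANAGEMENT_PORTS
                or is_approved_source(ev["src_ip"])):
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        cnt, first, last = groups.get(key, (0, ev["_time"], ev["_time"]))
        groups[key] = (cnt + 1, min(first, ev["_time"]), max(last, ev["_time"]))
    return [Finding(*k, *groups[k]) for k in sorted(groups)]

if __name__ == "__main__":
    for finding in find_exposed_management_traffic(SAMPLE_EVENTS):
        print(finding)
```

Running it on the constructed events reports two rows: the external SSH connections to 10.1.2.3 (count 2) and the external HTTPS connection to 10.1.2.9, while the blocked Telnet attempt, the internal HTTPS session and the non-management port 8080 are ignored.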
CISA has released specific guidance for BOD 23-02 here that would be a great next step towards complying with their instructions.
If you need further assistance from Splunk experts on how to use our technology for pre-emptively identifying this type of traffic, or ingesting and searching these types of data sources, please reach out to your account team as they are well familiar with these types of use cases and data sources. We have a multitude of resources available to help ensure your success!