APT and Cyber War > Defending Against APT - Pg. 50

50 CHAPTER 3 Introduction to Industrial Network Security

DATAC.[35] Additional vulnerabilities and exploit code, including nine zero-days, were released by the Russian firm Gleg as part of the Agora exploit pack for the CANVAS toolkit.[36] Luckily, many tools are already available to defend against these sophisticated attacks, and the results can be very positive when they are used appropriately in a blended, sophisticated defense based upon "Advanced Persistent Diligence."[37]

Defending Against APT

As mentioned in Chapter 2, "About Industrial Networks," the security practices recommended herein are aimed high, because the threat environment in industrial networks has already shifted to these types of APTs, if not outright cyber war. These recommendations are built around the concept of "Advanced Persistent Diligence" and a much higher than normal level of situational awareness, because APT is evolving specifically to avoid detection by known security measures.[38]

Advanced Persistent Diligence requires a strong Defense-in-Depth approach, both to reduce the attack surface exposed to an attacker and to provide a broader perspective of threat activity for use in incident analysis, investigation, and response. That is, because APT is evolving to avoid detection even through advanced event analysis, it is necessary to examine more data about network activity and behavior from more contexts within the network.[39]

More traditional security recommendations are not enough, because active network defense systems such as firewalls, UTMs, and IPS are no longer capable of blocking the same threats that carry with them the highest consequences. APT threats can easily slide through these legacy cyber defenses. Having situational awareness of what is attempting to connect to the system, as well as what is going on within the system, is the only way to start to regain control of the system. This includes information about systems and assets, network communication flows and behavior patterns, organizational groups, user roles, and policies. Ideally, this level of analysis will be automated and will provide an active feedback loop that allows IT and OT security professionals to successfully mitigate a detected APT.

Responding to APT

Ironically, the last thing that you should do upon detecting an APT is to clean the malware off the infected system. This is because, as mentioned in the section "Advanced Persistent Threats," there may be subsequent levels of infection that exist, dormant, and that will be activated as a result. Instead, a thorough investigation should be performed, with the same sophistication as the APT itself. First, logically isolate the infected host so that it can no longer cause any harm. Allow the APT to communicate over established C2 channels, but isolate the host
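The situational-awareness passage above asks operators to know their assets, their expected communication flows, and which hosts are attempting to connect where. The following is an added example, not code from the book or its authors: it checks constructed flow records against a constructed asset inventory, address plan and flow baseline, and reports the deviations (a control asset reaching outside the plant network, or an unknown host talking to a control asset) that would trigger the investigation the text describes.

```python
"""Flow-baseline deviation check for a control-network segment. Added example,
not from the book; all addresses, roles and flow records are constructed."""
import ipaddress

# Constructed asset inventory: address -> role in the control network.
ASSETS = {
    "10.10.1.10": "PLC",
    "10.10.1.20": "HMI",
    "10.10.2.5": "EngineeringWorkstation",
}

# Constructed control-network address plan; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed baseline of expected flows: (src, dst, dst_port, protocol).
BASELINE_FLOWS = {
    ("10.10.1.20", "10.10.1.10", 502, "tcp"),   # HMI polls PLC over Modbus/TCP
    ("10.10.2.5", "10.10.1.10", 44818, "tcp"),  # workstation to PLC, EtherNet/IP
}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify_flow(flow):
    """Return the reasons this flow deviates from the baseline (empty if none)."""
    src, dst, _port, _proto = flow
    reasons = []
    if flow not in BASELINE_FLOWS:
        reasons.append("not in baseline")
    if src in ASSETS and not is_internal(dst):
        reasons.append(f"{ASSETS[src]} initiating external connection")
    if src not in ASSETS and dst in ASSETS:
        reasons.append("unknown host connecting to a control asset")
    return reasons

def review_flows(flows):
    """Group deviating flows by source host so each host is triaged as a unit."""
    findings = {}
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            findings.setdefault(flow[0], []).append((flow, reasons))
    return findings

# Constructed observations: baseline traffic plus two deviations.
OBSERVED = [
    ("10.10.1.20", "10.10.1.10", 502, "tcp"),
    ("10.10.1.10", "203.0.113.7", 443, "tcp"),  # PLC reaching out of the plant
    ("10.10.9.99", "10.10.1.10", 502, "tcp"),   # unknown host talking to the PLC
]
```

Running `review_flows(OBSERVED)` returns findings for the PLC and for the unknown host only; the baseline HMI poll produces nothing, which is the feedback loop the text wants automated.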