ACD-KRITIS meets requirements for the use of systems for attack detection (SzA) according to the BSI orientation guide
by Tina Siering
The IT Security Act 2.0 (IT-SiG), which came into force on 28 May 2021, brings with it far-reaching changes and new obligations, especially for operators of critical infrastructures (KRITIS) and operators of energy supply networks. For example, the use of a holistic system for attack detection (SzA) is required, which must be proven to the Federal Office for Information Security (BSI) from 1 May 2023. (§ 8a para. 3 BSIG).
In order to support affected companies and institutions in implementing these requirements, the BSI published an orientation guide at the end of September 2022. This document describes the requirements for implementing and operating a suitable system for attack detection (SzA) and is intended to support organisations in selecting and implementing suitable systems to effectively combat cyber threats.
The guidance includes recommendations for system selection, an overview of technical requirements and an assessment of the functionality of systems available on the market. The BSI emphasises the importance of developing a comprehensive security concept that integrates attack detection systems into a larger context and adapts the selection of systems to the specific needs and requirements of the organisation.
With its managed detection and response service "ACD-KRITIS", Allgeier secion offers a suitable, BSI-compliant solution for detecting compromises in one's own network in good time and preventing successful cyber attacks.
Monitoring of network traffic by attack detection systems (SzA)
An important function of attack detection systems is the monitoring of network traffic. For this purpose, they collect data from various sources and analyse them in order to detect and prevent possible attacks at an early stage.
The BSI has divided the implementation and operation of an attack detection system into three phases:
- Logging
- Detection
- Reaction
On the one hand, the systems to be protected must recognise security-relevant events (detection) through continuous evaluation of the collected information (logging). This can be done, for example, through misuse detection (signature-based detection) or anomaly detection.
On the other hand, the systems for attack detection (SzA) must also be suitable for preventing disruptions as a result of attacks or for reacting to attacks (reaction). This can be implemented through both technical and organisational measures.
Evaluation with the help of an implementation level model
The implemented measures of systems for attack detection are proven by means of a 3-stage implementation degree model (MUST/CAN/SOUL)
In principle, the following applies to the entirety of all areas (logging, detection and response):
- the necessary technical, organisational and personnel conditions MUST be created,
- information on current attack patterns for technical vulnerabilities MUST be obtained continuously for the systems used in the area of application,
- all hardware and software required for effective attack detection MUST be kept up-to-date,
- the signatures of detection systems MUST always be up-to-date,
- all relevant systems MUST be configured in such a way that attempts to exploit known vulnerabilities can be detected, unless there are serious reasons not to do so.
Companies are therefore required to first create a comprehensive logging concept. The internal dependencies, criticality and necessity for the functionality of the critical service must be taken into account. It must be determined on which systems/machines which information is to be logged. Requirements from data protection and other laws shall be observed, e.g.
- OPS.1.1.5 Logging, NET1.2 Network management
- DER.1 Detection of security-relevant events
Log information shall be evaluated in an automated and continuous manner, taking into account threat and industry specific events and malicious code detection systems.
Automation of the evaluation can be carried out. Transitions between networks must be supplemented by network-based intrusion detection systems. Uniform system time on all components must be ensured. In particular, the central logging servers must be synchronized in time in order to be able to correlate and match the logging data.
ACD-KRITIS - the fully managed service from Allgeier secion
With Active Cyber Defense (ACD)-KRITIS, Allgeier secion fulfils all the essential MUST requirements (logging, detection and reaction) of the BSI orientation guide for the use of systems for attack detection and is implemented and ready for operation within 6 weeks.
Attack detection is carried out by comparing the data processed in an information technology system with information and technical patterns that indicate attacks.
- Customised solution for searching for suspicious activities in one's own network (network management)
- Early detection of malicious attack patterns
- Managed detection and response by Allgeier secion SOC team
- Effective attack detection at network level (anomaly detection) according to ACD-KRITIS standard
- Attack detection on system level (Witness Server Pro)
- Risk analysis of network traffic using MITRE ATT&CK
- Protection of information systems against malware and successful cyber attacks
- Damage response and prevention
- Handling security incidents
- Compliance with reporting requirements in case of detection of security incidents
In the event of a suspicious action requiring intervention, our security analysts immediately inform our clients who have ACD-KRITIS in place. This enables a direct response to the situation. In the event of an IT security incident caused by cybercrime, a direct report to the BSI is possible.
Conclusion: With ACD-KRITIS, you fulfil your corporate precautionary obligations - on time by the deadline of 1 May 2023.
ACD-KRITIS is a permanent and proactive 24/7 service for attack detection.
Our 24/7 Threat Hunting service proactively and continuously analyses your network for anomalies, identifying attackers' communications to their Command & Control Servers (C&Cs). Such attacks usually remain undetected for a long time without appropriate detection measures: On average, it takes six months for companies to identify attacks of this kind on their networks. With ACD-KRITIS, you close this critical area in your IT security and ensure that attackers in your own network are immediately detected and removed before any damage is done. In the event of identified attack activity on your network that requires immediate action, you will be notified immediately by our SOC team, achieving security incident identification immediately after compromise has occurred.
With ACD-KRITIS you meet the immediate reporting obligation
In the event of a suspicious action requiring action, our ACD-KRITIS SOC team will inform you immediately. This allows a direct response to the situation and - in the case of an IT security incident caused by cybercrime - a direct report to the BSI. By using ACD-KRITIS, you fulfil the legal requirement for a system for the early detection of attacks. In case of detected attack activities, the immediate reporting of the cyber attack is ensured.
With ACD-KRITIS, you can implement the legal requirements within a few days.
The IT-SiG 2.0 is accompanied by additional obligations for CRITIS operators: from 01.05.2023, systems for attack detection (SzA) must be implemented and this must be proven to the Federal Office for Information Security (BSI). In addition to technical measures, organisational measures are also required in particular. With ACD-KRITIS, together with us, you will meet all requirements on time: the implementation and commissioning of Active Cyber Defense-KRITIS only takes a maximum of 6 weeks.
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.