forked from splunk/security_content
routers_and_infrastructure.yml
category:
- Best Practices
channel: ESCU
creation_date: '2017-06-01'
description: Validate the security configuration of network infrastructure and verify
  that only authorized users and systems are accessing critical assets. Core routing
  and switching infrastructure is a common strategic target for attackers.
detections:
- detection_id: 104658f4-afdc-499e-9719-17243rr826f1
  name: Detect New Login Attempts to Routers
  type: splunk
id: 91c676cf-0b23-438d-abee-f6335e177e77
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
modification_date: '2017-09-12'
name: Router & Infrastructure Security
narrative: 'Networking devices, such as routers and switches, are often overlooked
  as resources that attackers will leverage to subvert an enterprise. Advanced threat
  actors have shown a proclivity to target these critical assets as a means to siphon
  and redirect network traffic, flash backdoored operating systems, and implement
  weakened cryptographic algorithms to more easily decrypt network traffic.
  This Analytic Story helps you gain a better understanding of how your network devices
  are interacting with your hosts. By compromising your network devices, attackers
  can obtain direct access to the company''s internal infrastructure — effectively
  increasing the attack surface and accessing private services/data.'
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references:
- https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html
- https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html
spec_version: 2
usecase: Security Monitoring
version: '1.0'