router_and_infrastructure_security.yml
name: Router and Infrastructure Security
id: 91c676cf-0b23-438d-abee-f6335e177e77
version: 1
date: '2017-09-12'
author: Bhavin Patel, Splunk
status: production
description: Validate the security configuration of network infrastructure and verify
  that only authorized users and systems are accessing critical assets. Core routing
  and switching infrastructure is a common strategic target for attackers.
narrative: 'Networking devices, such as routers and switches, are often overlooked
  as resources that attackers will leverage to subvert an enterprise. Advanced threat
  actors have shown a proclivity to target these critical assets as a means to siphon
  and redirect network traffic, flash backdoored operating systems, and implement
  weakened cryptographic algorithms to more easily decrypt network traffic.
  This Analytic Story helps you gain a better understanding of how your network devices
  are interacting with your hosts. By compromising your network devices, attackers
  can obtain direct access to the company''s internal infrastructure— effectively
  increasing the attack surface and accessing private services/data.'
references:
- https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html
- https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html
tags:
  category:
  - Best Practices
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring