The Dragos ICS Cybersecurity Ecosystem
The sustained, rapid advancement of many aspects of our civilization, particularly over the past century is, in many ways attributable to the strength and resilience of industrial infrastructure. Built and operated with a dedication to safety and reliability, it has remained a constant in society’s forward progress, from the industrial age, to the space age, the information age and beyond.
As industrial infrastructure has evolved with the world around it, so too have the opportunities and challenges facing those responsible for it. The rise of networked industrial control systems (ICS) and the increasing interconnectivity of industrial infrastructure to the Internet is the latest example, where numerous enhanced capabilities must be incorporated in ways that sustain the safety and reliability of the system. Today’s industrial infrastructure is at a high level of strength and resiliency, but facing a new kind of challenge – cyber threats – that require new approaches and additional measures to keep it that way. Dragos’ sole focus is to provide them, and to work as your trusted partner in safeguarding civilization.
Putting the Industrial Infrastructure Cyber-Threat Landscape in Context
There is persistent hype and speculation about industrial infrastructure’s vulnerability to cyber attack and the dire consequences that would follow. Dragos’ view is that, for the most part, both the general situation and specific incidents are being overstated and mischaracterized, largely discounting the strength and resilience industrial infrastructure possesses. The threat is nevertheless real, and while it is not a cause for fear among asset owners and their customers, it should be a cause for concern that drives a well-informed, targeted and proactive response. Such a response requires more, and better, intelligence about the threat landscape than has generally been available.
Arguably the most revealing fact about the current state of knowledge of the industrial infrastructure threat landscape is shown in the chart below: the most frequently reported attack vector used against industrial infrastructure environments is “unknown”, because both asset-owner and governmental security teams have generally lacked adequate staff and ICS-focused technology to identify it. However, the tools and methods required to map the threat landscape, increase situational awareness and mount a strong, targeted defense are now available. Their deployment is acting as a force multiplier for front-line ICS defenders, bringing added strength and resilience to the world’s industrial infrastructure.
Safeguarding Civilization
ICS-CERT reported incidents by attack vector (in a typical year): Unknown 37%, Spear Phishing 35%, All Other 28%.
The Challenges of Securing Industrial Infrastructure From Cyber Threats
There is a critical shortage of staff with deep ICS cybersecurity knowledge across all industrial sectors today. This shortage, coupled with the general lack of ICS-focused cybersecurity technology and the increasing connectivity of industrial networks to enterprise networks and the Internet (IIoT/Industry 4.0), contributes to a broadening range of security weaknesses, including:
■ incomplete asset visibility
■ insecure products and protocols
■ infrequent patching of known vulnerabilities
■ insufficient industrial cyber-threat visibility and situational awareness
■ insufficient incident response and recovery preparation
Why Choose Dragos as Your Industrial Cybersecurity Partner?
The Dragos team knows ICS and industrial cybersecurity through direct experience in industry and government, and includes some of the world’s foremost experts in this highly specialized area. They come to Dragos because the work they are best at is our sole focus as a company.
We are practitioners who have lived through and solved real security challenges rather than observed them from a distance. Our team members have responded to incidents including the Ukraine 2015 power grid attack, built and led the National Security Agency mission to identify nation-states breaking into ICS, and performed assessments on hundreds of assets around the world.
Our products and services make this knowledge and expertise available to our customers in ways that enhance their efficiency and effectiveness as ICS defenders. It is codified into our software, written into our ICS-focused threat intelligence reports, applied onsite alongside customer security teams hunting and responding to threats, and transferred through our industrial cybersecurity training classes.
We understand the differences between the enterprise IT and ICS domains, and the logical boundary between them. Our products and services focus on the knowledge and capabilities required to support the ICS/OT domain, including its mission, its MTTR-driven metrics, and its safety- and resilience-oriented priorities.
Enterprise/IT Domain (IT solutions focus):
■ External and partner services, email services, printers, VoIP, workstations
ICS Domain (Dragos ICS focus):
■ Supervisory: engineering workstations, auxiliary systems, operator HMIs, SCADA front end
■ Control: RTUs, PLCs, IEDs
■ Field: IEDs, actuators, sensors
There’s Nothing Artificial About Dragos’ Intelligence
A Dragos core principle is that industrial cybersecurity technology should be backed by a team constantly learning about the threat landscape, so that the technology can adapt and evolve appropriately. That is why our solutions portfolio, or ecosystem, includes dedicated threat hunting and incident response teams in a 24x7 Threat Operations Center, and a dedicated Threat Intelligence team that gathers and analyzes global threat information to produce the industry’s leading ICS intelligence product, Dragos WorldView.
In addition to the valuable services and intelligence they provide customers, the ever-expanding knowledge of our highly specialized teams is shared internally and continuously codified and integrated into the Dragos Platform. The synergy among the three dimensions of the Dragos Ecosystem provides the strongest, most capable and complete industrial cybersecurity solution available today.
The three dimensions of the Dragos Ecosystem:
■ Dragos Threat Intelligence: intelligence products specializing in identifying, analyzing and understanding ICS threats
■ Dragos Threat Operations Center: ICS-focused threat hunting services, incident response services and cybersecurity training
■ Dragos Platform: an industrial control system (ICS) security information and event management (SIEM) system that uses threat behavior analytics to identify threats and guide the response to them
Dragos Solutions Span the Entire Industrial Cybersecurity Best-Practice Framework
Given the developing nature of industrial cybersecurity tools and practices, many organizations find it useful to apply best-practice methodologies to better understand, manage and reduce their cybersecurity-related risk. While there are various solid frameworks, Dragos’ view is that “know thyself, know thy enemy, and know what to do” covers the core tenets of them all.
Framework functions and the question each answers:
Identify: What processes and assets need protection?
Protect: What safeguards are available?
Detect: What techniques can detect threats and incidents?
Respond: What techniques can contain incident impact?
Recover: What techniques can quickly and safely restore capabilities?
Dragos tenets: Know Thyself, Know Thy Enemy, Know What to Do
Dragos solutions across the framework: Dragos ThreatView, Dragos Incident Response, Dragos ICS WorldView, Dragos ICS Cybersecurity Training, Dragos Platform
Dragos provides the only industrial cybersecurity portfolio that spans the entire ICS cybersecurity best-practices continuum. It combines human intelligence analysts, ICS operations experts and advanced technologies to enable asset owners to build and maintain the most effective cyber-defenses possible.
Dragos ICS WorldView
Overview
Dragos ICS WorldView is the industrial cybersecurity industry’s only product exclusively focused on ICS threat intelligence. Prepared by Dragos’ expert ICS/OT threat intelligence analysts, it is the essential supplement to any IT-focused intelligence product used by IT or OT professionals responsible for an ICS network. Dragos WorldView calls out and cuts through the hype and speculation surrounding ICS cybersecurity, providing an effective antidote to the fear, uncertainty and doubt they sow.
Who it’s For
Dragos ICS WorldView is for IT and OT ICS defenders seeking ICS-focused intelligence to support both tactical decisions and strategic recommendations on ICS cybersecurity quickly, and with confidence.
What it Does
Dragos ICS WorldView threat intelligence provides a range of ICS-specific content to subscribers via e-mail, webinars, and the Dragos Intel Portal, including:
■ ICS-themed malware identification and analysis
■ ICS vulnerability disclosures and analysis
■ ICS adversary behavior trends
■ ICS threat/incident media report analysis and commentary
■ Cybersecurity conference presentations and researcher discoveries with Dragos expert perspective
Key Benefits
Immediacy – critical threat alerts inform you of rapidly escalating ICS threat situations
Efficiency – expert threat identification and analysis combats alert fatigue
Effectiveness – reduce adversary dwell time and mean time to recovery (MTTR)
Insight – ICS vulnerability, threat and incident assessments promote informed, timely, and confident decision making
Comprehensiveness – broad span of ICS intelligence gathering sources and techniques, including exclusive access to intelligence gained through the proactive ICS threat hunting performed by Dragos Threat Operations Center
“Dragos ICS WorldView provides National Grid with clearly articulated intelligence, backed by evidence and specific information to help us mitigate threats. The clear understanding Dragos has of the environment in which we operate allows us to cut through the hype around many potential industry vulnerabilities, so we can focus on the ones that matter most as we look after vital infrastructure and ensure supply to our customers.”
Phil Tonkin, Global Head of Cyber Operational Technology, National Grid
Excerpt from a Dragos ICS WorldView report (page 1 of 8)
COVELLITE ACTIVITY AGAINST US GRID OPERATORS
Questions? Reach us at [email protected]
Summary
Dragos became aware of a threat actor targeting US electric grid operators during the week of 17 September. Upon learning of this activity, Dragos identified malware related to the campaign and established hunting rules to identify additional samples. Since then, another vendor has released a private report covering the same activity, which was leaked to the media.
At this time, Dragos has no evidence indicating a successful ICS attack against US grid operators. Reviewing available information, Dragos is only aware of phishing activity to gain initial access, followed by a remote access tool (RAT) to persist on target. All malware identified to date covers Stage 1 of the ICS Cyber Kill Chain, with no ICS-specific items observed to this point. While Dragos does not perform attribution, and cannot corroborate this assignment, Dragos does recognize this group as a unique activity group, referred to as COVELLITE.
An analysis of available malware indicates a sophisticated payload with multiple anti-analysis techniques. Although Dragos was unable to analyze full functionality as the malware is designed to pull resources from its command and control (C2) infrastructure, Dragos was able to identify sufficient indicators of activity for initial defense.
Details
Dragos identified initial COVELLITE samples soon after the first phishing attempts. The malware sample immediately appeared suspicious, given a file extension mismatch (the sample is labeled as a DLL but is an EXE) and a spurious creation date indicating timestamp manipulation.
A further review identified almost no outwardly suspicious items beyond the above. However, once subjected to more advanced analysis, additional features clearly indicating malicious intent began to emerge.
When executed, the malware attempts to retrieve an external resource by creating a raw network socket to three Internet Protocol (IP) addresses (see indicators of compromise table). The IP addresses are interesting, as they belong to legitimate institutions: one is a Mexican university, and the other two are Internet Service Provider (ISP) addresses in Brazil and Italy. Based on this information, Dragos concludes
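The two static signals the Details section calls out, a file named as a .dll whose PE header says it is an EXE and an implausible timestamp, can be checked with a few lines of header parsing. The following is an added example written for this page; it is not Dragos code and is not derived from the COVELLITE sample. It reads only the COFF file header: the IMAGE_FILE_DLL bit in Characteristics is the authoritative DLL/EXE distinction, and TimeDateStamp is the linker's compile-time stamp. The report does not say which timestamp was spurious, so treating the PE header stamp as the signal is an assumption, and the PE images, file names and analysis date below are constructed for the example.

```python
import struct
from datetime import datetime, timezone

# COFF file header Characteristics flags (winnt.h)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# Constructed analysis window for the example: the report's activity was in
# September, so the "current" date is taken as 2017-10-01 UTC; anything
# stamped before 2000-01-01 UTC is treated as implausible for a live sample.
ANALYSIS_DATE = int(datetime(2017, 10, 1, tzinfo=timezone.utc).timestamp())
EARLIEST_PLAUSIBLE = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())


def parse_coff_header(data: bytes) -> dict:
    """Return the COFF file header fields of a PE image (MZ -> e_lfanew -> 'PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "optional_header_size": opt_size, "characteristics": chars}


def triage(filename: str, data: bytes, now: int, earliest_plausible: int) -> list:
    """Static triage: does the file extension match the header, and is the build stamp sane?"""
    findings = []
    hdr = parse_coff_header(data)
    is_dll = bool(hdr["characteristics"] & IMAGE_FILE_DLL)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "dll" and not is_dll:
        findings.append("extension_mismatch: named .dll but IMAGE_FILE_DLL is clear (image is an EXE)")
    elif ext == "exe" and is_dll:
        findings.append("extension_mismatch: named .exe but IMAGE_FILE_DLL is set (image is a DLL)")
    ts = hdr["timestamp"]
    if ts == 0:
        findings.append("timestamp_anomaly: TimeDateStamp is zero")
    elif ts > now + 86400:  # one day of clock skew tolerated
        findings.append("timestamp_anomaly: TimeDateStamp is in the future")
    elif ts < earliest_plausible:
        findings.append("timestamp_anomaly: TimeDateStamp predates the plausible build window")
    return findings


def build_pe(characteristics: int, timestamp: int) -> bytes:
    """Constructed minimal PE image for the example: DOS header, PE signature and COFF header only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, characteristics)  # i386, 1 section
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    exe_flags = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    samples = {
        "update.dll": build_pe(exe_flags, ANALYSIS_DATE + 365 * 86400),        # EXE named .dll, future stamp
        "service.exe": build_pe(exe_flags, ANALYSIS_DATE - 30 * 86400),        # consistent, recent build
        "helper.dll": build_pe(exe_flags | IMAGE_FILE_DLL, 0),                 # real DLL, zeroed stamp
    }
    for name, image in samples.items():
        print(name, triage(name, image, ANALYSIS_DATE, EARLIEST_PLAUSIBLE))
```

The extension is just a label chosen by whoever dropped the file; the header bit is what the loader honours, so the mismatch is worth a pivot even when nothing else looks wrong. TimeDateStamp is trivially forged and some toolchains deliberately overwrite it (Microsoft's reproducible builds store a hash there, which can look like a far-future date), so treat a zero or future stamp as a triage hint to be corroborated by behavioural analysis, as the report does, rather than as proof of malice.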
Dragos Platform
Overview
The Dragos Platform is the most technologically complete solution in the industrial cyber-threat detection and response market today. It provides security teams with unprecedented knowledge of their industrial control system (ICS) assets and activity, the threats and adversaries they face, and the tools and knowledge to defend against them. It is the industry’s first and only solution to codify and integrate the knowledge of the industry’s most trusted ICS security experts and an intelligence-driven approach with software technology.
Who it’s For The Dragos Platform is for industrial organizations seeking a highly effective cybersecurity solution expressly built for industrial networks, particularly those facing the challenge of building and retaining a high-performing industrial network/ICS security team.
What it Does
The Dragos Platform provides the capabilities needed to gain visibility into industrial networks across the entire industrial cybersecurity framework. It operates as a security information and event management (SIEM) solution purpose-built for industrial environments, and can be deployed in a security operations center (SOC) model. It is modularly designed so that it can be deployed in whole or in part to address both immediate and longer-term needs.
Asset Discovery
■ Passively identify all assets and communications on the network
■ Visualize and map network security zones and identify attack paths
■ Set one or more network baselines against which to monitor changes
■ Scalable to hundreds of thousands of assets across multiple sites
Threat Detection
■ Dragos threat behavior analytics provide rich context as to what is occurring and what to do next
■ Indicator of Compromise and Query-Focused Datasets support threat hunting
■ Collects, stores and analyzes logs and data from host systems, logic controllers and data historians, not just network traffic
Investigation Playbooks & Workbench
■ Case management tools to manage incident response case notes, forensics and collaboration
■ Playbooks from Dragos experts drive standardized, best-practice response
■ Automation and orchestration between different security tools reduces workload
■ Reporting and dashboards monitor analyst and system activity
Key Benefits
ICS Focused – designed for ICS environments by ICS operations and cybersecurity experts
Passive – no active scanning or querying of ICS
Scalable – designed to monitor as many as hundreds of thousands of assets across multiple sites
Intelligent – threat alerts contextually enhanced with behavioral analytics for faster, more effective incident investigation and response
Superior TCO – threat behavior analytics and investigation playbooks drive down hard and soft security operations costs
Not All ICS Cybersecurity Solutions are the Same
The Dragos Platform was designed and built by recognized ICS security practitioners who have lived the challenges security teams face in securing industrial control systems and their surrounding infrastructure. Our deep understanding of those challenges and of the ICS threat landscape is reflected in our differentiated approach, as shown below:
                                     Dragos Platform                      Typical Industry Solutions
Principal threat detection method    Threat Behavior Analytics            Anomaly Detection
Ongoing system/training adjustment   Minimal                              Significant
Alert/threat response capabilities   Automated/Integrated into Platform   Manual/On Operator
False positives                      Few                                  Many
Threat intelligence                  Integrated into Platform             Manual/On Operator
Detailed threat context with alerts  Yes                                  No
Potential for alert fatigue          Low                                  High
Ongoing cost of ownership            Low                                  High
“The Dragos Platform provides us with a level of real-time situational awareness and monitoring capabilities unparalleled in the industry today, which was never before possible within our windfarm networks. It has become an integral part of our day-to-day cybersecurity, OT network monitoring and asset management program, and has eliminated a number of manual processes while increasing our speed of incident response. A high-value system for any organization whose operations are dependent upon ICS technology, processes and protocols.”
Marc DeNarie, Chief Information Officer, NaturEner USA
Dragos Threat Operations Center
Dragos ThreatView Service
Overview
The unique architectures and protocols of ICS networks, and the developing state of ICS cybersecurity, pose new challenges for many asset owners, confronting them with an unclear threat landscape and a shortage of ICS/OT security expertise to bring it into sharper focus. Dragos ThreatView combines seasoned threat hunters, unparalleled ICS threat intelligence and advanced technology to find hidden threats inside ICS networks so they can be neutralized.
Who it’s For
Dragos ThreatView service is for ICS security stakeholders who recognize the challenge of truly knowing their ICS networks, and the risks that unknown threats or gaps in security coverage present to safe and reliable operations.
What it Does
A Dragos ThreatView engagement evaluates the visibility and defensibility of an ICS Network and its related processes over an approximately six-week period. It identifies likely attack vectors, determines strengths of defenses, and identifies previously unrecognized malicious activity efficiently and non-invasively, working as an extension of the local ICS security team. Upon completion of the engagement Dragos provides a findings report outlining the extent of the threat hunt, key observations made and recommendations for improvement.
Plan: define engagement scope, review information, discuss goals, expectations, form ThreatView hypothesis
Collect: aggregate ICS network activity and log data
Analyze: analyze data to discover hidden threats and other issues
Report: report any threats found as well as other observations
Automate: provide recommendations to resolve discovered issues and improve defenses on a sustained basis
Key Benefits
Reliability – minimize network downtime and reduce costs
Better Informed Decisions – understand the threat landscape for a specific ICS network with additional context related to the environment
Secure – ICS network and related sensitive data never leaves company premises
Non-Invasive – engagement activity does not interfere with regular operations
Dragos Incident Response Service
Overview
Dragos Incident Response Service helps asset owners prepare for, respond to and recover from cyber incidents. Its team of experienced incident responders is available 24x7 to help ICS operations and security personnel resolve crisis situations as quickly as possible, with the confidence of knowing that the situation has truly been resolved. Like insurance, Dragos Incident Response Service manages the risks associated with the unknown and speeds recovery when incidents happen.
Who it’s For
Dragos Incident Response Service is for organizations that need to supplement existing OT and IT staff responsible for the reliability of ICS operations.
What it Does Dragos Incident Response Service provides a range of services that help ICS security teams prepare for, respond to, and recover from cyber incidents. The service can reduce the time it takes to recover and resume operations when incidents occur, reducing the potential safety, financial and/or reputational consequences.
Key Benefits
Reduced Risk – increases preparedness before incidents and provides rapid mitigation when they happen
Immediate – 24/7 telephone support and on-site support as quickly as within 24 hours
Flexible – options to support a wide range of needs and budgets, with hours applicable toward incident response, training and threat hunting services
Trusted – Dragos provides the most experienced ICS threat responders, the best ICS threat intelligence, and advanced threat detection and response tools in the industry
Prepare: define key personnel, roles, processes, communication paths and key constraints
Identify: classify incident and its cause(s), the extent of the breach and operations impact
Contain: analyze, secure and stabilize the impacted ICS, gather relevant forensics
Eradicate: remove threat completely, including its root cause, and deploy improved defenses
Recover: bring ICS back online safely, monitor its behavior and validate mitigations
Review & Adjust: interpret findings and lessons learned, and adjust policies, procedures and preparation to prevent recurrence
Dragos ICS Cybersecurity Training
Overview Dragos ICS Cybersecurity Training increases the skills and capabilities of security teams operating in industrial environments. Our principal course, Assessing, Monitoring and Hunting ICS Threats, is an intensive five-day, hands-on course that covers industrial control system (ICS) basics, ICS cybersecurity best practices, assessing industrial environments, ICS threat hunting, and industrial network monitoring. Courses are offered at Dragos’ state-of-the-art training center in Hanover, MD.
Who it’s For ICS and OT security professionals seeking to increase their knowledge of ICS cybersecurity best practices and Dragos’ industrial security methodologies and technologies, as well as IT security professionals who want to expand their knowledge of industrial environments and how securing them differs from IT environments.
What it Does Students learn through hands-on and instructor-led training incorporating real-world case studies and exercises designed to reinforce the concepts taught. Students are placed in various roles designed to give context to the learning and to frame the hands-on activities, including an OT engineer role, a Red Team role, and a Security Operations Center (SOC) analyst role, using real control systems and industrial data in labs and exercises.
Key Benefits
Intensive – students learn a wide range of critical skills in five days
Hands-On – classroom instruction is reinforced through labs, activities and role playing
Expert Instruction – course instructors are drawn from Dragos’ team of ICS cybersecurity experts
Assessing, Monitoring and Hunting ICS Threats Course Overview
DAY 1: Industrial Systems and Networks
DAY 2: Assessing ICS Environments
DAY 3: ICS Threat Hunting
DAY 4: Industrial Network Monitoring
DAY 5: Capstone – Defending Against Real-World ICS Attack Scenarios
Training Center Student Workstations
The Dragos Team
Leading Industrial Cybersecurity
Headquartered in metropolitan Washington DC, Dragos’ team of industrial cybersecurity experts is made up of practitioners who have lived the problems the industry faces, hailing from across the U.S. Intelligence Community and private-sector industrial companies. The team has over 100 years of combined experience in securing ICS and countering industrial security threats, by far the largest concentration of such expertise in the industry today. That experience includes:
- leading the U.S. intelligence community team that developed analytics, tools, and best practices for identifying nation-state cyber-adversaries targeting U.S. government and critical infrastructure networks
- leading the U.S. intelligence team in charge of developing advanced analytics to detect threats targeting ICS/SCADA networks
- advising a wide range of tactical ICS defenders up through all levels of national security leadership on nation-state adversaries targeting industrial infrastructure
- leading cyber-analysis for the Electricity Information Sharing and Analysis Center
- building and leading a major energy company’s network security monitoring, forensics and incident response teams
- developing the world’s only ICS-specific incident response course and the cyber-threat intelligence training courses for SANS
- co-creating the Diamond Model of Intrusion Analysis, one of the most widely used methodologies for organizing and verifying advanced persistent threats
- direct incident response involvement in virtually every major power-grid cyber-attack worldwide
- a lead role in uncovering and analyzing major malware threats to industrial infrastructure, including Trisis and CrashOverride
“Dragos offers industrial customers industry-leading technology, services, and intelligence products, but our most important differentiator is our team, and its ability to bring a practitioner’s perspective to all that we do. In addition to the depth of valuable functional and industry knowledge each team member brings to Dragos, they bring the insights that only come from experience, and the deep commitment to safeguarding civilization that drives the Dragos mission.”
Robert M. Lee, Dragos CEO and Founder
Contact Information
1745 Dorsey Road, Hanover, MD 21076 USA | dragos.com | [email protected]
“The passive cybersecurity defenses used in most industrial cybersecurity programs may be adequate for low-risk facilities. But operators in critical industries need to recognize that, increasingly, they are on ‘the radar’ of sophisticated attackers and must be able to ensure that their programs can defend against non-traditional, targeted attacks. Active monitoring and management of anomalies by qualified people is essential.
Adopting a context-aware, intelligence-driven approach, like that offered by Dragos, can help ensure that these resources have the information and tools they need to be both effective and efficient.”
Arc Advisory Group, December 2017
v.2.0 2/18 | Copyright © 2018 Dragos, Inc. All Rights Reserved.