The Dragos ICS Cybersecurity Ecosystem Safeguarding Civilization

Upload: ngonhan

Post on 16-Aug-2018


The sustained, rapid advancement of many aspects of our civilization, particularly over the past century, is in many ways attributable to the strength and resilience of industrial infrastructure. Built and operated with a dedication to safety and reliability, it has remained a constant in society’s forward progress, from the industrial age to the space age, the information age and beyond.

As industrial infrastructure has evolved with the world around it, so too have the opportunities and challenges facing those responsible for it. The rise of networked industrial control systems (ICS) and the increasing interconnectivity of industrial infrastructure to the Internet is the latest example, where numerous enhanced capabilities must be incorporated in ways that sustain the safety and reliability of the system. Today’s industrial infrastructure is at a high level of strength and resiliency, but it faces a new kind of challenge – cyber threats – that requires new approaches and additional measures to keep it that way. Dragos’ sole focus is to provide them, and to work as your trusted partner in safeguarding civilization.

Putting the Industrial Infrastructure Cyber-Threat Landscape in Context

There is persistent hype and speculation about industrial infrastructure’s vulnerabilities to cyber attack and the dire consequences that would follow. Dragos’ view is that, for the most part, the true nature of both the general situation and specific incidents is being overstated and mischaracterized, largely discounting the strength and resilience industrial infrastructure possesses. However, the threat is real, and while not a cause for fear among asset owners and their customers, it should be a cause of concern that drives a well-informed, targeted, and proactive response. Such a response requires more, and better, intelligence about the threat landscape than has been generally available.

Arguably the most revealing fact about the current state of knowledge and understanding of the industrial infrastructure threat landscape is shown here – the most frequently reported attack vector used against industrial infrastructure environments is actually “unknown” because both asset-owner and governmental security teams have generally lacked adequate staff and ICS-focused technology to identify them. However, the specific tools and methods required to effectively map the threat landscape, increase situational awareness, and mount a strong, targeted defense are now available. Their deployment is acting as a force-multiplier to front-line ICS defenders, helping bring added strength and resilience to the world’s industrial infrastructure.

[Figure: ICS-CERT reported incidents by attack vector, in a typical year: Unknown 37%, Spear Phishing 35%, All Other 28%]

The Challenges of Securing Industrial Infrastructure From Cyber Threats

There is a critical shortage of staff with deep ICS cybersecurity knowledge across all industrial sectors today. This fact, coupled with the general lack of available ICS-focused cybersecurity technology solutions and increasing connectivity to enterprise networks and the Internet (IIoT/Industry 4.0), contributes to a broadening range of potential security vulnerabilities including:

■ incomplete asset visibility

■ insecure products and protocols

■ infrequent patching of known vulnerabilities

■ insufficient industrial cyber-threat visibility and situational awareness

■ insufficient incident response and recovery preparation

Why Choose Dragos as Your Industrial Cybersecurity Partner?

The Dragos team knows ICS systems and industrial cybersecurity through direct experience in industry and government, and includes some of the world’s foremost experts in this highly specialized area. They come to Dragos because the work they are the industry’s best at is our sole focus as a company.

We are practitioners who have lived through and solved real security challenges rather than observed them from a distance. Our team members have responded to incidents including the Ukraine 2015 power grid attack, built and led the National Security Agency mission to identify nation-states breaking into ICS, and performed assessments on hundreds of assets around the world.

Our products and services make this knowledge and expertise available to our customers in many ways that enhance their efficiency and effectiveness as ICS defenders. It is codified into our software, written into our ICS-focused threat intelligence reports, brought onsite with security teams hunting and responding to threats, and transferred through our industrial cybersecurity training classes.

We understand the differences between the enterprise IT and ICS domains, and the logical boundary between them. Our products and services focus on filling the need for the knowledge and capabilities required to provide support in the ICS/OT domain, including its mission, MTTR-driven metrics, and safety and resilience-oriented priorities.

[Figure: Enterprise/IT domain versus ICS domain]

Enterprise/IT Domain (IT solutions focus): External and Partner services, Email Services, Printers, VoIP, Workstations

ICS Domain (Dragos ICS focus):

Supervisory: Engineer workstations, Auxiliary Systems, Operator HMIs, SCADA Front End

Control: RTUs, PLCs, IEDs

Field: IEDs, Actuators, Sensors

There’s Nothing Artificial About Dragos’ Intelligence

A Dragos core principle is that industrial cybersecurity technology should be backed by a team constantly learning about the threat landscape, to adapt and evolve its security technology appropriately. That is why our solutions portfolio, or ecosystem, includes dedicated threat hunting and incident response teams from a 24x7 Threat Operations Center, and a dedicated Threat Intelligence team that gathers and analyzes global threat information to produce the industry’s leading ICS intelligence product, Dragos WorldView.

In addition to the valuable services and intelligence they provide customers, the ever-expanding knowledge of our highly specialized teams is shared internally and continuously codified and integrated into the Dragos Platform. The synergy among the three dimensions of the Dragos Ecosystem provides the strongest, most capable and complete industrial cybersecurity solution available today.

The three dimensions of the Dragos Ecosystem:

Dragos Threat Intelligence: intelligence products specializing in identifying, analyzing and understanding ICS threats

Dragos Threat Operations Center: ICS-focused threat hunting services, incident response services and cybersecurity training

Dragos Platform: industrial control system (ICS) security incident and event management system (SIEM) that uses threat behavior analytics to identify threats and guide how they are responded to

Dragos Solutions Span the Entire Industrial Cybersecurity Best-Practice Framework

Given the developing nature of industrial cybersecurity tools and practices, many organizations find it useful to apply best-practice methodologies to better understand, manage and reduce their cybersecurity-related risk. While there are various solid frameworks, Dragos’ view is that “know thyself, know thy enemy, and know what to do” covers the core tenets of them all.

[Figure: Dragos solutions mapped across the best-practice framework functions]

Identify: What processes and assets need protection?

Protect: What safeguards are available?

Detect: What techniques can detect threats and incidents?

Respond: What techniques can contain incident impact?

Recover: What techniques can quickly and safely restore capabilities?

Dragos tenets: Know Thyself, Know Thy Enemy, Know What to Do

Dragos solutions shown across the framework: Dragos ThreatView, Dragos Incident Response, Dragos ICS WorldView, Dragos ICS Cybersecurity Training, Dragos Platform

Dragos provides the only industrial cybersecurity portfolio that spans the entire ICS cybersecurity best-practices continuum. It combines human intelligence analysts, ICS operations experts and advanced technologies to enable asset owners to build and maintain the most effective cyber-defenses possible.

Dragos Solutions

Dragos Threat Intelligence: Dragos ICS WorldView

Overview

Dragos ICS WorldView is the industrial cybersecurity industry’s only product exclusively focused on ICS threat intelligence. Prepared by Dragos’ expert ICS/OT threat intelligence analysts, it is the essential supplement to any IT-focused intelligence product used by IT or OT professionals with responsibility for an ICS network. Dragos WorldView calls out and cuts through the hype and speculation surrounding ICS cybersecurity, providing an effective antidote to the fear, uncertainty and doubt it sows.

Who it’s For

Dragos ICS WorldView is for IT and OT ICS defenders seeking ICS-focused intelligence to support both tactical decisions and strategic recommendations on ICS cybersecurity quickly, and with confidence.

What it Does

Dragos ICS WorldView threat intelligence provides a range of ICS-specific content to subscribers via e-mail, webinars, and the Dragos Intel Portal, including:

■ ICS-themed malware identification and analysis

■ ICS vulnerability disclosures and analysis

■ ICS adversary behavior trends

■ ICS threat/incident media report analysis and commentary

■ Cybersecurity conference presentations and researcher discoveries with Dragos expert perspective

Key Benefits

Immediacy – critical threat alerts inform you of rapidly escalating ICS threat situations

Efficiency – expert threat identification and analysis combats alert fatigue

Effectiveness – reduce adversary dwell time and mean time to recovery (MTTR)

Insight – ICS vulnerability, threat and incident assessments promote informed, timely, and confident decision making

Comprehensiveness – broad span of ICS intelligence gathering sources and techniques, including exclusive access to intelligence gained through the proactive ICS threat hunting performed by Dragos Threat Operations Center


“ Dragos ICS Worldview provides National Grid with clearly articulated intelligence, backed by evidence and specific information to help us mitigate threats. The clear understanding Dragos has of the environment in which we operate, allows us to cut through the hype around many potential industry vulnerabilities, so we can focus on the ones that matter most as we look after vital infrastructure and ensure supply to our customers.”

Phil Tonkin, Global Head of Cyber Operational Technology, National Grid

Dragos ICS WorldView Page 1 of 8

COVELLITE ACTIVITY AGAINST US GRID OPERATORS

Questions? Reach us at [email protected]

Summary

Dragos became aware of a threat actor targeting US electric grid operators during the week of 17 September. Upon learning of this activity, Dragos identified malware related to the campaign and established hunting rules to identify additional samples. Since that time, another vendor has released a private report covering the same activity, which was leaked to the media.

At this time, Dragos has no evidence indicating a successful ICS attack against US grid operators. Reviewing available information, Dragos is only aware of phishing activity to gain initial access, followed by a remote access tool (RAT) to persist on target. All malware identified to date covers Stage 1 of the ICS Cyber Kill Chain, with no ICS-specific items observed to this point. While Dragos does not perform attribution, and cannot corroborate this assignment, Dragos does recognize this group as a unique activity group, referred to as COVELLITE.

An analysis of available malware indicates a sophisticated payload with multiple anti-analysis techniques. Although Dragos was unable to analyze full functionality as the malware is designed to pull resources from its command and control (C2) infrastructure, Dragos was able to identify sufficient indicators of activity for initial defense.

Details

Dragos identified the initial COVELLITE samples soon after the first phishing attempts. The malware sample immediately appeared suspicious, given a file extension mismatch (the sample is labeled as a DLL but is an EXE) and a spurious creation date indicating timestamp manipulation.
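The two static red flags named above, an extension that does not match the PE image type and an implausible build timestamp, are cheap to check at intake. The routine below is an added example and not Dragos code or anything from the report; its inputs are constructed in-memory PE stubs rather than real samples, and the 2000-01-01 "plausible era" cutoff is an assumed heuristic.

```python
"""Static triage for a DLL/EXE extension mismatch and a manipulated build timestamp.

Added example, not Dragos code. Samples are constructed PE stubs, not real malware.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL
PE_SIGNATURE = b"PE\0\0"


def build_pe_stub(is_dll: bool, timestamp: int) -> bytes:
    """Construct a minimal PE image: DOS header + PE signature + COFF file header.
    Only the fields the triage reads are meaningful; everything else is zero."""
    e_lfanew = 0x80                                  # offset of the PE signature
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew lives at DOS header offset 0x3C
    # EXECUTABLE_IMAGE (0x0002) | 32BIT_MACHINE (0x0100), plus the DLL flag if requested
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH",
                       0x014C,          # Machine: i386
                       1,               # NumberOfSections
                       timestamp,       # TimeDateStamp: seconds since the Unix epoch
                       0, 0,            # PointerToSymbolTable, NumberOfSymbols
                       0xE0,            # SizeOfOptionalHeader
                       characteristics)
    return bytes(dos) + PE_SIGNATURE + coff


def parse_coff_header(data: bytes) -> dict:
    """Return the TimeDateStamp and Characteristics fields from a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"timestamp": tstamp,
            "characteristics": chars,
            "is_dll": bool(chars & IMAGE_FILE_DLL)}


def triage(filename: str, data: bytes, now: datetime) -> list:
    """Return human-readable findings: extension/header mismatch, and a build timestamp
    that is in the future or predates any plausible toolchain (assumed cutoff 2000-01-01)."""
    hdr = parse_coff_header(data)
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "dll" and not hdr["is_dll"]:
        findings.append("extension says DLL but IMAGE_FILE_DLL is not set (EXE image)")
    elif ext == "exe" and hdr["is_dll"]:
        findings.append("extension says EXE but IMAGE_FILE_DLL is set (DLL image)")
    built = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)
    if built > now:
        findings.append(f"build timestamp {built:%Y-%m-%d} is in the future")
    elif built < datetime(2000, 1, 1, tzinfo=timezone.utc):
        findings.append(f"build timestamp {built:%Y-%m-%d} predates any plausible toolchain")
    return findings


def run_constructed_samples() -> dict:
    """Constructed inputs (not real samples): one mimics the pattern in the report
    (named .dll, actually an EXE image, future build date), one is a clean DLL."""
    now = datetime(2017, 9, 25, tzinfo=timezone.utc)                 # assumed analysis date
    suspicious = build_pe_stub(is_dll=False, timestamp=1577836800)   # EXE image, "built" 2020-01-01
    clean = build_pe_stub(is_dll=True, timestamp=1456790400)         # DLL image, built 2016-03-01
    return {"update.dll": triage("update.dll", suspicious, now),
            "helper.dll": triage("helper.dll", clean, now)}


if __name__ == "__main__":
    for name, findings in run_constructed_samples().items():
        print(name, "->", findings or ["no static findings"])
```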

A further review identified almost no outwardly suspicious items beyond the above. However, once the sample was subjected to more advanced analysis, additional features clearly indicating malicious intent began to emerge.

When executed, the malware attempts to retrieve an external resource by creating a raw network socket to three internet protocol (IP) addresses (see indicators of compromise table). The IP addresses in question are interesting, as they belong to legitimate institutions such as a Mexican university. The other two are Internet Service Provider (ISP) addresses in Brazil and Italy. Based on this information, Dragos concludes


Dragos Software: Dragos Platform

Overview

The Dragos Platform is the most technologically complete solution in the industrial cyber-threat detection and response market today. It provides security teams with unprecedented knowledge of their industrial control system (ICS) assets and activity, the threats and adversaries they face, and the tools and knowledge to defend against them. It is the industry’s first and only solution to codify and integrate the knowledge of the industry’s most trusted ICS security experts and an intelligence-driven approach with software technology.

Who it’s For

The Dragos Platform is for industrial organizations seeking a highly effective cybersecurity solution expressly built for industrial networks, particularly those facing the challenge of building and retaining a high-performing industrial network/ICS security team.

What it Does

The Dragos Platform provides all of the necessary capabilities to gain visibility into industrial networks across the entire industrial cybersecurity framework. It operates as a security incident and event management (SIEM) solution, purpose built for industrial environments, and can be deployed in a security operations center (SOC) model. It is modularly designed so that it can be deployed in whole or in parts to address both immediate and longer-term needs.

Asset Discovery

■ Passively identify all assets and communications on the network

■ Visualize and map network security zones and identify attack paths

■ Set one or more network baselines against which to monitor changes

■ Scalable to hundreds of thousands of assets across multiple sites

Threat Detection

■ Dragos threat behavior analytics provide rich context as to what is occurring and what to do next

■ Indicator of Compromise and Query-Focused Datasets support threat hunting

■ Collects, stores and analyzes logs and data from host systems, logic controllers and data historians, not just data traffic

Investigation Playbooks & Workbench

■ Use case management tools to manage incident response case notes, forensics and collaboration

■ Playbooks from Dragos experts drive standardized, best-practice response

■ Automation and orchestration between different security tools reduces workload

■ Reporting and Dashboards monitor analyst and system activity

Key Benefits

ICS Focused – designed for ICS environments by ICS operations and cybersecurity experts

Passive – no active scanning or querying of ICS

Scalable – designed to monitor as many as hundreds of thousands of assets across multiple sites

Intelligent – threat alerts contextually enhanced with behavioral analytics for faster, more effective incident investigation and response

Superior TCO – threat behavior analytics and investigation playbooks drive down hard and soft security operations costs

Not All ICS Cybersecurity Solutions are the Same

The Dragos Platform was designed and built by recognized ICS security practitioners who have lived the challenges that security teams face securing industrial control systems and their surrounding infrastructure. Our deep understanding of those challenges and the ICS threat landscape is reflected in our differentiated approach to providing a solution to them, as shown below:

Criterion | Dragos Platform | Typical Industry Solutions

Principal threat detection method | Threat Behavior Analytics | Anomaly Detection

Ongoing system/training adjustment | Minimal | Significant

Alert/threat response capabilities | Automated/Integrated into Platform | Manual/On Operator

False positives | Few | Many

Threat intelligence | Integrated into Platform | Manual/On Operator

Detailed threat context with alerts | Yes | No

Potential for alert fatigue | Low | High

Ongoing cost of ownership | Low | High

“The Dragos Platform provides us with a level of real-time, situational awareness and monitoring capabilities unparalleled in the industry today, which was never before possible within our Windfarm networks. It has become an integral part of our day-to-day cybersecurity, OT network monitoring, and asset management program and has eliminated a number of manual processes while increasing our speed of incident response. A high-value system for any organization whose operations are dependent upon ICS technology, processes, and protocols.”

Marc DeNarie, Chief Information Officer, NaturEner USA

Dragos Threat Operations Center

Dragos ThreatView Service

Overview

The unique architectures and protocols of ICS networks and the developing state of ICS cybersecurity pose new challenges for many asset owners, confronting them with an unclear threat landscape and a shortage of ICS/OT security expertise to help bring it into sharper focus. Dragos ThreatView combines seasoned threat hunters, unparalleled ICS threat intelligence and advanced technology to find hidden threats inside ICS networks, so they can be neutralized.

Who it’s For

The Dragos ThreatView service is for ICS security stakeholders who recognize the challenge of truly knowing their ICS networks, and the risk that unknown threats or gaps in security coverage present to safe and reliable operations.

What it Does

A Dragos ThreatView engagement evaluates the visibility and defensibility of an ICS Network and its related processes over an approximately six-week period. It identifies likely attack vectors, determines strengths of defenses, and identifies previously unrecognized malicious activity efficiently and non-invasively, working as an extension of the local ICS security team. Upon completion of the engagement Dragos provides a findings report outlining the extent of the threat hunt, key observations made and recommendations for improvement.

Plan: define engagement scope, review information, discuss goals and expectations, and form a ThreatView hypothesis

Collect: aggregate ICS network activity and log data

Analyze: analyze data to discover hidden threats and other issues

Report: report any threats found as well as other observations

Automate: provide recommendations to resolve discovered issues and improve defenses on a sustained basis

Key Benefits

Reliability – minimize network downtime and reduce costs

Better Informed Decisions – understand the threat landscape for a specific ICS network with additional context related to the environment

Secure – ICS network and related sensitive data never leaves company premises

Non-Invasive – engagement activity does not interfere with regular operations

Dragos Threat Operations Center

Dragos Incident Response Service

Overview

The Dragos Incident Response Service helps asset owners prepare for, respond to and recover from cyber incidents. Its elite team of experienced incident responders is available 24x7 to assist ICS operations and security personnel in resolving crisis situations as quickly as possible, and with the confidence of knowing that the situation has been truly resolved. Like insurance, the Dragos Incident Response Service manages the risks associated with the unknown and speeds the recovery when incidents happen.

Who it’s For Dragos Incident Response Service is for organizations that need to supplement existing OT and IT staff responsible for the reliability of ICS operations.

What it Does Dragos Incident Response Service provides a range of services that help ICS security teams prepare for, respond to, and recover from cyber incidents. The service can reduce the time it takes to recover and resume operations when incidents occur, reducing the potential safety, financial and/or reputational consequences.

Key Benefits

Reduced Risk – increases preparedness before incidents and provides rapid mitigation when they happen

Immediate – 24/7 telephone support and on-site support as quickly as within 24 hours

Flexible – options to support a wide range of needs and budgets, with hours applicable towards incident response, training and threat hunting services

Trusted – Dragos provides the most experienced ICS threat responders, best ICS threat intelligence, and advanced threat detection and response tools in the industry

Prepare: define key personnel, roles, processes, communication paths and key constraints

Identify: classify incident and its cause(s), the extent of the breach and operations impact

Contain: analyze, secure and stabilize the impacted ICS, gather relevant forensics

Eradicate: remove the threat completely, including its root cause, and deploy improved defenses

Recover: bring ICS back online safely, monitor its behavior and validate mitigations

Review &amp; Adjust: interpret findings and lessons learned, and adjust policies, procedures and preparation to prevent recurrence

Know what to do

Dragos ICS Cybersecurity Training

Overview Dragos ICS Cybersecurity Training increases the skills and capabilities of security teams operating in industrial environments. Our principal course, Assessing, Monitoring and Hunting ICS Threats, is an intensive five-day, hands-on course that covers industrial control system (ICS) basics, ICS cybersecurity best practices, assessing industrial environments, ICS threat hunting, and industrial network monitoring. Courses are offered at Dragos’ state-of-the-art training center in Hanover, MD.

Who it’s For ICS and OT security professionals seeking to increase their knowledge of ICS cybersecurity best practices and Dragos’ industrial security methodologies and technologies, as well as IT security professionals who want to expand their knowledge of industrial environments and how securing them differs from IT environments.

What it Does Students learn through hands-on and instructor-led training incorporating real-world case studies and exercises designed to reinforce the concepts taught. Students are placed in various roles that give context to the learning and frame the hands-on activities, including an OT engineer role, a Red Team role, and a Security Operations Center (SOC) analyst role, working with real control systems and industrial data through labs and exercises.

Key Benefits

Intensive – students learn a wide range of critical skills in five days

Hands-On – classroom instruction is reinforced through labs, activities and role playing

Expert Instruction – course instructors are drawn from Dragos’ team of ICS cybersecurity experts

Assessing, Monitoring and Hunting ICS Threats Course Overview

DAY 1: Industrial Systems and Networks

DAY 2: Assessing ICS Environments

DAY 3: ICS Threat Hunting

DAY 4: Industrial Network Monitoring

DAY 5: Capstone – Defending Against Real-World ICS Attack Scenarios

Training Center Student Workstations

The Dragos Team

Leading Industrial Cybersecurity

Headquartered in metropolitan Washington DC, Dragos’ team of industrial cybersecurity experts are practitioners who have lived the problems the industry faces, hailing from the U.S. Intelligence Community to private-sector industrial companies. The team has over 100 years of combined experience in securing ICS and countering industrial security threats, by far the largest concentration of such expertise in the industry today. That experience includes:

■ leading the U.S. intelligence community team that developed analytics, tools, and best practices for identifying nation-state cyber-adversaries targeting U.S. government and critical infrastructure networks

■ leading the U.S. intelligence team in charge of developing advanced analytics to detect threats targeting ICS/SCADA networks

■ advising a wide range of tactical ICS defenders up through all levels of national security leadership on nation-state adversaries targeting industrial infrastructure

■ leading cyber-analysis for the Electricity Information Sharing and Analysis Center

■ building and leading a major energy company’s network security monitoring, forensics and incident response teams

■ developing the world’s only ICS-specific incident response course, and the cyber-threat intelligence training courses, for SANS

■ co-creating the Diamond Model of Intrusion Analysis, one of the most widely used methodologies for organizing and verifying analysis of advanced persistent threats

■ direct incident response involvement in virtually every major power-grid cyber-attack worldwide

■ lead role in uncovering and analyzing major malware threats to industrial infrastructure, including Trisis and CrashOverride

“Dragos offers industrial customers industry-leading technology, services, and intelligence products, but our most important differentiator is our team, and its ability to bring a practitioner’s perspective to all that we do. In addition to the depth of valuable functional and industry knowledge each team member brings to Dragos, they bring the insights that only come from experience, and the deep commitment to safeguarding civilization that drives the Dragos mission.”

Robert M. Lee, Dragos CEO and Founder

Contact Information

1745 Dorsey Road, Hanover, MD 21076 USA

dragos.com | [email protected]

“The passive cybersecurity defenses used in most industrial cybersecurity programs may be adequate for low-risk facilities. But operators in critical industries need to recognize that, increasingly, they are on ‘the radar’ of sophisticated attackers and must be able to ensure that their programs can defend against non-traditional, targeted attacks. Active monitoring and management of anomalies by qualified people is essential.

Adopting a context-aware, intelligence-driven approach, like that offered by Dragos, can help ensure that these resources have the information and tools they need to be both effective and efficient.”

ARC Advisory Group, December 2017

v.2.0 2/18 | Copyright © 2018 Dragos, Inc. All Rights Reserved.