By Gregory Hale
Visibility into the network, along with threat detection, remains the key area for end users these days, and there is now an updated platform that can give end users a boost.
Dragos, Inc. released Dragos Platform 1.2 Tuesday. The Dragos Platform contains capabilities to gain visibility into industrial networks, monitor them for threats, and perform investigations. The platform analyzes network traffic and it also collects, stores, and correlates logs and data from host systems, logic controllers, and data historians.
The enhancements in the Dragos Platform 1.2 include content packs containing threat behavior analytics, and investigation playbooks that enable faster, more effective threat investigation and mitigation.
Threat behavior analytics is a form of detection focused on adversary tradecraft that is more scalable and efficient. The Dragos Platform threat behavior analytics provide immediate value without requiring a baseline and contain rich context, enabling the operator to know what is occurring and what to do next. These threat behavior analytics are created by Dragos’ intelligence team specialists, who constantly monitor for and analyze new threats.
Each threat behavior analytic in the Dragos Platform is paired with an investigation playbook created by Dragos’ threat operations center. This “what would Dragos do” style playbook contains step-by-step guides for customers to follow for each specific alert and automatically correlates and delivers the appropriate datasets to the analyst. This feature reduces the degree of ICS experience and expertise existing security practitioners need to become effective in industrial environments, as well as the amount of time even experienced analysts require to complete investigations.
“This is a showcase of a codification of knowledge on a regular basis down to the platform. While operations could use this, it really should be used by a security professional because at the end of the day you always want a human in the loop, and before everyone starts to freak out about what is going on, there has to be a human that helps them,” said Robert M. Lee, chief executive and founder of Dragos. “That being said, the output that is occurring here could absolutely get to operations very quickly. We are taking this context-driven way to do detection; the time and effort required to get to and understand what is going on, using a root cause analysis for example, is significantly decreased. The ability to get things to the operations staff to make decisions is amplified.”
Threat hunting is a key strategy for reducing “adversary dwell time” and the corresponding safety, financial, regulatory or reputational risks that could accompany a serious incident, but is often a challenge for resource-stretched security teams. Investigation playbooks can be used as a guide to facilitate efficient, proactive hunting of hidden threats by security teams.
In addition, Dragos ICS WorldView focuses on cyber threat intelligence. These weekly reports contain insights into threats, adversaries, and indicators of compromise, as well as context and recommended actions for industrial security professionals. These IOCs, and those from other sources, can now be imported directly into the Dragos Platform and security teams can execute IOC sweeps across the data as a scoping and forensics tool while facilitating community information sharing.
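The IOC sweep described above, as an added example in Python that is not Dragos code: a small indicator list in a constructed CSV-style feed (type, value, label) is swept across constructed syslog-style lines from a firewall, a DNS resolver, an engineering workstation and a historian, and the hits are rolled up into the scoping questions an analyst asks first (which indicators hit, on which assets, and over what time window). The feed and log formats, the field names `src=` and `client=`, and every address, domain and hash are assumptions made for the example; the addresses come from the RFC 5737 documentation range and the hash is the SHA-256 of empty input, so none of them points at a real system.

```python
"""Sweep a constructed IOC feed across constructed log lines and scope the hits.

Added example, not Dragos code. The feed format, log format and all values are
constructed for illustration; matching is whole-token so 203.0.113.4 does not
hit an indicator for 203.0.113.45.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicator feed in the shape "type,value,label" (one per line).
IOC_FEED = """\
ip,203.0.113.45,example C2 address (RFC 5737 documentation range)
domain,update.example.net,example staging domain
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,example hash (SHA-256 of empty input)
"""

# Constructed log lines: "<timestamp> <sensor> <event> key=value ...". Not real events.
LOG_LINES = [
    "2024-03-04T08:01:12Z fw01 conn src=10.10.5.21 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-04T08:01:15Z dns01 query client=10.10.5.21 name=update.example.net type=A",
    "2024-03-04T08:02:40Z ews-07 file_create path=C:\\Temp\\svc.dll sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-03-04T08:05:00Z plc-hist01 read tag=Pump1.Speed value=1450",
    "2024-03-04T09:10:03Z fw01 conn src=10.10.7.3 dst=203.0.113.45 dport=443 action=deny",
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    label: str


@dataclass(frozen=True)
class Hit:
    indicator: Indicator
    timestamp: str
    sensor: str   # device that produced the log line
    asset: str    # asset the event is about: src=/client= when present, else the sensor
    line: str


def parse_feed(text: str) -> list[Indicator]:
    """Parse the constructed 'type,value,label' feed; blank and '#' lines are skipped."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ioc_type, value, label = (p.strip() for p in raw.split(",", 2))
        out.append(Indicator(ioc_type.lower(), value, label))
    return out


# A token boundary for indicator values: not adjacent to alphanumerics, dots or hyphens.
_LEFT = r"(?<![A-Za-z0-9.-])"
_RIGHT = r"(?![A-Za-z0-9.-])"
_ASSET_RE = re.compile(r"\b(?:src|client)=(\S+)")


def compile_indicator(ioc: Indicator) -> re.Pattern[str]:
    """Build a whole-token pattern; domains also hit on their subdomains, hashes ignore case."""
    v = re.escape(ioc.value)
    if ioc.ioc_type == "domain":
        return re.compile(_LEFT + r"(?:[A-Za-z0-9-]+\.)*" + v + _RIGHT, re.IGNORECASE)
    if ioc.ioc_type in ("md5", "sha1", "sha256"):
        return re.compile(_LEFT + v + _RIGHT, re.IGNORECASE)
    return re.compile(_LEFT + v + _RIGHT)  # ip and anything else: exact token


def sweep(lines: list[str], indicators: list[Indicator]) -> list[Hit]:
    """Return one Hit per (line, indicator) pair where the indicator occurs in the line."""
    compiled = [(ioc, compile_indicator(ioc)) for ioc in indicators]
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # not in the constructed "<timestamp> <sensor> <event...>" shape
        timestamp, sensor = parts[0], parts[1]
        m = _ASSET_RE.search(line)
        asset = m.group(1) if m else sensor
        for ioc, pat in compiled:
            if pat.search(line):
                hits.append(Hit(ioc, timestamp, sensor, asset, line))
    return hits


def scope(hits: list[Hit]) -> dict[str, dict]:
    """Per-indicator summary: hit count, affected assets, first and last seen."""
    summary: dict[str, dict] = {}
    for h in sorted(hits, key=lambda h: h.timestamp):  # ISO-8601 sorts lexically
        s = summary.setdefault(h.indicator.value, {
            "label": h.indicator.label, "count": 0, "assets": set(),
            "first_seen": h.timestamp, "last_seen": h.timestamp,
        })
        s["count"] += 1
        s["assets"].add(h.asset)
        s["last_seen"] = h.timestamp
    return summary


def affected_assets(hits: list[Hit]) -> dict[str, set[str]]:
    """Asset -> indicator values seen on it; the list an analyst pivots into next."""
    by_asset: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        by_asset[h.asset].add(h.indicator.value)
    return dict(by_asset)


if __name__ == "__main__":
    found = sweep(LOG_LINES, parse_feed(IOC_FEED))
    for value, s in scope(found).items():
        print(f"{value}: {s['count']} hit(s) on {sorted(s['assets'])}, "
              f"{s['first_seen']} .. {s['last_seen']}  [{s['label']}]")
    for asset, iocs in sorted(affected_assets(found).items()):
        print(f"{asset}: {sorted(iocs)}")
```

The two roll-ups are the point of a sweep as a scoping tool: `scope` answers "how long has this indicator been present and on how many assets", and `affected_assets` turns the same hits into the per-asset pivot list the investigation playbook would then walk. The whole-token boundaries matter in practice, since a bare substring match on an IP or domain produces false hits on neighbouring addresses and unrelated hostnames.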
“In the investigation of any incident, there is always something novel,” Lee said. “In the case of Trisis with the safety system, the modification of the safety logic was novel, so it wasn’t knowledge that we previously had. The misleading part was that you couldn’t detect it. Nothing else about that adversary’s kill chain was novel. Even in Trisis, the moving through the IT environment down to the engineering workstation and exfiltrating data off, nothing was novel except for the end result. If you are able to detect any aspect of the adversary’s steps, you can pivot through the investigation to find everything else including the novel thing. While our threat analytics are detecting adversary behaviors, our investigation playbooks will lead you through the process of finding anything including novel or Zero Day issues. To make it simple, there has never been an attack that has been 100 percent novel. Any given component or step could be novel or have Zero Day exploits, but the entire thing is not novel. When we think about exploits and vulnerabilities we mislead ourselves, but when we think about adversary intrusions or attacks we find ourselves in a defensible position.”