The Dragos Blog

Read the latest from the Dragos Team

Recap of the Dragos Industrial Security Conference (DISC) 2018

A meeting of like-minded ICS asset owners and operators

Dragos Team - November 12, 2018

Dragos Webinar Series: Secrets of ICS Cybersecurity

A 3-part series on detecting and responding to ICS threats

Dragos Team - October 17, 2018

Meet the Dragos Team in A City Near You

16 conferences to meet industrial control systems (ICS) cybersecurity experts in person

Dragos Team - September 27, 2018

Remarks to WAPA 2018: Cyber Threats and Response in Regional Electric Utilities

Notes from remarks at the 2018 Western Area Power Administration (WAPA) Technology Security Symposium.

Sergio Caltagirone - August 21, 2018

Threats to Electric Grid are Real; Widespread Blackouts are Not

The US electric grid is not about to go down. Though it’s understandable if someone believed that. Over the last few weeks, numerous media reports suggest state-backed hackers have infiltrated the US electric grid and are capable of manipulating the flow of electricity on a grand scale and cause chaos.

Selena Larson - August 6, 2018


Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017.

Dragos, Inc. - August 2, 2018

EvtxToElk: A Python Module to Load Windows Event Logs into ElasticSearch

On a recent threat hunt, we found ourselves in a position out in the field at a place with limited internet bandwidth and only our laptops for approved hardware resources for data. One of the datasets supplied for the engagement comprised of 5-6 GB of Windows Event Logs stored as .evtx files.

Dan Gunter & Marc Seitz - July 17, 2018

Questions and Considerations from Alleged Ukraine Chemical Plant Event

On 11 July 2018, Interfax-Ukraine released a short, somewhat ambiguous, but very concerning press release from the Security Service of Ukraine (SBU) on a thwarted attack on a chlorine production plant.

Joe Slowik - July 16, 2018

TRISIS Takeaways: Defensive Techniques and Trench-Building for the Blue Team

TRISIS was an interesting piece of malware to analyze and represents a lot of “firsts” regarding both ICS attacks and embedded systems exploitation.

Jimmy Wylie and Reid Wightman - June 26, 2018


While initial media coverage treated MAGNALLIUM as a significant threat to critical infrastructure, Dragos analysis suggests that the group lacks ICS-specific capabilities and focuses exclusively on information gathering at this time.

Dragos, Inc. - June 21, 2018

The Myth of the Adversary Advantage

The Adversary Advantage is a illusory myth where it is believed adversaries have an inherent advantage due to needing to succeed only once, while defenders must succeed every time. Dragos aims to challenge the myth of the adversary advantage by providing tools to help defenders shape the landscape in which adversaries must operate.

Joe Slowik - June 19, 2018


DYMALLOY activity stretches back to 2015 and includes associations with activity into 2011. The activity focuses on intelligence gathering from industrial control system networks with an unknown intent.

Dragos, Inc. - June 14, 2018

Making ICS Training Accessible to the Greater InfoSec Community

Every twelve weeks, Dragos hosts “Assessing, Hunting and Monitoring Industrial Control System Networks,” a five-day course at its Hanover, Maryland headquarters.

Selena Larson - June 12, 2018


In December 2016, in Kiev, Ukraine, a significant malware incident blacked out a portion of the city’s electricity for about an hour. ELECTRUM is the activity group responsible for the 2016 power outage event caused by the ICS malware CRASHOVERRIDE.

Dragos, Inc. - June 7, 2018


COVELLITE compromises networks associated with civilian electric energy worldwide and gathers intelligence on intellectual property and internal industrial operations. COVELLITE lacks an industrial control system (ICS) specific capability at this time.

Dragos, Inc. - May 31, 2018

Indicators and ICS Network Defense

The notion that omitting IOCs from a report – whether public or private – may actively harm or disadvantage defenders really hits home, but in responding to this assertion I feel we can arrive at an even better understanding of the limitations of an IOC approach.

Joe Slowik - May 31, 2018


XENOTIME is easily the most dangerous threat activity publicly known. It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.

Dragos, Inc. - May 24, 2018

Supply Chain Threats to Industrial Control: Third-Party Compromise

Adversaries possess multiple options for attacking an organization via third-party compromise: Network pivoting, spear phishing, weaponized installs and certificate/credential theft.

Thomas Pope - May 22, 2018


The CHRYSENE activity group developed from long-running cyberespionage activity that first came into the general public’s consciousness after a destructive cyberattack in 2012 impacting Saudi Aramco.

Dragos, Inc. - May 17, 2018


ALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors.

Dragos, Inc. - May 10, 2018

The Current Industrial Threat Landscape: Reality Above Theory

The current industrial threat landscape is very concerning. All of our intelligence suggests industrial security entering a massive growth of threat activity which will likely last at least the next decade.

Sergio Caltagirone - May 2, 2018

Query Focused Datasets

Query focused datasets (QFDs) provide analysts with powerful tools for both proactive threat hunts and investigations.

Dan Gunter & Justin Cavinee - April 26, 2018

Dragos at RSAC 2018

Dragos made the annual cybersecurity pilgrimage to San Francisco, California on April 16-20 where each year thousands of people from the security industry gather for a week at the RSA Conference.

Selena Larson - April 25, 2018

Investigation Playbooks in the Dragos Platform

In the most stressful situations, effective training and well-documented processes and procedures are absolutely essential to reliable and uniform response.

Lesley Carhart - March 29, 2018

The Disappearing IT-IoT Divide and the Malware Poised to Take Advantage

By adopting a whole-network, defense-in-depth approach, asset owners and defenders can reduce their threat surface from such attacks.

Joe Slowik - March 28, 2018

Threat Hunting With Python Part 4

This week, we will look at a protocol commonly overlooked by many but crucial to control system operation: The Tabular Data Stream (TDS) protocol.

Dan Gunter - March 6, 2018

Threat Analytics and Activity Groups

In developing an analytic, the resulting detection methodology should not focus on a specific implementation of a behavior, but rather seek to cover multiple implementations of the behavior type.

Joe Slowik - February 26, 2018

Transferring Knowledge to Customers Through Software Technology

At Dragos, Inc., what we pride ourselves on, use as our technology differentiation, and offer as our most valued asset to our customers is knowledge transfer.

Robert M. Lee and Daniel Michaud-Soucy - February 14, 2018

Threat Hunting With Python Part 3

This week we will focus on the Server Message Block (SMB) protocol that enabled Wannacry, Petya, and Bad Rabbit attacks to be lethal at the global level and what defenders can do to hunt within this protocol.

Dan Gunter - January 30, 2018

Threat Hunting With Python Part 2

This week we will move away from hard-coded indicators and begin to look at behavioral indicators. Behavioral indicators allow identification of scanning in an environment beyond just that of Nmap.

Dan Gunter - Nov 28, 2017

Threat Hunting With Python Part 1

Over the next few weeks, we will look at basic analytic approaches that can be taken to examine some of the most common protocols found on typical networks. This week we will get started with basic HTTP analysis using Python and Jupyter notebooks.

Dan Gunter - Nov 20, 2017

Threat Hunting Part 2: Hunting on ICS Networks

In this edition of the Dragos Threat Hunting on ICS network series, we will compare threat hunting on industrial networks with concepts from the wider threat hunting community. We will also look at how the unique characteristics of industrial networks can be used to an advantage as network defense professionals

Dan Gunter - October 3, 2017

Threat Hunting Part 1: Improving Through Hunting

This post is a first in series that will describe hunting, discuss best practices and explain our approach and lessons. Because hunting in industrial infrastructure is important to all of us and with focus and effort we can accomplish it.

Ben Miller - August 31, 2017

Stop Breaches, Safeguard Civilization

Today Crowdstrike and Dragos issued a joint press release to finally announce the partnership we’ve developed over the course of the last year.

Ben Miller - July 19, 2017


This webcast explores what is known and not known about the CRASHOVERRIDE framework and how it affects our understanding of how grid operations can be impacted.

Dan Gunter, Ben Miller, Joe Slowik - June 19, 2017

Project MIMICS - Stage One

What can the community learn in terms of realistic metrics and data points around malware in modern industrial control systems (MIMICS) from completely public datasets? That’s what project MIMICS sets out to do.

Robert M. Lee - April 2, 2017

Contact Us

Industrial Control Systems