We’re pleased to announce the April 2021 Knowledge Pack is now available to Dragos Platform customers.
In cybersecurity, detection and prevention are almost always preferred over remediation. Thankfully, even when attackers resort to new techniques, we are often able to incorporate knowledge from old, or related, methods to improve new detections. When those attacks can be detected and thwarted, costly cybersecurity fire drills can be avoided. In this month’s Knowledge Pack update, we continue to provide customers with additional capability to stay a step ahead of attackers, while also strengthening their overall asset visibility.
Some highlights of detections updated or added in the April 2021 Knowledge Pack include:
- Droppers – a type of malware used to deliver payloads for other tools like Cobalt Strike, scraping for credentials, executing “pass-the-hash” types of commands, or propagating inside compromised networks. Raindrop is one such example, associated with the Solarwinds Orion compromise. Others include PoetRAT (associated with STIBNITE) and GREYENERGY backdoors (used by KAMACITE)
- File transfers – once systems are compromised, lateral movement and the ability to distribute files are classic behaviors that attackers exhibit. With this update we have added detections for transfer of files like Windows Credential Editor, P.A.S. web shell, Mimikatz, and Exaramel (an updated version of CRASHOVERRIDE). We even monitor for files signed with once legitimate but more recently compromised certificates.
In addition to these detection updates, there are some notable characterizations that have been added for equipment from Foxboro and Honeywell which we know will be appreciated by customers in the manufacturing and oil & gas industries.
Each Knowledge Pack contains the latest indicators of compromise from the Dragos Threat Intelligence team, automating the detection of pieces of forensic data that may identify malicious activity on an industrial network. They provide regular updates of the latest protocols, threat intelligence analytics, ICS/OT device data, and investigation playbooks to equip our customers with the proactive, comprehensive information to better understand their environments and detect advanced threats. This ICS-focused knowledge is codified into software updates that are delivered to customers via the Dragos Customer Portal.
With each new release, customers will find that the Platform detections have MITRE ATT&CK® Tactics and Techniques mapped to them, providing a common reference for known attacker behaviors. If you wish to learn more about this framework and how you can put it to use in your organization, we invite you to download our whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”.
Ready to put your insights into action?
Take the next steps and contact our team today.