Live Webinar:

Join us Apr. 1st for a Town Hall as Robert M. Lee shares insights from his testimony before the U.S. House of Representatives Subcommittee on Cybersecurity and Infrastructure Protection.

Skip to main content
The Dragos Blog

10.06.20 | 1 min read

New Dragos Knowledge Pack: The Latest Industrial, Threat, and Device Data

Dragos, Inc.

Dragos’ latest Knowledge Pack is now available to Dragos Platform customers!

Dragos Knowledge Packs are monthly deliveries of the latest threat behavior analytics, ICS/OT device data, and investigation playbooks to ensure our customers are armed with the proactive, comprehensive information needed to better understand their ICS/OT environments and combat advanced threats.

With each new release, customers will also find that the Platform detections have MITRE ATT&CK® for ICS Tactics and Techniques mapped to them, giving them a common reference for known attacker behaviors. If you wish to learn more about this new framework and how you can put it to use in your organization, we invite you to download our recent whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”.

Key highlights of recent Knowledge Packs include:

New & Improved Protocol Information:

  • Expanded ICS/OT protocol inspection for the DeltaV Operate Protocol (DOP)
  • Expanded ICS/OT protocol inspection to identify communications between Schneider Electric Triconex devices
  • Expanded ICS/OT protocol inspection for Building Automation Systems devices utilizing BACnet, to include:
    • Firmware
    • Model
    • Device name
    • Application software version

New Threat Detections:

  • Tristation Halt command
    • Added detection related to high-risk Schneider Electric Triconex Safety System commands.
  • Metasploit CIP
    • Added detections for commands that attack EtherNet/IP CIP-based Rockwell PLCs in various ways.
  • BACnet
    • Added detections to identify firmware revisions and various protocol errors that indicate possible malicious behaviors.
  • Authentication Brute Force after Command & Control (C2)
    • Created a detection that is indicative of an actor successfully progressing through the cyber kill chain.
  • C2 after Exploitable File Download
    • Created detection that can be an indication that malware or lateral movement tools were dropped onto the host.
  • C2, Suspicious File Transfer, and PLC Impairment
    • Created detection around C2, suspicious file transfer, and PLC impairment events.
  • Port Sweep
    • Added various detections around port sweep behaviors.
  • SSH Reverse Tunneling Behaviors
    • Added threat behavior analytics to detect SSH tunneling of Dragos tracked activity groups.
  • GE SRTP Alerts
    • Several alerts added to detect operations on GE SRTP devices; for example: Program Download to PLC, Write System Memory, or Return Control Program Names.

New Characterizations:

  • GE Protocols & Applications
    • Improved port identification for over 2 dozen GE protocols and software applications.
  • Executable File Identification
    • Improved identification of different types of executable files.

Dragos’ Knowledge Packs also contain the latest indicators of compromise from the Dragos Threat Intelligence team.

To learn more about how Dragos Knowledge Packs work and how we continuously funnel our expertise into the Dragos Platform, read the Knowledge Packs Overview blog or contact sales@dragos.com.

Ready to put your insights into action?

Take the next steps and contact our team today.