Dragos’ November Knowledge Pack is now available to Dragos Platform customers!
Dragos Knowledge Packs are monthly deliveries of the latest threat behavior analytics, ICS/OT device data, and investigation playbooks to ensure our customers are armed with the proactive, comprehensive information needed to better understand their ICS/OT environments and combat advanced threats. This ICS-focused knowledge comes from our expert team of industrial consultants and intelligence & vulnerability analysts and is codified into software updates that are delivered to customers via the Dragos Customer Portal.
Key areas of focus for this month’s update are:
Enhanced visibility of OT device communications
This month’s knowledge pack features improvements to the way the Platform analyzes Common Industrial Protocol (CIP) traffic in order to assist in identifying when devices connect to PLCs. Users will also notice that there is now better fidelity in identifying Open Platform Communications (OPC) Foundation protocols, which are used to communicate data between devices on an OT network, such as from PLCs to HMIs. This includes OPCDA (for real-time data transmission), OPCHDA (for historical data), and OPCAE (for alarms & events).
While these communications are, of course, completely normal and integral to a plant’s standard operations, having the ability to see connections that aren’t expected is an important factor in ensuring your OT network – and ultimately industrial processes – remain uninterrupted.
New threat behavior analytics
Various threat behavior analytics have been added to identify evidence of potentially malicious activity, such as CIP program file download, file upload, and modify control logic. A CIP program file download that falls outside of a planned device upgrade, for example, could indicate that an adversary may be attempting to disrupt a response function or process control.
In order to accelerate the investigation process, the Dragos Platform can now identify suspicious files using heuristics. Transferred files are analyzed against a reference list of known files of interest, flagging those that may be suspect. For example, an attacker may create files that appear to be masquerading as legitimate files. Similarly, files may appear that are not on the vendor/system allowed list or may contain legitimate code that can be leveraged by malware to interact with control systems.
With each new release, customers will find that the Platform detections have MITRE ATT&CK® for ICS Tactics and Techniques mapped to them, providing a common reference for known attacker behaviors. If you wish to learn more about this new framework and how you can put it to use in your organization, we invite you to download our recent whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”.
Dragos’ Knowledge Packs also contain the latest indicators of compromise from the Dragos Threat Intelligence team, automating the detection of pieces of forensic data that may identify malicious activity on an OT network.
Ready to put your insights into action?
Take the next steps and contact our team today.