March 2021 Knowledge Pack Released – with a CIP of goodness and a dash of herpaderping!

We’re pleased to announce the March 2021 Knowledge Pack is now available to Dragos Platform customers.

Each Knowledge Pack contains the latest indicators of compromise from the Dragos Threat Intelligence team, automating the detection of pieces of forensic data that may identify malicious activity on an industrial network. They provide regular updates of the latest protocols, threat behavior analytics, ICS/OT device data, and investigation playbooks to ensure our customers are armed with the proactive, comprehensive information needed to better understand their environments and detect advanced threats. This ICS-focused knowledge is codified into software updates that are delivered to customers via the Dragos Customer Portal.

Key areas of focus for this update include:

• Windows Host Event detections have been extended to provide additional coverage for possible attacker activity. This includes both discrete and sequenced steps that could be benign administrative operational tasks, but sometimes signal malicious behavior. Common Windows command line tools for network scanning, sniffing, and enumeration are now evaluated, as well as key web shells like Behinder and China Chopper. And yes … we even care about any herpaderping that might be going on in your environment. You should too!

• Composite Analytics – further to the “sequenced steps” detections mentioned above, we have added a number of composite analytics that combine signals from multiple sources to identify scenarios not typically caught by dedicated NIDS (network intrusion detection systems), anomaly detection systems watching for specific indicators of compromise (IoCs), or endpoint detection and response (EDR) agents which are rarely deployed in and not very well suited for OT environments. A generic example of this could go something like:
  
  
  • an interactive session to a host
  • a suspicious file transfer to that host
  • a program download from the host to a PLC
  • execution of the program on the PLC
  • a second program download from the host to a PLC

This combination of activities may indicate that a threat actor has accessed an EWS and is using it to manipulate a PLC.

• Common Industrial Protocol (CIP) – enhancements to threat behaviors and characterizations. Many industrial companies have devices in their environment that use CIP for network communications. In support of this, we’ve added new capability around key-state parsing, as well as detections for status errors and repeated command loops.

• Activity Group updates added for detections and threat indicators resulting from changes in patterns observed with XENOTIME, KAMACITE, and HEXANE – particularly related to GREYENERGY and BLACKENERGY backdoors and file transfer footholds. As adversaries evolve, we continue to incorporate new intel for improved visibility and threat management.

• Customers with Yokogawa equipment in their environments will appreciate new threat indicator updates around directory traversal, CAMS Logs Server DoS attacks and test user accounts

With each new release, customers will find that the Platform detections have MITRE ATT&CK® Tactics and Techniques mapped to them, providing a common reference for known attacker behaviors. If you wish to learn more about this framework and how you can put it to use in your organization, we invite you to download our whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”. To learn more about how Dragos Knowledge Packs work and how we continuously funnel our expertise into the Dragos Platform, read the Knowledge Packs Overview blog or contact sales@dragos.com.