Live Webinar:

Join us Apr. 1st for a Town Hall as Robert M. Lee shares insights from his testimony before the U.S. House of Representatives Subcommittee on Cybersecurity and Infrastructure Protection.

Skip to main content
The Dragos Blog

11.12.21 | 1 min read

New Knowledge Pack Released (KP-2021-008-M)

Dragos, Inc.

Each Knowledge Pack contains the latest updates from the Dragos Threat Intelligence team, automating the detection of potential malicious activity on an industrial network. They provide regular updates related to protocols, threat intelligence analytics, ICS/OT device data, and investigation playbooks to equip our customers with comprehensive visibility into their environments.

Knowledge Pack KP-2021-008-M is an especially significant collection of updates that broadly addresses ransomware in ICS/OT environments, along with a number of key OEM vendor and protocol coverage enhancements. The following is a representative sample:

Characterizations

  • Synchrophasor – to dissect and summarize Synchrophasor (IEEE C37.118) traffic, most commonly used in power systems
  • S7comm – to identify hardware modules and summarize traffic between Siemen’s PLCs in the S7 300/400 family
  • Honeywell – characterization and dissection for Experion FTE and MERCOR traffic, improving visibility into family asset properties
  • OPC – uses OPC traffic to characterize device manufacturer, model, and role from multiple vendors and builds a Query Focused Dataset (QFD) to support further analysis

Detections

  • BACnet – detects a “Length Value Type” error which could negatively affect data transfer and actions expected by BACnet devices
  • Vnet/IP (Yokogawa) – many detections across Vnet/IP, a real-time plant network system for process automation and used as the core network for Yokogawa CENTUM distributed control systems (DCS)
  • Ransomware – one of our biggest updates related to ransomware detections, including: RYUK, BitPaymer, CLOP, DarkSide, Egregor, LockBit 2.0, LockerGoga, Maze, Mount Locker, Netwalker, Nefilim, Netwalker, Ragnar Locker, Sodinokibi, and WastedLocker
  • Administrative activities – RDP to critical enterprise management assets (domain controllers, File/Syslog Servers, etc …), non-standard RDP ports, remote usage of xp_cmdshell on Microsoft SQL Server, “PowerShell Empire” C2 signatures and traffic, could all signal malicious activity

With each release, customers will find that the Platform detections have MITRE ATT&CK® Tactics and Techniques mapped to them, providing a common reference for known attack behaviors. Earlier this year, Dragos participated in the 2021 MITRE Engenuity ATT&CK® Evaluations for Industrial Control Systems with strong results. If you could like to learn more about the MITRE ATT&CK framework and how to put it to use in your organization, we invite you to download our whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”.

Dragos Platform Knowledge Packs are available for download from the Dragos Customer Portal.  Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation.  Users with additional Dragos subscriptions, including Neighborhood Keeper and WorldView Threat Intelligence, access those services using their Customer Portal credentials.  Customers can login or register for a Customer Portal account at portal.dragos.com.

For more background on Dragos Knowledge Packs and how we continuously funnel our expertise into the Dragos Platform, we welcome you to read this overview or contact sales@dragos.com.

Protect Your ICS Environment from Ransomware with Risk Assessments
Learn how to stop ransomware before it becomes a problem in this on-demand webinar.

Ready to put your insights into action?

Take the next steps and contact our team today.