New Knowledge Pack Released (KP-2023-001)

The Dragos Platform receives regular updates through Knowledge Packs which include enhancements to threat detections, protocol support, asset visibility, and response playbooks to equip customers with better OT visibility in their environments and the tools to respond. Each Knowledge Pack contains the latest insight from Dragos intelligence teams, streamlining the detection of devices and potential malicious activity across industrial networks.

Full release notes are available for registered customers in the Dragos Customer Portal, here are some highlights of what you can find there:

Detection and Characterization Updates

While preparing this Knowledge Pack, Dragos assessed newly disclosed vulnerabilities in 900+ products from various vendors, including: Mitsubishi Electric, Siemens, Phoenix Contact, Moxa, Rockwell Automation, and Digital Alert Systems. It includes updates to identify serial devices behind an SEL Port Server as well as devices utilizing the CoDeSys version 3 protocol. On the threat visibility side, a detection has been added for malware that utilizes a modified LZMA algorithm within multiple layers of shellcode, often an obfuscation technique to thwart detection and hinder analysis of remote access tools (RATs) loaded into memory on victim hosts. Also included is a detection for a possible Boa Webserver exploit, which results in an arbitrary file access for the attacker.

Over 280 characterizations and 540 detections are included in KP-2023-001 for customers running Platform 2.x.

New and Updated Dashboards – including NERC-CIP

This Knowledge Pack includes three new dashboards for: Environment Overview, Vulnerability Assessment, and NERC-CIP. The Environment Overview dashboard is the main dashboard in the Dragos Platform and replaces the original Dragos Platform Asset Communications and Protocols Communications dashboards. The Environment Overview dashboard has four key sub-section views: 1) Asset Inventory, 2) Asset Identification, 3) Network Traffic Analysis, and 4) Findings.

• The Asset Inventory page provides an initial count of the number of assets, then breaks them down by Sensor, Type, and Vendor, and provides details on when they were observed.
• The Asset Identification view provides a more in-depth view of how the assets in the environment have been characterized and presents the most common asset hardware and types.
• The Network Traffic Analysis view provides a brief overview of the traffic that is being observed in the environment, broken down by protocols, changes over time, and the top communicators observed in the network.
• The Findings view is an overview of findings on the network that customers are often concerned about such as “Unsecured Protocol Activity”, “Clear Text Authentication Metrics”, SMB and SNMP Protocol versions and analysis, and “Top 10 NTLM Anonymous Authentication Analysis by Destination.”

The Vulnerability Assessment Dashboard provides a quick overview of vulnerabilities detected in the environment, grouped by Zone, Sensor, Type, and Vendor. We designed this dashboard with speed and utility in mind and would love your feedback!

Of particular interest to certain regulated customers, the NERC CIP dashboard contains supporting information for compliance with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards. This dashboard contains supporting information for Electronic Security Perimeter, System Security Management, and BES Cyber System Categorization.

This dashboard isn’t intended to replace a fully resourced compliance program, but will definitely assist customers with identifying many of the key data points required:

• CIP-005-7 – Electronic Security Perimeter(s) – R1.5
• CIP-005-7 – Electronic Security Perimeter(s) – R2.4
• CIP-007-6 – System Security Management – R2.4
• CIP-002 – BES Cyber System Categorization – R5.1a

To learn more about Dragos Knowledge Packs and how we continuously incorporate our industry-leading OT expertise into the Dragos Platform, we invite you to read this overview or contact sales@dragos.com.