Using Threat Intelligence to Build a Mature OT Network Defense
Understanding how to use threat intelligence reporting for visibility into threats to your operational technology (OT) network and how to implement defensive recommendations is a critical step in building a mature OT network defense.
This blog will walk you through the key components of using threat intelligence to better secure OT environments and to develop a more mature industrial control systems (ICS) and operational technology (OT) cyber defense. It will demonstrate how the Dragos WorldView solution supports industrial organizations in maturing their network defense. It will use Dragos WorldView threat intelligence as an example to show how a full suite of threat intelligence offerings can help OT cyber security professionals develop a more mature OT network defense.
How to Identify Intelligence Requirements
The first step in understanding how to best use threat intelligence is knowing your intelligence requirements. An intelligence requirement is simply something you want to know more about. This can be any number of topics ranging from understanding threat groups, to knowing details about a new malware strain or ransomware group, to staying abreast of the latest indicators of compromise or industry-specific threats.
If you don’t know how to begin with this, see what information in previously published intelligence reports has jumped out at you in the past, identify why that information was so useful, who in your organization used it, and make note if you implemented any of the defensive recommendations. Every organization has intelligence requirements and identifying and prioritizing them is an important first step in developing a more mature use of intelligence in order to best protect your OT networks and operations.
Dragos works with WorldView intelligence reporting customers to help them identify intelligence requirements.
Communicating Intelligence Needs
Once you have defined and prioritized your intelligence needs, the next step is to communicate them to your intelligence team. Because they work pro-actively to find threats before they have an impact, Intelligence teams typically can’t guarantee what they will be able to report on, but their jobs are made a lot easier if they understand directly from customers what their intelligence needs and priorities are. These details help intelligence teams review their collection requirements, schedule hunts, prioritize reports, and much more. Without direct input from customers, intelligence teams are operating on their best presumption of your requirements. Chances are their presumptions are good, but there is always an appetite for direct input from customers.
Identifying your intelligence requirements will also save you time when reviewing published threat intelligence in WorldView and other publications. If you have not prioritized your intelligence requirements, then someone on your team will likely need to sift and sort through countless intelligence reports to find information of interest. However, if you have taken the time to fully understand your organization’s needs, you can prioritize which reporting to review in a timely fashion and what can wait until later, creating a more efficient workflow.
Using Threat Intelligence to Move Up the Maturity Curve
Once you have defined and shared your intelligence requirements, you are in a better place to know how you will use threat intelligence in your organization to meet your specific goals. You may find that the easiest path to mature usage of threat intelligence is linear. You can start with directly actionable intelligence and implement the given recommendations into your existing organizational practices or processes, and then incorporate more nuanced usages as you go. Some example use cases are as follows:
First Steps – Building Your Knowledge Base with Intelligence
Understanding the Threat Landscape
Before you even consider how to ingest indicators of compromise (IOCs) or implement defensive recommendations, you can use threat intelligence reporting to better understand your organization’s threat landscape. This foundational information includes what threat groups target your industry, geography, technologies, and how they target them. By having a better baseline understanding of the threats specific to your company and industry, you can start to narrow the scope of what you need to follow and better understand where to focus your time, energy, and defenses.
Ingesting Indicators of Compromise – Threat Detection
A logical next step (or even concurrent) is to ingest published indicators of compromise (IoCs) from an intelligence provider. This will give you a fundamental element of threat detection by allowing you to better hunt and monitor for communications with known or suspected bad infrastructure and provide early indications of malicious activities. Dragos WorldView customers can do this using the WorldView API into their existing security stack.
Indicators of compromise provide computing artifacts analysts use to identify malicious activity. This could be a hash value, IP address, malicious domain name, IPs, URLs, or malware. Industrial cyber security professionals use indicators of compromise to help them detect malware infections, data breaches, or other malicious activity. By monitoring for indicators of compromise, industrial organizations can detect attacks or attempted attacks and act quickly to prevent breaches from occurring.
As you progress in maturity and better understand how to use threat intelligence, and better understand what is “normal” in your OT environment, you will naturally move from indicator-based usage to a more proactive approach, such as threat hunting. This differs significantly from the passive approach of deploying indicators in your security tools but will provide meaningful insight into your own specific environment. Some use cases are as follows:
Threat Hunting/Incident Response
Once you have a good handle of what your threat landscape looks like and what threats to detect as a baseline (which Dragos customers can do by ingesting the IOCs from WorldView), you can start actively hunting for threats. A good way to begin a threat hunt or be prepared for incident response is to review intelligence reporting that includes tactics, techniques, and procedures (TTP) and other technical details about adversary behaviors and their campaigns. It is important to note the relevant report details, such as industry or region-specific information. Based on this information, you would then develop a hypothesis to use in your own hunts. For example, you could use threat group and TTP intelligence reporting to hypothesize which threat groups would target your company based on reporting of historic targeting and TTP usage. You can then hunt for that behavior in your own environment. Dragos WorldView reports provide this type of intelligence to help you scope your hunt along with defensive recommendations so you can begin to remediate any discovered threats.
Another way to strengthen your OT defenses is to use vulnerability assessments to help you prioritize and mitigate your vulnerabilities. The best way to do this is to review and assess the relevance of vulnerabilities reported on against the technologies that you use in your networks and environments. This will help you to plan and prioritize outages for patching (which can be a cumbersome process) and to follow defensive recommendations when a patch is not available or feasible to implement. Understanding and implementing these defensive recommendations will reduce the risk to your OT networks and allow you to make ongoing improvements to them based on any mitigations that may be provided.
Dragos customers receive vulnerability assessment reports with mitigations and corrected vulnerability severity scores in Dragos Worldview. For example, In Dragos 2021 Year in Review Report, Dragos Threat Intelligence assessed 1,703 ICS/OT common vulnerabilities and exposures (CVE) reported by various sources including independent researchers, vendors, and ICS-CERT. In 2021 Dragos found that 38% of those advisories contained incorrect data. Dragos provided mitigation advice for 69% of vulnerability advisories that lacked any such advice.
Additional Ways to Use Intelligence
As you become more familiar with the intelligence products you receive and understand how to incorporate them into your daily workflows, you should consider the bigger picture and less technical ways that the intelligence can help you, including the following:
Socialization of Threats
It can be very difficult to know how or when to share threat intelligence with a wider audience outside your immediate team. It can be even more challenging to translate technical and esoteric information to a wider audience, such as your corporate leadership, in a way that effectively captures their attention and tells them what they need to know. On the flip side, it can be equally frustrating when leadership gets spun up about something they hear on the news; for instance, you may need to de-escalate their concern.
There is a quarterly report in WorldView, the Executive Threat Insights Report, that is written to help ease the burden of knowing what to share with your leadership. This report is intended to help you capitalize on your time with leadership and help to highlight intelligence of importance. It provides relevant threat intelligence, written succinctly and in a way for non-OT security professionals to understand.
Justification of OT Cybersecurity Investment
Intelligence reporting, combined with your expert knowledge about issues specific to your industry and geography, will help you to easily build a case about the threat landscape. This will enable you to define the cybersecurity investment needed to adequately combat threats to your OT network and operations.
Feedback to the Intelligence Providers
Finally, don’t forget to provide ongoing feedback to your intelligence providers. If you are not seeing what you want to see in reporting, there is no way for them to know that without hearing directly from you. If you have specific intelligence needs defined, share those, as well. The intelligence cycle works best when intelligence customers are vocal and feel empowered to share their thoughts often. The more you can tell your intelligence provider what you need, the more likely you are to see something of interest in intelligence reporting.
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.