Six Steps to Effective ICS Threat Hunting

Overview

On November 22, Dragos Principal Threat Analysts Dan Gunter and Marc Seitz were joined by Tim Conway, Technical Director – ICS and SCADA Programs at SANS, to introduce a 6-step ICS threat hunting model. They demonstrated how to apply it to real-world threat hunting scenarios, pinpoint adversary behavior patterns, and stop ICS threats from going undiscovered.

Topics covered:

• Why proactive threat hunting is necessary for ICS cybersecurity defense
• How to complete effective threat hunting
• What adversary behavior patterns look like
• How to apply the model to real-world threat hunting scenarios
• How to measure the effectiveness of threat hunts

Speaker Bios

Tim Conway

Technical Director – ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Marc Seitz

Mark coordinates industrial control system cyber test lab functions and performs ICS threat hunting services for Dragos customers.

He designs and implements innovative simulated industrial environments to provide a safe and realistic training and attack simulation experience for internal and external analysts. He also conducts onsite vulnerability assessments and threat hunting services. Marc studied Cyber Operations while at the United States Naval Academy where he was exposed to a wide variety of topics including networking, programming, legal, and cyber warfare.

Dan Gunter

Dan Gunter is a Principal Threat Analyst and discovers, analyzes and neutralizes threats inside of ICS/SCADA networks. He performs threat hunting, incident response, and malware analysis mission for the industrial community. Previously he served in a variety of Information Security roles as a Cyber Warfare Officer in the US Air Force and as a technical advisor on security and acquisition issues. Dan is a graduate of the Department of Defense’s elite Computer Network Operations Development Program (CNODP) and the Air Force Research Lab’s Advanced Course in Engineering Cyber Security Boot Camp (ACE). He has spoken at Blackhat, Shmoocon and local information security events.