Today we are releasing three new reports detailing lessons learned from
our intelligence team and threat operations team over the past year. These reports cover important
metrics and findings across vulnerabilities, threat activity groups, and incident response and
hunting lessons learned.
Meaningful metrics and insights into the ICS vulnerabilities of
Ben Miller and Robert M. Lee worked throughout 2016 and published their findings in early 2017
to establish baseline, census-like metrics of IT malware infecting industrial networks. This
was done specifically to push back on under-reporting while also pushing against hyped-up
numbers. Read the blog and see their SANS ICS Summit Keynote on the topic.
A three-part blog series by Dan Gunter diving into the technical aspects of hunting using
Python in industrial networks. Dan released code, gave examples, and showed use cases
including how to identify adversary behaviors, utilize Jupyter notebooks, and hunt for
activity abusing SMB inside of industrial control networks.
A two-part series by Ben Miller and Dan Gunter on exploring the value of threat hunting in
industrial networks. They highlighted the value to asset owners and operators and their
security teams while also highlighting how to get started.
Sergio Caltagirone authored the preeminent whitepaper on understanding industrial
control threat intelligence's value, its unique nature, and how to measure its
effectiveness for organizations. This whitepaper sets forth a unique look that pushes
the community beyond indicators and toward intelligence.
This whitepaper analyzes the first ICS-tailored malware to cause disruptions in
electric grid operations. Dragos released this report after learning that news of the
malware was to be made public by others, though we informed the asset owner and
operator community ahead of the publication.
This whitepaper analyzes the first ICS-tailored malware to target safety
instrumented systems (SIS), which failed in its attempt to shut down plant
operations at a site in the Middle East. Dragos released this report after learning
that news of the malware was to be made public by others.
This panel discussion with Robert M. Lee as well as Richard Clarke, Kevin Mandia,
and Liam O'Murchu, moderated by Ted Koppel, explores cyber threats to the power grid
and what their real impact could be. Robert took the position that the threats are
real and becoming more aggressive, but that the U.S. electric power grids are some of
the most defensible systems on the planet and we should appreciate that they are not as
fragile as others (such as Ted Koppel) would like to imagine.
Joe Slowik took the CS3Sthlm Summit audience through an exploration of what it means
to do strategic network defense in industrial networks and how to weave together
proactive approaches with intelligence to stay ahead of the adversary. He further
showed case studies of how ICS-specific threats as well as non-ICS-specific
malware, such as those propagating with the ETERNALBLUE exploit, could impact operations.
Dan Gunter delivered a presentation on CRASHOVERRIDE at the CyberDEF Dojo in his
hometown of San Antonio, Texas, with a focus on a deep technical exploration of the
malware and its impacts. He educated the audience on power grids, the malware, and the IEC104
module it used, and showed packet captures and data taken from the Dragos
industrial range where he tested and recreated the Ukraine 2016 attack.
Ron Fabela delivered a presentation to CREDC on CRASHOVERRIDE with a specific focus on
understanding the events in the community leading up to CRASHOVERRIDE. This is a
great look at the historical side of the ICS security community, including
the hyped-up news stories as well as the real threats.
Brian Stucker delivered this presentation at BSides Augusta with a focus on how to
securely build networks for DevOps inside a corporate environment. He educated the
audience on Docker, Puppet, and other technologies to help securely set up an
environment to perform development.
Robert M. Lee presented the keynote for the 2017 SANS Cyber Threat Intelligence
Summit and argued to the audience that there is a distinct and important
difference between generating and consuming threat intelligence. He gave examples
along the Sliding Scale of Cybersecurity.
In this episode of Down the Security Rabbit Hole, Robert M. Lee joined guests Rafal Los and
James Jardine to explore the topic of IIoT and make the case that it is a closer extension of
ICS than of IoT. The discussion focused on raising awareness of and
research into the area, with a special focus on understanding industrial security threats
to drive best practices.
Sergio Caltagirone joined the DtSR hosts to explore TRISIS and the impact of safety-targeted
malware. Sergio guided the audience through his experiences working the case as
well as educating the national security audience that was eager to understand it. He
masterfully captured the nuance without the hype, even though the malware and threat are
aggressive and an industry first.