A Qualitative View of 2017

Across vulnerabilities, threats, and lessons learned in hunting and incident response.
Today we are releasing three new reports detailing lessons learned from our intelligence team and threat operations team over the past year. These reports cover important metrics and findings across vulnerabilities, threat activity groups, and incident response and hunting lessons learned.

Vulnerabilities

Meaningful metrics and insights into the ICS vulnerabilities of 2017

Download Report

Listen to the Webcast

March 20, 2018

Threat Activity Groups

The Dragos Intelligence team’s report on the industrial threat landscape

Download Report

Listen to the Webcast

March 06, 2018

Hunting and Responding

Dragos Threat Operations Center hunting and incident response insights

Download Report

Listen to the Webcast

March 13, 2018

Infographics

In addition to our new research above, below is a selection of our favorite content from the Dragos team throughout 2017.

Blog Highlights

Project MIMICS

Ben Miller and Robert M. Lee worked throughout 2016 and published their findings in early 2017 to determine baseline, census-like metrics of IT malware infecting industrial networks. This was specifically done to push back on underreporting while also pushing against hyped-up numbers. Read the blog and see their SANS ICS Summit keynote on the topic.

Read More

Threat Hunting With Python (Series)

A three-part blog series by Dan Gunter diving into the technical aspects of hunting using Python in industrial networks. Dan released code, gave examples, and showed use cases including how to identify adversary behaviors, utilize Jupyter notebooks, and hunt for activity abusing SMB inside of industrial control networks.

Read More

Threat Hunting (Series)

A two-part series by Ben Miller and Dan Gunter exploring the value of threat hunting in industrial networks. They highlighted the value to asset owners and operators and their security teams while also showing how to get started.

Read More

Whitepapers

Industrial Control Threat Intelligence

Sergio Caltagirone authored the preeminent whitepaper on understanding industrial control threat intelligence’s value, its unique nature, and how to measure its effectiveness for organizations. This whitepaper sets forth a unique look pushing the community beyond indicators and to intelligence.

Read More

CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations

This whitepaper analyzes the first ICS-tailored malware to cause disruptions in electric grid operations. Dragos released this report after learning news of the malware was to be made public by others, though we informed the asset owner and operator community ahead of the publication.

Read More

TRISIS: Analysis of Safety System Targeted Malware

This whitepaper analyzes the first ICS-tailored malware to target safety instrumented systems (SIS), which failed in its attempt to shut down plant operations at a site in the Middle East. Dragos released this report after learning news of the malware was to be made public by others.

Read More

Recorded Presentations

What is the Extent of the Problem (2 Parts)

This panel discussion with Robert M. Lee as well as Richard Clarke, Kevin Mandia, and Liam O’Murchu, moderated by Ted Koppel, explores cyber threats to the power grid and what their real impact could be. Robert took the position that the threats are real and becoming more aggressive, but the U.S. electric power grids are some of the most defensible systems on the planet and we should appreciate that they are not as fragile as others (such as Ted Koppel) would like to imagine.

Watch Now

Strategic Network Defense in ICS Environments

Joe Slowik took the CS3Sthlm Summit audience through an exploration of what it means to do strategic network defense in industrial networks and how to weave together proactive approaches with intelligence to stay ahead of the adversary. He further showed case studies of how ICS-specific threats as well as non-ICS-specific malware, such as that propagating with the ETERNALBLUE exploit, could impact operations.

Watch Now

CRASHOVERRIDE

Dan Gunter delivered a presentation on CRASHOVERRIDE at the CyberDEF Dojo in his hometown of San Antonio, Texas, with a focus on a deep technical exploration of the malware and its impacts. He educated the audience on power grids, the malware, and the IEC104 module it used, and showed packet captures and data taken from the Dragos industrial range where he tested and recreated the Ukraine 2016 attack.

Watch Now

How We Got To CRASHOVERRIDE

Ron Fabela gives a presentation to CREDC on CRASHOVERRIDE with a specific focus on understanding the events in the community leading up to CRASHOVERRIDE. This is a great look at the historical side of the ICS security community, including the hyped-up news stories as well as the real threats.

Watch Now

Building a Secure Environment for Operations Using Docker

Brian Stucker delivered this presentation at BSides Augusta with a focus on how to securely build networks for DevOps inside a corporate environment. He educated the audience on Docker, Puppet, and other technologies to help securely set up an environment to perform development.

Watch Now

Knowing When to Consume Intelligence and When to Generate It

Robert M. Lee presented the keynote for the 2017 SANS Cyber Threat Intelligence Summit and made the case to the audience that there is a distinct and important difference between generating and consuming threat intelligence. He gave examples along the Sliding Scale of Cyber Security.

Watch Now

Podcasts

Industrial Internet of Things (IIoT)
DtSR Episode 269

In this episode of Down the Security Rabbit Hole, Robert M. Lee joined guests Rafal Los and James Jardine to explore the topic of IIoT and explain that it is a closer extension of ICS than of IoT. The discussion focused on raising awareness of and research into the area, with a special focus on understanding industrial security threats to drive best practices.

Listen Now

Game Changer in ICS (no FUD)
DtSR Episode 276

Sergio Caltagirone joined the DtSR hosts to explore TRISIS and the impact of safety-targeted malware. Sergio guided the audience through his experiences working the case while also educating the national security audience that was eager to understand it. He masterfully captured the nuance without the hype, even though the malware and threat are aggressive and an industry first.

Listen Now

CyberWire: TRISIS Malware

Robert M. Lee joins the CyberWire podcast to talk about the TRISIS malware, his lessons learned, and what the industry should be concerned with.

Listen Now

Contact Us

Industrial Control Systems

info@dragos.com

Interested in Learning More?

We don't require you to submit your information, but if you would like to stay up to date with the latest news and events from Dragos, Inc., then let us know who you are.
