Detection Strategies
Understanding and Using the 4 Types of Threat Detection
Sergio Caltagirone and Robert M. Lee
Detection is the most important thing you do.
"Develop and implement appropriate activities to identify the occurrence of a cybersecurity event." (NIST Cybersecurity Framework v1.1)
ASSUME BREACH MEANS ALL ELSE FAILS.
NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover
Detection Strategies
How & Where
How you detect matters as much as where you detect. Deploying "network detection" and "host detection" is not a complete detection strategy. Nor do all resources require the same detection!
Detection Costs
False negatives and false positives both lead to loss of control! A SOC inundated with low-quality alerts is the same as a SOC lacking alerts. How and Where determine your detection quality.
Detection is Multi-Use
Security operations is more than rapid response; it incorporates hunting and investigation, and each use case requires different detection strategies.
A detection strategy matches the appropriate detection approach to risks, resources, and use-case, ensuring full detective coverage while minimizing cost.
A Detection Strategy - How
Asset                         | Event           | Location | Use-Case       | Detection
Human-Machine Interface (HMI) | New Files       | Host     | Novel Attack   | Behavioral
OPC Server                    | Enumeration     | Network  | Similar Attack | Scanning Models (Anomaly)
VPN Concentrator              | VPN-to-Known-C2 | Network  | Scoping        | Indicator
01 Identify Assets, Events, Location, and Use-Case with Detection Approach. Each line becomes a "Detection Target".
A Detection Strategy
Detection map: rows are Purdue levels, columns are kill-chain phases (Recon, Delivery, Exploitation, Action on Objectives); each cell holds the detection targets placed there.
P4:   VPN.ID, VPN.PWD_REUSE, VPN.CONFIG_CHG
P3:   EW.ID, EW.SMB, EW.NEW_ACCT
P2:   HMI.ID, HMI.NEW_FILES, HMI.CHANGE_VAL
P1/0: PLC.ID, PLC.CHANGE_VAL
* For some definition of the Purdue Model and Kill Chain
02 Generate Detection Map to Test and Measure Coverage. For ICS, place each detection target on the map using the Purdue Model & Kill Chain.
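The two steps above (build detection targets, then place them on a level-by-phase map and measure coverage) can be made mechanical. The following is an added example, not code from the deck or from Dragos: the map labels follow the deck, but the events, use cases, detection types and the cell each target lands in are assumptions made for the illustration. The useful output is the list of empty cells (no detection target at all) and the mix of detection types, which is the "utilize all detection methods" check from the closing slide.

```python
from collections import Counter
from dataclasses import dataclass

# Axes of the detection map as labelled on the deck (which notes they are
# "for some definition" of the Purdue Model and the Kill Chain).
LEVELS = ["P4", "P3", "P2", "P1/0"]
PHASES = ["Recon", "Delivery", "Exploitation", "Action on Objectives"]
DETECTION_TYPES = ("Configuration", "Model", "Indicator", "Behavioral")


@dataclass(frozen=True)
class DetectionTarget:
    """One line of the detection-target table plus its map coordinates."""
    label: str       # short map label, e.g. "VPN.PWD_REUSE"
    asset: str
    event: str
    location: str    # "Host" or "Network"
    use_case: str    # "Novel Attack", "Similar Attack", "Scoping"
    detection: str   # one of DETECTION_TYPES
    level: str       # Purdue level the asset sits at
    phase: str       # kill-chain phase the event belongs to


# Constructed targets. Labels follow the deck's map; the events, use cases,
# detection types and cell placement are assumptions for this example.
TARGETS = [
    DetectionTarget("VPN.ID", "VPN Concentrator", "VPN-to-Known-C2", "Network", "Scoping", "Indicator", "P4", "Recon"),
    DetectionTarget("VPN.PWD_REUSE", "VPN Concentrator", "Password reuse", "Network", "Similar Attack", "Behavioral", "P4", "Exploitation"),
    DetectionTarget("VPN.CONFIG_CHG", "VPN Concentrator", "Config change", "Host", "Novel Attack", "Configuration", "P4", "Action on Objectives"),
    DetectionTarget("EW.ID", "Engineering Workstation", "Known-bad IP", "Network", "Scoping", "Indicator", "P3", "Recon"),
    DetectionTarget("EW.SMB", "Engineering Workstation", "Abnormal SMB volume", "Network", "Novel Attack", "Model", "P3", "Delivery"),
    DetectionTarget("EW.NEW_ACCT", "Engineering Workstation", "New local account", "Host", "Similar Attack", "Behavioral", "P3", "Exploitation"),
    DetectionTarget("HMI.ID", "HMI", "Known-bad IP", "Network", "Scoping", "Indicator", "P2", "Recon"),
    DetectionTarget("HMI.NEW_FILES", "HMI", "New Files", "Host", "Novel Attack", "Behavioral", "P2", "Delivery"),
    DetectionTarget("HMI.CHANGE_VAL", "HMI", "Unexpected setpoint write", "Network", "Novel Attack", "Configuration", "P2", "Action on Objectives"),
    DetectionTarget("PLC.ID", "PLC", "Known-bad IP", "Network", "Scoping", "Indicator", "P1/0", "Recon"),
    DetectionTarget("PLC.CHANGE_VAL", "PLC", "Abnormal write rate", "Network", "Novel Attack", "Model", "P1/0", "Action on Objectives"),
]


def build_map(targets):
    """Return {(level, phase): [labels]} for every cell of the map."""
    grid = {(lvl, ph): [] for lvl in LEVELS for ph in PHASES}
    for t in targets:
        if (t.level, t.phase) not in grid:
            raise ValueError(f"{t.label}: unknown cell {(t.level, t.phase)}")
        grid[(t.level, t.phase)].append(t.label)
    return grid


def coverage_gaps(targets):
    """Cells with no detection target at all, in map order."""
    grid = build_map(targets)
    return [cell for cell in grid if not grid[cell]]


def coverage_ratio(targets):
    grid = build_map(targets)
    return sum(1 for labels in grid.values() if labels) / len(grid)


def detection_mix(targets):
    """Targets per detection type; a zero here is a gap of a different kind."""
    mix = Counter(t.detection for t in targets)
    return {dt: mix.get(dt, 0) for dt in DETECTION_TYPES}


if __name__ == "__main__":
    for (level, phase), labels in build_map(TARGETS).items():
        print(f"{level:>5} | {phase:<21} | {', '.join(labels) or '-'}")
    print("gaps:", coverage_gaps(TARGETS))
    print("coverage:", coverage_ratio(TARGETS))
    print("mix:", detection_mix(TARGETS))
```

With the constructed targets, five of the sixteen cells are empty (for instance P1/0 at Delivery and Exploitation), which is exactly the kind of result step 02 is meant to surface before an incident does.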
4 Detection Types
Configuration-Based Detection
Configuration-based detection identifies deviations from a known architecture.
Example: Two field devices (e.g., PLCs) communicating with each other, counter to architecture and design expectations
Benefits:
• With perfect visibility and coverage, it can hypothetically detect all malicious activity
• Accessible for individuals with a wide range of experience
• Easy to maintain in static environments
• Adds significant value to other detection types in response situations
Challenges:
• Difficult to maintain in dynamic environments
• Limited visibility and coverage reduce effectiveness
• Assumes a knowledge of infrastructure and configuration
• False-positive prone due to likely configuration changes
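The deck's PLC-to-PLC example reduces to an allowlist of expected conversations written against asset roles. The following is an added example, not code from the deck or from Dragos; the inventory, the expected flows and the flow records are all constructed. Writing the allowlist against roles rather than IP addresses is what keeps the "difficult to maintain in dynamic environments" challenge manageable: commissioning a second HMI is a one-line inventory change, shown at the bottom.

```python
from dataclasses import dataclass

# Constructed asset inventory: the "known architecture".
ASSET_ROLES = {
    "10.0.2.10": "hmi",
    "10.0.3.5": "ews",    # engineering workstation
    "10.0.1.20": "plc",
    "10.0.1.21": "plc",
}

# Expected conversations as (client role, server role, server port).
# PLC-to-PLC traffic is deliberately absent: it is counter to this design.
EXPECTED_FLOWS = {
    ("hmi", "plc", 502),   # Modbus/TCP polling
    ("ews", "plc", 502),   # engineering access
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def classify(flow, roles=ASSET_ROLES, expected=EXPECTED_FLOWS):
    """Return None if the flow matches the architecture, else a reason."""
    src_role = roles.get(flow.src)
    dst_role = roles.get(flow.dst)
    if src_role is None:
        return f"unknown asset {flow.src}"
    if dst_role is None:
        return f"unknown asset {flow.dst}"
    if (src_role, dst_role, flow.dport) not in expected:
        return f"{src_role}->{dst_role}:{flow.dport} not in architecture"
    return None


def find_deviations(flows, roles=ASSET_ROLES, expected=EXPECTED_FLOWS):
    """Every flow that deviates from the known architecture, with its reason."""
    out = []
    for f in flows:
        reason = classify(f, roles, expected)
        if reason is not None:
            out.append((f, reason))
    return out


# Constructed flow records for one polling interval.
FLOWS = [
    Flow("10.0.2.10", "10.0.1.20", 502),    # HMI polls PLC: expected
    Flow("10.0.2.10", "10.0.1.21", 502),    # HMI polls PLC: expected
    Flow("10.0.1.20", "10.0.1.21", 502),    # PLC talks to PLC: deviation
    Flow("10.0.3.5", "10.0.1.20", 502),     # EWS to PLC: expected
    Flow("10.0.3.5", "10.0.1.20", 44818),   # EWS to PLC on an unexpected port
    Flow("10.0.9.9", "10.0.1.20", 502),     # source not in the inventory
]

if __name__ == "__main__":
    for flow, reason in find_deviations(FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
    # A planned change (a second HMI commissioned at 10.0.9.9) is a single
    # inventory edit; without it the new HMI would alert on every poll.
    updated = {**ASSET_ROLES, "10.0.9.9": "hmi"}
    print("after change:", len(find_deviations(FLOWS, updated)), "deviations")
```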
Modeling-Based Detection
Modeling-based detection uses mathematical models to classify assets and activity, identifying elements inconsistent with the model.
Example: Abnormal number of Write requests in Modbus TCP, outside of normal given the average over the last 30 days
Benefits:
• Can identify novel adversary activity
• Easier to maintain in very static environments
• Adds significant value to other detection types in response situations
Challenges:
• Difficult to maintain when environments change
• Limited visibility and coverage reduce the effectiveness
• No context of threat activity to support investigations
• Assumes analysts have in-depth knowledge of infrastructure and configuration
• False-positive prone due to likely configuration changes
• Potentially incorporates existing malicious activity into the model
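The deck's example (write requests versus a 30-day average) and its last challenge (the model learns existing malicious activity as normal) can both be shown with a few lines of statistics. This is an added example, not code from the deck or from Dragos; the daily write counts are constructed. A mean/standard-deviation model flags a spike against a clean baseline but goes blind once one adversary day sits inside the window, because that day inflates the standard deviation; a median/MAD model is far less affected by a single extreme day. The 3.0 threshold and the 1.4826 MAD scaling constant are the usual choices for normally distributed data, not values from the deck.

```python
import math
import statistics

# Constructed per-day counts of Modbus/TCP write requests (function codes
# 5, 6, 15, 16) from one HMI to one PLC over the last 30 days.
CLEAN_BASELINE = [98, 102, 100, 97, 103, 99, 101, 100, 98, 102] * 3

# Same window, but the adversary was already writing on the last day of it:
# the model learns that day as "normal" (the deck's last challenge).
POISONED_BASELINE = CLEAN_BASELINE[:-1] + [400]


def zscore(value, baseline):
    """Classic model: distance from the mean in sample standard deviations."""
    mean = statistics.fmean(baseline)
    sd = statistics.stdev(baseline)
    if sd == 0:
        return 0.0 if value == mean else math.inf
    return (value - mean) / sd


def robust_zscore(value, baseline):
    """Median/MAD variant: one extreme day in the window barely moves the
    median or the MAD, so a poisoned baseline still flags the spike."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    scale = 1.4826 * mad   # MAD -> sigma for normal data
    if scale == 0:
        return 0.0 if value == med else math.inf
    return (value - med) / scale


def is_anomalous(value, baseline, method="robust", threshold=3.0):
    score = robust_zscore(value, baseline) if method == "robust" else zscore(value, baseline)
    return abs(score) >= threshold


if __name__ == "__main__":
    today = 140   # constructed: 40% more writes than usual
    for name, base in (("clean", CLEAN_BASELINE), ("poisoned", POISONED_BASELINE)):
        print(f"{name:>8}: z={zscore(today, base):6.2f} "
              f"robust={robust_zscore(today, base):6.2f} "
              f"alert(z)={is_anomalous(today, base, 'zscore')} "
              f"alert(robust)={is_anomalous(today, base)}")
```

Neither score tells the analyst what the extra writes were, which is the "no context of threat activity" challenge: the model alert needs a configuration or behavior detection alongside it to say whether the writes came from the expected HMI or from somewhere that should never write at all.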
Indicator-Based Detection
Indicator-based detection searches for elements of information known about previously; these are often seen in the form of Indicators of Compromise (IOCs).
Example: A specific IP address that is accessing an internal asset
Benefits:
• The quickest form of detection to create and deploy
• Contains specific threat context related to the indicator
• Useful for enriching other data sources and threat detections
• Highly effective for scoping an environment post observation of the indicator
Challenges:
• The value is highly dependent on the adversary's rate of change
• Retroactive in nature given the need to observe the indicator first
• Does not scale well between victims
• Upper limits as to how many indicators can be processed
• Unknown indicator expiry leads to inaccurate detection
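An indicator match is a dictionary lookup; what makes it useful in practice is carrying the threat context with the hit, honoring an expiry so stale indicators stop paging the SOC, and turning the first confirmed hit into a scoping query over history. The following is an added example, not code from the deck or from Dragos; the indicator set (documentation-range addresses) and the connection log are constructed, and the expiry dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Indicator:
    value: str          # here: a destination IP address
    context: str        # threat context that ships with the indicator
    expires: datetime   # when the indicator should stop raising alerts


@dataclass(frozen=True)
class ConnEvent:
    ts: datetime
    host: str
    dst_ip: str


# Constructed indicator set (RFC 5737 documentation addresses, not real hosts).
INDICATORS = {
    "203.0.113.45": Indicator("203.0.113.45", "C2 server, activity group X (constructed)", datetime(2024, 6, 1)),
    "198.51.100.7": Indicator("198.51.100.7", "staging host, 2022 campaign (constructed)", datetime(2023, 1, 1)),
}

# Constructed outbound connection log.
EVENTS = [
    ConnEvent(datetime(2024, 3, 1, 10, 0), "hmi-01", "10.0.1.20"),
    ConnEvent(datetime(2024, 3, 1, 10, 5), "ews-02", "203.0.113.45"),
    ConnEvent(datetime(2024, 3, 2, 11, 0), "hmi-01", "203.0.113.45"),
    ConnEvent(datetime(2024, 3, 2, 12, 0), "vpn-gw", "198.51.100.7"),
]


def match_indicators(events, indicators, now):
    """Return (event, indicator, status) for every hit. Status is 'active' or
    'expired': expired hits are kept for hunting but are not raised as alerts."""
    hits = []
    for e in events:
        ioc = indicators.get(e.dst_ip)
        if ioc is None:
            continue
        status = "active" if now < ioc.expires else "expired"
        hits.append((e, ioc, status))
    return hits


def alerts(events, indicators, now):
    """Only active hits become alerts."""
    return [h for h in match_indicators(events, indicators, now) if h[2] == "active"]


def scope_hosts(events, value):
    """Scoping use case: once one hit is confirmed, which hosts ever contacted it?"""
    return sorted({e.host for e in events if e.dst_ip == value})


if __name__ == "__main__":
    now = datetime(2024, 3, 3)
    for e, ioc, status in match_indicators(EVENTS, INDICATORS, now):
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.host} -> {ioc.value} [{status}] {ioc.context}")
    print("scope for 203.0.113.45:", scope_hosts(EVENTS, "203.0.113.45"))
```

The expiry field is the point to take away: without it, the 2022 staging host would keep producing alerts indefinitely, which is the "unknown indicator expiry leads to inaccurate detection" challenge in concrete form.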
Threat Behavior-Based Detection
Threat behavior analytics examine activity in environments and compare single actions and aggregate actions against a set of known malicious or suspicious activities.
Example: Legitimate VPN access followed by user account creation and file download on an engineering workstation, and finally login from the workstation to an HMI
Benefits:
• Excellent durability against adversary change
• Easy to tune for each organization and environment
• Low false positive rates
• Immediate transparency for analysts to diagnose the alert against expected behavior
• Only requires a few analytics to detect most known malicious behavior used somewhere in an intrusion
• Integrates well with defensive playbooks and automated investigation/remediation
Challenges:
• Moderately difficult to implement
• Many analytics required to provide complete coverage
• Only detects similar threat behavior, at the limit of analytic imagination
• Not fully reusable across all industries
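The deck's example chain (VPN access, account creation and file download on an engineering workstation, then a login from that workstation to an HMI) is a sequence analytic: every step alone is routine administration, and the alert fires only when one user completes all of them inside a time window. The following is an added example, not code from the deck or from Dragos; the asset roles, the 24-hour window and the event log are constructed. It also shows why such analytics are durable against adversary change: the steps are written against asset roles and actions, not against any tool or indicator.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset roles: the analytic reasons about roles, not hostnames.
ROLES = {"VPN-GW": "vpn", "EWS-1": "ews", "HMI-1": "hmi"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str    # vpn_login, account_create, file_download, logon
    host: str      # host where the event was recorded
    src: str = ""  # originating host, for logon events


def role(host):
    return ROLES.get(host, "unknown")


# The chain from the deck, one predicate per step, in order.
STEPS = [
    lambda e: e.action == "vpn_login" and role(e.host) == "vpn",
    lambda e: e.action == "account_create" and role(e.host) == "ews",
    lambda e: e.action == "file_download" and role(e.host) == "ews",
    lambda e: e.action == "logon" and role(e.src) == "ews" and role(e.host) == "hmi",
]


@dataclass
class Match:
    user: str
    events: list = field(default_factory=list)


def detect_chain(events, window=timedelta(hours=24), steps=STEPS):
    """Per user, walk events in time order and advance through the steps;
    every step must complete within `window` of the first one."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    matches = []
    for user, evs in by_user.items():
        chain = []
        for e in evs:
            if chain and e.ts - chain[0].ts > window:
                chain = []                      # window lapsed: start over
            if not chain:
                if steps[0](e):
                    chain = [e]
                continue
            if steps[len(chain)](e):
                chain.append(e)
                if len(chain) == len(steps):    # all steps seen: alert
                    matches.append(Match(user, chain))
                    chain = []
    return matches


# Constructed event log: one real chain, one benign engineer, one slow user.
T = datetime(2024, 3, 4)
EVENTS = [
    Event(T.replace(hour=9), "jdoe", "vpn_login", "VPN-GW"),
    Event(T.replace(hour=9, minute=30), "jdoe", "account_create", "EWS-1"),
    Event(T.replace(hour=9, minute=45), "jdoe", "file_download", "EWS-1"),
    Event(T.replace(hour=10, minute=10), "jdoe", "logon", "HMI-1", src="EWS-1"),
    # Benign: downloads and an HMI logon, but no account creation.
    Event(T.replace(hour=8), "asmith", "vpn_login", "VPN-GW"),
    Event(T.replace(hour=8, minute=20), "asmith", "file_download", "EWS-1"),
    Event(T.replace(hour=8, minute=40), "asmith", "logon", "HMI-1", src="EWS-1"),
    # Same four actions spread over a week: outside the 24-hour window.
    Event(T, "bjones", "vpn_login", "VPN-GW"),
    Event(T + timedelta(days=2), "bjones", "account_create", "EWS-1"),
    Event(T + timedelta(days=4), "bjones", "file_download", "EWS-1"),
    Event(T + timedelta(days=6), "bjones", "logon", "HMI-1", src="EWS-1"),
]

if __name__ == "__main__":
    for m in detect_chain(EVENTS):
        print(m.user, [f"{e.ts:%H:%M} {e.action}@{e.host}" for e in m.events])
```

The matched events are returned with the alert, which is the "immediate transparency" benefit: the analyst sees the four concrete actions and can check each against a change ticket. Widening the window (for example to seven days) would also catch the slow user, at the cost of more benign matches; that trade-off is the per-environment tuning the deck describes.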
Analytic Properties: Comparing Detection Approaches (comparison table not captured in the slide text)
Threat Detection Applications: Comparing Detection Approaches to Applications (comparison table not captured in the slide text)
Detection Strategy Use-Case
(One attack-path diagram, built up over several slides; the recoverable labels are listed once, in the order they appear.)
IT Land: Spearphishing Email -> Key Logger & RAT -> Engineer Credential Theft
VPN -> Engineering Workstation: New File(s), Scans Started
OPC Server: OPC Scan / Enumeration, then OPC Value Overwrite
Controllers (four shown): Controller Value Overwrite
Detection Strategy with the 4 Types of Detection
Develop a detection strategy!
• Utilize all detection methods
• Support all your use cases
• Detection is multi-use
• Consider How, Why, Where
How do you generate a detection strategy?
1. Develop "detection targets"
2. Create your analytics map
3. Implement using costs & benefits of each type
4. Test & measure coverage
Thank you
info@dragos.com

Deck title: The Four Types of Threat Detection and Use Cases in Industrial Security