Dragos' Sergio Caltagirone and Robert M. Lee discuss the four types of threat detection methods for industrial control systems operations, while providing ICS-specific use cases, to help you determine which detection strategy is most effective for your organization.
The recorded webinar can be found here: https://youtu.be/zqvDu0OaY8k
Also check out: Four Types of Threat Detection White Paper: https://dragos.com/blog/FourTypesOfTh...
Part of the Secrets of ICS Cybersecurity webinar series: https://dragos.com/blog/20181017Webin...
2. Detection is the most important thing you do.
“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.” NIST Cybersecurity Framework v1.1
ASSUME BREACH MEANS ALL ELSE FAILS.
[Figure: NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover]
3. Detection Strategies
How & Where
How you detect matters as much as where you detect. Deploying “network detection” and “host detection” is not a complete detection strategy. Nor do all resources require the same detection!
Detection Costs
False negatives and false positives both lead to loss of control! A SOC inundated with low-quality alerts is the same as a SOC lacking alerts. How and Where determine your detection quality.
Detection is Multi-Use
Security operations is more than rapid response: it also incorporates hunting and investigation, and each use case requires a different detection strategy.
A detection strategy matches the appropriate detection approach to risks, resources, and use-case, ensuring full detective coverage while minimizing cost.
5. A Detection Strategy
Detection targets placed on a Purdue Model / Kill Chain map (columns: Recon, Delivery, Exploitation, Action on Objectives; rows: Purdue levels):
P4: VPN.ID, VPN.PWD_REUSE, VPN.CONFIG_CHG
P3: EW.ID, EW.SMB, EW.NEW_ACCT
P2: HMI.ID, HMI.NEW_FILES, HMI.CHANGE_VAL
P1/0: PLC.ID, PLC.CHANGE_VAL
* For some definition of the Purdue Model and Kill Chain
02 Generate Detection Map to Test and Measure Coverage – for ICS, place each detection target on the map using the Purdue Model & Kill Chain
9. Indicator-Based Detection
Indicator-based detection searches for elements of information known about previously, which are often seen in the form of Indicators of Compromise (IOCs).
Example: A specific IP address that is accessing an internal asset
Benefits:
• The quickest form of detection to create and deploy
• Contains specific threat context related to the indicator
• Useful for enriching other data sources and threat detections
• Highly effective for scoping an environment post observation of the indicator
Challenges:
• The value is highly dependent on the adversary’s rate of change
• Retroactive in nature given the need to observe the indicator first
• Does not scale well between victims
• Upper limits as to how many indicators can be processed
• Unknown indicator expiry leads to inaccurate detection
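The following is an added example, not code from the webinar or from Dragos: a minimal indicator-based detector that looks connection events up in an IOC set, carries the indicator's threat context into each hit (the enrichment benefit), flags matches whose indicator has expired or has no known expiry (the last challenge above), and offers the scoping benefit by listing every internal asset an observed indicator has touched. The indicator values, dates and asset names are constructed for the example; the IP addresses are documentation ranges, not real IOCs.

```python
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


class Indicator(NamedTuple):
    """One IOC plus the context that makes it useful for enrichment."""
    value: str               # the observable, here an IP address
    kind: str                # "ip" in this example
    context: str             # threat context carried with the indicator
    expires: Optional[date]  # None = expiry unknown (the challenge on the slide)


# Constructed indicator set (documentation-range addresses, not real IOCs).
INDICATORS: List[Indicator] = [
    Indicator("203.0.113.10", "ip", "report-A: initial access infrastructure", date(2018, 12, 31)),
    Indicator("198.51.100.7", "ip", "report-B: scanning infrastructure", None),
]

# Constructed connection events: (event date, source IP, internal asset).
EVENTS: List[Tuple[date, str, str]] = [
    (date(2018, 10, 3), "203.0.113.10", "historian-01"),
    (date(2018, 10, 3), "203.0.113.10", "eng-ws-01"),
    (date(2019, 2, 2), "203.0.113.10", "hmi-02"),     # after the indicator expired
    (date(2019, 2, 2), "198.51.100.7", "eng-ws-01"),  # indicator with unknown expiry
    (date(2019, 2, 2), "192.0.2.5", "eng-ws-01"),     # not in the set at all
]


def match_indicators(events, indicators) -> List[Dict[str, str]]:
    """Indicator-based detection: look each source IP up in the IOC set.

    Every hit carries the indicator's context (the enrichment benefit) and a
    status so the analyst can see whether the match is still trustworthy.
    """
    index = {i.value: i for i in indicators}  # constant-time lookup
    hits = []
    for when, src, asset in events:
        ind = index.get(src)
        if ind is None:
            continue
        if ind.expires is None:
            status = "unknown-expiry"
        elif when > ind.expires:
            status = "expired"
        else:
            status = "active"
        hits.append({"date": when.isoformat(), "indicator": ind.value,
                     "asset": asset, "context": ind.context, "status": status})
    return hits


def scope_environment(events, indicator_value: str) -> List[str]:
    """Scoping benefit: once an indicator is observed, list every internal
    asset it has touched so the investigation knows where to look."""
    return sorted({asset for _, src, asset in events if src == indicator_value})


if __name__ == "__main__":
    for hit in match_indicators(EVENTS, INDICATORS):
        print(hit)
    print("assets touched by 203.0.113.10:", scope_environment(EVENTS, "203.0.113.10"))
```

The status field is the point: a match against an expired indicator is not evidence on its own, and an indicator with no expiry date should be reviewed rather than trusted indefinitely, which is how unknown expiry turns into inaccurate detection.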
10. Threat Behavior-Based Detection
Threat behavior analytics examine activity in environments and compare single actions and aggregate actions against a set of known malicious or suspicious activities.
Example: Legitimate VPN access followed by user account creation and file download on an engineering workstation, and finally login from the workstation to an HMI
Benefits:
• Excellent durability against adversary change
• Easy to tune for each organization and environment
• Low false positive rates
• Immediate transparency for analysts to diagnose the alert against expected behavior
• Only requires a few analytics to detect most known malicious behavior used somewhere in an intrusion
• Integrates well with defensive playbooks and automated investigation/remediation
Challenges:
• Moderately difficult to implement
• Many analytics required to provide complete coverage
• Only detects similar threat behavior at the limit of analytic imagination
• Are not fully reusable across all industries
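As an added example, not code from the webinar or from Dragos, here is a stateful behavior analytic for the exact chain in the slide's example: VPN login, then account creation on an engineering workstation, then a file download on that same workstation, then a login to an HMI originating from that workstation. It keys on asset roles rather than hostnames (which is what gives behavior analytics their durability), discards partial chains older than a window, and emits every contributing event with the alert so an analyst can diagnose it against expected behavior. The asset inventory, the four-hour window, the event field names and all sample events are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed asset inventory: host -> role. The analytic needs roles, not
# specific hostnames, which is what makes it durable across environments.
ASSET_ROLE: Dict[str, str] = {
    "vpn-gw": "vpn",
    "ew-01": "engineering_workstation",
    "hmi-02": "hmi",
}

# The chain from the slide, in order. Each step is (action, predicate); the
# predicate checks the new event against the steps already matched.
CHAIN = [
    ("vpn_login",       lambda ev, prev: ASSET_ROLE.get(ev["host"]) == "vpn"),
    ("account_created", lambda ev, prev: ASSET_ROLE.get(ev["host"]) == "engineering_workstation"),
    ("file_download",   lambda ev, prev: ev["host"] == prev[-1]["host"]),
    ("hmi_login",       lambda ev, prev: ASSET_ROLE.get(ev["host"]) == "hmi"
                                         and ev["src"] == prev[-1]["host"]),
]
WINDOW = timedelta(hours=4)   # assumed: the whole chain must fit in this window


def detect_chain(events: List[dict]) -> List[dict]:
    """Stateful behavior analytic: track each user's progress through CHAIN.

    Returns one alert per completed chain, carrying every contributing event
    so the analyst can diagnose it against expected behavior.
    """
    progress: Dict[str, List[dict]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        steps = progress[ev["user"]]
        # Partial chains older than the window are discarded.
        if steps and ev["ts"] - steps[0]["ts"] > WINDOW:
            steps.clear()
        action, fits = CHAIN[len(steps)]
        if ev["action"] == action and fits(ev, steps):
            steps.append(ev)
            if len(steps) == len(CHAIN):
                alerts.append({
                    "user": ev["user"],
                    "started": steps[0]["ts"],
                    "completed": ev["ts"],
                    "evidence": [(s["ts"].isoformat(), s["action"], s["host"]) for s in steps],
                })
                steps.clear()
    return alerts


def _ev(ts, user, action, host, src=""):
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "host": host, "src": src}


# Constructed sample events (users, hosts and times are made up).
EVENTS = [
    _ev("2018-10-17T08:00", "alice", "vpn_login", "vpn-gw", "203.0.113.10"),
    _ev("2018-10-17T08:20", "alice", "account_created", "ew-01"),
    _ev("2018-10-17T08:35", "alice", "file_download", "ew-01"),
    _ev("2018-10-17T08:50", "alice", "hmi_login", "hmi-02", "ew-01"),
    # bob: VPN then HMI login with no account creation or download in between
    _ev("2018-10-17T09:00", "bob", "vpn_login", "vpn-gw", "203.0.113.11"),
    _ev("2018-10-17T09:10", "bob", "hmi_login", "hmi-02", "ew-01"),
    # carol: the same four actions spread across two days, outside the window
    _ev("2018-10-17T08:00", "carol", "vpn_login", "vpn-gw", "203.0.113.12"),
    _ev("2018-10-17T08:30", "carol", "account_created", "ew-01"),
    _ev("2018-10-18T08:00", "carol", "file_download", "ew-01"),
    _ev("2018-10-18T08:10", "carol", "hmi_login", "hmi-02", "ew-01"),
]

if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

Tuning for a given site means editing the inventory, the window and the predicates, not the detection logic; the chain fires only for alice, because bob skips steps and carol's chain falls outside the window.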
16-19. Detection Strategy Use-Case
[Diagram, built up across four slides]
IT Land: spearphishing email → key logger & RAT → engineer credential theft
VPN → engineering workstation (new file(s), scans started) → OPC server (OPC scan / enumeration) → OPC value overwrite → controller value overwrite (controllers)
20. Detection Strategy with the 4 Types of Detection
Develop a detection strategy!
• Utilize all detection methods
• Support all your use cases
• Detection is multi-use
• Consider How, Why, Where
How do you generate a detection strategy?
1. Develop “detection targets”
2. Create your analytics map
3. Implement using costs & benefits of each type
4. Test & measure coverage
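The following is an added example, not code from the webinar or from Dragos, covering both the detection map of slide 5 and steps 1, 2 and 4 above: the detection targets named on slide 5 are placed on a Purdue level / kill-chain grid, a constructed set of "implemented" targets stands in for the analytics actually deployed, and coverage is measured as the targeted cells with at least one deployed analytic, with the remaining cells split into gaps (target defined, nothing deployed) and untargeted cells (no target at all). The kill-chain phase assigned to each target and the set of implemented targets are assumptions; the slide does not show either.

```python
from typing import Dict, List, Set, Tuple

PURDUE_LEVELS = ["P4", "P3", "P2", "P1/0"]
KILL_CHAIN = ["Recon", "Delivery", "Exploitation", "Action on Objectives"]

# Detection targets named on slide 5. The kill-chain phase assigned to each
# target is an assumption for this example; the slide does not show it.
TARGETS: List[Tuple[str, str, str]] = [
    ("VPN.ID",         "P4",   "Recon"),
    ("VPN.PWD_REUSE",  "P4",   "Delivery"),
    ("VPN.CONFIG_CHG", "P4",   "Action on Objectives"),
    ("EW.ID",          "P3",   "Recon"),
    ("EW.SMB",         "P3",   "Exploitation"),
    ("EW.NEW_ACCT",    "P3",   "Action on Objectives"),
    ("HMI.ID",         "P2",   "Recon"),
    ("HMI.NEW_FILES",  "P2",   "Delivery"),
    ("HMI.CHANGE_VAL", "P2",   "Action on Objectives"),
    ("PLC.ID",         "P1/0", "Recon"),
    ("PLC.CHANGE_VAL", "P1/0", "Action on Objectives"),
]

# Constructed: the targets for which an analytic is actually deployed today.
IMPLEMENTED: Set[str] = {"VPN.ID", "EW.SMB", "EW.NEW_ACCT", "HMI.CHANGE_VAL", "PLC.CHANGE_VAL"}

Cell = Tuple[str, str]


def build_map(targets) -> Dict[Cell, List[str]]:
    """Place every detection target on its (Purdue level, kill-chain phase) cell."""
    grid: Dict[Cell, List[str]] = {(lvl, ph): [] for lvl in PURDUE_LEVELS for ph in KILL_CHAIN}
    for name, level, phase in targets:
        grid[(level, phase)].append(name)   # KeyError here means a target is off the map
    return grid


def measure_coverage(targets, implemented) -> dict:
    """Step 4 on the slide: test & measure coverage of the deployed analytics."""
    grid = build_map(targets)
    targeted = {cell for cell, names in grid.items() if names}
    covered = {cell for cell, names in grid.items() if any(n in implemented for n in names)}
    return {
        "cells": len(grid),
        "targeted": sorted(targeted),
        "covered": sorted(covered),
        "gaps": sorted(targeted - covered),          # target defined, nothing deployed
        "untargeted": sorted(set(grid) - targeted),  # no target defined at all
        "percent_of_targets_covered": round(100 * len(covered) / len(targeted)),
    }


def render(targets, implemented) -> str:
    """ASCII detection map: '+' deployed, 'o' target only, '.' no target."""
    grid = build_map(targets)
    width = max(len(p) for p in KILL_CHAIN)
    lines = ["      " + " ".join(p.ljust(width) for p in KILL_CHAIN)]
    for lvl in PURDUE_LEVELS:
        row = []
        for ph in KILL_CHAIN:
            names = grid[(lvl, ph)]
            mark = "+" if any(n in implemented for n in names) else ("o" if names else ".")
            row.append(mark.ljust(width))
        lines.append(lvl.ljust(6) + " ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TARGETS, IMPLEMENTED))
    print(measure_coverage(TARGETS, IMPLEMENTED))
```

The untargeted list is the useful output of step 1: a cell with no target is a place where no detection type has even been considered, which is a different problem from a gap where a planned analytic has not yet been built.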