This blog is the second in a three-part series defining Cyber Threat Intelligence (CTI). The first part explained the concepts of CTI, including its history, emergence, and challenges. The third part covered recent activity in Dragos Threat Groups.
Cyber Threat Intelligence (CTI) in Operational Technology (OT) relies heavily upon context to detect, describe, and mitigate threats, as threats differ across industry verticals. The combination of a defense in depth (DiD) posture for a given infrastructure, the components used in that infrastructure, and the systems comprising the Information Technology (IT) and OT infrastructures, help to determine this context.
The DiD is an approach to cybersecurity in which a series of defensive mechanisms are layered on top of each other to protect valuable information on a network. In this scenario, if one mechanism fails, another steps up immediately to stop the attack. The Diamond Model is a useful tool that organizations commonly use to respond to incidents quickly and efficiently. In this blog, we present a case study example of an applied CTI to illustrate how threat detection and mitigation works. This blog refers to methodologies and terms that are important to OT cybersecurity with links to definitions and further resources on each.
Several public utilities were compromised in the past year using spear phishing emails. The emails contained a malicious Word document that successfully exploited a Microsoft vulnerability, MS08-067, on unpatched workstations. This created a worm that started spreading through the network via SMBv1, looking to cross network segments. SMBv1 is an older version of the Server Message Block protocol Windows uses for file sharing on a local network, which is still found in many networks. The worm actively looks for historian applications and other evidence of operational networks involved in electric power transmission. Once the worm discovers an operational network, it contacts a command-and-control server at an adversary-controlled internet host x, via HTTPS, registering the victim with the adversary. The adversary would then use the worm’s remote access capabilities to access the network and use local PowerShell resources to begin further internal reconnaissance and targeting.
In this attack, Dragos assessed with high confidence that the adversary was in the process of Stage 1 of the ICS Cyber Kill Chain—information gathering prior to developing or deploying capabilities to disrupt electric power transmission. A Cyber Kill Chain, which was developed from the military kill chain concept, reveals the phases of a cyber-attack from early reconnaissance to the goal of data exfiltration.
Dragos gave defenders the context and action recommendations to mitigate and prevent further instances of the threat. Threat intelligence provides the technical and policy recommendations customized for and based on the context of the threat. Actions sourced from threat intelligence recommendations typically include:
Indicators of compromise (IOCs) are technical elements of information used to enable threat detection, and they include IP addresses, domain names, file names, file hashes, etc. Security Incident and Event Management (SIEM) tools use these to trigger alerts for security operations centers. In a similar manner, Threat Behavior Analytics identify system or user actions indicating suspicious or malicious activity. These analytics detect adversary tradecraft (trained behaviors) and can provide contextual knowledge of an environment such as assets or users. Behavioral analytics drive the cost of ownership lower due to better false-positive and true-positive rates, which can be aa challenge based on current machine-learning or anomaly-based approaches.
Next, we will provide an example of a threat intelligence actions, where we mitigate the threats described above.
Operational networks share some of the same cybersecurity approaches of enterprise IT networks, however, they are not the same. Most notably, Industrial Control System (ICS) threat intelligence considers a much different set of impacts and consequences from successful adversary breaches. ICS threat intelligence falls into the following three categories:
The roles of Network Operations Centers, Security Operations Centers, and a comprehensive understanding of assets in the organization (asset management) all play a critical role in CTI and Threat Intelligence Action. Some important tools used in threat intelligence include: The MITRE ATT&CK framework for both enterprise and ICS; and the ICS Cyber Kill Chain. Threat intelligence alone cannot protect critical assets, but instead complements every component of cybersecurity best practice: Detect, respond, and prevent. Threat intelligence, when appropriately used, will greatly reduce the harm and attack surfaces for an organization.