The Dragos Blog

10.02.24 | 4 min read

Latest Dragos Platform Knowledge Pack Release Includes Expanded IoT Asset Categorization, High Severity Playbooks, Plus Critical Threat Detections

Dragos, Inc.

In the ever-evolving landscape of cybersecurity, staying ahead of threats is paramount. At Dragos, we are committed to providing our users with the most up-to-date threat context to protect their operational technology (OT) environments. Our Dragos Platform Knowledge Pack Plus (KP_Plus) updates are designed to deliver the latest Indicators of Compromise (IOCs), vulnerabilities, protocol dissection engines, detections, playbooks, and dashboards.

We are excited to announce the availability of our latest Knowledge Pack update, including expanded IoT support, more than 20 new high-severity playbooks, and thousands of new advisories, vulnerabilities, and threat detections.

What Is a Knowledge Pack?

Dragos releases weekly Knowledge Packs to push the latest IOCs, detections and vulnerabilities for near-immediate coverage into the Dragos Platform. With Knowledge Pack Plus (KP_Plus), we expand the content push to include new protocol dissection engines, detections, playbooks, and dashboards. By staying current with KP_Plus, Platform users can maintain a comprehensive asset inventory and up-to-date analytics to identify and mitigate emerging threats effectively. Additionally, the latest protocols enhance asset information, providing a more detailed and accurate understanding of the assets within industrial control systems (ICS) networks.


Key Highlights of the Latest Knowledge Pack Plus

Following is a quick view of the latest Knowledge Pack updates and the benefit to Dragos Platform users.

Visibility in OT Environments with Expanded IoT Support

With the growing prevalence of IoT devices in OT environments, securing these devices is crucial. The Dragos Platform automatically identifies and builds an inventory of OT, IT, and IoT assets in OT environments, monitors and tracks their communications, maps vulnerabilities to those assets, and analyzes those communications for threats. The latest KP_Plus update expands IoT categorization support, extending asset classification and monitoring to a broader range of IoT devices. This helps users maintain visibility across the entire network, including identifying devices that should not be present in these environments at all, which is often the case with IoT devices.

Extensive Threat Detections with Actionable Guidance

Dragos differentiates from other vendors in the market with our ability to turn industry-leading OT threat intelligence into actionable steps within the Dragos Platform. Knowledge Packs are the delivery method for new detections, advisories, vulnerabilities, and playbooks with step-by-step guidance for response.

The latest Knowledge Pack Plus includes 688 detections, 3,700 advisories, and 9,900 vulnerabilities affecting more than 23,000 industrial systems from vendors such as Siemens, Bosch, Rockwell Automation, SEL, and Phoenix Contact, helping users identify and mitigate potential threats and vulnerabilities more efficiently.

Through in-depth research and analysis of current and emerging threats, Dragos WorldView reports on new tactics and vulnerabilities used by adversaries. Below are real-world examples of how threat intelligence research from WorldView has led to the development of new analytics and response guidance, empowering our customers to proactively defend against critical OT cyber threats.

Threats Specifically Targeting OT Environments

The latest Knowledge Pack Plus includes analytics for OT-specific cyber threats such as the FrostyGoop malware recently discovered by Dragos and employed in an attack on an electric entity in Ukraine. FrostyGoop is the ninth known OT-specific malware. The release also contains playbooks for investigating attacks such as DNP3 flooding (denial-of-service) attacks in the electric sector and Modbus anomalies. These playbooks provide step-by-step guidance for investigating detections reported in the Dragos Platform, determining whether an incident response should be activated, and collecting the information the IR team needs for its investigation.
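As an added illustration (this is not Dragos Platform code and does not describe how the Dragos analytics are implemented), the script below shows the shape of two detections that such playbooks would triage: a rate-based DNP3 request flood from one client to one outstation, and a Modbus write function code issued by a host that is not on an allowlist of engineering workstations and HMIs. The connection-record format, the port numbers used to identify each protocol, the flood threshold and window, the allowlist, and the sample traffic are all assumptions constructed for the example.

```python
"""
Illustrative OT network-analytics example (not Dragos Platform code).

Two simple detections run over constructed connection records:
  1. DNP3 request flooding: one client sends an abnormally high number of DNP3
     requests to a single outstation inside a short sliding window (possible DoS).
  2. Modbus write anomaly: a Modbus write function code arrives from a host that
     is not on the allowlist of hosts expected to write to PLCs.

Record format, ports, thresholds and the allowlist are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

DNP3_PORT = 20000   # DNP3 over TCP (IANA-registered port)
MODBUS_PORT = 502   # Modbus/TCP

# Modbus function codes that change outstation state (writes); assumed subset.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}

# Assumed: the only hosts permitted to issue Modbus writes in this segment.
ALLOWED_MODBUS_WRITERS = {"10.10.1.5", "10.10.1.6"}

# Assumed: more than FLOOD_THRESHOLD DNP3 requests from one client to one
# outstation within WINDOW_SECONDS is treated as flooding.
FLOOD_THRESHOLD = 50
WINDOW_SECONDS = 10.0


@dataclass(frozen=True)
class Record:
    ts: float    # epoch seconds
    src: str     # client IP
    dst: str     # outstation / PLC IP
    dport: int   # destination TCP port
    func: int    # DNP3 application function code or Modbus function code


def detect_dnp3_flood(records, threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): peak_count} for client/outstation pairs whose DNP3
    request count in any sliding window of `window` seconds exceeds `threshold`."""
    per_pair = defaultdict(list)
    for r in records:
        if r.dport == DNP3_PORT:
            per_pair[(r.src, r.dst)].append(r.ts)
    alerts = {}
    for pair, times in per_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within `window` of t.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[pair] = peak
    return alerts


def detect_modbus_unexpected_writes(records, allowed=ALLOWED_MODBUS_WRITERS):
    """Return [(src, dst, func)] for Modbus write function codes sent by a host
    that is not on the allowlist. Reads from any host are not flagged."""
    return [
        (r.src, r.dst, r.func)
        for r in records
        if r.dport == MODBUS_PORT and r.func in MODBUS_WRITE_FUNCS and r.src not in allowed
    ]


def build_sample_records():
    """Constructed traffic for the example, not a real capture."""
    recs = []
    # Normal: SCADA master polls the outstation every 2 s (DNP3 READ, func 0x01).
    for i in range(5):
        recs.append(Record(1000.0 + 2 * i, "10.10.1.5", "10.10.2.20", DNP3_PORT, 1))
    # Flood: an unexpected host sends 80 DNP3 requests in ~4 s to the same outstation.
    for i in range(80):
        recs.append(Record(1005.0 + i * 0.05, "10.10.9.99", "10.10.2.20", DNP3_PORT, 1))
    # Normal: Modbus Write Multiple Registers (16) from an allowed HMI.
    recs.append(Record(1010.0, "10.10.1.6", "10.10.2.30", MODBUS_PORT, 16))
    # Benign: Modbus Read Holding Registers (3) from an unlisted host is not a write.
    recs.append(Record(1011.0, "10.10.9.99", "10.10.2.30", MODBUS_PORT, 3))
    # Anomaly: Modbus Write Single Register (6) from a host not on the allowlist.
    recs.append(Record(1012.0, "10.10.9.99", "10.10.2.30", MODBUS_PORT, 6))
    return recs


if __name__ == "__main__":
    sample = build_sample_records()
    print("DNP3 flood:", detect_dnp3_flood(sample))
    print("Modbus unexpected writes:", detect_modbus_unexpected_writes(sample))
```

The two detections deliberately differ in kind: the flood check is purely volumetric and needs a baseline (the threshold) tuned to the polling rate of the real master, while the Modbus write check is an allowlist policy that fires on a single packet. In practice the playbook step that follows either alert is the same: confirm whether the source host is a known engineering asset before escalating to incident response.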

Threats Hiding within Legitimate Tools and Protocols to Skirt Detection

Adversaries often use legitimate tools and protocols in malicious ways to avoid detection, a technique known as living off the land (LOTL). The latest KP_Plus update includes detections and playbooks for dual-use tools such as PsExec, BITSAdmin, Sysinternals, CCleaner, and ConnectWise ScreenConnect. These tools have legitimate administrative uses but are frequently abused by threat groups for lateral movement.

The update also includes the following analytics:

  • Identify attempts by hosts running Kali Linux, a penetration testing distribution, to gain unauthorized access to OT networks. Playbooks are included for penetration testing tools such as Metasploit/Meterpreter and Nmap to help determine whether their use is benign or malicious.
  • Detect remote access, privilege escalation, and lateral movement techniques commonly used by adversaries, such as Impacket NTLM relay attacks and Windows Remote Management (WinRM) access attempts.
  • Identify attempts to abuse remote access protocols such as RDP (Remote Desktop Protocol), VNC (Virtual Network Computing), and SMB (Server Message Block), which are critical pathways for adversaries aiming to infiltrate systems or escalate privileges.

Coverage for IT/IoT Entry Points into OT

Attacks on OT systems often start with adversaries gaining a foothold in IT. In 2023, 70 percent of cyber attacks on OT started in IT networks. The KP_Plus update includes several analytics that detect components of phishing kits and commodity malware used by adversaries targeting industrial organizations. For instance, the 'Greatness' phishing-as-a-service kit and the Raccoon Stealer information stealer are now detected, helping users identify malicious payloads before they reach OT environments.

Vulnerabilities and Exploits

The latest KP_Plus also includes coverage for vulnerabilities and exploits across platforms and software. This includes Common Vulnerabilities and Exposures (CVEs) such as CVE-2022-29303 (SolarView), CVE-2024-21413 (Microsoft Outlook), and CVE-2024-6242 (Rockwell Automation). The Knowledge Pack emphasizes identifying and mitigating known vulnerabilities that can be exploited across the various platforms found within OT networks.

How We Keep Dragos Platform Customers Up to Date

At Dragos, we ensure our customers are equipped with the most current OT threat intelligence to reduce their cyber risk and stay ahead of adversaries. Enhanced weekly Knowledge Packs now deliver new detections and asset enrichments between the quarterly KP_Plus releases, so users have continuous coverage against emerging threats rather than waiting for the next quarterly update.

Neighborhood Keeper, our Collective Intelligence Network, allows anonymous, real-time data sharing across industries to stay ahead of threats without exposing sensitive information. Opted-in participants benefit from KP Auto Apply, which automatically applies the latest Knowledge Pack updates. Other features include Partner Intelligence Exchange for real-time “detections on demand” from trusted advisors and Trusted Insight Response, which alerts users to anomalous activities detected in telemetry to help them stay aware of potential risks.
