Last week, Dragos Threat Intelligence team members Selena Larson (Intel Analyst), Joe Slowik (Sr. Adversary Hunter), and Amy Bejtlich (Sr. Adversary Hunter) discussed the recently released 2018 ICS Year in Review report covering the eight (public) threat activity groups targeting ICS globally. This webinar gives a brief overview of each activity group, their victimologies, trends observed, and any new activity the Dragos Threat Intelligence team has tracked since 2017. The webinar concludes with recommendations for improved defenses, as well as a question-and-answer session.
View the full webinar and slide presentation here:
Below are the questions and answers from the webinar:
Q: How confident is Dragos that these 8 activity groups are mutually exclusive? Is it possible that they overlap in terms of organizational structure, leadership, or membership?
A: Dragos does not attribute activity to states, organizations, or individuals; rather, we use a variety of observables to create activity groups based on behaviors. This can include things like methods of operation, command and control infrastructure, and targets or victimology. We use the Diamond Model of Intrusion Analysis as a reference for creating these groups. It’s possible there are overlaps or similarities between groups — for instance, DYMALLOY and ALLANITE have some similarities, but their targeting and behavior within target environments are much different. Some of the items we track may overlap from a traditional attribution standpoint, such as government links or leadership, but in terms of how they operate on a fundamental level, each is sufficiently differentiated to be considered its own group.
Q: When saying Dragos discovered “X” attack, does that mean the Dragos Platform detected this attack in reference to these 8 activity groups? Or is Dragos doing it with other sources?
A: Dragos uses a variety of methods to discover attacker behaviors and events. These include information detected by the Dragos Platform, direct work with our intel clients, information provided by the Dragos Threat Operations Center from threat hunting or incident response engagements, information gleaned from sharing partners, and our own internal hunting methods.
To read the 2018 ICS Year in Review reports covering ICS activity groups, as well as vulnerabilities and lessons learned from industrial threat hunting and responding, go here.
If you’d like to learn more about how the Dragos Threat Intelligence team tracks activity groups, please view these resources: