This blog is a summary of a case study detailing how the Dragos Platform, threat intelligence, and professional services helped an oil and gas organization combat XENOTIME-related threats in their environment.
In 2018, a large North American oil refinery suspected that its industrial control systems (ICS) environment had XENOTIME-related activity (the threat activity group behind the 2017 TRISIS attack) and engaged Dragos to investigate.
When the Dragos team assessed this organization’s environment, it faced several critical challenges, including:
- No visibility into its ICS environment, the threats to its assets, or the potential risks to its operations
- Vulnerabilities to its Safety Instrumented System (SIS) that protects its critical system processes during emergencies
- A shortage of experienced OT Security Operations Center (SOC) staff to understand ICS-specific threats and how to respond to them
Through a customized, intelligence-driven threat scenario created for this organization’s unique ICS environment, the Dragos team demonstrated how adversaries (e.g., XENOTIME) could gain access to its environment from the business IT network, pivot into its ICS network, and execute an attack, revealing potentially catastrophic risks including:
To prevent these potentially catastrophic events, this organization deployed the Dragos Platform in its environment to get in-depth visibility of its assets and communications, to rapidly identify threats, and to respond before they have the chance to cause significant impacts.
- In-depth visibility: With Dragos’ best practices and intelligence-driven approach, Dragos expert threat hunters, incident responders, and adversary hunters demonstrated the vulnerability of this organization’s SIS by recreating the steps an attacker would take to alter or shut down its safety processes. After deployment of the Dragos Platform, critical visibility was provided via its automated, in-depth asset identification capabilities, enabling this organization’s security team to passively view its network traffic and asset communications and to examine thousands of network aspects at high speed, gaining a comprehensive understanding of its environment.
- Accurate threat detection: With the Dragos Platform’s threat analytics, this organization has continuous detection capabilities of the latest ICS-specific threats. Threat analytics provide rapid, accurate detection of adversary behaviors, arming this organization’s analysts with in-depth context of alerts generated and reducing the amount of time they spend investigating potential incidents.
- Rapid response and scalability: Coupled with in-depth environmental visibility and continuous threat detection capabilities, the Dragos Platform provides this organization’s security team with Dragos-authored investigation playbooks that guide its analysts step by step through the investigation process, enabling more efficient incident response and strengthening the team’s ICS best-practice knowledge.
Download the full case study here.