Transferring Knowledge to Customers Through Software Technology

By: Robert M. Lee and Daniel Michaud-Soucy

At Dragos, Inc., what we pride ourselves on, use as our technology differentiation, and offer as our most valued asset to our customers is knowledge transfer. We have put together the industry’s all-star industrial cybersecurity team with a heavy focus on understanding and responding to threats. In 2017, the team investigated and released public reports on both CRASHOVERRIDE and TRISIS as two of the three samples of ICS-tailored malware to have ever disrupted industrial operations. However, our goal at Dragos is not simply having a team of smart people; our goal is to transfer our team’s knowledge to the industrial community. We have been training the community in our headquarters, performing threat hunting and incident response while customers learn side-saddle, and releasing intelligence reports focused on adversary tradecraft—not just indicators of compromise—that defenders can learn from to help counter the next attack. But today, we are releasing something truly unique to codify all of that knowledge into our Dragos Platform software technology. We simply call these additions “content packs.”

Content packs are a regular release of content for the Dragos Platform that customers can download and add to their platform. The content packets capture the knowledge of our intelligence team and our Threat Operations Center. This allows all customers, especially those with our on-premise software who do not take advantage of any of our services or otherwise interact with us, to still take advantage of all the knowledge of our team. These are not simply upgrades; those still happen as part of our continued release cycle where we add new features and depth to the technology. Instead, content packs are the knowledge that enables defense while also training defenders. It is continual, on-the-job training that also presents everything required to identify and respond to threats in the industrial environment. Content packs add new content, including protocol dissectors and network or asset characterizations, but the prime focus is the threat behavior analytics and investigation playbooks. These are explained briefly below and will be explained more in-depth in blogs, a whitepaper, and webcast throughout the following months.

Threat Behavior Analytics

Threat behavior analytics, or threat analytics for short, are searches across data that focus on adversary behaviors. Threat behavior analytics can be thought of as the codification of adversary tactics, techniques, and procedures (TTPs), instead of static pieces of information such as indicators of compromise (IOCs) that search for atomic or computed data points, or combinations of the two. As an example, an IOC would search for a specific IP address or digital hash as it relates to adversary infrastructure and capabilities. A threat analytic instead focuses on the behavior of the adversary and does not consider the static values, i.e. the IP address and digital hash are not considered and are irrelevant to the behavior. This allows the threat analytic to be much more scalable than an indicator and serves as an amazing primary threat detection method, whereas IOCs don’t provide context and aren’t an effective way to perform threat detection.

As an example, earlier this year, the threat activity group DYMALLOY compromised electric energy providers in North America. Once they gained access to the operations technology networks, the adversary took screenshots off of the human machine interfaces (HMIs) and exfiltrated them out of the network. An IOC-based approach would look for the IP addresses the adversary used for exfiltration of the screenshots. The defender’s use of IOCs might be useful to scope their environment once they discovered the threat in their network, but sharing those IOCs would be mostly useless. Other defenders that tried to use the IOCs in their networks as a detection method found that DYMALLOY consistently changed the IP addresses used for exfiltration from victim to victim. IOCs are mostly unique to the individual victim and, therefore, at scale aren’t effective. However, the threat analytic would be a detection searching for any instance anyone took screenshots of an HMI and attempted to exfiltrate them out of the network. The threat analytic could be further honed to search for the specific techniques an adversary would use, such as DNS exfiltration, regardless of the external IP address. Whereas the IOC was not effective in detecting DYMALLOY from one victim to another, the threat analytic not only detected all DYMALLOY’s efforts across victims, but was also useful in detecting other activity groups using similar tradecraft against different victims. Adversary tradecraft is not specific to individual activity groups or campaign and, therefore, represents the most effective and efficient form of threat detection.

There is a cost associated with creating threat behavior analytics; defenders must take an intelligence-driven approach and learn from adversary tradecraft before creating the threat analytic. Machine learning and other types of modeling cannot create threat behavior analytics. This makes them inherently valuable. Defenders are provided with context when an alert occurs that anomaly and change detection cannot provide. Instead of requiring our customers to make analytics and correlations, the Dragos intelligence team and Threat Operations Center focus on producing threat analytics. The behind-the-scenes team producing analytics for the industry allows the Dragos Platform to be the most cost-effective technology, considering total cost of ownership, while affording our customers the most significant threat coverage and breadth of any technology on the market.

In each content packet, customers will receive threat analytics that effectively lower the true cost of ownership for defenders, while providing them access to a full intelligence and threat operations team that is codifying their knowledge into the platform—all enabled without having to connect to our team in any way.

Investigation Playbooks

Threat behavior analytics make threat detection more effective by bringing context to the detection. Combined with investigation playbooks, the pair makes defenders more efficient. Investigation playbooks are the step-by-step actions a defender should take when investigating a detection and what to do if incident response is needed. These can be thought of as “what would Dragos do” type playbooks. The Dragos Threat Operations Center is staffed with industrial security practitioners, and as they perform threat hunting and incident response, they capture their knowledge into investigation playbooks. Each threat analytic that is either created and paired with the appropriate investigation playbook, or a new one is created for it, so that when a detection occurs, the defender not only knows what they are looking at but also how to investigate and respond to it. However, investigation playbooks are not merely a checklist. They also contain a level of automation where many of the initial queries and correlations an analyst would perform are already executed. These queries represent the concept of Query Focused Datasets (QFD), which is introduced here but will be covered in detail in a future blog post. A QFD is a pared down dataset that combines disparate data to enable analysts to prove or disprove a given hypothesis quickly.

As an example, if the threat analytic for DNS exfiltration of screenshots from an HMI alerted, there would already be an investigation playbook associated with that alert. When the alert triggers, the queries and correlations the Dragos threat operations analysts would have performed in that scenario are executed by the Dragos Platform. The high-level and simplified steps and associated QFDs for this playbook are as follows:

1. Identify and validate which hosts are at each end of the exfiltration activity
   1. Associated QFD: list of hosts which made a large number (and byte size) of DNS queries as well as the destination of these requests
2. Identify what protocol(s) are involved in the activity
   1. Associated QFD: list of protocols used by the hosts involved
3. Based on those characteristics, identify and validate any change in activity
4. Identify the exfiltrated data
   1. Associated QFD: File transfers and data moved out of the network
   2. Associated data: PCAP already collected and ready for the analyst for optional validation
5. Analyze hosts involved to understand the source of the activity
   1. Associated QFD: Focused host data related to the observed network activity

In this example, the Dragos Platform performs many steps, but each step and data set is presented to an analyst to help them understand why each query was run and lets them validate the data before moving on. The steps are a guideline for the analyst to investigate the alert further. While the Dragos Platform will present most of this information to the defender, human analysis is required to validate assumptions and confirm malicious activity; this is true for every technology. Our job is not to replace the human, but to make them operate as if senior Dragos analysts were there working the case with them. A future blog post will explain the finer details of these playbook steps.

Playbooks can also be used proactively as a hunting tool. In this case, the playbook is initiated with a hypothesis (for example: “An adversary is exfiltrating data from my ICS environment through DNS tunneling”). The defender can then hunt through their environment and look for threats while attempting to prove or disprove their hypothesis. In this way, the analysts leveraging the Dragos Platform can be entirely disconnected from Dragos or any other help, but they can work through investigations as if our analysts were side-saddling with them. This not only allows them to be more effective and efficient at their security jobs, but also allows them to learn while performing them.

Looking Ahead

At Dragos, we consider knowledge transfer one of our key missions. We consider our technology the key to making it scalable. By continually releasing content packs, we hope to provide defenders of industrial environments the codified knowledge of our threat intelligence and Threat Operations Center teams. Threat Behavior Analytics help defenders identify adversary-like behaviors in their environments and provide them the required context to respond properly. Investigation Playbooks paired with Query Focused Datasets will guide analysts through the core steps that should be taken after a detection occurs. Dragos Platform users will be receiving their first content pack in the coming weeks. Look for more details on playbooks and QFDs in future blog posts.