At Dragos we regularly interact with members across the industrial community who are curious about what other organizations are experiencing when it comes to cybersecurity operations. This includes both gaining insight into what “normal” looks like, and also a desire to connect with others to share insights in a way that doesn’t compromise their own need to maintain operational integrity and privacy. It was with this in mind that we put together the infrastructure that makes it possible for community participants to help each other through what we call Neighborhood Keeper.
In this first of a series of blog posts we’ll share some of the foundational elements that make up Neighborhood Keeper, and start to explore some of the key use cases related to concepts like “collective defense” and “hypothesis-driven threat hunting”. We hope this behind-the-scenes perspective on how certain Dragos teams, and the customers participating in the Neighborhood Keeper program, use the system will provide insight into how we engage with and enable organizations to ask questions of their own data, while collectively allowing others to do the same at an aggregated level.
What Is Neighborhood Keeper?
Neighborhood Keeper is a community-wide visibility solution that provides collective defense by sharing aggregated threat intelligence at machine speed across industries and geographic regions. Each participating organization’s defensive capability becomes stronger than what it could achieve on its own. Neighborhood Keeper is a free, opt-in, information-sharing network available only to Dragos Platform customers, capable of surfacing potential supply chain risks, vulnerabilities, and cyber threats that may require further investigation and remediation. Through the participation of trusted industry and government partners, it also enables a cyber broadcasting service of sorts.
All of this is done while ensuring that participant identities cannot be recovered from the shared data, allowing anonymized and secure sharing. The additional visibility provided by participation in Neighborhood Keeper is inherently valuable for the insight it gives into community-wide events and trends, but this use case shouldn’t be the only way in which industrial network defenders integrate Neighborhood Keeper into their broader Cyber Threat Intelligence (CTI) program.
One of the most obvious ways in which Neighborhood Keeper adds value for network defenders, and which requires little to no action on their part, is the integration of trusted advisors into the larger system. This allows select government agencies, Information Sharing and Analysis Centers (ISACs), and Computer Emergency Response Teams (CERTs) to disseminate information on threats, trends, and research directly to the Neighborhood Keeper community. It also allows Neighborhood Keeper participants to anonymously submit targeted, encrypted requests for assistance to other participants or trusted advisors in a time of need. This functionality gives participants multiple avenues to receive and consume disseminated threat intelligence, as well as to request additional resources and expertise on a case-by-case basis.
Types of Threat Intelligence
Beyond these valuable use cases at the core of Neighborhood Keeper, there are a variety of proactive ways in which industrial defenders can leverage the data and insights within Neighborhood Keeper to bolster their organization’s overall defensive posture. In considering these potential use cases, it is helpful to place them within the wider context of the Cyber Threat Intelligence discipline. Threat intelligence is generally categorized into three types, or levels: Tactical, Operational, and Strategic. These categories are determined not by the type of information they encompass, but rather by the intended audience, the sphere of influence, and the action implied by the category. The data within Neighborhood Keeper can have implications for all three types of threat intelligence, depending on how the information is visualized, consumed, and ultimately operationalized.
For all these potential applications, one of the most critical initial requirements is a baseline understanding over time, not only of the Neighborhood Keeper data, but also of an individual organization’s Operational Technology (OT) network. The data contained in Neighborhood Keeper can provide valuable context for what network defenders observe within their own environments, but these insights will be most valuable if they can also be placed in the larger perspective of events and changes over the longer term and across the community of participants.
Additionally, familiarity with the Neighborhood Keeper portal and its functionality in advance of a potential incident or investigation could prove critical to an organization’s ability to bring Neighborhood Keeper’s resources to bear during a crisis. To accomplish this, network defenders should learn what information is contained within the portal, how to access it, and how to securely request community assistance if needed. Consider incorporating Neighborhood Keeper’s capabilities into tabletop exercises and incident response playbooks.
Upcoming Blog Posts to Consider
With all of this in mind, how can we use the data in Neighborhood Keeper to address needs and use cases across the types of threat intelligence? Dragos has identified several approaches for participants to extract more insight and value from Neighborhood Keeper, which will be covered over a series of forthcoming blog posts to share the knowledge with the community and enable Neighborhood Keeper participants to get the maximum benefit from their involvement:
- Trend Analysis (now available) – How do the detections in my organization’s environment relate to what is happening in the broader community? Could community observations help formulate a specific and actionable threat hunting hypothesis to identify, or ideally preempt, adversary activity?
- Long Tail Analysis (now available) – How can uncommon events and detections help to identify advanced adversaries and misconfigurations, and how can Neighborhood Keeper data extend this type of analysis by triaging and contextualizing such detections against the wider community?
- Strategic Content for an Executive Audience (now available) – What does community data over time tell an organization’s OT security team about their defensive posture relative to peers? How can detection and vulnerability trends inform an organization regarding areas to prioritize for resourcing or capital investment?
- Context Around Observed Vulnerabilities – What is the delta between vulnerabilities observed in my OT network and across the community more widely? Are there vulnerabilities in my environment that are uncommon, and if so, why? Does the changing prevalence of a vulnerability across the community have implications for how an organization should approach patching or mitigation?
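As an added illustration of the trend and long-tail comparisons the first two items above describe, the following script is example code written for this edit; it is not from the original post and not Dragos code, and it says nothing about how Neighborhood Keeper itself computes anything. It assumes the only community-level data available is an anonymized aggregate: for each detection name, how many participating organizations reported it in the previous and current period. The detection names, counts, organization total, and the 10% prevalence and 2x growth thresholds are all constructed assumptions.

```python
"""Compare an organization's own detections against an aggregated community baseline.

Two questions from the post are answered on constructed data:
  1. Long tail: which detections present locally are rare across the community?
  2. Trend: which detections are rising community-wide that we have not seen yet,
     and therefore make a candidate threat-hunting hypothesis?
Example code written for this edit; not from the original post and not Dragos code.
"""
from typing import Dict, List, Tuple

# Constructed community aggregate (assumption): number of participating
# organizations that reported each detection name, per period.
COMMUNITY_ORGS = 40
COMMUNITY_PREV: Dict[str, int] = {
    "Modbus Function Code Scan": 18,
    "New External Communication": 25,
    "Default Credential Use": 10,
    "DNP3 Unsolicited Response": 2,
    "Engineering Workstation Remote Access": 3,
}
COMMUNITY_CURR: Dict[str, int] = {
    "Modbus Function Code Scan": 20,
    "New External Communication": 24,
    "Default Credential Use": 11,
    "DNP3 Unsolicited Response": 3,
    "Engineering Workstation Remote Access": 12,
    "Unusual Firmware Transfer": 1,
}

# Constructed local detections for the current period (detection name -> count).
LOCAL: Dict[str, int] = {
    "Modbus Function Code Scan": 7,
    "Unusual Firmware Transfer": 1,
    "DNP3 Unsolicited Response": 2,
}


def community_prevalence(curr: Dict[str, int], total_orgs: int) -> Dict[str, float]:
    """Fraction of participating organizations reporting each detection."""
    if total_orgs <= 0:
        raise ValueError("total_orgs must be positive")
    return {name: n / total_orgs for name, n in curr.items()}


def long_tail(local: Dict[str, int], curr: Dict[str, int], total_orgs: int,
              max_prevalence: float = 0.10) -> List[Tuple[str, float]]:
    """Detections seen locally that at most `max_prevalence` of the community reports.

    These are the candidates to triage first: either a misconfiguration peculiar
    to this site, or activity few other participants are seeing. Sorted rarest first.
    A detection absent from the community aggregate entirely has prevalence 0.0.
    """
    prevalence = community_prevalence(curr, total_orgs)
    rare = [(name, prevalence.get(name, 0.0)) for name in local
            if prevalence.get(name, 0.0) <= max_prevalence]
    return sorted(rare, key=lambda item: (item[1], item[0]))


def rising_trends(local: Dict[str, int], prev: Dict[str, int], curr: Dict[str, int],
                  min_growth: float = 2.0, min_orgs: int = 3) -> List[Tuple[str, int, int]]:
    """Detections whose community org-count grew by >= `min_growth` (or newly appeared
    in at least `min_orgs` organizations) and that this organization has not observed.

    Each tuple is (detection, previous org-count, current org-count) and reads as a
    hunting hypothesis: "peers are newly seeing X; check whether we are too."
    """
    hypotheses = []
    for name, now in curr.items():
        if name in local:
            continue  # already visible locally; not a hypothesis, an incident queue item
        before = prev.get(name, 0)
        newly_appeared = before == 0 and now >= min_orgs
        grew = before > 0 and now / before >= min_growth
        if newly_appeared or grew:
            hypotheses.append((name, before, now))
    return sorted(hypotheses, key=lambda item: item[2] - item[1], reverse=True)


if __name__ == "__main__":
    print("Long-tail detections (present here, rare in the community):")
    for name, p in long_tail(LOCAL, COMMUNITY_CURR, COMMUNITY_ORGS):
        print(f"  {name}: {p:.1%} of participants")
    print("Hunting hypotheses (rising in the community, not yet seen here):")
    for name, before, now in rising_trends(LOCAL, COMMUNITY_PREV, COMMUNITY_CURR):
        print(f"  {name}: {before} -> {now} organizations")
```

On the constructed data, the long-tail list contains the firmware-transfer and DNP3 detections (2.5% and 7.5% prevalence) and drops the Modbus scan that half the community reports, while the only hunting hypothesis is the engineering-workstation remote access detection, which went from 3 to 12 organizations without appearing locally. The thresholds are deliberately parameters: what counts as "rare" or "rising" should be tuned against the organization's own baseline over several periods rather than fixed once.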
Stay tuned for the rest of the series!