The Dragos Blog

12.23.24 | 4 min read

Get On-Demand, Actionable Cyber Threat Insights with Dragos WorldView Request for Intelligence (RFI) Service 

Dragos, Inc.

In today’s interconnected industrial environments, OT networks are more vulnerable than ever to cyber threats. Even with robust monitoring and threat detection tools in place, responding to suspicious activity in your OT environment can be challenging – especially when you have limited in-house expertise in managing OT cyber threats. However, responding quickly to the potential threat is imperative. 

Our Dragos WorldView Request for Intelligence (RFI) service was developed to provide the OT cyber threat intelligence support that WorldView subscribers require to quickly assess a threat and receive actionable guidance. Let’s walk through a real-world scenario in which a company uses the Dragos Platform’s network monitoring and threat detection to flag suspicious activity in its OT environment. 


The Scenario: A Suspicious Connection Between IT and OT Systems 

You’re in charge of cybersecurity for a large energy company. The Dragos Platform has flagged suspicious communication between an engineering workstation in your OT environment and an employee’s laptop on the IT side of the network. The communication is unusual and outside of normal business operations, immediately raising concerns that a threat may have breached IT and OT systems. 

Upon further investigation, your security team identifies several suspicious files on the employee’s laptop. These files don’t immediately match any known malware but are unusual enough to raise alarms. The pressure is on to quickly determine if the files are malicious and understand how the employee’s laptop became compromised in the first place. 

The Key Questions You Need to Answer

  1. Are these files malicious? 
  2. How did they get onto the employee’s laptop? 
  3. What additional TTPs and IOCs should you seek in your OT environment to ensure the threat hasn’t spread?

Your team is skilled, but these questions require a deeper understanding of OT environments, adversary behavior, and advanced malware analysis. Unfortunately, you don’t have an in-house OT intelligence team with the specific expertise to handle this type of analysis and investigation. 

The Challenge: Limited In-House OT Cyber Threat Expertise 

While your security tools have done their job by flagging suspicious activity, the hard work is just beginning. This incident crosses your IT and OT systems, making it more complicated than a standard IT breach. If the files on the laptop are malicious, the threat could move laterally into your OT systems, potentially disrupting critical processes or causing operational downtime. 

To fully understand the scope of the incident, you need answers to some very specific questions quickly. But like many companies, you don’t have the luxury of a full-time, in-house OT threat intelligence team that can quickly analyze the files, assess how they might have gotten there, and provide detailed TTPs and IOCs to help you look for signs of compromise in your OT environment. 

The Solution: Dragos WorldView RFI Service

This is where the Dragos WorldView RFI (Request for Intelligence) service comes in. When your team faces a scenario where immediate, OT-specific threat intelligence is needed, submitting an RFI gives WorldView subscribers access to our team of OT experts who can analyze the situation and provide tailored actionable intelligence. 

Here’s how it works in the above scenario. 

1 | Submit the RFI Request

As a WorldView subscriber, your team submits a Support Request for an RFI in the WorldView subscription portal, outlining the suspicious activity and the nature of the request. 

2 | Our OT Cyber Threat Experts Investigate

The Dragos Threat Intelligence team begins analyzing the suspicious files and conducts malware analysis to determine if they are part of a known malware campaign or are new, unknown threats. 

Based on the available information and our research on adversary tactics, we consider how the files may have been introduced to the employee’s laptop, including potential attack vectors such as phishing, compromised remote access, or USB devices. This helps you understand how the compromise occurred so you can prevent similar incidents in the future. 

3 | Receive a Detailed Report 

Once the analysis is complete, our OT cyber threat experts provide a detailed report that answers your key questions. 

  • Are the files malicious? We confirm whether the files contain malware, and if so, we identify the strain, its capabilities, and its potential impact on your OT systems. 
  • How did they get there? We investigate the possible routes the malware took to get onto the employee’s laptop and how the attacker may have used the connection between the computer and the OT network to stage the attack. 
  • What TTPs and IOCs should you look for? Our report includes a list of relevant TTPs and IOCs based on the adversary’s behavior and the malware’s activity, which helps you identify and block the threat’s further spread in your OT systems. 

4 | Get Actionable Threat Intelligence and Next Steps 

Our report does not just tell you what is happening – it provides clear, actionable steps to contain and mitigate the threat. This includes guidance on whether additional monitoring is needed on the OT network, recommendations for patching any identified vulnerabilities, and insight into whether the attack could escalate or remain contained.

The Outcome: Tailored, Actionable OT Threat Intelligence On-Demand 

Thanks to the Dragos WorldView RFI service, your team now has the answers to act confidently. You’ve determined that the files are malicious and part of a targeted campaign to compromise your IT and OT systems. The malware entered through a phishing attack on the employee’s laptop, and the network connection to the engineering workstation was used to move into the OT environment. 

With the TTPs and IOCs provided in the report, your team has set up additional monitoring on the IT side to catch any further attempts to gain access to your OT environment. You’ve patched the gaps that allowed the malware to spread in the first place and segmented your IT and OT networks. You’ve contained the threat before it could cause operational downtime. 

WorldView RFI Service Now Available

The Dragos WorldView RFI service allows Dragos WorldView subscribers to ask detailed questions and get specific, OT-focused answers when needed. Whether you’re facing suspicious files or need custom research on a particular threat, your team has the intelligence to respond effectively and confidently. 
