The Dragos Blog

06.19.24 | 5 min read

The Hunt: Decoding Human Behavior in OT Threat Hunting

Mistakes are human. We downplay them. We excuse them as if we are a worthy exception to the rule. Our adversaries know them well – they expect it, they work to exploit it – after all, they are human too. On the bright side, many human mistakes are explainable, predictable, and repeated. As an industrial threat hunter, this is exceptionally good news.

As a Dragos OT Watch Threat Hunter, I find opportunities every day to exercise my passion for understanding human behavior and apply it to my threat hunting work. To many who work outside of the technology industry, working with computers, networks, and digital artifacts may seem to require expertise only in the robotic, autonomous, and binary actions of interconnected systems. Fortunately for those of us inside this industry who are fascinated by the human psyche, that assumption is simply not accurate. Human behavior is a huge factor in cybersecurity, in industrial control systems (ICS) and operational technology (OT) security, and therefore in OT threat hunting.

What Is Threat Hunting?

Threat hunting is a proactive, data-driven methodology where our threat hunters actively search for behaviors that could indicate attempts to penetrate OT networks, going beyond standard detection capabilities. It also involves searching for opportunities attackers could take advantage of to achieve their objectives. At Dragos, hunting for human-driven threat behaviors informed by our extensive adversary research is where my passion lies.


Navigating the Human Elements

In work environments, mistakes happen, but so do deliberate (albeit benign) decisions and shortcuts. Humans make decisions to make their work lives better and more efficient. People are busy and have conflicting priorities, and in cybersecurity especially, teams are navigating a myriad of alerts that overwhelms their ability to scrutinize the data, which leads to threats slipping past. Technology is vital to understanding the environment and identifying points of concern, but technology alone is not sufficient; cybersecurity requires people.

The question is: Can we utilize our understanding of human behavior to prevent the manipulation of our critical systems and protect those who need them? I have come to the conclusion: Yes, we certainly can. 

The Hunt Starts with a Hypothesis

Knowing the potential tactics of cyber adversaries, we consider the likely approach of an adversary to obfuscate their activities so they can hide within network activity that appears normal, and we look for strategies they may take to do so. We utilize the network visibility provided by the Dragos Platform, Dragos’s proprietary OT threat intelligence, and other strategic inputs to form a threat hunt hypothesis in our customers’ environments. Then, we get to work.

[Figure: Dragos OT Watch threat hunting process]

Finding Adversaries Hiding in the Noise

A frequent tactic used by adversaries is to hide in the noise of normal network activity. Often, when we ask asset owners questions like, “Why is this here?” or “Where did this come from?”, the answer is unknown. When we hunt to support our customers, we may ask them, “Does your team frequently use (x) tool?” or “We’ve observed (x) traffic, which appears to be anomalous for your network – is this expected?” It’s concerning when the response is, “This alone doesn’t seem suspicious,” or when there’s no response at all.

Adversaries exploit existing network behaviors to blend in with the crowd, taking advantage of noise and the overuse and over-taxation of human resources. For example, the OT Watch team recently observed a spike in traffic around a single host in a customer’s environment, involving various ad hoc file/data sharing sites such as Pastebin, JustPasteIt, MediaFire, and ZippyShare. This spike was anomalous for both the host and the customer’s network over the past 90 days.

Upon further investigation, the customer had all the necessary data points to confirm:

  • Why did this happen? A specific user was bypassing approved file-sharing methods for convenience.
  • Should it be happening? No, it was unwanted behavior and highlighted a gap.
  • Who initiated it? The specific user was identified.
  • How can we prevent this from happening again? Enhance VPN configurations and add additional file-sharing site blocks.

We quickly ruled out malicious hypotheses, enabling the customer to evaluate and control the tools their assets can access.
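The spike described above is a hunt that can be expressed as a per-host baseline comparison. The following is an added example, not Dragos or OT Watch code: it parses constructed proxy-style log lines, counts each source host's daily connections to the ad hoc file-sharing services named in the post, and flags any day whose count stands well above that host's trailing 90-day baseline. The log format, the hostnames, the domain list, and the threshold (three standard deviations above the 90-day mean, with a minimum hit count so that a baseline of zeros does not fire on a single visit) are all assumptions made for the example.

```python
"""Baseline-and-spike hunt for ad hoc file-sharing traffic, per source host.

Added example; log format, hosts, domains and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Watchlist of ad hoc paste / file-sharing services mentioned in the post.
# Registrable domains are assumed for the example; matching is on the
# registrable domain so "www.mediafire.com" still counts.
FILE_SHARING_DOMAINS = {
    "pastebin.com", "justpaste.it", "mediafire.com", "zippyshare.com",
}

# Hypothetical proxy/DNS log line: "<YYYY-MM-DD> <HH:MM:SS> src=<host> dst=<fqdn>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} src=(\S+) dst=(\S+)$")


def registrable_domain(fqdn):
    """Reduce a FQDN to its last two labels (good enough for this watchlist)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else fqdn.lower()


def daily_counts(log_lines):
    """Return {src_host: {day: count}} of connections to watchlisted domains."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the hunt
        day, src, dst = m.groups()
        if registrable_domain(dst) in FILE_SHARING_DOMAINS:
            counts[src][date.fromisoformat(day)] += 1
    return counts


def find_spikes(log_lines, window_days=90, min_hits=10, sigma=3.0):
    """Flag (host, day, count, baseline_mean) where a day's count exceeds the
    trailing window_days baseline by sigma standard deviations and also
    reaches min_hits. Days with no hits count as zeros in the baseline, so a
    host that never touches these sites has a flat zero baseline."""
    counts = daily_counts(log_lines)
    findings = []
    for src, per_day in counts.items():
        for day in sorted(per_day):
            window = [per_day.get(day - timedelta(days=i), 0)
                      for i in range(1, window_days + 1)]
            mean = statistics.fmean(window)
            stdev = statistics.pstdev(window)
            count = per_day[day]
            if count >= min_hits and count > mean + sigma * stdev:
                findings.append((src, day, count, round(mean, 2)))
    return findings


def build_sample_log():
    """Constructed sample data: hmi-02 touches pastebin.com once a day for
    90 days (a steady, low-volume habit), then on day 91 makes 40 connections
    to several sharing sites in one afternoon. eng-ws-07 never hits the
    watchlist. One malformed line is included to exercise the parser."""
    start = date(2024, 3, 1)
    lines = []
    for i in range(90):
        d = start + timedelta(days=i)
        lines.append(f"{d} 09:15:00 src=hmi-02 dst=pastebin.com")
        lines.append(f"{d} 09:16:00 src=eng-ws-07 dst=vendor-portal.example")
    spike_day = start + timedelta(days=90)  # 2024-05-30
    sites = ["pastebin.com", "justpaste.it", "www.mediafire.com", "zippyshare.com"]
    for n in range(40):
        lines.append(f"{spike_day} 14:{n:02d}:00 src=hmi-02 dst={sites[n % 4]}")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, day, count, mean in find_spikes(build_sample_log()):
        print(f"{src}: {count} file-sharing connections on {day} "
              f"(trailing 90-day mean {mean})")
```

A finding from this hunt is only a starting point: the next step is the same set of questions the post lists (why, should it, who, how to prevent), answered from the customer's own logging, which is exactly where gaps in logging and artifacts show up.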

Many customers face similar situations, though sometimes there is no clear answer. Often, organizations lack the necessary tools to fully investigate unusual network behavior. Gaps in logging and network artifacts make it difficult to prove or disprove hypotheses, leaving us and the asset owner struggling for answers.

This is why organizations need to implement OT network monitoring, such as with the Dragos Platform, to gain the visibility required to get to the bottom of anomalous patterns, and threat hunting, specifically OT Watch, to dig deeper. The results of exploratory hunting can reveal unknown findings and gaps, strengthening the customer’s security posture. Every day, findings like these push our customers towards a better understanding of their unique networks and improved security.

Exploiting Remote Access Tools

Another common tactic is to exploit Remote Access Tools.

“Rogue” remote access tools residing within OT networks are also frequently observed by the OT Watch team. These tools are often left behind by vendors or employees, or built into systems without the asset owner’s awareness. Sometimes the site has no idea that these tools are being used in the first place. If a tool like this is present, there is a risk it could be used for malicious purposes.

We see this repeatedly: organizations struggle to narrow the scope of the remote tools a single entity uses. They have difficulty reining in and keeping track of the tools actively in use or sitting abandoned across various parts of their network. The tools that are often a focus for OT Watch in our daily threat hunting operations are those that are easily downloadable from the internet – “download and go.” The looser the grip an entity has on who needs to be using which tool for remote access, the greater the opportunity for adversaries. Depending on their goals, adversaries may use existing tools to advance their purposes if it means they are less likely to be detected.

We Hunt Against the Human Element

As a threat hunter with a passion for protection, especially within the realm of hunting through the spiderweb of data that critical ICS generate, I leverage an understanding of human behavior to positively impact our clients’ security postures. We hunt not only for malicious adversary manipulation of human routine, but also for the error in the routine itself; to do that, a hunter must be aware of how humans operate.

We consider those on the owner-operator side: 

  • What actions do humans take that they may later forget to complete or come back to?  
  • What actions do humans take when they want to get away with something that they know may not be permitted by policy, but in the moment, is “no big deal”?  

We consider those who want to take advantage of these pitfalls: 

  • What actions do humans take when they want to look for those same loopholes, left behind by others, and not get caught? 
  • What actions do humans take if they want to blend in? – Our adversaries have worked hard to perfect this art.  

If a threat hunter can understand common human assumptions and pitfalls, they can know how to look for the needle in the haystack – the task we work to complete all day, every day. When a hunter understands that the adversary is human and therefore error-prone like the rest of us, they can finally begin to get one step ahead of the adversary. That is why I hunt.

We identify and mitigate numerous threats stemming from human errors and adversarial exploits, enhancing the overall security of critical systems. My approach to threat hunting is to cut through the noise that weighs our customers down and give them peace of mind. On behalf of our customers, Dragos threat hunters:

  • Escalate critical concerns before they become issues.
  • Ask the “why/how” questions.
  • Flag seemingly simple misconfigurations that could be exploited.
  • Understand and anticipate human behavior to improve security and protect critical infrastructure.

Connect with OT Watch Threat Hunters

On behalf of the Dragos OT Watch team, we would be honored to support your organization through proactive threat hunting. If you are interested in learning more about Dragos Platform and OT Watch, please contact us. 
