SlideShare a Scribd company logo

2018 Year in Review- ICS Threat Activity Groups

Download as PPTX, PDF
Dragos, Inc.
Dragos, Inc.

Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich overview the 2018 Year in Review report detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.

Technology
1 of 22
Dragos 2018 Year in Review ICS Threats and Activity Groups Joe Slowik, Amy Bejtlich, Selena Larson intel@dragos.com
Agenda 01 Introductions 02 ActivityGroups 03 Threats in Detail 04 Recommendations
Insights into ICS Activity Groups, Hunting and Responding & Vulnerabilities, and Executive Insights Activity Groups Threat Hunting & Responding Vulnerabilities Executive Insights
Dragos Threat Intelligence Team Joe Slowik Principal Adversary Hunter Amy Bejtlich Senior AdversaryHunter Selena Larson IntelligenceAnalyst
YIR 2017 VS 2018 In2017,Dragos was tracking5 activity groups. In2018,3 newactivity groups discovered offering more insight into the ICSthreat landscape, as well as newrecommendations and defense strategies. Dragos continuesto see anincrease inthreats and the aggressiveness of them, but has no evidence of “malware planted waiting to beactivated,” or other hypedup scenarios often heardin press and government discussions.
ICS Threats Takeaways In2018,four majorelements contributed significantlyto greater risk: 1. Intrusionsinto ICSnetworks enabling researchand reconnaissance of ICSoperations and technology 2. Commodity malware and wormable ransomware causing ICSinfections 3. Infrastructure-targetingactivity groups adopting Living off theLand tactics and behaviors that bypass traditional security protection mechanisms, both within ITand ICS 4. Thecompromise of several industrial control equipment manufacturersenabling potential supply chainthreats and vendor-enabled access to ICS
ICS YIR 2018: ICS Activity Groups
XENOTIME • Activity group behind TRISIS. • In2018,Dragos identified new XENOTIMEactivity targeting entities inthe US, and devices beyond Triconex. • Dragos identified several compromises of ICSvendors and manufacturersin2018by activity associated with XENOTIME. • Thegroup uses customized malware specifically for the target environment,stolen credentials to movebetween networks, legitimate but compromised servers for communication, and some Living off the Land techniques.
RASPITE • InAugust, we identified this group targeting access operations inthe USelectric utility sector, with additional victims in Saudi Arabia, Japan, and potentially Europe. The group appears active since at least mid-2017. • RASPITEcompromises websites its targets are likelyto visit inan attempt to gain initial access to victim networks. • No indication the group currentlyhas anICSdestructive capability.
ALLANITE • This grouptargets business and ICSnetworks in the USand UKelectric utility sectors and maintains access to understand the operational environmentandfor potential disruptive events. • Thegroup’s operations are limited to information gathering and have not yet demonstrated disruptive capabilities. • ALLANITEactivity includes the Palmetto Fusion event described by theUS Department of Homeland Security(DHS).
DYMALLOY • Associated with “Dragonfly 2.0”andfirst emerged inlate 2015. • Able to compromise multiple ICStargets inTurkey,Europe, andNorth America, includingobtaining access to humanmachineinterface (HMI) devices and stealing screenshots. • Infall 2018,Dragos identified multiple new malware infections matching DYMALLOY’s behavior. • This discovery is concerning;the malware Dragos recentlyidentified as part of new activity is only associated with knownintrusions into ICSnetworks.
MAGNALLIUM • Identified in2017,targeted ITops at petrochemical and aerospace manufacturers since 2013. • In2018,group expanded victimology to includeentities in Europe and North America. • Thegroup has transitioned from commodity malware and wiper variants to PowerShell based post-exploitation. • Group lacks ICS-specific capabilities.
CHRYSENE • Group targets petrochemical, oil and gas, and electric generation sectors. Targeting initially in the Gulf Region, but has shifted targeting. • Group lacks ICS-specific capabilities. • In2018,Dragos uncovered multiple samples of malware related to the group, and additional activity.
ELECTRUM • Group responsible for 2016CRASHOVERRIDEattack in Ukraine. • Identified newsamples of a malicious tool previously associated with that event. • Thegroup remainsactive and is no longer focusing exclusively on Ukraine.
COVELLITE • Targetsnetworks associated with electric energy,mostly inEurope, East Asia, and the US. • Compromised ITnetworks, andlacks anICS-specific capability. • No evidence this group remainsactive from an ICS-targetingperspective.
Threats in Detail 01 Disruptive IT Malware IT malware impacting operations is not new or unique, and Dragos expects these types of infections will continueto be prevalent for years to come. 02 Mid-point Network Access VPNFilter malware targeted SOHO networking devices. SOHO equipment is often used in an out-of-band manner, whichintroduces risk. 03 Significant TTPs ICS-directed threat behavior continues to transition away from malware and vulnerabilities for most operations. Supply Chain Compromise TheOT network access granted to vendors and others canalso expose an asset operator tosignificant risk as compromises canmove from vendors’ networks to the asset operator’s network. 04
Disruptive IT Malware IT-focusedmalware is easy to use, effective within the enterprise, and widely-available. Often untargeted, and can spread to operations due to poor segmentation. Examples: • Automated spreading mechanisms: WannaCry,NotPetya, Ryuk • Olympic Destroyer • LockerGoga
Mid-point Network Access Malware targeting networkrouters, like VPNFilter, could enable data collection and reconnaissance, potentially leading to a damaging attack. Examples: • VPNFilter malware enables information harvesting, credential theft, and DOS. • Concerningfor ICSoperators due to theMODBUS packet sniffer module. • Ukrainianchemical plant found VPNFilter on its networkand claimedto stop a disruptive attack. • However, the malware alone does not haveICSdestructive capabilities.
Supply Chain / Third-Party Compromise Supply chaincompromise leverages trust between parties and bypasses parts of the securitystack. Includescompromising contractors, websites, vendors, suppliers. Examples: • XENOTIMEcompromised several ICSvendors and manufacturers. • ICSwatering holes. • Enterprisedata trackingand sharing service compromised, affecting business operations across oil and gas and electric utility firms. • APT10campaigns against managed service providers (MSPs). • ASUS/ ShadowHammer
Significant TTPs ICSadversaries moving away from easily-detectable malware and exploits to Living off the Land – using built-intools within IT andOT – and pen testing tools. Examples: • Most ICS-impacting incidents begin in ITand moveto OT. • Adversaries utilizePowerShell, PSExec, WMIto movelaterally throughnetworks. • Within ICS:abuse native functionalityand features suchas operations of HMIs. Should not simply be considered the same Living off the Land techniquescommon inenterprise ITsecurity. • 5 of 8 activity groups use thesetypes of techniques. • Adversaries haveused tools suchas Mimikatz, Metasploit, and PowerShell Empire.
Recommendations 01 Security Best Practices Tool assessments, restricting internet connectivity within OT, increase visibility into host and ICS processes. 02 Defend Entire Kill Chain A “Whole of Kill Chain”approachmeans identifying adversary behaviors from Stage 1 intrusions to Stage 2 impacts. Utilize diverse threat detection strategies. 03 AnticipateThreats ICS threat intelligence provides actionable information for identifying and defending against threats. UseThreat Behavior Analytics Identify patterns in behavior and malicious activity tocreate analytics that canalert defenders to malicious activity. 04
Questions? intel@dragos.com

Recommended

Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos, Inc.
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat LandscapeDragos, Inc.
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDragos, Inc.
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos, Inc.
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Dragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Dragos, Inc.
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDragos, Inc.
 

Recommended

Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos, Inc.
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat LandscapeDragos, Inc.
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDragos, Inc.
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos, Inc.
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Dragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Dragos, Inc.
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityDragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...DevOps Indonesia
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019Fidelis Cybersecurity
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 
Kaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustryDragos, Inc.
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019Dragos, Inc.
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky
 
Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Fidelis Cybersecurity
 
Kaspersky Lab's Corporate Presentation - our Values, Business, Solutions
Kaspersky Lab's Corporate Presentation - our Values, Business, SolutionsKaspersky Lab's Corporate Presentation - our Values, Business, Solutions
Kaspersky Lab's Corporate Presentation - our Values, Business, SolutionsKaspersky
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_finalCMR WORLD TECH
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) Dragos, Inc.
 
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 

More Related Content

What's hot

Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityDragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...DevOps Indonesia
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 
Kaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustryDragos, Inc.
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019Dragos, Inc.
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky
 
Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Fidelis Cybersecurity
 
Kaspersky Lab's Corporate Presentation - our Values, Business, Solutions
Kaspersky Lab's Corporate Presentation - our Values, Business, SolutionsKaspersky Lab's Corporate Presentation - our Values, Business, Solutions
Kaspersky Lab's Corporate Presentation - our Values, Business, SolutionsKaspersky
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_finalCMR WORLD TECH
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) Dragos, Inc.
 

What's hot (20)

Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Kaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise Portfolio
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
 
Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019
 
Kaspersky Lab's Corporate Presentation - our Values, Business, Solutions
Kaspersky Lab's Corporate Presentation - our Values, Business, SolutionsKaspersky Lab's Corporate Presentation - our Values, Business, Solutions
Kaspersky Lab's Corporate Presentation - our Values, Business, Solutions
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI)
 

Similar to 2018 Year in Review- ICS Threat Activity Groups

NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Vertex Holdings
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013Imperva
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52Felipe Prado
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringLancope, Inc.
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationKen Flott
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityBryCunal
 
New Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoNew Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoJuanMiguelVelascoWeb
 
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computingJuan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computingJuan Miguel Velasco López Urda
 
New Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoNew Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoJuanMiguelVelascoWeb
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk ManagementProtect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk ManagementDevOps.com
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...Cyber Security Alliance
 

Similar to 2018 Year in Review- ICS Threat Activity Groups (20)

NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013
 
M1_Introduction_IPS.pptx
M1_Introduction_IPS.pptxM1_Introduction_IPS.pptx
M1_Introduction_IPS.pptx
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security Monitoring
 
ENSA_Module_3.pptx
ENSA_Module_3.pptxENSA_Module_3.pptx
ENSA_Module_3.pptx
 
APT - Project
APT - Project APT - Project
APT - Project
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
New Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoNew Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel Velasco
 
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computingJuan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
 
New Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoNew Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel Velasco
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk ManagementProtect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 

More from Dragos, Inc.

Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos, Inc.
 
Purple Teaming ICS Networks
Purple Teaming ICS NetworksPurple Teaming ICS Networks
Purple Teaming ICS NetworksDragos, Inc.
 
Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility InfrastructureDragos, Inc.
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security Dragos, Inc.
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos, Inc.
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Dragos, Inc.
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionDragos, Inc.
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Dragos, Inc.
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeDragos, Inc.
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in PerspectiveDragos, Inc.
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICSDragos, Inc.
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesDragos, Inc.
 

More from Dragos, Inc. (15)

Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations Center
 
Purple Teaming ICS Networks
Purple Teaming ICS NetworksPurple Teaming ICS Networks
Purple Teaming ICS Networks
 
Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility Infrastructure
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology Selection
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in Perspective
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICS
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

2018 Year in Review- ICS Threat Activity Groups

  • 1. Dragos 2018 Year in Review ICS Threats and Activity Groups Joe Slowik, Amy Bejtlich, Selena Larson intel@dragos.com
  • 2. Agenda 01 Introductions 02 ActivityGroups 03 Threats in Detail 04 Recommendations
  • 3. Insights into ICS Activity Groups, Hunting and Responding & Vulnerabilities, and Executive Insights Activity Groups Threat Hunting & Responding Vulnerabilities Executive Insights
  • 4. Dragos Threat Intelligence Team Joe Slowik Principal Adversary Hunter Amy Bejtlich Senior AdversaryHunter Selena Larson IntelligenceAnalyst
  • 5. YIR 2017 VS 2018 In2017,Dragos was tracking5 activity groups. In2018,3 newactivity groups discovered offering more insight into the ICSthreat landscape, as well as newrecommendations and defense strategies. Dragos continuesto see anincrease inthreats and the aggressiveness of them, but has no evidence of “malware planted waiting to beactivated,” or other hypedup scenarios often heardin press and government discussions.
  • 6. ICS Threats Takeaways In2018,four majorelements contributed significantlyto greater risk: 1. Intrusionsinto ICSnetworks enabling researchand reconnaissance of ICSoperations and technology 2. Commodity malware and wormable ransomware causing ICSinfections 3. Infrastructure-targetingactivity groups adopting Living off theLand tactics and behaviors that bypass traditional security protection mechanisms, both within ITand ICS 4. Thecompromise of several industrial control equipment manufacturersenabling potential supply chainthreats and vendor-enabled access to ICS
  • 7. ICS YIR 2018: ICS Activity Groups
  • 8. XENOTIME • Activity group behind TRISIS. • In2018,Dragos identified new XENOTIMEactivity targeting entities inthe US, and devices beyond Triconex. • Dragos identified several compromises of ICSvendors and manufacturersin2018by activity associated with XENOTIME. • Thegroup uses customized malware specifically for the target environment,stolen credentials to movebetween networks, legitimate but compromised servers for communication, and some Living off the Land techniques.
  • 9. RASPITE • InAugust, we identified this group targeting access operations inthe USelectric utility sector, with additional victims in Saudi Arabia, Japan, and potentially Europe. The group appears active since at least mid-2017. • RASPITEcompromises websites its targets are likelyto visit inan attempt to gain initial access to victim networks. • No indication the group currentlyhas anICSdestructive capability.
  • 10. ALLANITE • This grouptargets business and ICSnetworks in the USand UKelectric utility sectors and maintains access to understand the operational environmentandfor potential disruptive events. • Thegroup’s operations are limited to information gathering and have not yet demonstrated disruptive capabilities. • ALLANITEactivity includes the Palmetto Fusion event described by theUS Department of Homeland Security(DHS).
  • 11. DYMALLOY • Associated with “Dragonfly 2.0”andfirst emerged inlate 2015. • Able to compromise multiple ICStargets inTurkey,Europe, andNorth America, includingobtaining access to humanmachineinterface (HMI) devices and stealing screenshots. • Infall 2018,Dragos identified multiple new malware infections matching DYMALLOY’s behavior. • This discovery is concerning;the malware Dragos recentlyidentified as part of new activity is only associated with knownintrusions into ICSnetworks.
  • 12. MAGNALLIUM • Identified in2017,targeted ITops at petrochemical and aerospace manufacturers since 2013. • In2018,group expanded victimology to includeentities in Europe and North America. • Thegroup has transitioned from commodity malware and wiper variants to PowerShell based post-exploitation. • Group lacks ICS-specific capabilities.
  • 13. CHRYSENE • Group targets petrochemical, oil and gas, and electric generation sectors. Targeting initially in the Gulf Region, but has shifted targeting. • Group lacks ICS-specific capabilities. • In2018,Dragos uncovered multiple samples of malware related to the group, and additional activity.
  • 14. ELECTRUM • Group responsible for 2016CRASHOVERRIDEattack in Ukraine. • Identified newsamples of a malicious tool previously associated with that event. • Thegroup remainsactive and is no longer focusing exclusively on Ukraine.
  • 15. COVELLITE • Targetsnetworks associated with electric energy,mostly inEurope, East Asia, and the US. • Compromised ITnetworks, andlacks anICS-specific capability. • No evidence this group remainsactive from an ICS-targetingperspective.
  • 16. Threats in Detail 01 Disruptive IT Malware IT malware impacting operations is not new or unique, and Dragos expects these types of infections will continueto be prevalent for years to come. 02 Mid-point Network Access VPNFilter malware targeted SOHO networking devices. SOHO equipment is often used in an out-of-band manner, whichintroduces risk. 03 Significant TTPs ICS-directed threat behavior continues to transition away from malware and vulnerabilities for most operations. Supply Chain Compromise TheOT network access granted to vendors and others canalso expose an asset operator tosignificant risk as compromises canmove from vendors’ networks to the asset operator’s network. 04
  • 17. Disruptive IT Malware IT-focusedmalware is easy to use, effective within the enterprise, and widely-available. Often untargeted, and can spread to operations due to poor segmentation. Examples: • Automated spreading mechanisms: WannaCry,NotPetya, Ryuk • Olympic Destroyer • LockerGoga
  • 18. Mid-point Network Access Malware targeting networkrouters, like VPNFilter, could enable data collection and reconnaissance, potentially leading to a damaging attack. Examples: • VPNFilter malware enables information harvesting, credential theft, and DOS. • Concerningfor ICSoperators due to theMODBUS packet sniffer module. • Ukrainianchemical plant found VPNFilter on its networkand claimedto stop a disruptive attack. • However, the malware alone does not haveICSdestructive capabilities.
  • 19. Supply Chain / Third-Party Compromise Supply chaincompromise leverages trust between parties and bypasses parts of the securitystack. Includescompromising contractors, websites, vendors, suppliers. Examples: • XENOTIMEcompromised several ICSvendors and manufacturers. • ICSwatering holes. • Enterprisedata trackingand sharing service compromised, affecting business operations across oil and gas and electric utility firms. • APT10campaigns against managed service providers (MSPs). • ASUS/ ShadowHammer
  • 20. Significant TTPs ICSadversaries moving away from easily-detectable malware and exploits to Living off the Land – using built-intools within IT andOT – and pen testing tools. Examples: • Most ICS-impacting incidents begin in ITand moveto OT. • Adversaries utilizePowerShell, PSExec, WMIto movelaterally throughnetworks. • Within ICS:abuse native functionalityand features suchas operations of HMIs. Should not simply be considered the same Living off the Land techniquescommon inenterprise ITsecurity. • 5 of 8 activity groups use thesetypes of techniques. • Adversaries haveused tools suchas Mimikatz, Metasploit, and PowerShell Empire.
  • 21. Recommendations 01 Security Best Practices Tool assessments, restricting internet connectivity within OT, increase visibility into host and ICS processes. 02 Defend Entire Kill Chain A “Whole of Kill Chain”approachmeans identifying adversary behaviors from Stage 1 intrusions to Stage 2 impacts. Utilize diverse threat detection strategies. 03 AnticipateThreats ICS threat intelligence provides actionable information for identifying and defending against threats. UseThreat Behavior Analytics Identify patterns in behavior and malicious activity tocreate analytics that canalert defenders to malicious activity. 04

Editor's Notes

  1. https://dragos.com/year-in-review/
  2. Dragos expects to identify more activity targeting ICS, due to greater visibility into OT networks and adversary behavior driven by ICS threat intelligence. Adversaries will continue to bridge IT and OT networks leveraging traditional malware and Living off the Land techniques, while largely avoiding the use of zero-days. RECOMMENDATIONS: Defend the entire Kill Chain, leverage threat behavior analytics, and understand/anticipate threats
  3. Dragos expects to identify more activity targeting ICS, due to greater visibility into OT networks and adversary behavior driven by ICS threat intelligence. Adversaries will continue to bridge IT and OT networks leveraging traditional malware and Living off the Land techniques, while largely avoiding the use of zero-days.
  4. - RASPITE is linked to newly-identified behavior targeting US electric utilities. ALLANITE also targets electric utilities in the US, in addition to UK XENOTIME, the activity group associated with TRISIS, expanded its operations beyond the Middle East - Most concerning: several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME, providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks - MAGNALLIUM: victimology expanded to additional targets, including entities in Europe and North America. Uses phishing emails purporting to be job advertisements relating to oil and gas companies to gain access to victims’ machines. - CHRYSENE: Dragos uncovered multiple samples of CHRYSENE-related malware and other activity, indicating the group remains active and is evolving in more than one area, including revising and updating its malicious software toolkit. CHRYSENE aims to evade existing anti-virus and other detection mechanisms. - DYMAOLLOY: Dragos identified multiple new malware infections matching DYMALLOY’s behavior. May indicate a potential resurgence of DYMALLOY activity, or a different entity leveraging similar toolsets. This is concerning; the malware Dragos recently identified as part of new activity is only associated with known intrusions into ICS networks.
  5. XENOTIME is the group behind TRISIS, the destructive, ICS-tailored malware targeting Triconex safety instrumented systems (SIS) in the Middle East. In 2018 Dragos identified new XENOTIME activity targeting entities in the US, and devices beyond Triconex. While TRISIS would be difficult to replicate to other SIS’s, the malware provided a roadmap for other adversaries to target these types of devices. In addition to customizing the malware specifically for the target environment, the group uses stolen credentials to move between networks, legitimate but compromised servers for communication, and some Living off the Land techniques.   Dragos identified TRISIS targeting an oil and gas facility in Saudi Arabia in the fall of 2017. It represented an escalation of ICS attacks due to its targeting of safety systems that could lead to potential loss of life and physical damage.   XENOTIME has operated since at least 2014 and it is not currently linked to any other known groups. Dragos assesses this is one of the most adept and notable ICS-targeting activity groups.
  6. In August 2018, Dragos identified a new group targeting access operations in the US electric utility sector, with additional victims in Saudi Arabia, Japan, and potentially Europe. The group appears active since at least mid-2017.   RASPITE compromises websites its targets are likely to visit in an attempt to gain initial access to victim networks. Similar to ALLANITE and DYMALLOY, RASPITE will embed a link to a resource to prompt an SMB connection and steal Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine. The group shares similarities with a group known as Leafminer by Symantec.   Despite demonstrating the steps necessary for initial intrusion into an IT network and potentially preparing a path for an ICS event at a later time, there is no indication the group currently has a destructive capability that could, for instance, cause energy sector disruptions.
  7. In 2018, Dragos identified victims and attack methodology that sufficiently differentiated ALLANITE from other activity groups. This group targets business and ICS networks in the US and UK electric utility sectors and maintains access to understand the operational environment and for potential disruptive events.   ALLANITE uses phishing and compromised websites, called watering holes, for credential theft. Dragos assesses the group’s operations are limited to information gathering and have not yet demonstrated disruptive capabilities. ALLANITE avoids custom malware, instead utilizing Living off the Land techniques.   ALLANITE activity includes the Palmetto Fusion event described by the US Department of Homeland Security (DHS). In October 2017, a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly 2.0 (the latter has links to the activity group Dragos tracks as DYMALLOY). https://www.washingtonpost.com/world/national-security/us-officials-say-russian-government-hackers-have-penetrated-energy-and-nuclear-company-business-networks/2017/07/08/bbfde9a2-638b-11e7-8adc-fea80e32bf47_story.html?noredirect=on&utm_term=.89566d6d9d26 https://www.us-cert.gov/ncas/alerts/TA17-293A
  8. In fall 2018, Dragos identified multiple new malware infections matching DYMALLOY’s behavior. These observations may indicate a potential resurgence of DYMALLOY activity, or a different entity leveraging similar toolsets. This discovery is concerning; the malware Dragos recently identified as part of new activity is only associated with known intrusions into ICS networks.   The DYMALLOY activity group, associated with “Dragonfly 2.0,” uses methods such as spearphishing and watering hole attacks for initial access, and commodity backdoors Goodor, DorShel, and Karagany for post-exploitation activity. The group first emerged in late 2015, and was able to successfully compromise multiple ICS targets in Turkey, Europe, and North America, including obtaining access to human machine interface (HMI) devices and stealing screenshots.
  9. In 2018, MAGNALLIUM’s victimology expanded to additional targets, including entities in Europe and North America. MAGNALLIUM used phishing emails purporting to be job advertisements relating to oil and gas companies to gain access to victims’ machines. The group used publicly-available phishing kits to construct the emails’ contents, and leveraged variants of the StoneDrill wiper and TURNEDUP malware family in infection events before transitioning to PowerShell based post-exploitation tools in 2018.   Although the expansion is concerning, MAGNALLIUM’s capabilities appear to still lack an ICS-specific capability, and remain focused on initial IT compromise and information gathering.   Dragos identified MAGNALLIUM in 2017 and determined that the group targeted IT operations at petrochemical and aerospace manufacturers since at least 2013. The group initially targeted Saudi Arabian energy firms and an aircraft holding company, but new intelligence suggests the group is expanding their targeting.
  10. Dragos uncovered multiple samples of CHRYSENE-related malware and other activity this year, indicating the group remains active and is evolving in more than one area, including revising and updating its malicious software toolkit. CHRYSENE aims to evade existing anti-virus and other detection mechanisms.   CHRYSENE developed from an espionage campaign which first appeared on the public’s radar after the destructive SHAMOON cyberattack in 2012 impacting Saudi Aramco. The activity group targets petrochemical, oil, gas, and electric generation sectors and has shifted targeting outside the Gulf Region.
  11. In summer 2018, Dragos identified multiple samples of a malicious tool previously associated with ELECTRUM’s 2016 CRASHOVERRIDE event in Ukraine. Although some samples of this tool had been previously identified “in the wild,” this tool is only associated with ELECTRUM activity. Dragos also identified new intelligence providing additional information into ELECTRUM infiltration techniques and the capabilities of the CRASHOVERRIDE malware.   The group does not rely on zero-day vulnerabilities, instead leveraging common exploitation behaviors and tools, including Mimikatz. Our intelligence indicates that the group remains active and is no longer focusing exclusively on Ukraine.
  12. COVELLITE compromised networks associated with electric energy, primarily in Europe, East Asia, and North America. The group lacks an ICS-specific capability at this time. Dragos identified COVELLITE activity targeting US electric utilities in 2017.   While technical activity linked to COVELLITE behaviors exist in the wild, there has been no evidence or indications this group remains active from an ICS-targeting perspective, nor has Dragos identified new activity against electric infrastructure specifically.
  13. Previous campaigns leveraged one of several automated mechanisms to spread: an exploit for WANNACRY, credential capture and reuse for NotPetya and BadRabbit, and self-propagating first-stage malware to deliver RYUK. Following the Altran incident, public reporting did not identify any of these three propagation mechanisms, nor information on how the infection spread so far and so quickly. The ransomware likely compromised the service and then pushed malicious software to hosts connected to the AD via a Group Policy Object (GPO). WannaCry and wormable ransomware leveraging vulnerabilities detailed in Microsoft bulletin MS17-010 continues to be a major threat to ICS. The MS17-010 vulnerabilities were first weaponized in May 2017, and despite patches being available since spring of that year, many enterprises – especially those within the OT space – have not or cannot update machines due to poor patch management, refusal to accept downtime, or system end-of-life considerations.   This remains a continuing threat. In August, an operational error during software installation at Taiwan Semiconductor Manufacturing Company caused a WannaCry infection and affected over 10,000 machines, leading to a financial impact of at least $250 million.   Olympic Destroyer — the malware known for causing a network disruption during the PyeongChang 2018 Winter Olympic Games — represented another IT-focused malware with the potential to bridge the IT-ICS gap. Although not an immediate threat to ICS networks, Olympic Destroyer provides an example for exploit-less propagation within a victim network paired with a disruptive effect that could cause significant disruption in ICS environments. TR-2018-38 MS17-010 and the ICS Environment; TR-2017-07 PETYA Ransomware; WVS-17-04 WANNACRY
  14. In May, researchers identified VPNFilter router malware targeting small office/home office (SOHO) network devices and some commercial equipment that harvested information, stole credentials, and could cause a denial of service. While this malware does not appear to be targeted towards ICS, a Ukrainian chemical plant reportedly identified VPNFilter on its network. The malware alone does not have destructive capabilities, however information gathered could further lead to a damaging attack. SOHO equipment is sometimes connected to ICS environments in an out-of-band manner without approval from IT departments, thus a VPNFilter infection could cause major issues. The targeted equipment types listed in Talos’ report are not designed for use in ICS environments. Unfortunately, Dragos assessments occasionally identify SOHO-type equipment in ICS environments as part of “shadow IT” operations. Ensure a complete and accurate inventory of network devices will all ICS asset owners and defenders to determine if such equipment is present. Furthermore, such equipment should never be Internet accessible – however, if part of “shadow IT” an inappropriate or insecure installation is highly probable, with the corresponding possibility of Internet connectivity.
  15. Third-party access to OT networks is a common and necessary component of modern operations. However, the OT network access granted to vendors and others can also expose an asset operator to significant risk as compromises can move from vendors’ networks to the asset operator’s network. Third-party or supply chain compromise leverages explicit trust between parties and bypasses a large part of the security stack, potentially including perimeter defenses such as firewalls or proxy servers, to access a target. Once an adversary accesses the victim network, it is possible to pivot throughout the network, steal credentials or other sensitive data, and further embed themselves within IT or operations.   Most concerning to Dragos are several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME, providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks. We suspect that there are other unknown manufacturer/vendor compromises and that this trend will continue because the value of such access is high. Other significant activity of interest involves the compromise of legitimate websites enabling exploitation and access of networks when engineers and operators access these sites or download legitimate-looking software (e.g., ICS watering holes).   In April, a business tool used by a number of energy firms for communication purposes experienced a cyber incident, exclusively affecting business communications across oil and gas and electric utility sectors. It forced a number of energy companies to shut down communication connections and hampered data processing. Further underscoring potential for third-party infections, the Department of Justice in December indicted alleged members of the APT 10 hacking group in part for accessing companies’ Managed Service Providers (MSPs) to gain access into primary victim networks to steal sensitive information. Additionally, in August Schneider Electric alerted customers that some USB media shipped with two Conext products may have been infected with unidentified malware during manufacturing by a supplier. No customers publicly reported incidents of infection in this case. ASUS -  ASUS Live Update Utility.   
  16. ICS-directed threat behavior continues to transition away from unique malware and vulnerabilities for most operations, which is concerning because many OT security practices rely on anti-virus and vulnerability-based protection schemes to reduce risk. Thus, their fundamental behavior becomes a key detection element for defense.   During earlier phases of operation threats increasingly use a methodology known as Living off the Land, leveraging native system commands, applications, and software to gain access to the system and move throughout the network undetected. Most ICS-impacting incidents still begin in an enterprise IT network although with the interconnection of industrial environments to vendors, integrators, and others, it is important to note that the enterprise IT network the compromise begins in may not belong to the organization that owns and operates the ICS. Living off the Land can allow an adversary to execute behaviors ranging from conducting research to executing an attack on a target while evading many signature- and blacklist-based detection methods. Living off the Land techniques encompass abuse of native functionality and features in the ICS, such as operations of HMIs, and should not simply be considered the same Living off the Land techniques common in enterprise IT security.   Five out of eight of the activity groups Dragos tracks use some Living off the Land techniques to accomplish early-phase operations. While detecting commodity malware and Living off the Land techniques seems straightforward, it often fails by traditional IT security approaches because of the complex nature and mission requirements of operations environments. As anti-virus products, detection software, and other threat detection methods become more robust and capable of detecting various malicious activity, adversaries must modify their methods to evade capture by blending in with the environment and not leaving behind identifiable artifacts.   Dragos has also identified a growing trend of adversaries using open source or commercially-available penetration testing tools in real-world campaigns. Mimikatz is the most popular and effective tool that lets adversaries capture Windows credentials from system memory. Multiple activity groups, including ELECTRUM, ALLANITE, and DYMALLOY, use Mimikatz, and major wormable malware including NotPetya and Olympic Destroyer build in Mimikatz-like functionality for credential capture to propagate through infected networks. This tool can be leveraged for a pivot point within the network and used for traversing the IT and ICS boundary. Other tools include penetration testing frameworks Metasploit and PowerShell Empire, both of which contain versions of Mimikatz.   Later operational phases against ICS networks see the usage of ICS-specific knowledge, technology, processes, and capabilities. Threats continue to require months-to-many years of dedicated ICS research and reconnaissance to achieve any specific intent – hence our concern of the growing number of ICS intrusions which are the precursor to any disruptive action. Later operational phases leverage ICS-specific technologies and protocols to interact with and ultimately disrupt an industrial process. This means that a comprehensive ICS cybersecurity strategy must incorporate ICS-specific defenses and IT cybersecurity mechanisms.
  17. Recommendations Organizations can lower their risk profiles and proactively protect against common attack techniques by performing security best practices. Implement proper security hygiene and the principle of least privilege based on a deep knowledge of the environment. For instance: question whether tools like PSExec are necessary for every user; use access control lists and restrict administration rights across all devices; prohibit OT devices, including engineering workstations, from connecting to the internet or email services wherever possible; and ensure employees are trained to identify and report phishing and malicious activity. Additionally, increase visibility into host and ICS processes as a means to identify suspicious behavior within otherwise legitimate processes, such as PowerShell execution resulting in network connectivity.   Defending the Entire Kill Chain Defending against a dynamic threat landscape requires adopting a “Whole of Kill Chain” approach, keying in on adversary behaviors from the initial intrusions through second-stage impacts. Defenders can use a mix of modern threat detection strategies including indicator- or behavior-based methods, or approaches relying on modeling and configuration. Diversifying threat detection strategies can help asset owners and operators identify threats earlier, and achieve greater visibility into potential threats.   Leverage Threat Behavior Analytics As adversaries increasingly adopt Living off the Land and ICS-specific techniques, leveraging Threat Behavior Analytics (TBA) – or identifying patterns in behavior and malicious activity alongside static operations – can help improve identification of malicious activity within the environment. Dragos develops TBAs to help define activity groups, providing analytic identifiers that allow defenders to detect malicious behavior holistically, regardless of whether the individual indicators of compromise (IOCs) relating to the analytic change in different attacks.   Understand and Anticipate Threats ICS threat intelligence can give asset owners and operators actionable information to anticipate and defend against threats by providing visibility into the current landscape, trends, and targeting. Threat intelligence combines information from various sources and expert assessments to form conclusions that decision-makers can use to implement vertical-specific controls that result in effective security postures. https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 https://dragos.com/blog/FourTypesOfThreatDetection.html https://dragos.com/blog/20180226ThreatAnalyticsAndActivityGroups.html