INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY
VISIBILITY. DETECTION. RESPONSE.
RANSOMWARE IN AN INDUSTRIAL WORLD
Principal Cyber Risk Advisor
JASON D. CHRISTOPHER
§ Cyber risk management professional services, tied to threat intel & Dragos platform
§ Certified SANS Instructor for industrial control systems security
§ Former CTO for Axio Global, Inc., leading critical infrastructure protection strategy
§ Federal energy lead for several industry standards and guidelines, including NERC CIP, NIST CSF, and the C2M2
§ Led cyber incident & risk management team for US Department of Energy
§ Security metrics development across EPRI and other research organizations
§ Began career deploying & securing ICS
§ Frequent speaker at conferences & client events
§ MS, Electrical Engineering, Cornell
@jdchristopher
linkedin.com/in/jdchristopher
Quick ICS Overview
• OT security concepts
• ICS Cybersecurity Kill Chain
• Attacking ICS
Ransomware… where?
• Evolution of ransomware
• ICS & untargeted ransomware
• Recent events and examples
Actionable Recommendations
• OT-specific security programs
• The M&M model
• ICS hardening and limitations
RANSOMWARE in an
INDUSTRIAL WORLD
INDUSTRIAL TECHNOLOGIES
Focused on processes that impact the real world, using industrial control systems (ICS) and operational technology (OT)
• 24 x 7 operations
• 10-30 year lifecycle
• 16 critical infrastructure sectors
What are industrial control systems?
When a 0 or 1 impacts the physical world.
Devices and systems include:
• Sensors
• Controllers
• Motors
• Generators
• Safety Systems
• I/O Devices
• Field Devices
• IEDs
• Human-Machine Interface
Evolution of Operational Technology (OT)
3rd Industrial Revolution
Automation of Production by Electronics
DCS | Distributed Control System
SCADA | Supervisory Control & Data Acquisition
4th Industrial Revolution
Smart Connected Systems
“Industry 4.0” // “Industrial IoT”
STAND-ALONE → LOOSELY CONNECTED → HIGHLY CONNECTED
standardization
Traditional IT Security Issues in OT
• Endpoint Agents
• ENCRYPTION
• VULNERABILITY SCANNING
• ANTI-VIRUS
• PATCHING
Real-world cyber-based industrial-impacts
AGAIN
Think physical processes…
• 2009: Centrifuge Failure
• 2012: Telvent Espionage
• 2001: Sewage Spill
• 2014: Furnace Loss of Control
• 2015 & 2016: Power Outages
• 2017: (un)Safety System
Describing ICS Cyber Attacks
The Lockheed Martin Cyber Kill Chain® is a model to help in the identification and prevention of cyber intrusions activity… but does not consider steps needed for ICS-specific attacks
STAGE 1
Describing ICS Cyber Attacks
Stage 2 of the ICS Cyber Kill Chain discusses unique capabilities required to result in real-world impacts.
STAGE 2
STAGE 1 | STAGE 2
Stage 1 and Stage 2 work together to impact industrial processes, stretching across both IT and OT networks
INDUSTRIAL ATTACKS: IT and OT
Corporate IT
Plant OT
Industrial Process Impacts
For ICS-specific capabilities, the impact would be focused on operational impacts.
ICS Attack Difficulty
The knowledge involved in ICS attacks, with physical impact, includes:
• IT security
• OT security
• OT-specific protocols
• Engineering processes
• Incident response
• Disaster recovery
ENTER
RANSOMWARE
THE DRAGOS PLATFORM
ICS SECURITY SERVICES
DRAGOS WORLDVIEW
Evolution of Ransomware
Pre-2017
§ Primary targeting via phishing, malicious websites
§ Single victim, single machine focus
2017-2018
§ RISE OF THE WORMS
§ Single victim machine, opportunistic targeting
2018-Present
§ Interactive operations to attack corporate networks
§ Hold entire networks hostage
WannaCry
Animated map from New York Times, accessed 2020-03-30: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
NotPetya… Not Ransomware
“Wiper disguised as ransomware,” with increased collateral damage beyond any initial targets.
• +$10B in estimated damages
• 2M computers impacted in 2HRs
• +65 countries involved in response
Norsk Hydro & LockerGoga
…at execution…
§ Removes self, launches child process
…through encryption…
§ Writes ransom note
§ Encrypts files, binaries, etc.
…to lock out…
§ Changes local user and admin credentials
§ Disables system network card
§ Logs off all logged-in users
Read more here: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
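A defender-side sketch of the lock-out behaviours listed above, as an added example that is not from the original slides or from Dragos: it correlates credential changes, network-adapter disablement and forced logoffs per host, and treats telemetry silence after a credential change as a signal, since a host whose network card is disabled stops reporting. The event kinds, log format and host names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized event kinds for the "lock out" behaviours on the slide.
LOCKOUT_KINDS = {"local_password_change", "nic_disabled", "session_logoff"}

# Constructed sample telemetry: "<ISO time> <host> <kind> <detail>"
SAMPLE_LOG = """\
2020-01-01T10:00:00 HMI-01 heartbeat -
2020-01-01T10:00:00 ENG-WS-02 heartbeat -
2020-01-01T10:00:00 HIST-03 heartbeat -
2020-01-01T10:03:10 ENG-WS-02 local_password_change user=operator
2020-01-01T10:05:00 HMI-01 heartbeat -
2020-01-01T10:05:00 ENG-WS-02 heartbeat -
2020-01-01T10:05:00 HIST-03 heartbeat -
2020-01-01T10:07:41 HMI-01 local_password_change user=Administrator
2020-01-01T10:07:42 HMI-01 local_password_change user=operator
2020-01-01T10:07:50 HMI-01 session_logoff user=operator
2020-01-01T10:08:02 HIST-03 local_password_change user=Administrator
2020-01-01T10:08:03 HIST-03 nic_disabled adapter=Ethernet0
2020-01-01T10:10:00 ENG-WS-02 heartbeat -
2020-01-01T10:15:00 ENG-WS-02 heartbeat -
"""


def parse(log):
    """Turn the constructed log text into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def assess_hosts(events, now,
                 window=timedelta(minutes=5),
                 max_silence=timedelta(minutes=7)):
    """Return {host: {"signals": [...], "silent": bool}} for hosts worth triage.

    A host is flagged when two or more distinct lock-out behaviours fall inside
    one window, or when a single lock-out behaviour is followed by silence
    (no events of any kind, heartbeats included, for longer than max_silence).
    """
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        lockout = [(ts, kind) for ts, _, kind, _ in evs if kind in LOCKOUT_KINDS]
        if not lockout:
            continue

        # Largest set of distinct lock-out kinds seen inside any one window.
        best = set()
        for i, (start, _) in enumerate(lockout):
            kinds = {k for ts, k in lockout[i:] if ts - start <= window}
            if len(kinds) > len(best):
                best = kinds

        # The adapter-disabled event may never reach the collector, so the
        # absence of telemetry after a credential change is itself evidence.
        silent = now - evs[-1][0] > max_silence

        if len(best) >= 2 or silent:
            findings[host] = {"signals": sorted(best), "silent": silent}
    return findings


if __name__ == "__main__":
    result = assess_hosts(parse(SAMPLE_LOG), now=datetime(2020, 1, 1, 10, 16))
    for host, info in sorted(result.items()):
        print(host, info)
```

The single routine password change on ENG-WS-02 is not flagged because the host keeps reporting; tune the window and silence threshold to the site's heartbeat interval.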
STAGE 1 | STAGE 2
Again, think back to the ICS Cyber Kill Chain – no OT-specific knowledge or tools were leveraged during these events.
IT-Centric RANSOMWARE in OT Systems
Corporate IT
Plant OT
OT was collateral damage
EKANS and ICS
§ Ransomware with ICS-specific system processes highlighted
Trends & Considerations
What’s next?
§ Ransomware evolution over the past few years shows trending towards bigger impacts
Ransom = $$$
§ What are organizations willing to pay to unlock data?
§ Whole networks?
§ Entire industrial facilities?
Ransomware vs. Wiper
§ Careful distinction, but would that change your behavior?
§ Regardless of paying the ransom, would you ever trust that device again?
Paying the Ransom as “Remediation”
Pay the ransom? … or go out of pocket?
VS
Read more here: https://www.forbes.com/sites/forbestechcouncil/2020/01/07/taking-governments-hostage-three-fixes-for-a-ransomware-world/
SO NOW WHAT?
awesome.
PROTECTING THE CROWN JEWELS
Getting Started on Industrial Cybersecurity
Dedicate OT-specific resources
§ Who knows how to protect ICS?
§ In-house & 3rd party resources
Planning for a bad day
§ What’s the worst-case scenario? How would you prepare?
§ Who would you call?
Understanding the impacts
§ What’s the cost associated with downtime? Or broken equipment?
§ What are the “crown jewels?”
invest in PERIMETERS
Strengthen & harden SYSTEMS where possible
BACK-UP
Lock up those crown jewels
Restrict external communications
Look for bad stuff happening
Mileage will vary
Understand the last known “good state”
ICS is a critical, high-trust zone. Treat it accordingly!
Hot and cold storage considerations
ICS-specific: set points, project files, engineering documents
TEST. TEST. TEST.
BRINGING IT ALL TOGETHER
Establish, Enable, & Enhance Your ICS Defenses
1. Understand your ICS environments with impact-based prioritization
2. Learn attackers’ behaviors, proactively find threats, and reinforce your detection methods
3. Test your defenses with real-world scenarios and strengthen your response procedures
- ARCHITECTURE REVIEW
- OT-SPECIFIC RESOURCES
- CROWN JEWEL ANALYSIS
- INVEST IN PERIMETERS
- HARDEN SYSTEMS
- BACK-UPS!
- DATA COLLECTION
- OT DETECTION
- THREAT HUNTING
- TABLE TOP EXERCISE
- PENETRATION TESTING
- MANAGED THREAT HUNTING
START HERE
Dragos’ Year in Review provides insights and lessons learned from our team’s first-hand experience hunting, combatting, and responding to ICS adversaries throughout the year.
ICS VULNERABILITIES REPORT
Provides an analysis of ICS-specific vulnerabilities and discusses impacts, risks, and mitigation options for defenders
ICS THREAT LANDSCAPE REPORT
Provides insights on the state of ICS cybersecurity, the latest trends and observations of ICS-specific adversaries, and proactive defensive recommendations.
LESSONS LEARNED FROM THE FRONT LINES REPORT
Provides a synopsis of trends observed within the industry and lessons learned from Dragos’ proactive and responsive service engagements
THANK YOU
JASON D. CHRISTOPHER
@jdchristopher
linkedin.com/in/jdchristopher

More Related Content

What's hot

Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
Dragos, Inc.
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018
Dragos, Inc.
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
Dragos, Inc.
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction
Dragos, Inc.
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
Dragos, Inc.
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
Dragos, Inc.
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in Review
Dragos, Inc.
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
Dragos, Inc.
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
Dragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility Infrastructure
Dragos, Inc.
 
Kofax Document Security
Kofax Document Security Kofax Document Security
Kofax Document Security
Kofax
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos, Inc.
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
Kaspersky
 

What's hot (20)

Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread Blackouts
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in Review
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
 
Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility Infrastructure
 
Kofax Document Security
Kofax Document Security Kofax Document Security
Kofax Document Security
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 

Similar to Dragos and CyberWire: ICS Ransomware

Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
Cisco Canada
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
Eric Gallant
 
Cybersecurity for Control Systems: Current State and Future Vision pt.1
Cybersecurity for Control Systems: Current State and Future Vision pt.1Cybersecurity for Control Systems: Current State and Future Vision pt.1
Cybersecurity for Control Systems: Current State and Future Vision pt.1EnergySec
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
TI Safe
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Abhishek Goel
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonPatricia M Watson
 
Cyber security colombo meetup
Cyber security colombo meetupCyber security colombo meetup
Cyber security colombo meetup
Eguardian Global Services
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
Nozomi Networks
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
MarketingArrowECS_CZ
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
Mark Underwood
 
2019 10-22 axio - taking control of cyber risk - grid-seccon
2019 10-22 axio - taking control of cyber risk - grid-seccon2019 10-22 axio - taking control of cyber risk - grid-seccon
2019 10-22 axio - taking control of cyber risk - grid-seccon
Axio
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Mighty Guides, Inc.
 
Webinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on UtilitiesWebinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on Utilities
WPICPE
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloud
Ulf Mattsson
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
Filip Maertens
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
BGA Cyber Security
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
Felipe Prado
 
CyCron 2016
CyCron 2016CyCron 2016
CyCron 2016
Cruxcreative
 

Similar to Dragos and CyberWire: ICS Ransomware (20)

Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
 
Cybersecurity for Control Systems: Current State and Future Vision pt.1
Cybersecurity for Control Systems: Current State and Future Vision pt.1Cybersecurity for Control Systems: Current State and Future Vision pt.1
Cybersecurity for Control Systems: Current State and Future Vision pt.1
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Cyber security colombo meetup
Cyber security colombo meetupCyber security colombo meetup
Cyber security colombo meetup
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINAL
 
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
 
2019 10-22 axio - taking control of cyber risk - grid-seccon
2019 10-22 axio - taking control of cyber risk - grid-seccon2019 10-22 axio - taking control of cyber risk - grid-seccon
2019 10-22 axio - taking control of cyber risk - grid-seccon
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
 
Webinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on UtilitiesWebinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on Utilities
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloud
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
CyCron 2016
CyCron 2016CyCron 2016
CyCron 2016
 

More from Dragos, Inc.

Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Dragos, Inc.
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Dragos, Inc.
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Dragos, Inc.
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
Dragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
Dragos, Inc.
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICS
Dragos, Inc.
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 

More from Dragos, Inc. (8)

Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICS
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Epistemic Interaction - tuning interfaces to provide information for AI support


Dragos and CyberWire: ICS Ransomware

  • 1. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY. VISIBILITY. DETECTION. RESPONSE. RANSOMWARE IN AN INDUSTRIAL WORLD
  • 2. JASON D. CHRISTOPHER, Principal Cyber Risk Advisor
      § Cyber risk management professional services, tied to threat intel & Dragos platform
      § Certified SANS Instructor for industrial control systems security
      § Former CTO for Axio Global, Inc., leading critical infrastructure protection strategy
      § Federal energy lead for several industry standards and guidelines, including NERC CIP, NIST CSF, and the C2M2
      § Led cyber incident & risk management team for US Department of Energy
      § Security metrics development across EPRI and other research organizations
      § Began career deploying & securing ICS
      § Frequent speaker at conferences & client events
      § MS, Electrical Engineering, Cornell
      @jdchristopher | linkedin.com/in/jdchristopher
  • 3. RANSOMWARE in an INDUSTRIAL WORLD
      Quick ICS Overview: OT security concepts; ICS Cybersecurity Kill Chain; Attacking ICS
      Ransomware… where?: Evolution of ransomware; ICS & untargeted ransomware; Recent events and examples
      Actionable Recommendations: OT-specific security programs; The M&M model; ICS hardening and limitations
  • 4. INDUSTRIAL TECHNOLOGIES: Focused on processes that impact the real world, using industrial control systems (ICS) and operational technology (OT). 24 x 7 operations; 10-30 year lifecycle; 16 critical infrastructure sectors.
  • 5. What are industrial control systems? When a 0 or 1 impacts the physical world. Devices and systems include: Sensors, Controllers, Motors, Generators, Safety Systems, I/O Devices, Field Devices, IEDs, Human-Machine Interface.
  • 6. Evolution of Operational Technology (OT)
      3rd Industrial Revolution: Automation of Production by Electronics. DCS | Distributed Control System; SCADA | Supervisory Control & Data Acquisition
      4th Industrial Revolution: Smart Connected Systems. “Industry 4.0” // “Industrial IoT”
      STAND-ALONE / LOOSELY CONNECTED / HIGHLY CONNECTED; standardization
  • 7. Traditional IT Security Issues in OT: Endpoint Agents, ENCRYPTION, VULNERABILITY SCANNING, ANTI-VIRUS, PATCHING
  • 8. Real-world cyber-based industrial-impacts. AGAIN: Think physical processes… 2009: Centrifuge Failure; 2012: Telvent Espionage; 2001: Sewage Spill; 2014: Furnace Loss of Control; 2015 & 2016: Power Outages; 2017: (un)Safety System
  • 9. Describing ICS Cyber Attacks (STAGE 1): The Lockheed Martin Cyber Kill Chain® is a model to help in the identification and prevention of cyber intrusions activity… but does not consider steps needed for ICS-specific attacks
  • 10. Describing ICS Cyber Attacks (STAGE 2): Stage 2 of the ICS Cyber Kill Chain discusses unique capabilities required to result in real-world impacts.
  • 11. INDUSTRIAL ATTACKS: IT and OT. Stage 1 and Stage 2 work together to impact industrial processes, stretching across both IT and OT networks. Diagram labels: STAGE 1, STAGE 2; Corporate IT, Plant OT
  • 12. Industrial Process Impacts: For ICS-specific capabilities, the impact would be focused on operational impacts.
  • 13. ICS Attack Difficulty: The knowledge involved in ICS attacks, with physical impact, includes:
      • IT security
      • OT security
      • OT-specific protocols
      • Engineering processes
      • Incident response
      • Disaster recovery
  • 15. Evolution of Ransomware. Eras: Pre-2017; 2017-2018; 2018-Present
      § Interactive operations to attack corporate networks
      § Hold entire networks hostage
      § RISE OF THE WORMS
      § Single victim machine, opportunistic targeting
      § Primary targeting via phishing, malicious websites
      § Single victim, single machine focus
      THE DRAGOS PLATFORM | ICS SECURITY SERVICES | DRAGOS WORLDVIEW
  • 16. WannaCry: Animated map from New York Times, accessed 2020-03-30: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
  • 17. NotPetya… Not Ransomware: “Wiper disguised as ransomware,” with increased collateral damage beyond any initial targets. +$10B in estimated damages; 2M computers impacted in 2HRs; +65 countries involved in response
  • 18. Norsk Hydro & LockerGoga: …at execution… …through encryption… …to lock out…
      § Removes self, launches child process
      § Writes ransom note
      § Encrypts files, binaries, etc
      § Changes local user and admin credentials
      § Disables system network card
      § Logs off all logged-in users
      Read more here: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
  • 19. IT-Centric RANSOMWARE in OT Systems: Again, think back to the ICS Cyber Kill Chain – no OT-specific knowledge or tools were leveraged during these events. OT was collateral damage. Diagram labels: STAGE 1, STAGE 2; Corporate IT, Plant OT
  • 20. Trends & Considerations
      EKANS and ICS
      § Ransomware with ICS-specific system processes highlighted
      What’s next?
      § Ransomware evolution over the past few years shows a trend towards bigger impacts
      Ransom = $$$
      § What are organizations willing to pay to unlock data?
      § Whole networks?
      § Entire industrial facilities?
      Ransomware vs. Wiper
      § Careful distinction, but would that change your behavior?
      § Regardless of paying the ransom, would you ever trust that device again?
  • 21. Paying the Ransom as “Remediation”: Pay the ransom? VS …or go out of pocket? Read more here: https://www.forbes.com/sites/forbestechcouncil/2020/01/07/taking-governments-hostage-three-fixes-for-a-ransomware-world/
  • 24. Getting Started on Industrial Cybersecurity
      Dedicate OT-specific resources
      § Who knows how to protect ICS?
      § In-house & 3rd party resources
      Planning for a bad day
      § What’s the worst-case scenario? How would you prepare?
      § Who would you call?
      Understanding the impacts
      § What’s the cost associated with downtime? Or broken equipment?
      § What are the “crown jewels?”
  • 25. Invest in PERIMETERS. Strengthen & harden SYSTEMS where possible. BACK-UP.
      Lock up those crown jewels. Restrict external communications. Look for bad stuff happening. Mileage will vary. Understand the last known “good state”. ICS is a critical, high-trust zone. Treat it accordingly! Hot and cold storage considerations. ICS-specific: set points, project files, engineering documents. TEST. TEST. TEST.
  • 26. BRINGING IT ALL TOGETHER: Establish, Enable, & Enhance Your ICS Defenses
      Understand your ICS environments with impact-based prioritization
      Learn attackers’ behaviors, proactively find threats, and reinforce your detection methods
      Test your defenses with real-world scenarios and strengthen your response procedures
      Steps (numbered 1, 2, 3 on the slide; START HERE): - ARCHITECTURE REVIEW - OT-SPECIFIC RESOURCES - CROWN JEWEL ANALYSIS - INVEST IN PERIMETERS - HARDEN SYSTEMS - BACK-UPS! - DATA COLLECTION - OT DETECTION - THREAT HUNTING - TABLE TOP EXERCISE - PENETRATION TESTING - MANAGED THREAT HUNTING
  • 27. Dragos’ Year in Review provides insights and lessons learned from our team’s first-hand experience hunting, combatting, and responding to ICS adversaries throughout the year.
      ICS VULNERABILITIES REPORT: Provides an analysis of ICS-specific vulnerabilities and discusses impacts, risks, and mitigation options for defenders
      ICS THREAT LANDSCAPE REPORT: Provides insights on the state of ICS cybersecurity, the latest trends and observations of ICS-specific adversaries, and proactive defensive recommendations.
      LESSONS LEARNED FROM THE FRONT LINES REPORT: Provides a synopsis of trends observed within the industry and lessons learned from Dragos’ proactive and responsive service engagements
  • 28. THANK YOU JASON D. CHRISTOPHER @jdchristopher linkedin.com/in/jdchristopher