Abstract image of a woman sitting on books and studying on a laptop

The Four Types of Threat Detection and Use Cases in Industrial Security

Download as PPTX, PDF
Dragos, Inc., profile picture
Dragos, Inc.

The document outlines various threat detection strategies in cybersecurity, emphasizing the importance of comprehensive detection approaches tailored to specific risks and use cases. It categorizes detection methods into four types: configuration-based, modeling-based, indicator-based, and behavior-based, each with distinct benefits and challenges. The authors recommend developing a detection strategy that utilizes multiple methods, supports all use cases, and involves creating detection targets and analytics maps to ensure effective coverage.

Technology
Related topics:
Threat Detection
1 of 21
Downloaded 79 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
DetectionStrategies Understanding and Using the 4Types of ThreatDetection Sergio Caltagirone and Robert M. Lee
Detection is themost Important thingyoudo. Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. NISTCybersecurityFrameworkv1.1 ASSUMEBREACH MEANS ALL ELSE FAILS. NIST CYBERSECURITY FRAMEWORK IDENTIFY PROTECT DETECTRESPOND RECOVER
Detection Strategies How &Where Howyoudetectmattersas muchas whereyou detect. Deploying“networkdetection”and“host detection”isnota completedetectionstrategy. Nor doall resourcesrequirethesamedetection! Detection Costs Falsenegativesandfalsepositivesbothleadtolossof control! ASOC inundatedwithlow-qualityalertsis thesame as aSOC lacking alerts. HowandWhere determineyourdetectionquality. Detection is Multi-Use Securityoperationsismorethanrapidresponseand incorporateshunting,investigation,andeachuse caserequiresdifferentdetectionstrategies. A detection strategy matches the appropriate detection approach to risks, resources, and use-case ensuring full detective coverage while minimizingcost.
A Detection Strategy - How Asset Event Location Use-Case Detection Human-MachineInterface (HMI) NewFiles Host NovelAttack Behavioral OPCServer Enumeration Network SimilarAttack ScanningModels(Anomaly) VPNConcentrator VPN-to-Known-C2 Network Scoping Indicator 01 IdentifyAssets,Events,Location,andUse-CasewithDetectionApproach–Each linebecomesa “DetectionTarget”
A Detection Strategy Recon Delivery Exploitation Action on Objectives P4 VPN.ID VPN.PWD_REUSE VPN.CONFIG_CHG P3 EW.ID EW.SMB EW.NEW_ACCT P2 HMI.ID HMI.NEW_FILES HMI.CHANGE_VAL P1/0 PLC.ID PLC.CHANGE_VAL * For Some Definition of the Purdue Model and Kill Chain 02 GenerateDetectionMaptoTestandMeasureCoverage–forICS,placeeach detectiontargetonthemap using thePurdueModel &KillChain
4 Detection Types
Configuration-Based Detection Configuration-based detection identifies deviations from aknown architecture. Example: Two fielddevices(e.g.,PLCs)communicatingwitheachother,counterarchitectureanddesignexpectations Benefits: • Withperfectvisibilityandcoverage,itcan hypotheticallydetectallmaliciousactivity • Accessible forindividualswithawiderangeofexperience • Easytomaintainin staticenvironments • Addssignificantvaluetootherdetectiontypesin responsesituations Challenges: • Difficulttomaintainindynamicenvironments • Limitedvisibilityandcoveragereduce effectiveness • Assumesa knowledgeofinfrastructureandconfiguration • False-positiveproneduetolikelyconfigurationchanges
Modeling-Based Detection Modeling-baseddetection uses mathematical models to classify assets andactivity identifying elements inconsistent with the model. Example: AbnormalnumberofWriterequestsinModbusTCPoutsideofnormalgiventhe averageoverthelast30days Benefits: • Canidentifynoveladversaryactivity • Easiertomaintainin verystaticenvironments • Addssignificantvaluetootherdetectiontypesin responsesituations Challenges: • Difficulttomaintainwhenenvironmentschange • Limitedvisibilityandcoveragereducestheeffectiveness • Nocontextofthreatactivitytosupportinvestigations • Assumesanalystshavein-depthknowledgeofinfrastructureandconfiguration • False-positiveprone duetolikelyconfigurationchanges • Potentiallyincorporatesexistingmaliciousactivityintothemodel
Indicator-Based Detection Indicator-based detection searches for elements of information known about previously andare often seen in the form of Indicators of Compromise (IOCs). Example: A specificIPaddressthatisaccessinganinternalasset Benefits: • Thequickestformofdetectiontocreateand deploy • Containsspecificthreatcontextrelatedtotheindicator • Usefulforenrichingotherdatasourcesandthreatdetections • Highlyeffectiveforscopinganenvironmentpostobservationoftheindicator Challenges: • Thevalueishighlydependentontheadversary’srateofchange • Retroactivein naturegiventheneedtoobservetheindicatorfirst • Doesnotscalewellbetweenvictims • Upperlimitsastohowmanyindicatorscanbe processed • Unknownindicatorexpiryleadstoinaccuratedetection
Threat Behavior-Based Detection Threat behavior analytics examine activity in environments and compares single actions and aggregate actions against aset of known malicious or suspicious activities. Example: LegitimateVPN accessfollowedbyuseraccount creationandfiledownloadon anengineeringworkstationandfinallyloginfromtheworkstationtoanHMI Benefits: • Excellent durabilityagainstadversarychange • Easytotuneforeachorganizationandenvironment • Lowfalsepositiverates • Immediatetransparencyforanalyststodiagnosethealertagainstexpectedbehavior • Onlyrequiresa fewanalyticstodetectmostknownmaliciousbehaviorusedsomewhere inan intrusion • Integrateswellwithdefensiveplaybooksandautomatedinvestigation/remediation Challenges: • Moderatelydifficulttoimplement • Manyanalyticsrequiredtoprovidecompletecoverage • Onlydetectssimilarthreatbehavioratthelimitofanalyticimagination • Are notfullyreusableacrossallindustries
Analytic Properties
Comparing Detection Approaches
Threat Detection Applications
Comparing Detection Approaches to Applications
Detection Strategy Use-Case IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
CONTROLLER CONTROLLER CONTROLLER CONTROLLER Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED CONTROLLER CONTROLLER CONTROLLER CONTROLLER OPC SERVER OPC SCAN ENUMERATION IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED CONTROLLER CONTROLLER CONTROLLER CONTROLLER OPC SERVER OPC SCAN ENUMERATION OPC VALUE OVERWRITE IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
CONTROLLER VALUE OVERWRITE Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED CONTROLLER CONTROLLER CONTROLLER CONTROLLER OPC SERVER OPC SCAN ENUMERATION OPC VALUE OVERWRITE IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
Detection Strategy with the 4 Types of Detection Develop a detection strategy! • Utilizeall detection methods • Support all youruse cases • Detection is multi-use • Consider How, Why, Where How do yougeneratea detection strategy? 1. Develop “detection targets” 2. Createyour analytics map 3. Implement using costs & benefits ofeach type 4. Test &measure coverage
Thank you info@dragos.com

More Related Content

PPSX
Next-Gen security operation center
Muhammad Sahputra
 
PPTX
Threat hunting - Every day is hunting season
Ben Boyd
 
PPTX
SOC: Use cases and are we asking the right questions?
Jonathan Sinclair
 
PDF
Threat Hunting
Splunk
 
PPTX
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
PPTX
Incident response
Anshul Gupta
 
PPTX
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Next-Gen security operation center
Muhammad Sahputra
 
Threat hunting - Every day is hunting season
Ben Boyd
 
SOC: Use cases and are we asking the right questions?
Jonathan Sinclair
 
Threat Hunting
Splunk
 
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
Incident response
Anshul Gupta
 
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 

What's hot (20)

PDF
Threat Hunting with Splunk Hands-on
Splunk
 
PDF
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PDF
Red Team Framework
👀 Joe Gray
 
PPTX
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl
 
PPTX
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
PDF
Introduction to QRadar
PencilData
 
PDF
Endpoint Detection & Response - FireEye
Prime Infoserv
 
PDF
Soc and siem and threat hunting
Vikas Jain
 
PPTX
SIEM Primer:
Anton Chuvakin
 
PDF
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Elasticsearch
 
PDF
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
PPTX
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
PDF
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
PDF
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
PDF
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
PPTX
QRadar, ArcSight and Splunk
M sharifi
 
Threat Hunting with Splunk Hands-on
Splunk
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Red Team Framework
👀 Joe Gray
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl
 
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Introduction to QRadar
PencilData
 
Endpoint Detection & Response - FireEye
Prime Infoserv
 
Soc and siem and threat hunting
Vikas Jain
 
SIEM Primer:
Anton Chuvakin
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Elasticsearch
 
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
QRadar, ArcSight and Splunk
M sharifi
 
Ad

Similar to The Four Types of Threat Detection and Use Cases in Industrial Security (20)

PPTX
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
PPTX
RMS Security Breakfast
Rackspace
 
PDF
Doten apt presentaiton (2)
Jeff Green
 
PPTX
Your cyber security webinar
Intergen
 
PDF
Full_Cybersecurity_Project_Report_30_Pages.pdf
Arun446808
 
PDF
Full_Cybersecurity_Project_Report_30_Pages.pdf
Arun446808
 
PPTX
EthicalHack{aksdladlsfsamnookfmnakoasjd}.pptx
dagarabull
 
PPTX
What is Threat Hunting? - Panda Security
Panda Security
 
PPTX
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
bakhtinasiriav
 
PPTX
Your cyber security webinar
Empired
 
PDF
NCC Group Pro-active Breach Discovery: Network Threat Assessment
Ollie Whitehouse
 
PDF
Incident Response & Malware Analysis Protecting the Digital Frontier
varnika2764
 
PDF
Why Penetration Testing is Important- digitdefence
kandrasupriya99
 
PDF
Penetration Testing: An Essential Guide to Cybersecurity
techcountryglow
 
PDF
Caccia alle Minacce: Intelligence e Hunting nel cyberspace
Speck&Tech
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PDF
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
PDF
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
PDF
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
James Anderson
 
PDF
Understanding the Basics of Penetration Testing Services.pdf
Rosy G
 
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
RMS Security Breakfast
Rackspace
 
Doten apt presentaiton (2)
Jeff Green
 
Your cyber security webinar
Intergen
 
Full_Cybersecurity_Project_Report_30_Pages.pdf
Arun446808
 
Full_Cybersecurity_Project_Report_30_Pages.pdf
Arun446808
 
EthicalHack{aksdladlsfsamnookfmnakoasjd}.pptx
dagarabull
 
What is Threat Hunting? - Panda Security
Panda Security
 
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
bakhtinasiriav
 
Your cyber security webinar
Empired
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
Ollie Whitehouse
 
Incident Response & Malware Analysis Protecting the Digital Frontier
varnika2764
 
Why Penetration Testing is Important- digitdefence
kandrasupriya99
 
Penetration Testing: An Essential Guide to Cybersecurity
techcountryglow
 
Caccia alle Minacce: Intelligence e Hunting nel cyberspace
Speck&Tech
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
James Anderson
 
Understanding the Basics of Penetration Testing Services.pdf
Rosy G
 
Ad

More from Dragos, Inc. (20)

PPTX
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
PPTX
Dragos 2019 ICS Year in Review
Dragos, Inc.
 
PDF
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
PPTX
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos, Inc.
 
PDF
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
PPTX
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
PPTX
Purple Teaming ICS Networks
Dragos, Inc.
 
PPTX
Securing Electric Utility Infrastructure
Dragos, Inc.
 
PDF
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Dragos, Inc.
 
PPTX
Neighborhood Keeper - Introduction
Dragos, Inc.
 
PPTX
Dressing up the ICS Kill Chain
Dragos, Inc.
 
PDF
Consequence Informed Cyber Security
Dragos, Inc.
 
PPTX
Dragos year in review (yir) 2018
Dragos, Inc.
 
PPTX
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos, Inc.
 
PPTX
2018 Year in Review- ICS Threat Activity Groups
Dragos, Inc.
 
PDF
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Dragos, Inc.
 
PDF
The Current ICS Threat Landscape
Dragos, Inc.
 
PDF
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
PPTX
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Dragos, Inc.
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
Dragos 2019 ICS Year in Review
Dragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
Purple Teaming ICS Networks
Dragos, Inc.
 
Securing Electric Utility Infrastructure
Dragos, Inc.
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Dragos, Inc.
 
Neighborhood Keeper - Introduction
Dragos, Inc.
 
Dressing up the ICS Kill Chain
Dragos, Inc.
 
Consequence Informed Cyber Security
Dragos, Inc.
 
Dragos year in review (yir) 2018
Dragos, Inc.
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos, Inc.
 
2018 Year in Review- ICS Threat Activity Groups
Dragos, Inc.
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Dragos, Inc.
 
The Current ICS Threat Landscape
Dragos, Inc.
 
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Dragos, Inc.
 

Recently uploaded (20)

PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Five Habits of High-Impact Board Members
OnBoard
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 

The Four Types of Threat Detection and Use Cases in Industrial Security

  • 1. DetectionStrategies Understanding and Using the 4Types of ThreatDetection Sergio Caltagirone and Robert M. Lee
  • 2. Detection is themost Important thingyoudo. Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. NISTCybersecurityFrameworkv1.1 ASSUMEBREACH MEANS ALL ELSE FAILS. NIST CYBERSECURITY FRAMEWORK IDENTIFY PROTECT DETECTRESPOND RECOVER
  • 3. Detection Strategies How &Where Howyoudetectmattersas muchas whereyou detect. Deploying“networkdetection”and“host detection”isnota completedetectionstrategy. Nor doall resourcesrequirethesamedetection! Detection Costs Falsenegativesandfalsepositivesbothleadtolossof control! ASOC inundatedwithlow-qualityalertsis thesame as aSOC lacking alerts. HowandWhere determineyourdetectionquality. Detection is Multi-Use Securityoperationsismorethanrapidresponseand incorporateshunting,investigation,andeachuse caserequiresdifferentdetectionstrategies. A detection strategy matches the appropriate detection approach to risks, resources, and use-case ensuring full detective coverage while minimizingcost.
  • 4. A Detection Strategy - How Asset Event Location Use-Case Detection Human-MachineInterface (HMI) NewFiles Host NovelAttack Behavioral OPCServer Enumeration Network SimilarAttack ScanningModels(Anomaly) VPNConcentrator VPN-to-Known-C2 Network Scoping Indicator 01 IdentifyAssets,Events,Location,andUse-CasewithDetectionApproach–Each linebecomesa “DetectionTarget”
  • 5. A Detection Strategy Recon Delivery Exploitation Action on Objectives P4 VPN.ID VPN.PWD_REUSE VPN.CONFIG_CHG P3 EW.ID EW.SMB EW.NEW_ACCT P2 HMI.ID HMI.NEW_FILES HMI.CHANGE_VAL P1/0 PLC.ID PLC.CHANGE_VAL * For Some Definition of the Purdue Model and Kill Chain 02 GenerateDetectionMaptoTestandMeasureCoverage–forICS,placeeach detectiontargetonthemap using thePurdueModel &KillChain
  • 7. Configuration-Based Detection Configuration-based detection identifies deviations from aknown architecture. Example: Two fielddevices(e.g.,PLCs)communicatingwitheachother,counterarchitectureanddesignexpectations Benefits: • Withperfectvisibilityandcoverage,itcan hypotheticallydetectallmaliciousactivity • Accessible forindividualswithawiderangeofexperience • Easytomaintainin staticenvironments • Addssignificantvaluetootherdetectiontypesin responsesituations Challenges: • Difficulttomaintainindynamicenvironments • Limitedvisibilityandcoveragereduce effectiveness • Assumesa knowledgeofinfrastructureandconfiguration • False-positiveproneduetolikelyconfigurationchanges
  • 8. Modeling-Based Detection Modeling-baseddetection uses mathematical models to classify assets andactivity identifying elements inconsistent with the model. Example: AbnormalnumberofWriterequestsinModbusTCPoutsideofnormalgiventhe averageoverthelast30days Benefits: • Canidentifynoveladversaryactivity • Easiertomaintainin verystaticenvironments • Addssignificantvaluetootherdetectiontypesin responsesituations Challenges: • Difficulttomaintainwhenenvironmentschange • Limitedvisibilityandcoveragereducestheeffectiveness • Nocontextofthreatactivitytosupportinvestigations • Assumesanalystshavein-depthknowledgeofinfrastructureandconfiguration • False-positiveprone duetolikelyconfigurationchanges • Potentiallyincorporatesexistingmaliciousactivityintothemodel
  • 9. Indicator-Based Detection Indicator-based detection searches for elements of information known about previously andare often seen in the form of Indicators of Compromise (IOCs). Example: A specificIPaddressthatisaccessinganinternalasset Benefits: • Thequickestformofdetectiontocreateand deploy • Containsspecificthreatcontextrelatedtotheindicator • Usefulforenrichingotherdatasourcesandthreatdetections • Highlyeffectiveforscopinganenvironmentpostobservationoftheindicator Challenges: • Thevalueishighlydependentontheadversary’srateofchange • Retroactivein naturegiventheneedtoobservetheindicatorfirst • Doesnotscalewellbetweenvictims • Upperlimitsastohowmanyindicatorscanbe processed • Unknownindicatorexpiryleadstoinaccuratedetection
  • 10. Threat Behavior-Based Detection Threat behavior analytics examine activity in environments and compares single actions and aggregate actions against aset of known malicious or suspicious activities. Example: LegitimateVPN accessfollowedbyuseraccount creationandfiledownloadon anengineeringworkstationandfinallyloginfromtheworkstationtoanHMI Benefits: • Excellent durabilityagainstadversarychange • Easytotuneforeachorganizationandenvironment • Lowfalsepositiverates • Immediatetransparencyforanalyststodiagnosethealertagainstexpectedbehavior • Onlyrequiresa fewanalyticstodetectmostknownmaliciousbehaviorusedsomewhere inan intrusion • Integrateswellwithdefensiveplaybooksandautomatedinvestigation/remediation Challenges: • Moderatelydifficulttoimplement • Manyanalyticsrequiredtoprovidecompletecoverage • Onlydetectssimilarthreatbehavioratthelimitofanalyticimagination • Are notfullyreusableacrossallindustries
  • 15. Detection Strategy Use-Case IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
  • 16. CONTROLLER CONTROLLER CONTROLLER CONTROLLER Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
  • 17. Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED CONTROLLER CONTROLLER CONTROLLER CONTROLLER OPC SERVER OPC SCAN ENUMERATION IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
  • 18. Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED CONTROLLER CONTROLLER CONTROLLER CONTROLLER OPC SERVER OPC SCAN ENUMERATION OPC VALUE OVERWRITE IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
  • 19. CONTROLLER VALUE OVERWRITE Detection Strategy Use-Case VPN ENGINEERING WORKSTATION NEW FILE (S) SCANSSTARTED CONTROLLER CONTROLLER CONTROLLER CONTROLLER OPC SERVER OPC SCAN ENUMERATION OPC VALUE OVERWRITE IT Land SPEARPHISHINGEMAIL KEY LOGGER & RAT ENGINEER CREDENTIALTHEFT
  • 20. Detection Strategy with the 4 Types of Detection Develop a detection strategy! • Utilizeall detection methods • Support all youruse cases • Detection is multi-use • Consider How, Why, Where How do yougeneratea detection strategy? 1. Develop “detection targets” 2. Createyour analytics map 3. Implement using costs & benefits ofeach type 4. Test &measure coverage