CyberWire Daily - Encore: Active visibility into OT systems. [Control Loop]
Episode Date: December 27, 2023

Rockwell Stratix routers vulnerable to Cisco zero-day. SecurityWeek’s ICS Cyber Security Conference. Malware attacks against IoT devices increase by 400%. Nuclear power plant operator cited over cybersecurity plan. CISA’s ICS advisories. Guest Garrett Bladow, Distinguished Engineer at Dragos, joins us from the CyberCon 2023 event in Bismarck, North Dakota. Garrett discusses active visibility into OT systems. On the Learning Lab, Mark Urban shares the second part of his conversation about cyber threat intelligence with Paul Lukoskie, who is Dragos’ Director of Intelligence Services.

Control Loop News Brief.

Rockwell Stratix routers vulnerable to Cisco zero-day.
PN1653 | Stratix® 5800 & 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit) (Rockwell Automation)

SecurityWeek’s ICS Cyber Security Conference.
2023 ICS Cybersecurity Conference (SecurityWeek)

Malware attacks against IoT devices increase by 400%.
Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report (Zscaler)

Nuclear power plant operator cited over cybersecurity plan.
UK Cites Nuclear Plant Operator Over Cybersecurity Strategy (Silicon UK)

Rockwell and Dragos announce partnership.
Dragos and Rockwell Automation Strengthen Industrial Control System Cybersecurity for Manufacturers with Expanded Capabilities (Business Wire)

CISA’s ICS advisories.
CISA Releases Two Industrial Control Systems Advisories (CISA)
Hitachi Energy’s RTU500 Series Product (Update B) (CISA)
CISA Releases Nine Industrial Control Systems Advisories (CISA)

Control Loop Interview.
Guest is Garrett Bladow, Distinguished Engineer at Dragos, discussing active visibility into OT systems.

Control Loop Learning Lab.
On the Learning Lab, Mark Urban is joined by Dragos’ Director of Intelligence Services, Paul Lukoskie, for part two of their discussion on cyber threat intelligence.

Control Loop OT Cybersecurity Briefing.
A companion monthly newsletter is available through free subscription and on the CyberWire's website.
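The interview in this episode describes the EtherNet/IP "give me your ID" call (ListIdentity), which returns a device's vendor, product code, revision and serial number in a single reply with no session set up first. The Python below is an added worked example, not code from the episode, from Dragos or from the CyberWire: it builds the one-datagram ListIdentity request, parses a reply using the field layout of the ODVA EtherNet/IP encapsulation specification, and wraps the two in a query_device helper (a name assumed here). The sample reply it decodes is constructed for the example, using an address from the 192.0.2.0/24 documentation range and made-up vendor, product and serial values; it describes no real device. As the interview stresses, send such a query once, in a maintenance window, and never in a loop against production controllers.

```python
"""Added example (not from the episode, Dragos or the CyberWire): a one-shot
EtherNet/IP ListIdentity query and a parser for the reply.  Field layout
follows the ODVA EtherNet/IP encapsulation specification; SAMPLE_REPLY is
constructed here for the demonstration and describes no real device."""
import socket
import struct

ENIP_PORT = 44818             # EtherNet/IP encapsulation port; ListIdentity goes over UDP
CMD_LIST_IDENTITY = 0x0063    # encapsulation command code for ListIdentity
ITEM_LIST_IDENTITY = 0x000C   # CPF item type carried in the reply
HEADER_FMT = "<HHII8sI"       # command, length, session, status, sender context, options
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes, all little-endian


def build_list_identity_request(sender_context: bytes = b"\x00" * 8) -> bytes:
    """The request is the bare encapsulation header with no payload.
    Session handle 0 means no session is registered first: one datagram suffices."""
    if len(sender_context) != 8:
        raise ValueError("sender context must be exactly 8 bytes")
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, sender_context, 0)


def parse_list_identity_reply(data: bytes) -> dict:
    """Decode the first ListIdentity item of a reply; reject truncated or foreign frames."""
    if len(data) < HEADER_LEN:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"device returned encapsulation status 0x{status:08x}")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated reply body")
    item_count, item_type, item_len = struct.unpack_from("<HHH", body)
    if item_count < 1 or item_type != ITEM_LIST_IDENTITY:
        raise ValueError("reply carries no ListIdentity item")
    item = body[6:6 + item_len]
    if len(item) != item_len or item_len < 34:
        raise ValueError("truncated identity item")
    (proto_ver,) = struct.unpack_from("<H", item, 0)
    # The socket address is the one big-endian (network order) field:
    # family, port, IPv4 address, then 8 zero bytes.
    _family, port, addr = struct.unpack_from(">hHI", item, 2)
    (vendor, dev_type, prod_code, rev_major, rev_minor,
     dev_status, serial) = struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    if 34 + name_len > item_len:
        raise ValueError("product name overruns identity item")
    name = item[33:33 + name_len].decode("ascii", errors="replace")
    state = item[33 + name_len]
    return {
        "protocol_version": proto_ver,
        "ip": socket.inet_ntoa(struct.pack(">I", addr)),
        "port": port,
        "vendor_id": vendor,
        "device_type": dev_type,
        "product_code": prod_code,
        "revision": f"{rev_major}.{rev_minor}",
        "status": dev_status,
        "serial": serial,
        "product_name": name,
        "state": state,
    }


def encode_identity_reply(ip: str, vendor: int, dev_type: int, prod_code: int,
                          revision: tuple, status: int, serial: int,
                          name: str, state: int) -> bytes:
    """Build a reply the way a device would; used only to construct the sample below."""
    sockaddr = struct.pack(">hHI8x", 2, ENIP_PORT, int.from_bytes(socket.inet_aton(ip), "big"))
    ident = struct.pack("<HHHBBHI", vendor, dev_type, prod_code,
                        revision[0], revision[1], status, serial)
    item = (struct.pack("<H", 1) + sockaddr + ident
            + bytes([len(name)]) + name.encode("ascii") + bytes([state]))
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


# Constructed sample: documentation-range address and made-up identity values.
SAMPLE_REPLY = encode_identity_reply("192.0.2.10", vendor=0x1234, dev_type=0x000E, prod_code=65,
                                     revision=(20, 11), status=0x0030, serial=0x01020304,
                                     name="Constructed sample device", state=3)


def query_device(ip: str, timeout: float = 2.0) -> dict:
    """Assumed helper: send exactly one ListIdentity datagram and parse the single reply.
    Run it in a maintenance window, never in a loop against production."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_list_identity_request(), (ip, ENIP_PORT))
        data, _peer = sock.recvfrom(4096)
    return parse_list_identity_reply(data)


if __name__ == "__main__":
    print("request:", build_list_identity_request().hex())
    for key, value in parse_list_identity_reply(SAMPLE_REPLY).items():
        print(f"{key:>17}: {value}")
```

Because ListIdentity needs no session handle, the same 24-byte datagram can be broadcast to the subnet on UDP 44818 and the replies collected by a passive sensor, which is the "one shot, then listen" hybrid approach described in the interview; each reply is decoded with the same parser. The parser rejects short frames and other command codes before touching any field, so a reply that was cut off or a stray non-identity frame raises ValueError instead of yielding garbage.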
Transcript
You're listening to the CyberWire Network, powered by N2K.
Welcome to Control Loop.
In today's OT cybersecurity briefing, Rockwell Stratix routers are vulnerable to a Cisco Zero Day,
Security Week's ICS cybersecurity conference.
Malware attacks against IoT devices increased by 400%. A nuclear power plant operator is cited
over a cybersecurity plan and CISA's ICS advisories. We welcome guest Garrett Bladow to the show.
He's a distinguished engineer at Dragos. We caught up with Garrett at the CyberCon 2023 event in Bismarck, North Dakota.
He discusses active visibility into OT systems.
The Learning Lab has the second part of Mark Urban's conversation about cyber threat intelligence
with Paul Lukoskie, who is Dragos' Director of Intelligence Services.
Rockwell Automation has warned that its Stratix 5800 and 5200 routers are vulnerable to the recently disclosed vulnerability
in Cisco IOS XE Software's Web UI feature.
The company notes,
while Rockwell Automation has no evidence of active exploitation
against the Stratix product line,
this vulnerability was discovered by Cisco Talos
during an incident response for a Cisco customer.
Rockwell adds that it strongly encourages customers to follow guidance disabling Stratix HTTP servers on all internet-facing systems.
SecurityWeek held its ICS Cybersecurity Conference in Atlanta last week.
In a fireside chat hosted by SecurityWeek editor-at-large Ryan Naraine, John Hultquist, chief analyst at Mandiant Intelligence, described activity by
China's Volt Typhoon threat actor. Hultquist noted that China's interest in staging potentially
destructive attacks is a relatively new development. Later, Mackenzie Morris, senior industrial consultant at Dragos,
gave a talk emphasizing that "better practices" beat out "best practices" recommendations,
with feasibility, cost, likelihood of implementation, and improvement in security posture.
The next day, Benjamin Sterling, Global Director of ICS Cybersecurity at ABS Group,
discussed risks to chemical processors in cyber-physical environments.
Sterling added that one of the major issues facing the petrochemical industry is lack of visibility.
A report from Zscaler's ThreatLabz has identified a 400% year-over-year increase in malware attacks against IoT devices in the first six months of 2023.
Activity from the Mirai and Gafgyt botnet malware families accounted for 66% of attack payloads against these devices.
Additionally, the researchers found that 34 of the 39 most popular IoT exploits specifically target vulnerabilities that have existed for more than three years.
The most commonly targeted devices were routers.
More than half of malware attacks against IoT targeted devices in the manufacturing industry.
The report notes, "On an average week, the manufacturing sector receives more than triple the number of attacks as any other sector. With a low tolerance for operational disruptions, manufacturing is high
stakes for malware attacks. High attack volumes not only jeopardize IoT systems but also pose
a serious threat to OT processes." The UK's Office for Nuclear Regulation has cited EDF,
a French power utility that runs five nuclear power plants in the UK,
for the company's failure to provide the ONR with a comprehensive
and fully resourced cybersecurity improvement plan in a timely manner, Silicon UK reports.
The ONR stated,
"EDF's corporate center has been moved to significantly enhanced regulatory attention
for cybersecurity. EDF has made two new appointments to specifically address cybersecurity.
We have subsequently met with EDF's senior team to ensure regulatory expectations are understood."
On Tuesday, Rockwell Automation and Dragos announced a partnership under which Rockwell will be making the Dragos ICS security platform available to organizations, giving them enhanced
ICS-OT cybersecurity threat detection, providing global deployment services and support capabilities.
The partnership is expected to help customers operationalize their security investment.
We close with some advisories on ICS vulnerabilities from the U.S. Cybersecurity
and Infrastructure Security Agency. On October 17th, CISA issued two advisories for vulnerabilities affecting Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation products and Rockwell Automation FactoryTalk Linx.
On October 19th, the agency published an advisory for a set of critical vulnerabilities affecting Hitachi Energy's RTU500 series.
I recently attended CyberCon 2023 in Bismarck, North Dakota, where I had the pleasure of catching up with Garrett Bladow.
He's a distinguished engineer at Dragos. We discuss active visibility into OT systems.
So you and I find ourselves here at Bismarck State College. We are here for CyberCon 2023,
and you are presenting later this afternoon and have graciously agreed to give us a little
preview of that presentation
for our show here.
What's the title of the presentation?
It's Going Active in OT.
I'm going to talk about the benefits of asset visibility,
which is one of the biggest challenges our customers have.
They just don't know what's necessarily on their networks
because they've evolved through 20 years
of static emplacements in oil and gas pipelines
or manufacturing or energy grids.
A lot of security solutions in the IT space
are around scanning.
I'm going to bring my Nessus scanner,
I'm going to bring Nmap,
and I'm going to use those tools
to just poke everything out there
and see what happens.
But the challenge here is that IT-OT
break again. IT is meant for that
resiliency. They've kind of built that into their ecosystem.
They're expected to be poked all the time.
It's a feature.
The OT systems were built to be closed-loop systems.
The devices that are out there,
they're really good at their job.
Real-time measurement, sending data out,
being as available and reliable as possible.
What didn't happen was any encryption,
any authentication, any of that sort of stuff.
And then they were built for the use case they were built for.
Measure these devices,
send those sensor readings back to a thing,
and keep doing all of these real-time operations.
And what happens if they get an interrupt?
Something coming in from the side that says,
hey, tell me your identification.
Hey, tell me it again.
No, really, tell me it again.
Right, right.
And one of the examples I have
is one of the specific OT protocols,
Ethernet Industrial Protocol, EtherNet/IP.
And it's great.
It's got one call.
You say, give me your ID.
Everything comes back. You get the serial number, the product name, when it was last installed, when it was updated.
You can even get the software that was installed on it and bring it back. The challenge is,
if you do that a million times in a row, the darn thing falls right over because it's trying to do
the measurements. It's trying to grab the stuff from the actuator, and then it's trying to answer your question,
and you're just like, bug off.
You're like that toddler, like, mom, mom, mom, mom.
And again, there are programs out there like Nmap or Nessus that people will take off the
shelf and try that.
Not that they're bad technology at all.
Heck, they're great for cybersecurity tools.
But when you take that and take it off the shelf and just say, you know, beep, bop, boop, do that thing that I've asked you
to do in IT, but against OT systems, there's all these unintended consequences because OT is IT
plus physics, right? Can you give us a sort of a simplified example of a system that would
kind of fall victim to this?
What sort of workflow does this apply to?
Right, so we'll look at oil and gas pipeline.
A lot of them have these programmable logic controllers, PLCs,
and those devices are taking the measurements from the sensors
or maybe they're moving an actuator,
right? This is literally like, I am opening the pipe. I am shutting the pipe, right? How much
pressure is in that pipe? You know, how much is, how much liquid or whatever is flowing through
that pipe, right? All of that is happening. And it's, and it's trying to send that data back to
some sort of historian or human machine interface
for that control engineer operator to say,
my pipeline is green today.
Everything is working as I intended it to,
and oh, I need to shut that pipe.
I'll hit the button.
Boop, I can see that that button happened.
The pipe shut.
All of these things are going on
in that real-time automated fashion.
All of these protocols are running this,
and they're intended to be fast, loose, make sure.
It's availability overall.
That's the only thing that's really emphasized in that world.
And now, if an attacker should gain access into that environment,
everyone thought their systems were air-gapped.
In six years of Dragos doing business and professional services
and reviewing architectures and doing incident response,
we have found exactly zero air-gapped OT systems.
And it doesn't take a lot of technical expertise to go in there and write a packet
because they're mostly UDP, user datagram protocol.
Just write one packet on the wire and that's it.
You don't even have to have a session.
Poof, shoot that out.
That thing is now off its track
and not necessarily working in the same working state
that you have.
They're all open. They're all read-write.
There's not like I can put a lock on it and say, stop listening.
There's no firewalls on them.
Help me understand here.
They're not built with any sort of adversarial communication in mind?
Not at all.
Again, this protocol that I'm emphasizing, EtherNet/IP,
it was built in 1991.
Defense in depth was not a concept yet.
Another one, Modbus, another protocol that's heavily used in the OT space was built in 1979.
We didn't even know that computers existed half the time.
These have evolved, and they've always evolved
in that context in the OT world of,
don't worry, no one else has access to this system.
It's closed. We'll never have to worry about
an intruder in this system.
We control everything.
And now with the OT-IT convergence
that we're seeing across the world,
that is not true anymore.
The advent of industrial IoT,
where I have a 4G LTE or 5G device,
it's now controlled wirelessly.
And it's sending those same data.
I don't even control the wires that go to it anymore.
To what degree is it a challenge to know that the information you're getting back from a remote device is truth, is ground truth? In other words, this device is telling me that the valve is open, but unless I have someone
with eyes on, how do I know the valve is open? I suppose I know the valve is open if the other
thing is measuring flow through the pipe, right? That's typically how it works.
It's a lot of redundancy in these systems to kind of give that control engineer that peace of mind
that the system as a whole is working as it's intended.
I see.
But again, from an attacker perspective,
which is typically where I come at it from,
that's one of the biggest impacts
that can happen in a control system.
We call that lack of visibility or lack of control.
Lack of control is,
I've lost control of the entire device.
Lack of visibility is, I can't trust the data
that's coming back from that.
It's very, very easy from an attacker's perspective
if you're in the system to send the inputs back
to something that's reading the console
that the control engineer is looking at.
You can make it look red when it's green or green when it's red.
That includes even the readings that are coming from a pressure sensor or that.
You can fake that funk if you know what you're doing from a protocol level.
But again, control engineers don't always look at one component.
They always look at the system.
And so that's the bigger challenge from an attacker perspective
is how do I make everything look like it's supposed to
across the entire ecosystem.
Yeah.
So what are you proposing then?
I mean, in your presentation today, it's not just doom and gloom.
You've got some solutions in mind, right?
Right.
So a lot of it is go to a vendor that knows what they're doing in the OT space.
One of the things that our technology does is we've actually taken the write capacity out of it.
It's only read at this point.
And so we are not able to go and change the values
within a system and do things,
even if an attacker would gain access to the software
we're giving the control engineer.
And a lot of it is really just
understand the context of what you're doing.
And the biggest takeaway,
and this is the last slide in my deck,
is do not do this on production systems, ever.
Bar none.
Do not do what on production systems?
Do not do active identification or active looking for your assets
when a system is in production.
There's always an unintended consequence to what you're doing.
So let me push back on you there a little bit.
I remember in a previous career when I was
in the digital video world, there was a saying, never update your software in the midst of a
project. And the challenge was, we're always in the midst of a project. So is this a matter of
regular downtime, scheduled downtime, those sorts of things?
It is, but that's built into an OT system's life cycle.
Yeah.
If you're running a plant, an oil refinery,
they're literally shut down for probably two months out of the year
for health and safety and maintenance.
Not just of the pipe is worn, but it might be they're replacing pipes, they're
replacing this PLC, they're doing all of these different things, and it's built into how they
operate an operational technology platform. And so what we're saying is that's also the time
when you start to do your active testing of the systems to make sure that they're working as you intended,
and also to find that PLC that someone stuck in the rack five years ago that you didn't know.
Right, right. Ultimately, where do you suppose we're headed here with this? What does the ideal
future state look like to you? The ideal future state that I think we're headed to is that hybrid environment.
Most of the OT security vendors in this world,
they have some sort of sensor product that's out there passively listening
to the chatty protocol traffic that's happening.
They'll identify assets,
they'll make sure that everything's in
quote-unquote normal state.
We can introduce an active component to that.
Maybe actively I can send a
give me your identification packet,
but I don't even have to listen to it.
I send that out,
the device burps out their identification,
and my sensor picks that up,
and I don't have to even further interrogate that
or ask it more questions
or even push its registers to the limit
because I can do it with sort of one shot
and use the rest of my technology
in order to help and facilitate
that sort of hybrid environment.
All right.
Well, I think I have everything I need.
Is there anything I missed?
No, not really.
I think at least for this product or this sort of concept,
the one thing that I would like to talk a little bit about
is sort of the new generations of threat intelligence
and making sure that we're all in this together.
So a lot of
what we're doing is these shared
threat intelligence environments
and being able and
participating in that.
The nice thing about a lot of the technology
that we've built there is that it is
anonymous. You can provide
anonymous data that's not going
to get you in trouble with your regulators
or any of that sort of data
to help win the common defense of these systems.
We're already seeing it pay dividends
with Dragos Neighborhood Keeper,
but if there's anything that you can participate in
in that sort of ilk, please, please do.
The other part of that common defense is common action.
One example that I really like to push
is it's an electric utility concept
of like the old linemen, right?
The linemen in the truck.
If there's a hurricane in Louisiana,
North Dakota is going to roll truck down
and help those people to bring back power in that environment.
We're not busy. It's spring here.
Ice storm hits us in North Dakota.
There's that mutual assurance where Louisiana is going to roll truck, come back up to North Dakota.
And what we're starting to see is that same concept being applied in the cyber environment,
where there may be a large investor-owned utility
that has the money to have an IT SOC,
an OT SOC, Intel analyst sources,
all of these things that come
with actually being able to invest
in your cybersecurity program.
Or you might be that co-op
that's out in McKenzie County, North Dakota,
where you run the IT, the OT,
and you mow the lawn on Saturday.
And this thing blips across your screen
and you have no idea what it does.
What we're trying to do in this mutual assurance
is being able to click a button and say,
help me.
And having that investor-owned utility, maybe in a different region in the United States,
bring their expertise, help that person get the data they need. And then at the end, they all
press a button, right? And everyone goes back to being anonymous. And that's one of those things
that we're really trying to push for common defense here at Dragos.
Our thanks to Garrett Bladow from Dragos for joining us. In this week's Learning Lab, the second part of Mark Urban's conversation about
cyber threat intelligence with Paul Lukoskie, Dragos' Director of Intelligence Services.
Hi, this is Mark Urban with another edition of the Learning Lab.
And today we're going to talk about threat intelligence for operational technology.
And I'm joined today by Paul Lukoskie here at Dragos.
Paul, welcome.
Thanks, Mark. I really appreciate the opportunity to talk about this.
Can you talk a little bit about what does a threat intelligence vendor deliver?
And we'll just use the Dragos context.
How do we deliver that intelligence to a customer environment?
Sure.
So in the context of Dragos,
one of the primary ways that we have prioritized delivering threat intelligence,
or at minimum, having a threat intelligence-influenced capability is with the Dragos
platform. And what I mean by that is our threat intelligence team uses everything that we gather during our daily hunts, and we create detection signatures that are then deployed into the Dragos platform. goes from other threat intel vendors in the same space, but it gives kind of like that
backstop, that peace of mind to Dragos platform customers that they know that any alerts or
detections that pop up in their platform, there is a threat intelligence nexus upstream
from that detection.
And there's always the opportunity to kind of have that reach back into the
Dragos ecosystem and ask for additional context.
Now with those detections,
I will say that sometimes detections don't always provide the right level of
context.
So that's one of the reasons why whenever we're having those conversations with people, I always, and regardless of whether or not this is a
Dragos customer or a Mandiant customer or a CrowdStrike or whoever, it's always good to
have multiple points of view. And it's always good to have that kind of understanding of how
different components of the threat intelligence delivery model works.
And what I mean by that specifically is you want to kind of break it down into three different areas.
So tactical intelligence, strategic intelligence, and operational intelligence.
And this is how I always describe it to our customers at Dragos Intelligent, or our customers
at Dragos Intel.
So tactical intelligence,
it's really designed for kind of that immediate human or security device action. Usually they're
driven by indicators of compromise, like I said earlier, malware hashes, IP addresses, domains,
URLs, detection signatures, vulnerability information like CVEs and things like that, CVSS2 scoring.
An example in worldview of what could very easily be
consumed as a tactical deliverable
is the weekly suspicious domains report
that we internally lovingly refer to as,
quote unquote, the DOM.
And those reports capture every single week hundreds of domains and
IP addresses that we have assessed to be either at minimum suspicious and at most certainly
malicious. And they are often masquerading as OT vendor URLs. A lot of them we see masquerading as very common, malicious domains that are trying
to mimic Microsoft O365 logins, things like that.
So really aimed at credential theft and those initial intrusion techniques.
And then we have strategic intelligence, which is really designed for long-term projects
and security strategies
and investments because it focuses on trends and patterns that we've observed over a measurable
period of time.
So in the last quarter, we've observed X percentage increase in ransomware operations
impacting industrial organizations.
And the idea there is that if you are an industrial organization and you're not
paying attention to ransomware, then you probably should be because it's clearly ramped up over the
last 90 days. In worldview, an example of this would be our executive threat intelligence or
executive threat insights report, which is a quarterly report that provides a retrospective of the past quarter's OT, cyber threat intelligence.
And then lastly, operational intelligence, which is really the bridge between tactical and strategic intelligence,
in that it expands on tactical indicators with that added context.
with that added context.
And that added context can be anything from those post-compromise behavioral elements,
like the adversary gets into the environment and then they move laterally through the IT environment using PowerShell and other Windows native tools.
And once they find the DMZ, these are the things that they do. And then obviously, probably the biggest context that can be added is really around what is
our assessment of the adversary's objectives?
What are they really trying to do?
Is it information gathering?
Is it intellectual property theft?
Is it destructive or disruptive operations?
Is it reconnaissance?
Or in the sense of the cybercrime ecosystem, is it monetary gain? Is it kind of profiteering? So all of those things are added
context that we kind of lump into that operational intelligence. And within the Dragos worldview
portal, we have different types of reports that meet and exceed all of those elements.
Just as a quick summary, a lot of the intelligence is compiled into software that operates on the
Dragos platform to fire detections against some of these threat behaviors. So that's kind of thing
one. Thing two is then a worldview subscription, in our example, delivers kind of reports, analysis, etc. at the tactical level,
at the operational level that adds context to that technical level, and then the strategic
level that might give more insight into kind of threat groups and campaigns and overall. So it's a
good kind of taxonomy there. Could you give me one or two use cases? If I'm in an intel group in a company that, you
know, I have, I don't know, three, five feeds, including like Dragos. How is that? Can you give
me an example of how an OT threat intelligence thing that comes through worldview would be
used in the context of, I don't know if it's a SOC analyst in a specific environment?
Just give me a use case about how that would be used, in a use case form.
Sure. So one very distinct use case that I can reference, and that's because we dealt with this
exact situation with one of our concierge customers.
So there is a significant risk trend that we've observed with industrial organizations in that there are often quite a number of OT devices that are publicly accessible from the internet. And with the Dragos Threat
Intelligence team, we have a number of different tools and techniques that we use to kind of
identify those things. But what that does is it creates a point of entry in which adversaries can
almost directly access the OT environment without having to go into the IT environment,
root around, figure out where everything is,
enumerate the network,
and then successfully navigate over into that
and establish persistence.
What these publicly accessible devices do
is they're RDP servers and things like that.
And sometimes we've even come across circumstances where RDP servers are using very, very weak credentials or the default credentials that were supplied by the vendor at the onset of deploying it within the OT environment.
So we came across this circumstance with one of our concierge customers and our concierge analyst that was supporting them observed some kind of bizarre activity.
They're also a Dragos platform customer, and we observed some bizarre activity where it
seemed like there were some brute force attacks that were happening.
And what our concierge analyst figured out was they had a couple of different RDP servers
that were linked to different engineering workstations within the OT environment,
and they were publicly accessible, and adversaries were trying to brute force their way into those RDP servers.
So in this use case, we notified the concierge customer,
and then we worked with them to help identify those external network-based indicators that the adversaries were using to conduct the brute force attacks so that
all of that network traffic can be dropped at the firewall level. We also helped the customer
identify and better map out all of those public-facing OT assets,
pull them off of the network so that they were no longer publicly accessible. And then obviously,
some of the basic hygiene things and best practices of creating better credentials and
hardening those assets with role-based access control and things like that. So
that's a really good use case example of very OT-specific threat intelligence.
Do you have one you can share around a standard vulnerability report?
I mean, we mentioned ControlLogix and things.
Sometimes Dragos does kind of public-facing webinars and information that are available to the general public,
including our customers and non-customers.
So, Paul, could you give me an example of how a vulnerability alert might be used
by somebody receiving that information?
Somebody that's receiving one of our vulnerability alerts within their environment through worldview,
what they would want to do is dig into the vulnerabilities, the vulnerability specifically.
And the unique aspect of Dragos intelligence and the vulnerability threat intelligence that we provide is that all of the assessments are driven from our own analysis and research conducted at our ICS range located at our headquarters in Maryland. And because of that, it allows us to provide very bespoke, unique perspective on the different technologies and the vulnerabilities that are relevant to those technologies.
You're not really going to find that kind of information elsewhere.
For example, there's a recent vulnerability that we released, Ardrag Systema SCADA.
And when customers get these reports, they can see the insum, which really lays out
the CVE numbers. So there's always that link to other resources to compare and contrast,
well, what is Dragos saying versus what is also being publicly reported elsewhere.
Again, it's always important to have multiple points of reference whenever you're working with
threat intelligence, particularly with vulnerabilities, because everybody has
different interpretations of what the vulnerability is, how an adversary may use it, and what to do about it.
We include a lot of our assessment, obviously, around restricting access, and around
whether or not there are public proof-of-concept exploits that exist. So customers can take these assessments,
identify whether or not they actually have the technology in their environment, because,
as I mentioned earlier, that's always a big unknown with many organizations: what they
actually have in their OT environment. And then, taking the vulnerability assessments that we have
here and using any of the information that we've
provided, such as whether or not it's remotely exploitable, maybe you take that information
and then build out processes and protocols around those vulnerable devices so that it's
no longer remotely accessible. That's a great example. So you get a vulnerability analysis,
and you know, or you don't know, if it's in your environment. If you do have it in your environment,
it provides, kind of like, hey, here are some steps you can take to limit the risk associated with
this particular vulnerability, like implementing specific access controls to remove external addressability of that.
Good example. What happens then if they have more questions? Obviously, there are
these standard reports that come in. They can utilize them. Good intelligence means that it's
practical to operationalize in their environment. And is there room for it if they need a clarification on something,
or if they need to understand a little bit more fully
than what's in the report?
It absolutely leads to more questions.
And almost every week we field questions
from all sorts of customers,
but probably the most asked question is,
how are these things relevant to me? Years ago, organizations were often just excited to be
in the know. And that was a lot of times driven by general curiosity because, as I mentioned earlier,
the cyber threat intelligence ecosystem was still quite new. And a lot of people felt like those things were really reserved for classified environments.
I think the CTI landscape has changed quite a bit.
And I think customers are now more aware of cyber threats.
And as a result, they're really hyper-focused on this idea of CTI for me.
What does this mean for me?
Is this impacting me?
What should I do about it? So we get a lot of questions around clarification on those things. And one of the neat things about
being at Dragos and standing on top of the mountain in terms of OT threat intelligence is that
we field a lot of questions from customers that are really just asking us our opinion
on different things. And that in and of itself is really cool because it gives us an opportunity to maybe train our attention onto different areas that we weren't necessarily thinking about.
A really good example of that is you have a customer that says,
Hey, we saw these localized news articles about ransomware being successfully deployed in an organization's OT environment.
And as a result, all of their OT environment got locked up and they had to completely shut
down their operation. What do you know about that? And that kind of gives us a little bit
of an opportunity to retrain our focus onto, okay, well, how do ransomware operators actually get
into an OT environment?
What are the common points of entry there? Historically, how have ransomware operators
gotten into the OT environment before deploying the ransomware? And that just kind of allows us to
build out that level of expertise into a variety of threats that are directly relevant to the OT
environment.
And at the same time, it allows us to build up those bona fides with those specific customers and continue to be that trusted advisor. And it's really cool when a customer pings you directly and
says, hey, Paul, we saw this. What do you think about it? They're not asking you for an official
confidence-based assessment. They're just simply asking, what do you or your
colleagues at Dragos think about this particular threat intelligence topic? Because we're interested
in knowing what you think. And that doesn't have to be anything formal. And that's one of the really
nice aspects about having a really quality threat intelligence capability like we do.
Excellent. Ladies and gentlemen, Paul Lukoskie,
part of Dragos' threat intelligence team here,
focused on the OT side of threat intelligence.
And that'll be a wrap for today's Learning Lab on Threat Intel.
Paul, thanks very much.
Thanks, Mark.
And that's Control Loop, brought to you by The Cyber Wire and powered by Dragos.
For links to all of today's stories, check out our show notes at thecyberwire.com.
Sound design for this show is done by Elliot Peltzman, with mixing by Trey Hester.
Our senior producer is Jennifer Eiben.
Our Dragos producers are Joanne Roche and Mark Urban.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time. Thank you.