EclecticIQ
Threat Intelligence for Critical Infrastructure

Josef Williamson January 1, 2019

Despite the ever-increasing focus on the state of industrial cybersecurity, accurate and timely threat intelligence for industrial control systems (ICS) remains hard to come by. Worse still, the burgeoning interest around incidents caused by novel capabilities like TRITON can often give way to hyperbolic commentary from outlets far removed from the reality of the situation. To combat this, EclecticIQ Fusion Center has teamed up with Dragos to bolster our Critical Infrastructure offering.

Why is ICS Threat Intelligence Different?

The operational technology (OT) environment is a distant relative of the enterprise IT environment. Although many cybersecurity best practices are applicable to both, an ICS-focussed adversary’s background, intent and leveraged TTPs are so radically different that we must tailor our own approach.

Coverage

As an Intelligence Requirement, the scope of ‘threats to critical infrastructure’ can be difficult to define. For our Critical Infrastructure bundle we have adopted three distinct categories previously defined by Dragos: 

  • Direct ICS Impact: actors and capabilities seeking to directly impact ICS operations. Examples: Stuxnet, Industroyer, TRITON.
  • Interested Adversaries: actors with a demonstrated interest in ICS and operational networks but who have not demonstrated destructive or disruptive intent. Examples: Dragonfly, OilRig, Thrip.
  • Indirect Impact: threats not tailored to disrupt industrial processes, but which can impact operations. Examples: Shamoon, Stonedrill, WannaCry.

Funnily enough, Dragos’ categories directly map to those we initially established when first designing the scope of the product, jokingly naming them ‘Big Dogs’, ‘Sneaky Lurkers’ and ‘Tick Tick Boom’.

Integrating with our knowledge base

Like many vendors, Dragos track actors and capabilities according to their own nomenclature. We integrate this nomenclature with all reported actor and malware aliases into a single STIX entity, meaning the actor is searchable in our Platform according to whichever alias an analyst favours – Chrysene is searchable by OilRig, APT34 and HelixKitten, just as TRISIS is searchable by HATMAN and TRITON.

Figure: OilRig

This is not total aggregation. There are cases in which aliases can be completely standardised – for example, in TRITON’s case. However, by adding actor aliases to the entity’s metadata we are not necessarily saying that APT34 is OilRig. Threat actors are groups of real people who may move between different organisations, taking their knowledge and tools with them, so the idea that we can track them as distinct entities without any confusing overlap is unrealistic. The objective is simply to store overlapping intrusion sets in such a way that analysts can easily understand the points of intersection and divergence as reported by each vendor.

TTP-driven Approach

Dragos’ approach to CTI is closely aligned with ours in that it is heavily TTP-driven. Tracking actors according to their attack patterns and the behaviour of their malware enables analysts to defend proactively, rather than relying on static values related to an attack that has already occurred. By maintaining and developing a knowledge base of actors’ TTPs over long periods of time, from campaign to campaign, we can assess which attack patterns they favour and how to proactively mitigate them.

Selected snapshot of Leviathan campaign reported by FireEye demonstrates TTP-driven approach

All our TTPs are mapped to relevant MITRE ATT&CK techniques. As well as providing a strategic view of a TTP’s functionality and intent, this allows users to build dynamic datasets based on combinations of high-level attack patterns and other contextual information. A basic example shows a dataset that isolates malware and tools with T1113: Screen Capture that have been observed targeting organisations within the energy, telecommunications or utilities sectors:

Figure: Screen Capture Malware
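As an added illustration of the two mechanisms described above, alias aggregation into a single searchable entity and a dataset that isolates malware using T1113 against chosen sectors, here is example code written for this post (not EclecticIQ Platform code) over a small constructed set of STIX 2.1-style objects. The object ids, the SampleA/SampleB malware and the target identities are constructed; the actor and malware aliases are the ones the post names.

```python
from collections import defaultdict

# Constructed STIX 2.1-style objects as plain dicts (not a real feed); the ids
# and the SampleA/SampleB malware are made up for this example.
ACTORS = [{"id": "intrusion-set--chrysene", "name": "Chrysene",
           "aliases": ["OilRig", "APT34", "HelixKitten"]}]
MALWARE = [{"id": "malware--trisis", "name": "TRISIS", "aliases": ["TRITON", "HATMAN"]},
           {"id": "malware--a", "name": "SampleA", "aliases": []},
           {"id": "malware--b", "name": "SampleB", "aliases": []}]
ATTACK_PATTERNS = [{"id": "attack-pattern--t1113", "name": "Screen Capture",
                    "external_references": [{"source_name": "mitre-attack",
                                             "external_id": "T1113"}]}]
IDENTITIES = [{"id": "identity--utility", "name": "Utility Co", "sectors": ["utilities"]},
              {"id": "identity--bank", "name": "Bank Co", "sectors": ["financial-services"]}]
# Relationship triples (source, relationship_type, target): a malware "uses"
# an attack-pattern and "targets" an identity whose sectors are recorded.
RELATIONSHIPS = [("malware--a", "uses", "attack-pattern--t1113"),
                 ("malware--a", "targets", "identity--utility"),
                 ("malware--b", "uses", "attack-pattern--t1113"),
                 ("malware--b", "targets", "identity--bank")]

def build_alias_index(entities):
    """Map every name and alias (case-insensitive) to its aggregated entity."""
    index = {}
    for ent in entities:
        for label in [ent["name"], *ent.get("aliases", [])]:
            index[label.lower()] = ent
    return index

ALIAS_INDEX = build_alias_index(ACTORS + MALWARE)

def resolve(alias):
    """Canonical entity name for any vendor alias, or None if unknown."""
    ent = ALIAS_INDEX.get(alias.lower())
    return ent["name"] if ent else None

def malware_using_technique_in_sectors(technique_id, sectors):
    """Dataset filter: malware that uses the ATT&CK technique AND targets an
    identity in any of the given sectors; returns sorted malware names."""
    ap_ids = {ap["id"] for ap in ATTACK_PATTERNS
              if any(r.get("external_id") == technique_id
                     for r in ap.get("external_references", []))}
    sector_ids = {i["id"] for i in IDENTITIES if set(i["sectors"]) & set(sectors)}
    uses, targets = defaultdict(set), defaultdict(set)
    for src, rel_type, dst in RELATIONSHIPS:
        (uses if rel_type == "uses" else targets)[src].add(dst)
    return sorted(m["name"] for m in MALWARE
                  if uses[m["id"]] & ap_ids and targets[m["id"]] & sector_ids)
```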

By mapping TTPs to high-level categories like Defense Evasion and Persistence we can also track over time which specific techniques are most commonly observed for each tactic, in order to prioritise mitigations.

Conclusion

Threat Intelligence for industrial control systems is different. The intents and TTPs observed in the campaigns of adversaries targeting critical infrastructure require:

  • Clear definition of an organisation’s intelligence requirements against the backdrop of the threat landscape;
  • Aggregating known actors and capabilities in order to minimise the noise created by conflicting nomenclatures;
  • A TTP-driven approach.

See our Critical Infrastructure data sheet for more details.

© 2014 – 2021 EclecticIQ B.V.