
Dragos Configuration


Product Versions

  • Dragos Platform SiteStore version: 7.2
  • Dragos Platform Sensor version: 7.2
  • Dragos Knowledge Pack: April 2020

Description

The Dragos Platform is a network-based cybersecurity software technology that identifies ICS network assets and their communications to provide an inventory and topology, identify and manage vulnerabilities, detect malicious activity, and provide guidance for investigating incidents. Within the Dragos Platform, we leverage The 4 Types of Threat Detection model.

The 4 Types of Threat Detection

The 4 Types of Threat Detection create different use-cases and detection strategies for defenders leveraging the Dragos Platform and are aggregated in the Notification view.

  1. Modeling
    Modeling is a mathematical approach to detecting threats by defining “normal” and measuring divergence from that definition. When organizations talk about “baselines”, “machine learning” or various forms of “anomaly detection”, they are referring to Modeling-based detections. The goal of Modeling is to build profiles of the environment over time and alert on uncustomary behaviors. The value of this approach is that it is threat-agnostic rather than relying on knowledge of the environment. The downside is that detections contain very limited threat context, if any, because the detection was looking for the deviation rather than the threat itself. These detections are great for hunting but not ideal for triaging, as their threat context is specific to the modeled environment.
  2. Configuration
    Configuration-based detection relies on current knowledge of an environment’s known architecture or design to identify changes to the configuration. As an example, a new device would be a change to the configuration. Likewise, a change on the timing of a GPS clock, a project file upload to a programmable logic controller (PLC), or the change of a key switch from RUN mode to PROGRAM mode in a safety system would all be configuration alerts. These alerts can be useful for understanding your environment better and provide good forensics on changes in the environment, but they contain little threat context for triaging.
  3. Indicators
    Indicators are the quickest way of leveraging detection with threat context. When properly created, indicators identify specific activity that gives analysts the context to properly prioritize and respond to the activity observed. There are two main benefits associated with indicators: knowledge enrichment and quick scoping. The downside is that adversaries can change their dependence on specific indicators (such as infrastructure and malware), which can quickly make those specific indicators ineffective. Indicators are, however, ideal for triaging known threats.
  4. Threat Behavior
    Threat behavior analytics codify malicious adversary tradecraft (e.g., tactics, techniques, and methods) for detection regardless of specific indicators like malware or infrastructure. Threat behavior analytics are the best form of expandable and alterable threat detection that also results in context for the defender. The downside is that they are often time-intensive to create. The value is that they are not tied to any individual adversary; instead they represent a series of events that catch known tactics and techniques that adversaries leverage, so they can identify both known and unknown threat groups with context, which makes them a great form of threat detection. The structure of MITRE ATT&CK is based upon Threat Behaviors and documents Threat Behaviors in detail, which is why it is such a valuable resource for network defenders.

Hunting for threat behavior is akin to “finding a needle in a haystack” of data. To best approach this monumental task, the Dragos Platform sorted the haystack into smaller, more manageable haystacks. These smaller haystacks make it easier for Dragos Platform users to identify and investigate threat behavior within ICS Networks. The smaller haystacks consist of the following:

Tagged Data
Data that the Dragos Platform might be interested in using for the creation of Events and Notifications is identified, inspected using deep packet analysis, and then stored as Tagged Data.
Events
Events (Severity 0) are actions taken within the ICS network that you probably want to keep track of but do not necessarily want to be constantly notified about. Events could be atomic (single-step) threat behaviors in the context of an attack, but could also be normal operations of an ICS environment. Events are normally hidden from view but can feed information into Composite Analytics (see below) or be turned on to see the Events that led up to high-severity Notifications. They are also useful for forensics and investigation timelines.
Notifications
Notifications are actions taken within the ICS network that could be considered one of The 4 Types of Threat Detection. The higher the severity rating of the Notification, the higher the confidence that this is a real threat, and that action should be taken.
Composite Analytics
Composite Analytics are multi-step threat analytics that more confidently relate to adversary actions. They often will take data from multiple sources, such as Windows Events, Network Traffic, Asset Information, or Vulnerability Information to create context-sensitive, high confidence and high severity Notifications (often severity 3 – 5).
Query Focused Datasets (QFDs)
Query Focused Datasets (QFDs) provide analysts with powerful tools for both proactive threat hunts and investigations. A query focused dataset is a pared down dataset that combines disparate data to enable analysts to prove or disprove a given hypothesis quickly. While a QFD is a subset of a larger dataset, the QFD might contain additional enriched information that provides analysts with an optimized view of the situation in question. QFDs normalize data and reduce the overall time analysts must spend when triaging suspicious activity or threat hunting.
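As an added illustration (not Dragos code or the Platform's actual analytics), the following Python models the tiers above on constructed records: every record becomes a severity-0 Event, Configuration-type Notifications fire on an unknown device or a safety-system key switch change, and a Composite Analytic joins a Sysmon process event with the network observations that follow it into a single severity-4 Notification that carries its contributing Events. Record fields, the asset inventory and the severity values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real Dragos data): one Sysmon process event
# forwarded over syslog and three network observations from the sensor.
SAMPLE = [
    {"ts": "2020-04-01T10:00:00", "source": "windows", "host": "EWS1",
     "event": "process_create", "image": "newtool.exe"},
    {"ts": "2020-04-01T10:02:00", "source": "network", "src": "EWS1", "dst": "SIS1",
     "event": "keyswitch_change", "old": "RUN", "new": "PROGRAM"},
    {"ts": "2020-04-01T10:03:00", "source": "network", "src": "EWS1", "dst": "SIS1",
     "event": "project_upload"},
    {"ts": "2020-04-01T10:05:00", "source": "network", "src": "10.0.0.99", "dst": "SIS1",
     "event": "connection"},
]
KNOWN_ASSETS = {"EWS1", "SIS1"}  # assumed asset inventory for the site


def ts(rec):
    return datetime.fromisoformat(rec["ts"])


def tag_events(records):
    """Every record becomes a severity-0 Event: kept for timelines, not alerted on."""
    return [dict(rec, severity=0) for rec in sorted(records, key=ts)]


def configuration_notifications(events, known_assets):
    """Configuration detections: an unknown device, or a safety-system mode change."""
    out = []
    for e in events:
        if e["source"] == "network" and e["src"] not in known_assets:
            out.append({"type": "Configuration", "severity": 1,
                        "msg": f"new device {e['src']} talking to {e['dst']}"})
        if e["event"] == "keyswitch_change":
            out.append({"type": "Configuration", "severity": 2,
                        "msg": f"{e['dst']} key switch {e['old']} -> {e['new']}"})
    return out


def composite_notifications(events, window=timedelta(minutes=10)):
    """Composite Analytic: a process starts on a Windows host, then that host moves a
    controller to PROGRAM and uploads a project to it inside the window."""
    out = []
    for proc in [e for e in events if e["source"] == "windows" and e["event"] == "process_create"]:
        later = [e for e in events if e["source"] == "network" and e["src"] == proc["host"]
                 and timedelta(0) <= ts(e) - ts(proc) <= window]
        modes = {e["dst"] for e in later if e["event"] == "keyswitch_change" and e["new"] == "PROGRAM"}
        uploads = {e["dst"] for e in later if e["event"] == "project_upload"}
        for dst in modes & uploads:  # both steps seen against the same controller
            out.append({"type": "Threat Behavior", "severity": 4,
                        "msg": f"{proc['host']} ran {proc['image']} then programmed {dst}",
                        "events": [proc] + [e for e in later if e["dst"] == dst]})
    return out
```

The low-severity Configuration notifications and the hidden Events stay available for the investigation timeline; only the correlated Composite result reaches the severity an analyst would triage first.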


Product Configuration

Each of the Windows hosts ran the Microsoft Sysmon tool and forwarded logs to the Dragos Platform, which passively collects network data from the environment and can optionally leverage host-based logs. The network traffic was monitored by one Dragos network sensor attached to the SPAN port of the switch. With this deployment, Windows host data and network data were our two data sources.

Figure: MITRE Evaluation Network Topology with the Dragos Platform Sensor and SiteStore Event and Traffic Aggregation

Dragos Platform Configuration

  • Network Traffic Ingestion by Dragos Sensor
  • Windows Events ingested via syslog by the Dragos Platform SiteStore