Control Loop: The OT Cybersecurity Podcast 5.31.23
Ep 26 | 5.31.23

Taking a look at cyber insurance in the industrial space.

Transcript

[ Music ]

Dave Bittner: It's Wednesday, May 23rd, 2023, and you're listening to Control Loop. In today's OT Cybersecurity Briefing, China's Volt Typhoon snoops into US infrastructure with special attention to Guam. Is CosmicEnergy just red-teaming, or is it a threat straight out of Red Square? Siemens patches a vulnerability endemic to the energy sector. An update on the Vulkan papers. A cyberattack leads Suzuki to shut down its Indian production line. BlackBasta conducts a ransomware attack against Swiss technology company ABB and claims responsibility for an incident at Rheinmetall. The Food and Agriculture Information Sharing and Analysis Center stands up. Today's guest is Gerry Glombicki of Fitch Ratings talking about cyber insurance and his opinions on the industrial space. The Learning Lab has a continuation of the discussion between Dragos's Mark Urban, Principal Adversary Hunter Kyle O'Meara, and Principal Intelligence Technical Account Manager Michael Gardner on threat hunting. Stay with us.

[ Music ]

A joint advisory from all Five Eyes reports a major Chinese cyber espionage operation that has succeeded in penetrating a wide range of US critical infrastructure sectors. Microsoft, in its own report on Volt Typhoon, as the threat activity is being called, says the group has been active since at least the middle of 2021. The targets of the spying have included a slew of sectors, including communications, manufacturing, transportation, government, IT, and education, among others. Microsoft writes that the threat actor intends to lie low and conduct cyber espionage for as long as they can. It does this, the Five Eyes stress, by carefully living off the land, exploiting existing legitimate administrative tools and privileges in its targets. Microsoft's report explains that internet-facing Fortinet and FortiGuard devices were penetrated by unknown means. Microsoft writes, "The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials." Microsoft adds, "Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices, including routers. Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, Netgear, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure." Both Microsoft and the government's reports explain that Volt Typhoon is using living-off-the-land techniques to avoid detection.
This technique utilizes tools that are already installed on the host network, which means that the security systems may not detect the activities as the actor can blend in with regular Windows traffic. Much of Volt Typhoon's activity has been directed against Guam, a US territory in the Western Pacific that plays host to important US military bases. Those bases would be important to any US intervention on behalf of Taiwan should China decide to take a page from Russia's geopolitical playbook and invade what it regards as a renegade province. For its part, China dismisses the reports as American disinformation and denies its involvement in any activity the Five Eyes and Microsoft associate with Volt Typhoon. There are a few aspects of this story that are of concern to those whose business it is to secure industrial control systems. The quiet establishment of persistence in any critical infrastructure network is a matter of concern. Whether Volt Typhoon is, in fact, engaged in preparing the battle space for an operation against Taiwan or whether it's simply conducting a trial in any hybrid war, the target lists will surely include control systems. Operators should be on their guard. Operators are also hearing about CosmicEnergy. That's not a natural phenomenon, of course, but rather a malware strain that appears designed to train operators in the case of an electrical disruption. Researchers at Mandiant late last week described CosmicEnergy, and they say it specializes in affecting operational technology and industrial control systems by interacting with IEC 60870-5-104 devices, such as remote terminal units that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia. CosmicEnergy was uploaded to the public malware scanning utility VirusTotal in 2021 by a user in Russia.
The version Mandiant obtained lacks a built-in discovery capability, which means that significant manual management would be necessary in an attack. Attribution has remained inconclusive, but researchers suggest that this malware could have been a Russian red-teaming tool used in exercises to simulate an electric infrastructure attack, perhaps a tool for Rostelecom-Solar, a Russian cybersecurity firm. Mandiant has not been able to attribute this malware to any nation state. Of course, even legitimate red-teaming tools can be put to malign purposes, if those legitimate red-teaming tools actually work, that is. Based on analysis from Dragos, in its current form, CosmicEnergy doesn't pose high risk to OT environments in the same way PIPEDREAM or Industroyer2 do. Dragos states that though CosmicEnergy is not a threat, it does highlight the care defenders should take toward restricting access to critical devices such as IEC-104 devices and the components connected to them, such as MSSQL. Siemens earlier this month addressed a flaw in systems widely deployed throughout the electrical power sector. SecurityWeek reports, "The vulnerability tracked as CVE-2023-28489 impacts the CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 products. And it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units designed for telecontrol and automation in the energy supply sector, particularly for substations." Most implementations of these systems are believed to be heavily firewalled, as observers put it, because their criticality is widely recognized. So the risk seems largely driven by the possibility of error and misconfiguration. We've been following another development in Russia's war against Ukraine: the revelations contained in the so-called Vulkan papers.
To recap briefly, NTC Vulkan is a Moscow-based IT consultancy that does contract work for all three major Russian intelligence services, the GRU, the SVR, and the FSB. Der Spiegel, one of a group of media outlets that broke the story, sourced it to a major leak of some thousand sensitive documents running more than 5,000 pages. The leaked papers reveal that Vulkan is engaged in supporting a full range of offensive cyber operations, espionage, disinformation, and disruptive attacks intended to sabotage infrastructure. Dragos has released a study of what the Vulkan papers mean for that class of activity, infrastructure disruption. The company's report took as its points of departure the coverage in the Washington Post, and it focused in particular on one of Vulkan's tools, a malware suite known as Amasit B. [phonetic] The researchers offer four key takeaways. First, the papers represent genuine leaks from a Russian contracting repository. Second, the tools represent an operational as opposed to a training or research capability. Third, Amasit B represents a clear potential threat to the rail, transportation, and petrochemical sectors. And it works from a familiar Russian military intelligence playbook. And finally, the Amasit B platform shows an interesting convergence of cyber operations with traditional signals intelligence and electronic warfare operations. And it's very much a combat support system intended for battlefield use by a combatant commander. Dragos advises taking Vulkan's capabilities seriously and understanding them in context. On May 10th, a cyberattack of an unspecified nature induced Suzuki Motorcycle India to shut down its production line. The Hindustan Times reported that the stoppage reduced production of two-wheelers by tens of thousands over a matter of days. Suzuki has been tight-lipped in its disclosures, saying only, "We are aware of the incident and have promptly reported to the concerned government department.
The matter is currently under investigation. And for security purposes, we are unable to provide further details at this point in time." So no one knows what kind of cyberattack it was except perhaps for Suzuki and the responsible law enforcement authorities, and of course, except for the attackers themselves. But signs do seem, to many experts, to point to a ransomware incident. Writing for Bitdefender, Graham Cluley offers this assessment:

Graham Cluley: Suzuki may not wish to share any more information while it works out what's occurred and determines its next steps. But I don't think it would be a surprise to anyone if it was later revealed that the company had suffered a ransomware attack. A ransomware attack might have not just caused disruption to the company's network infrastructure and communications through the encryption of data and lockdown of systems, but it could also mean that a hacking group has managed to exfiltrate sensitive information from a compromised company. In many instances, a company will decline to acknowledge that a cybersecurity attack was ransomware related until it has determined whether it is prepared to pay a ransom or not to its extortionists.

Dave Bittner: This slow-developing situation continues to develop slowly. ABB, a technology company based in Switzerland, confirmed Friday that they are experiencing technical issues relating to a cyberattack. BleepingComputer reports that the BlackBasta ransomware gang was behind the attack. But ABB has yet to confirm this. BleepingComputer writes, "We have learned from multiple employees that the ransomware attack has affected the company's Windows Active Directory, affecting hundreds of devices." In response to the attack, ABB terminated VPN connections with its customers to prevent the spread of the ransomware to other networks. ABB seems to remain mostly operational. Eike Christian Meuter, group spokesperson at ABB, told ETCISO, "The vast majority of its systems and factories are up and running, and ABB continues to serve its customers in a secure manner." BlackBasta has been active elsewhere as well, continuing to show a predilection for attacks against industrial firms. BlackBasta, a recently prominent double-extortion ransomware gang, published data stolen from Rheinmetall on BlackBasta's extortion site this past Saturday. According to BleepingComputer, samples on the site included non-disclosure agreements, technical schematics, passport scans, and purchase orders. Rheinmetall confirmed that it had indeed come under attack by the Russian criminal organization, stating, "Rheinmetall is continuing to work on resolving an IT attack by the ransomware group BlackBasta. This was detected on the 14th of April, 2023. It affects the group's civilian business. Due to the strictly separate IT infrastructure within the group, Rheinmetall's military business is not affected by the attack." Rheinmetall is a well-known German manufacturer of steel, defense systems, automotive systems, and engines. One of its products is the widely used NATO 120-millimeter smoothbore tank main gun. There's a new ISAC in town.
What had once been the Food and Agriculture Special Interest Group of the Information Technology Information Sharing and Analysis Center, the IT-ISAC, will now become its own analytical center. The Food and Agriculture Information Sharing and Analysis Center, the Food and Ag-ISAC, will serve the particular interests of the sector, enabling food and agriculture companies to share threat intelligence, alerts, analysis, and mitigation tactics. The Washington Post wrote about the motivation for the new ISAC, stating, "Cyber experts have repeatedly cited the sector's lack of its own ISAC as a dangerous security gap in the industry's ability to get a full picture of the tremendous risks it faces." Backers of the ISAC, which include major industry players from PepsiCo to Tyson Foods, expect it to fortify the defenses of its members. The most notorious cyberattacks against the food and agriculture sector have been ransomware incidents, the most significant of which is generally held to be the ransomware infestation at meat processing firm JBS in 2021. But the industry, as a whole, is susceptible to attacks on any number of industrial control systems. And even if the threat doesn't progress beyond ransomware targeted against business systems, that's serious enough. Just ask ABB or Rheinmetall. The new ISAC should fulfill a useful role. Good luck and good hunting.

[ Music ]

Our guest this week is Gerry Glombicki from Fitch Ratings. We're discussing cyber insurance and his opinions on the industrial space.

Gerry Glombicki: Cyber insurance, some people trace their lineage back to the 1980s. I'm not saying that it wasn't cyber insurance, but it was definitely not modern-day cyber insurance. It insured things like mainframes, keyboards, data on tapes. It really started taking modern shape in 2003 when California passed its first privacy law. And for the most part, from thereafter, it kind of really was a privacy data breach type of product up until 2017. In 2017 ransomware really came on the scene. And it really changed the shift of how insurance was actually provided at that point in time, types of coverages type stuff. And then even then you got some bit of an interest in what I call catastrophic cyber insurance or things like, you know, for example, attacks on the grid, multiple days of being out for insurance-type stuff at that point in time. And that's the kind of landscape we're in right now: trying to really find out where cyber insurance can exist, the prices that can be offered, and the coverages that can be offered, and trying to find the marriage of all that together.

Dave Bittner: Can you describe for us a little bit of the push-pull that happened in the industry when, as you say, ransomware came on the scene? And it seems as though that injected a little bit of chaos into the system.

Gerry Glombicki: It's true. So insurance really works great off of having good, solid past data and trends to kind of help predict the future and set pricing. So with ransomware, it wasn't really in the data set. So it wasn't able to be priced. It wasn't really possible to know what we call the frequency and severity. How often was this going to happen? How severe was it going to be? Who is going to be attacked? How can you price for this? Can you use to -- one of the ways you used to look at historical underwriting standards was they'd have you just fill out a survey, maybe five questions. And now the surveys are multiple pages long, multiple interviews long, depending on what type of limits you want type stuff. And they used some things like quick vulnerability scans. But now some things may actually require attestations, SOC 2 attestations, some pen tests at certain levels. The type of underwriting that's going on right now is definitely more sophisticated than it was in the past, particularly for the amount of coverage that you want. If you want maybe a lower-level limit, it might not be as advanced.

Dave Bittner: And how's it going for the insurers themselves? Or are they finding that this is a profitable business to be in?

Gerry Glombicki: It's a great question. So we look at it two ways. The first way we look at it is premium growth. And right now, cyber insurance for year-end 2022 was about $7 billion, which is slightly less than 1% of the overall industry. That said, it is one of the fastest-growing lines of business, though. For example, prior year over year, it grew 51%. And then on the standalone side, so they offer two types of cyber insurance right now, what we call standalone and product. Product is exactly what it sounds like. You sell cyber insurance to a company along with several other lines of business. A standalone policy is exactly what it is. It's just a standalone policy. You could buy other stuff. You may not at that point in time. Standalone policies actually grew 62% year over year and 91% the year after that. So premium growth is part of the answer, and that's certainly increased year over year. The second part, to answer your question more specifically, though, is the loss ratios. So there's two components when we look at profitability for insurance companies, the loss ratio and the expense ratio. And together, that makes up what we call the combined ratio. In the US, they have to subscribe to some data. But they don't have to actually give you the expense ratio portion. So we just get the loss ratio portion. And in year-end 2022, on a direct basis, that was 43%. So to put that into perspective, that means for every $100 they took in for premiums, they paid out in losses $43. In 2020, it was 72, and in 2021 it was 68. So there was a little bit of a high period there. By and large, this data has been available in the US just since 2015. It's been a fairly profitable line of business for cyber insurers to date.

Dave Bittner: Now, is there any sense for how that compares to the other lines of business when it comes to insuring folks?

Gerry Glombicki: That's a great question, and we did publish an infographic on this. So what I think you'll see for the whole entire industry is the loss ratio is higher, but it's certainly less volatile. And you can see that for the other major lines of business like private passenger auto and homeowner's insurance. I think what you're going to get when you get such a fast-growing line of business is you're going to get volatility. And you certainly see that in terms of the loss ratio. So I think in terms of the highs and lows for cyber insurance, the lowest loss ratio was at 34% in 2018, and the highest was the 72% in 2020 on a standalone basis. So almost double, a little bit more than double, actually, when you look at that versus some of these other lines of businesses. They're much larger, so it's hard to double the losses in that ratio there. But then cyber overall from that time period, more profitable but more volatile than the other lines of business.

Dave Bittner: Do we have a sense, the providers of this, of how they are looking to have a competitive advantage here in their offerings? Are there particular things that they're targeting to try to stand out from the crowd?

Gerry Glombicki: That's a great question. So I think what you're seeing from the competitors' standpoint is they're seeing this as a growing line of business. And for the most part, insurance is a fairly mature industry, so there's really not much areas of growth. So the fact that this is a growing line is certainly of interest to them. All insurance companies want to offer products that people actually want to purchase. But the question is, you have to do so in a profitable manner. Otherwise, you actually decrease shareholder value. So what you're trying to find is that sweet spot of, you know, what can you offer? What type of limits can you offer? What type of underwriting has to go on but still be able to make a competitive return on the capital that supports the business?

Dave Bittner: So when we talk about the industrial space, specifically, are there any things that stand out there or different from the broader cybersecurity market?

Gerry Glombicki: So one of the things we look at is something called take-up rates. So the take-up rate is how many people who are offered the product actually take up the product. And what you're seeing there in the manufacturing space is about a third of the manufacturing space actually takes up cyber insurance. And for power and utilities, it's slightly better at about 37%. Those numbers are kind of relatively in line with the overall industry, but in certain sectors, it's higher. So, for example, for education, it's about 60%, but also financial institutions, it's fairly low, about 30%, slightly a little bit better there. So I think what you're starting to see is an interest in the product. The question comes down to cost and the benefits associated with that. What do you actually get when you get the cost? Ransomware covered? Is it not covered? The interesting thing, though, in the industrial space is the complexity of the product. What I mean by that is, say, for example, you have a turbine, and that turbine was actually attacked from a cyber event and spun up slightly faster, and that turbine broke. The question is, how did that turbine break? Was it a cyberattack? In this case, we're saying yes, it was, but how do you prove that? How do you not prove that? And those lines -- those types of questions are still kind of evolving and still rapidly coming into place. And that's what actually the cyber insurers have to kind of deal with. And that's part of the deal between the package policy and the standalone policy. The standalone policy will actually maybe affirmatively say what's covered and what's not covered. And when it's part of a package, it may be a little bit silent in that regard. So definitely, the industrial space poses a little bit more of a challenge than, for example, a traditional information technology space, not just necessarily the OT space.

Dave Bittner: And is that partially because it's still kind of early days here? I mean, I -- And I remember after 9/11, a colleague of mine who was in the commercial real estate space was telling me that, you know, they were, it was taking them years to debate whether it was one attack or two attacks, you know, and things like that. There's, and there's all this -- all these elements that really hadn't been hashed out before. Are we finding situations like that with cyber?

Gerry Glombicki: The short answer is yes. So I think what you actually referred to is what we call case law in the insurance space. So when you can actually look at things in the past and say, yes, this is what's happened. This is the precedent. This is how we're actually pricing the product. This is how the claims are actually being adjudicated. Once that exists, it becomes a lot easier to do. And as cyber risk evolves, the case law will follow. The question is how quickly or how long does it take to actually follow? And right now, there hasn't really been that much to date. The biggest thing recently was the NotPetya attack. And what the insureds were covered under at that point in time was an all-risks policy. So the courts have ruled that the cyber insurance actually picks it up. And they're starting to see some policy language where they're actually starting to exclude some things, what they kind of call acts of war. The question is, what is an act of war? Especially if someone doesn't raise their hand and say, yes, it was us.

Dave Bittner: Yeah, that's really a fascinating element, I think. I'm curious, you know, do you have any advice for the folks who are out there who are shopping for this sort of thing? Are there any words of wisdom or things that they should keep top of mind?

Gerry Glombicki: So an insurance policy is the same thing as an insurance contract. You've entered into a contract with an insurance carrier at that point in time. So the biggest thing is make sure everything is spelled out in the policy that you want or don't want. Make sure it's all covered in there before you sign on that dotted line because once you do, that's the framework that will be used to determine if the claim is covered or not, as well as, if it does get adjudicated, whether or not coverage exists. So the biggest thing is when you actually purchase this product, make sure you read all the details, make sure legal looks over it, make sure your risk management teams look over it because, again, that is your source of insurance coverage at that point in time.

Dave Bittner: You know, a few years back, when ransomware was really coming to the fore, it struck me that perhaps we were on a trajectory where cyber insurance could become kind of like flood insurance, you know, where the federal government was the only backstop for it. And it wasn't great insurance, but, you know, it was all you could get. And I wondered if we were heading that way. But looking at the numbers here that you all have laid out, it seems as though that we're on a pathway to a sustainable business. Is that an accurate perception on my part?

Gerry Glombicki: That's certainly what the insurance industry would want it to be, is something that's, you know, a sustainable, thriving business. And again, if you can price things in there, or if you can't necessarily price for it, but you can exclude it in terms of the terms and conditions and yet still offer a viable product for the insureds, that's certainly what they want to do and cover. Because at the end of the day, anytime there's a risk, you have four things you can do to it. You can accept the entire risk. You can avoid the entire risk. You can try to mitigate some of the risk. Or you can try to transfer the risk. And that transfer piece is where actually the insurance companies come in. But in reality, most people try to mitigate some of that risk down, transfer some of that risk. And whatever's left over, that's what they accept at that point in time. But that framework of those four things is exactly what every risk manager has to do for all risks, cyber included.

Dave Bittner: Our thanks to Gerry Glombicki from Fitch Ratings for joining us.

[ Music ]

This week's Learning Lab features a discussion between Dragos's Mark Urban, Principal Adversary Hunter Kyle O'Meara, and Principal Intelligence Technical Account Manager Michael Gardner. They're talking threat hunting.

[ Music ]

Mark Urban: Hi, Mark Urban, once again with Learning Lab here on Control Loop. And we're going to focus on threat hunting. There are a couple different types of threat hunting. And to kind of describe, you know, some of those differences in the context that we're going to talk about today, I'm joined by Kyle O'Meara and Michael Gardner here at Dragos. Where do you start with a threat from, you know, from sourcing intel?

Kyle O'Meara: The hypothesis. So you develop your hypothesis, and then from there, you're like, well, how can I start this? You know, as a rudimentary, like elementary, experiment as my -- to try to prove or disprove my hypothesis, I look at all my different sources I have. I typically break it down to five. Some might expand these out, but it's first-party data. Your information sharing and partnerships is two. Your open-source intelligence, your [inaudible] out there, anything you can gather from the Twitterverse to different blogs that individuals are posting. And then you, obviously, you have your paid sources that every company uses across the world. And then I think the key source in all this, number five, and these aren't in any specific order, is like your individual intelligence, you know, other cybersecurity threat hunters across different vendors and past lives and things like that, these networking connections you make that you can share information with, trusted sources that you can share information back with, and, you know, help you build out a case and help you try to solve and -- to either solve or disprove your own hypothesis.

Mark Urban: All right, so those are five sources. Can you give me an example of, you said, first-party data? Is that like, you know, your own internal data sets or what's first-party data? Give us a couple examples.

Michael Gardner: Yeah, absolutely. So first-party data is especially going to be something that's important to an asset owner-operator. You know, we at Dragos have our own types of first-party data that Kyle may hunt in. He can talk about some of that if he wants. But from an asset owner-operator perspective, these are your logs. So essentially, all of your network data that you collect, all your host data that you have, your incident data too. Which is actually, you know, an important part of data for threat hunting is understanding what's happened to the organization historically. Information on what, you know, an adversary may consider open source, but information around your staffing and your employees and the people that may be targeted at your organization. All of that's kind of that first-party data. And really, it's the most essential when we're talking about threat hunting. It's the most important thing for an asset owner-operator. Make sure that they have good collection and a good handle around sourcing that data so that they can carry out a fruitful hunt.

Mark Urban: So five sources, that is kind of a starting point. Where do you go from there?

Kyle O'Meara: Then you just start digging. You start digging into, you know, you start, you know, trying to figure out, you know, what kind of data you can extrapolate from those sources to help go after your hypothesis. So, you know, whether it's, you have different types of telemetry, whether that's domains or IP addresses. You have past events from, like Michael said, incident response events that you've seen, you know, whether your company's done it or other people have posted about from the, you know, open source. You have, man, you have your paid sources that you can leverage and look for those IOCs in. You have, you know, you have your, you know, friends and, like I said, in low places or high places that you share data with. But hey, I'm seeing this type of thing. Are you all seeing this type of thing? Do you have anything you can share on this? You know, we want to report this to our customers. Happy to keep it at this, you know, Traffic Light Protocol, TLP level. So it's like kind of, you know, going back and forth. And, you know, you start pivoting. You start, you know, filtering. You start looking for these nuances. And then you start developing clusters, threat clusters, that you think might be targeting, in our case, targeting an ICS entity or an OT environment. And then you start distilling down there. Do I have something that might be bigger? Do I have a new threat group? Or do I just have a little bit of a cluster I have? And then, from there, you write that intelligence down. And in our case, you know, we produce that intelligence for our customers. Sometimes you might not write a report right away because you're still trying to prove that hypothesis. Or you might have disproved it, but you still have a threat cluster. So it's kind of like a, it's a revolving door, you know. You have to make sure you don't get in that analysis paralysis, you know, type approach. You have to know when done is done and when good is good enough.
And I like to always, when I used to teach back in the day, I used to tell my students like, "Perfect is the enemy of good," right? So I forget who said that. That's not my quote.

Mark Urban: So, two questions that come out of that. What does a threat cluster look like? I mean, you're saying it's kind of an abstract. Give us an example of that. That's kind of the first question. Then second, if you start with the hypothesis and you prove or disprove it, but you have some data that you -- is it an iterative process? Then do you formulate kind of a new hypothesis based on some of your observations and try to dig in and refine that or? So two questions. First, what is a threat? You know, help us understand a little bit more than the ethereal, what a threat cluster is. And then the second, how does that iterate?

Kyle O'Meara: Yeah, I'll take the first part. Michael, you take the second part. Like a threat cluster, I mean, is a group of activity. That activity could be any type of IOC you might have. You might even just have sort of something in the news that you're looking into. You might have something you discovered in your own network. So it's a -- it's an incident, you know, that you don't have a full understanding of what's going on yet. You don't have the full story complete.

Mark Urban: Is that like a network access from, you know, an unknown IP address, or, I mean, just kind of give it an example of --

Kyle O'Meara: Yeah, so I might just have a known C2 of an adversary group, a threat group that's targeting an OT entity. That might be all I have. And then I start looking at, you know, different types of data to determine, are they targeting other OT entities? Are they targeting, you know, a wide variety of different entities? Oh, they're targeting different OT entities. Okay. I'm going to label this as like a small cluster now while I investigate why they might be targeting, what are the other -- what are these victims, potential victims? You know, were there any compromises? I might pivot to the victim side and look at, did they target specific services on, you know, were there a bunch of similar services, vulnerable services that might be exposed to the internet from these industrial entities, and start going down that path. So you have like this subset of data that might be complete, but you still have some questions you need to answer before you can kind of label it as complete.

Mark Urban: Cool. And then, and how does that, then, how does that iterate?

Michael Gardner: One thing that comes into play here when we're talking about forming hypotheses, you know, there's various models that you can use to kind of track threats. And when we're talking about like an intrusion cluster, like Kyle was, one thing specifically that comes to mind is the diamond model of intrusion analysis, which we use a lot here at Dragos. It's pretty commonly used throughout kind of the overall CTI industry if you will. And it's starting to assess, you know, the various capacities of a specific actor. So when you're looking at intrusion sets, you start to identify overlap as you map that out on various diamond models, right? So like Kyle was describing, you might see similar victimology. You might see similar C2 infrastructure like Kyle was mentioning. There might be specific TTPs or various capabilities that the actor is employing in their campaigns. And you start to kind of form an adversary as you move down those lines. So from an asset owner-operator perspective, it's taking a look at those intrusion clusters that align to your specific threat surface. So one of the most important things there is looking at victimology. If you're an electric company in North America, and there's a new group that maybe hasn't been named yet, maybe it's one that Dragos has named, maybe it's one that another intelligence provider has named, and you see that they're targeting, you know, medium to large sized electric companies in North America, that's where you can start to form a hypothesis. So there is a likely chance that that actor would target an organization like yours. So you start to take a look at what capabilities that adversary has been employing. 
If there's specific tool sets that they've been leveraging, if there's a specific tactic for initial access that they've been employing, if there's, you know, stage two capabilities that they employ as far as the ICS Cyber Kill Chain is concerned, as far as actually deploying capabilities within an OT environment, you start to frame all of those out, develop hypotheses that are specific answerable questions, and then hunt in your data sets along those lines to try and prove them.

Mark Urban: Gentlemen, Michael, Kyle, much appreciated. Like I said, this is a very rich topic. I'm Mark Urban with Michael Gardner and Kyle O'Meara from Dragos on the Learning Lab. Thanks very much.

[ Music ]

Dave Bittner: And that's Control Loop, brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com. Sound design for the show is done by Elliott Peltzman, with mixing by Trey Hester. Our senior producer is Jennifer Ivan. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

[ Music ]