Control Loop: The OT Cybersecurity Podcast 4.17.24
Ep 48 | 4.17.24

Examining CIRCIA and VOLTZITE.


Dave Bittner: It's April 17th, 2024, and you're listening to "Control Loop". In today's OT Cybersecurity briefing, Chinese manufactured devices in US networks see a 41% year-over-year increase. Ukraine-linked hackers deploy ICS malware against Russian infrastructure companies. A look at cyberattacks that had physical consequences in 2023. Lessons from NERC's GridEx exercise. An extension's been requested for the comment period on CISA's Incident Reporting rule. Our guest is Kate Ledesma, Senior Director of Government Affairs at Dragos, talking about the Cybersecurity Incident Reporting for Critical Infrastructure proposed rule. The Learning Lab has Dragos's Mark Urban speaking with Josh Hanrahan, Principal Adversary Hunter at Dragos, in part two of their discussion on adversary hunting and VOLTZITE.

Dave Bittner: A report from 4scout found that the number of Chinese-manufactured devices in US networks has increased 41% year over year, despite official bans by the US government. The report says, "Critical infrastructure organizations are among those that use the highest number of such devices, and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year. One vertical of interest is the government, where Hikvision and Dahua cameras, despite being banned, remain connected to networks. Other devices, including Yealink voice-over IP phones, are also present in the thousands. The researchers note that vulnerable IP cameras often serve as initial access points to sensitive networks, and China-linked APTs have been known to exploit these devices in the past." Researchers at Claroty have published a report on Fuxnet, that's F-U-X-net, because of course it is, a strain of ICS malware deployed by Ukraine-linked hackers against Moskollector, a Moscow-based company that manages underground water and communications infrastructure. The hacking group, called Blackjack, posted online last week claiming to have damaged 87,000 remote sensors and IoT devices used by the Russian company. Claroty thinks this claim is exaggerated, but the malware does appear to have bricked at least 500 sensor gateways. The researchers note, "If the gateways were indeed damaged, the repairs could be extensive, given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed." Waterfall Security Solutions has published a report looking at cyberattacks on OT organizations in 2023, finding that 68 of these attacks had physical consequences. This represents a 19% increase compared to 2022. Most of these physical effects were consequences of IT-based attacks rather than direct exploitation of OT systems. 80% of these attacks involved ransomware, while 15% were launched by hacktivists. Half of the attacks impacted entities in the manufacturing sector, and the most expensive attacks caused hundreds of millions of dollars in damages. The researchers also observed an increase in the use of GPS jammers, noting, "Many industrial systems rely on GPS signals for more than just location information, where microsecond synchronized timing is crucial, such as the protective relaying critical to the reliability of the electrical grid and of equipment in that grid. Operators of such systems are advised to evaluate the extent of their dependencies on such timing and positioning systems, and establish robust fail-safe operation modes when these systems are jammed or falsified." A report from NERC and the E-ISAC looks at lessons learned from the GridEX 7 exercise, a simulated targeting of North America's electrical grid with cyber and physical attacks. The exercise, which was conducted over two days in November 2023, involved participants from the electric sector and the government, and was followed by an in-person meeting between industry executives and government leaders from the United States and Canada. Recommendations from the report include increasing resilience for communication systems essential for operating the grid, preparing for recovery from complex and prolonged power outages, and increased coordination efforts between non-federal government partners and electric utilities. The US Chamber of Commerce and more than 20 industry groups have called for a month-long extension of the 60-day comment period for CISA's proposed Cyber Incident Reporting for Critical Infrastructure Act, The Record reports. The group said in a letter to CISA, "The proposed rule is extensive and intricate, reflecting the complexities inherent in addressing cybersecurity within critical infrastructure sectors. The NPRM spans nearly 500 pages. Consequently, its length and depth necessitate a comprehensive review process to ensure that all stakeholders fully understand its implications." The letter adds, "Given the potential impact of this rule affecting every critical infrastructure sector and possibly serving as a model and hub for other reporting requirements, this additional time is crucial. It will allow organizations to thoroughly evaluate the proposed requirements, identify potential challenges, and propose effective solutions that prioritize both security and operational continuity." [ Music ] I recently spoke with Kate Ledesma, Senior Director of Government Affairs at Dragos. We spoke about the Cybersecurity Incident Reporting for Critical Infrastructure proposed rule. Here's our conversation.

Kate Ledesma: First and foremost, the first thing that this represents is I think really the first attempt by both Congress and the federal government to really standardize across sectors cybersecurity standards and regulations. We have a patchwork of rules and regulations in place across different sectors, but this is really the first comprehensive rule passed into law. And now, with the proposed rule from CISA, you know, getting ready to be implemented. It does bring with it I think some challenges with some of the existing rules and regulations, but really this is the first comprehensive attempt at rulemaking across sectors.

Dave Bittner: Can we dig into some of the details here? I mean, what's are -- what's the scope of what this is trying to cover?

Kate Ledesma: Sure. I think, you know, first if we can go back to 2022, I want to start with the actual Cyber Incident Reporting Act for Critical Infrastructure. So, like I said, the first comprehensive attempt at standardizing, you know, reporting for cyber incidents across sectors. And this month obviously CISA released the proposed rule to implement it, which included the reporting requirements. And while the final rule is 18 months away, industry and the public is, you know, starting to digest the content of the draft rule. And I think there are some note where there are observations, and then some ways that organizations can start preparing for the final rule to take effect. But I think, you know, first and foremost, it's federal law. And so while CISA is tasked with building out and executing the rule and the reporting requirements, many things have already been outlined in the act. That includes things like reporting a covered cyber incident to CISA within 72 hours, determining the incident has occurred. And then also reporting to CISA any ransomware payments within 24 hours. And, you know, here I think is a really important thing, providing CISA with supplemental information when it becomes available as the incident unfolds. So we're really talking about reporting requirements across the lifecycle of an incident with this rule.

Dave Bittner: And what is the mechanism for enforcement here?

Kate Ledesma: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 does also give CISA subpoena power and other enforcement tools, including things like issuing requests for information. And those are the primary mechanisms, you know, embedded within the Act in 2022 for enforcement for CISA.

Dave Bittner: And that's new, right? I mean, my understanding is up till now, CISA really didn't have that kind of enforcement mandate.

Kate Ledesma: That is new. And I think this is something that agencies, including CISA and industry and Congress, have been grappling with for a while is what is appropriate for CISA to have for enforcement purposes within this, you know, the scope of the mandate of the agency, within its existing authorities? What new authorities did it need, and how CISA is going to handle, you know, its role as the cyber risk manager for the nation, you know, still maintaining that relationship with industry. And so I think that's where they arrived. The subpoena power and authority, which CISA has been asking for I think, you know, since almost the inception of the agency. And then also for, you know, those additional enforcement tools, like the request for information. So moving more from the voluntary side of information sharing to, you know, playing more of an enforcement role, but still not, you know, a full-fledged regulatory regime there.

Dave Bittner: And in general, what has industry's been response to this proposed rule?

Kate Ledesma: So, I think everyone from government and industry alike agrees that there needs to be harmonization. There need to be baseline cybersecurity standards and rules. So, I think if we're looking at rules and regulations for the purpose of security, for reducing risk, for providing insight back to industry and owners and operators, I think there's largely agreement with expanding cyber regulations and standards for -- for critical infrastructure owners and operators. Where I think there's still some discussion to be had is in the overlapping nature of some of the regulations that are in place. You know, especially when you think about some of the critical infrastructure sectors that have very well established standards such as electricity. When you think about the new incident reporting requirements and new SEC regulations that took effect last year for organizations, some sectors and some organizations are covered by multiple reporting requirements and other regulatory frameworks. And so the regulatory harmonization task that the White House is undertaking is really important here, because what we want to do is make sure that any new regulations don't impose additional compliance burden solely for the sake of compliance, that they actually do produce security outcomes, risk reduction outcomes, and do help owners, operators of critical infrastructure to secure their assets. And we want to make sure that any existing regulatory requirements are slowly over time harmonized so that, again, organizations aren't spending precious security dollars on things that are simply compliance, but they're able to spend those dollars on things that are really helping to reduce risk. And then to provide CISA and other government agencies with information that helps those agencies in turn provide information back out to industry to help other organizations identify risks early on, take mitigation measures, or simply look at, you know, have a better picture of sector risk overall so that we can reduce sector-wide risk as a national security and safety imperative as well.

Dave Bittner: Can you give me a sense of when you look at the different sectors, you know, for example, you know, you and your colleagues at Dragos work with folks, you know, lots of different industries. Are there particular sectors that are better equipped, better prepared to embrace something like this versus other sectors that maybe have a little more work to do?

Kate Ledesma: I think there are, and I think you can look at it through several different lenses. So, first there are some sectors that, like I mentioned before, have very well established standards, standard bodies, and, you know, cybersecurity rules and processes. For example, the electricity sector has, you know, NERC standards. They're used to doing this, they have governance, processes, and procedures in place to be able to identify a cybersecurity incident. They have requirements and they have, you know, experience in doing so. So when you look at it from those who have already -- they're used to having to do this type of thing, having to report incidents. When you look at other sectors like the water sector, for example, that is a much more decentralized sector. There are many, many small water organizations across the country. They're regulated also at, you know, the state and local as well as federal levels. But those requirements aren't exactly the same. They aren't as well developed yet in that sector for cybersecurity as they are in, for example, the electricity sector. So when you look at it from that perspective, there are differences. You can also look at it from a pure resourcing perspective. There are some industries that are -- just don't have the resources that others do. Unfortunately, the water sector is one that falls into that category as well. They're fighting for every dollar for both safety and security to maintain, you know, just providing water to the local communities. And they need additional resources directly to be able to add cybersecurity protections, and even to have staff to be able to handle something like cybersecurity reporting requirements. I think there's one additional perspective to look at. Some of those organizations, the larger, you know, investor-owned utilities, manufacturing companies, that sort of thing, the chemical facilities, they're already covered by a couple of different regulatory frameworks. And so for them, they're -- they're used to doing this. They have the tools and processes in place. But I think what we're finding now is that some of the regulatory requirements don't line up. So, when the timelines don't line up for reporting covered cyber incidents, when it's reporting to multiple agencies that don't have information-sharing agreements, I think that's where we can see that those organizations, you know, having to adopt yet another reporting requirement is going to increase the compliance burden on those organizations. And so again, where the federal government, where the White House, where CISA can coordinate to harmonize some of these requirements, it will really allow our critical infrastructure owners and operators to focus on security outcomes, and not just simply compliance outcomes.

Dave Bittner: You know, I'm curious from your point of view, with your level of expertise with this, my perception with CISA has been that so far their approach, their tone has been very collaborative. And so I'm curious if, first of all if my perception is accurate there, but then their ability to have subpoena power here, could we see that by necessity become a little more adversarial, or is a collaborative tone something that they'll be able to continue with?

Kate Ledesma: I think they will be able to continue with the collaborative tone, and in fact I think that is what CISA -- what Director Easterly, you know, want. They want to maintain that collaborative relationship with industry. And you can look at, you know, a couple of different things that they've done in the past few years. So, you know, beginning with the JCDC and starting to build out that framework to continue to work with industry, knowing that industry can't do it alone and government can't do it alone. Cybersecurity, I think more than ever, is a public-private partnership by necessity. I think when the Cyber Incident Reporting for Critical Infrastructure Act was passed and CISA, you know, was tasked formally with developing these rules to take effect, you know, late next year, 2025, they set out to do listening sessions across the country with critical infrastructure owners and operators, with cybersecurity service providers who will be, you know, helping with some of these things, with trade associations, with communities. So, they got that feedback up front as well in developing this rule, I think. And so, you know, obviously now through the comment period on this proposed rule continues to be collaborative. What I hope is that CISA will receive all of the feedback from industry and then do some additional listening sessions, or, you know, work through some of the comments they receive, again, with industry. I do think they want to maintain that collaborative relationship, because, you know, that's why the agency was founded, was to work with industry and not just task industry or oversee industry. But really, I think they like to say, Hey, be the closest thing to industry in the federal government. And so I do see that continuing.

Dave Bittner: What are your recommendations, you know, for -- for folks who are listening to our conversation here to make sure that their points of view are heard? Do you encourage them to be a part of this commenting process?

Kate Ledesma: Absolutely. I think, you know, looking at the proposed rule, I think there are a couple of ways that organizations can prepare. So, first is to participate in the comment process for the rule. Operators know their systems and their requirements best, and the rules need to be informed by that, just as every other regulatory framework. And so the best way to do that is to get, you know, operators in industry to participate in this process and with CISA as they receive these comments and refine -- refine the rules. As I said, CISA has conducted listening sessions, so continue to engage there whenever they, you know, open that engagement with industry. I think the other thing to get, you know, to start preparing for these new rules is to make sure that they're ready with the right information and tools. So, you know, organizations are going to need things like metrics, logs, visibility into all of their systems, including, you know, operational technology and industrial control systems, to be able to comply with some of these requirements. So, making sure that your team, your organization has those, has the visibility, has the monitoring capabilities, the logs, the information, ahead of time is something else that you can start doing now to prepare for when the rule is finalized, you know, and becomes effective. And I think there's one more, you know, thing that organizations can be doing, and that's really using the content of the proposed rule to review and update governance processes and playbooks. Even as the rule isn't final yet, start exercising with the new reporting requirements. Incorporate that into your tabletops and other exercises you're doing, not only to see how you do, but to identify, you know, challenges that might be more broad across your sector or other sectors that other organizations might face as well, and actually implementing these new reporting requirements. And give that feedback to CISA so they can take that into account as they finalize the rule. And it also includes establishing clear goals and responsibilities from across your operating teams, your comms team, your legal teams, your security teams, and your executive teams and boards. Not just the CISA and the CSO, but really engaging at those executive levels as well, you know, as this rule, you know, begins to take effect along with, you know, all of the other reporting requirements that are sector-specific or from the SEC or a part of another regulatory framework.

Dave Bittner: Can you provide some clarification in terms of defining what a reportable incident entails?

Kate Ledesma: Yeah, sure. So, you know, both the act passed in 2022 and the Cyber Incident Reporting for Critical Infrastructure proposed rule seek to define what is called a substantial cyber incident, or essentially what incident or, you know, ransomware attack is considered reportable under the rules. And so they, you know, basically define that, you know, in this rule as something that produces a substantial loss or a serious impact or disruption to systems. And I want to point out that does include operational technology or OT systems as well. And there are, I think, a couple of lines in the proposed rule that really define that a little bit further. And, of course, they're open for comment. I think this is really important for owners and operators to kind of take a look at. So it's defined as a substantial loss of confidentiality, integrity, or availability of an information system or a network, serious impact on safety or resilience of operational systems and processes, the disruption of ability to engage in industrial operations, and even something like unauthorized access. So unauthorized access alone is enough to define a substantial cyber incident, according to the proposed goal.

Dave Bittner: That's Kate Ledesma, Senior Director of Government Affairs at Dragos. [ Music ] On our learning lab, Dragos's Mark Urban speaks with Josh Hanrahan, Principal Adversary Hunter at Dragos. This is part two of their discussion on adversary hunting and VOLTZITE. [ Music ]

Mark Urban: We're going to look at a specific threat activity group, VOLTZITE, sometimes known as Volt Typhoon. And Josh Hanrahan is leading us through the discussion. That it's some interesting insights into that world. I'm here with Josh Hanrahan, who is one of the Adversary Hunters at Dragos. Welcome, Josh.

Josh Hanrahan: Hey.

Mark Urban: Let's turn to a recent -- kind of a recent group that's been on the map. It was in the Dragos Year in Review, and that's VOLTZITE. You're the adversary hunter who focused on VOLTZITE. Tell us a little bit about that group and why -- why it has an impact in industrial.

Josh Hanrahan: Yeah, sure. So yeah, VOLTZITE is one of the groups I kind of look after. We've been tracking them for a long time, I'd say almost -- almost 12 months now. I think the public kind of got the real first decent information about VOLTZITE from a Microsoft and CISA press release back in May of 2023. It was probably the first time it was kind of out -- thrown out into the public realm and there was kind of the details and kind of what they were doing. But I think at that point in time, it wasn't really fully understood what was really going on, apart from it was bad. And then I think subsequent kind of releases in, like, June, July by other vendors as well, kind of pivoting off -- pivoting off kind of -- kind of what was going on and piecing together all the puzzles up until, you know, late 2023 and early 2024 when there's been, you know, more updates from CISA and others on kind of the growing threat of VOLTZITE, I guess. So yeah, a quick background on them is that they are a persistent threat group focused on living off the land. They are predominantly interested in the electric sector and a few other critical infrastructure sectors, as well as government, and defense, industrial base, etc. We really track VOLTZITE as opposed to Volt Typhoon, so we assess that VOLTZITE is essentially the ICS-focused portion of Volt Typhoon activities. Volt Typhoon isn't exclusively interested in ICS, but as, you know, in line with, you know, key fundamental CTI principles, you can never say one group is mapped to another's interpretation of the same group, because you have differing data sources, different analysis techniques. You can never be assured that your analysts are making the same conclusions from the same data sets, because you aren't. As much as, like, you know, a Bible on unified threat group mappings is, you know, would be ideal for defenders, realistically, every definition of every different group from every different vendor are talking about different things. Is there, you know, physical groups, like, are they physical, you know, foreign intelligence organizations running multiple of these threat groups? Yes. Are we going to spend the time to figure out what that is as an industry, or should we? No, I don't believe so, because it's a waste of time. At the end of the day, it's all about mapping and tracking TTPs. So really, getting back on track, VOLTZITE generally likes to do kind of, like, low and slow reconnaissance and information gathering from typically IP addresses within the country of their targets. Now, that's not kind of like a one-size-fits-all. Like, their activity is absolutely widespread. I don't think we're anywhere near the bottom of how far their kind of operations have spread over, you know, the last recent period. I think, you know, within, you know, government and stuff there's probably a clearer picture, but within the private sector and in the public, I don't think the full picture is kind of there, just because the matureness of their operations is quite -- quite good, to be honest. They really do like going under the radar, and the way that they do things every step of the way is actually quite -- he's going to get past a lot -- a lot of defenses or a lot of detection mechanisms that a lot of organizations would have in place. But they typically tend to long-term kind of scan and enumerate a target's -- a target's infrastructure for a long period of time. Whenever they decide the tipping point is to try and actively get in, they generally go off to VPN nodes, like corporate VPN nodes, like SSL VPN or whatever kind of common VPN solutions that organizations use for employees to, you know, or contractors, whatever, to come into their -- their IT network. Generally, they exploit zero days or kind of like n + 1 days I guess, like, so zero days are dropped and patched and then public exploits are put up and then they're using them before organizations have, you know, that time window before they kind of patch stuff. So that's normally how they get in. They normally -- there's a few different ways they kind of traverse inwards, but essentially their key focus is on obtaining legitimate credentials, replaying those to pivot throughout the IT network, to then enumerate and look for wherever kind of like the OT hopping point is. Generally, they -- the trend that I've seen is that they like to exfiltrate a lot of data, but they do it in kind of like a slow methodical way. It's staged, it's, like, zipped up. They take it back out through their entry point most times. Sometimes they don't. They're not exhibiting a whole lot of malware. In some cases they kind of were, or kind of, like, questionable tools and less so malware, but using a lot of living off land techniques. So using kind of native Windows tooling that would be expected to be seen on a device in a certain way. So, it's really hard to kind of drill down and find that activity from kind of, like, basic detection mechanisms. And they like to take data about OT kind of processes within an OT system and kind of -- so I'm talking about, like, you know, documents, how certain things are configured, operating procedures, etc. We haven't yet seen them within, like, really within an OT network. We've seen them very close to or adjacent to or, you know, on devices that are kind of -- can touch parts of an OT network. But, like, if we're talking, like, you know, really inside an OT network, like some of the other adversaries we kind of track, we haven't seen that yet. So we kind of do assess them as being a stage one group, but the caveat is, is that they are well-resourced, they are well-funded, and they more than likely have the capability of an ICS-disruptive, you know, tool at their disposal. But again, as with, you know, Ukraine 2015 and 2016, and, you know, ELECTRUM and KAMACITE, and we're talking about crash override and that type of stuff, etc. This type of activity, seen a lot with VOLTZITE, was going on for a little bit before, you know, an ICS-disruptive capability was dropped. Because at the end of the day, like, that's -- that's the crown jewels of their tools. If they're an ICS-focused group and they are going after, you know, ICS disruption, they're not going to drop their tools they've been building for six or seven years straightaway. They're going to use it when they need to use it and want to use it. Which is why VOLTZITE is concerning, because looking at the victimology, they seem to be pre-positioning themselves for something, but it's the targets they're choosing that is concerning. It's not everyone that looks like ICS. It's very strategically placed targets on different, you know, different critical pillars of corners of society, of, you know, functions that need to be, you know, operating at absolute kind of emergency mode within, you know, a disruptive event.

Mark Urban: Yeah, but -- yeah, and you're talking about, so we wrote up a little bit about this case that you were involved with at Dragos, about a water and electric utility in the United States. To your point, which you can comment more on, it showed that they stayed in stage one, which is, again, not crossing into the OT, you know, environment, but manipulating or showing capability to get there and, you know, exfiltrating data from the GIS server. And we'll post a link to that. So, you're saying that they're subtle, right? Not easy to catch? They hang around at the door. They do some things to indicate they could go in the door any time they want. And, you know, those doors are not something that we want them to get through. Is that a fair sort of --

Josh Hanrahan: Yeah. 100%. 100%. Yeah.

Mark Urban: So, like, you know, my next question, well, have we seen this in real life? And we just -- we just answered that one. What, you know, if you are somebody who, you know, is in one of those organizations, what are the best things that, you know, you can do?

Josh Hanrahan: Yeah. So, I think it's really kind of, as I said, kind of like focusing on the TTPs of this adversary. Traditional detection methods will not work. Like, the infrastructure that they come from, there isn't, like -- I mean, there is, like, an amount of, you know, VOLTZITE-controlled infrastructure that is what we would call their operational relay boxes. So, you know, the orbs, as we call them, like, where traditional adversary tradecraft kind of comes from. So, they're doing stuff on these machines and they're normally directly interacting with the victim's organization. VOLTZITE, and to, you know, to my point, a lot of other more advanced adversaries in the last, you know, five to ten years have set up their tradecraft where, you know, they can put in front of them a string of proxies essentially. And not proxies in the technical word, but a proxy as in, like, a middleman or an intermediary. So VOLTZITE did that with what was, you know, publicly disclosed as the KB botnet, effectively, which was -- there was some good work out there by Black Lotus Lumen and the FBI in, you know, identifying that, and then the FBI later kind of taking that down by patching devices. Effectively, small office and home office, like, home router devices and modem devices sitting out there on the net, people aren't patching because they don't even know it's a thing. And they're effectively going in there with corrupted -- corrupted firmware or whatever, like, a malicious firmware, and they're kind of flashing these devices from a distance, and then using those to enroll into their own botnet. And then in a series of kind of like cross-communications back, through, like, three or four layers of these devices, getting back to their operational relay boxes. So from an external perimeter, if you're looking at, you know, traffic coming into, you know, your VPN gateways or your other external infrastructure as an ICS organization, you're not going to see anything that's kind of jumping out as that weird, essentially. It is kind of hiding within the noise. So it gets really hard to kind of, like, you know, when you have, like, an absolute mammoth amount of traffic, and then a lot of that is kind of like just generic web scanning as well, just from different things on the internet, malicious and non-malicious, just scanning everything in existence. It's very hard to kind of pinpoint that kind of ingress point. So then moving further in, I guess my advice would be to stay on top of patching for, you know, your corporate IT network and VPN devices. Stay, you know, stay ahead in what's happening in the intel space in that game. Listen to your vendors in terms of, you know, patching turnaround and if they're saying it's critical, then, you know, try and really within, you know, the best time window that you can that doesn't have a, you know, drastic impact on your core business operations to get those devices patched. And then from there, it really becomes having a strong cybersecurity maturity program that can look at, you know, detection methods of living off the land techniques being utilized and monitoring, you know, key points. If you know you have certain, you know, certain entry points into your OT network, you know, provide -- provide the business case and justification and get that through your change advisory boards or whatever to try and get extended monitoring on those devices. Try and, you know, come up with hunting ideas, even if it's just, you know, introduce your -- your security operations team, if you have one, to focus on those assets and really identify what your kind of core assets are. Threat modeling and crown jewels analysis can be big wins here as well. So, mapping out what are, for crown jewels analysis, what are the, you know, what are the systems within your network or what are the functions or workflows that keep you doing what it is you're designed to do. Whether that's, you know, refining, you know, materials or whether that's, you know, running an electricity grid, figure out what those things are, and then overlapping that with threat modeling. So, mapping your threats, mapping what, like, where would they be traversing, like, what would they be after if this was -- this certain group or an actor with this type of intent, what would they be coming for? And in VOLTZITE's case, that is, you know, essentially OT operations, you know, information. So where does that reside? Do you have a bunch of process diagrams and system information and, you know, system restart procedures for your OT network sitting on a file server in your IT network? Stuff like that. Do you have credentials for the OT network? Like, are you not segregating, you know, different sets of credentials for the IT network and the OT network? Are all your OT network user credentials sitting on your corporate IT domain controller? Because that is pretty much the first place that VOLTZITE goes once they get in. They credential replays from varying different amounts of methods to get to the domain controller and to dump the NTDS database and then take that database offline to do password cracking. And then come back in, sometimes via a service account or a third-party account, or they're analyzing the type of people you have in your Active Directory and the profiles that are assigned to them in terms of, like, what is going to cause the least amount of detection. Like, you know, an IT engineer or an OT engineer coming in with a bunch of, you know, permission groups attached, but you know, actually might have just cause to be moving all around the network. I guess not someone from, like, HR or legal, you know, going and looking at data historians or something, because that might flag a few -- flag a few rules, right? So yeah, I guess in summary, looking into your different choke points, like, looking at network monitoring, host monitoring, wherever you can on your VPN endpoints.

Mark Urban: Lock that -- lock that front door, right? If you've got an externally facing router, no vulnerabilities, tighten that stuff up, right? Thing number one, right?

Josh Hanrahan: Yeah, yeah. I think in this case, though, it's a little bit more complicated because if we're talking traditional, you know, ICS devices that probably shouldn't be out on the net or other IT devices that shouldn't be on the net that provide an ingress point to the network, it's like, Yeah, okay, patch it, take it off the internet, it doesn't need to be there, find out a better way. But the fact that they're going after, you know, VPN points were absolutely crucial for remote employees we're seeing, you know, since the start of COVID, where people were, you know, working from home more and companies having to adapt to that. And a lot of these devices were, you know, even companies that have that kind of more traditional 9 to 5, Monday to Friday in the office kind of mindset. Like, we're just talking to vendors and just be like, We want to do this and just slap something in. And then no one's looked at it for a few years. They forget that it's even there, which is what makes it tricky. Because it's like, Well, you still need that for a justified business purpose. But it's the same reason that, you know, a lot of our kind of vulnerability and patching a device for OT devices isn't just patch everything, because it's not -- it's not feasible. Like, it's -- you need to come up with a justified level of -- level of risk that is being accepted and matching that to the vulnerabilities and the patches that are coming out, and then marrying that up with your critical business operations. You can't just keep bringing stuff down outside of agreed maintenance windows that may have, you know, service impacts that then roll onto legal and monetary impacts. Because, you know, as a systems provider for maybe a certain legislation, whether it's a, you know, a gas pipeline or electric grids or whatever, like, you can't just bring down critical infrastructure repeatedly because a vendor has to patch every week. Like, it's just not acceptable. So again, same type of decision-making. Looking at from a risk to business operations side, looking at the security side, and the likelihood of an adversary using this, matched with the criticality of the exploit and the vulnerability, and finding out what works for your organization. I think applying that similar approach to, like, VPN gateways is -- probably makes sense.

Mark Urban: And this is the challenge, Josh, because there are highly advanced adversaries out there. And the -- you made the point before, you know, there's the highly advanced adversaries, there's also just the run-of-the-mill ransomware gangs, and they target critical infrastructure because they're the lowest barrier. They're the -- it's the last, you know, it's the last frontier of cyber security. Like, how the heck, sorry, just swallowed an f-bomb, how the heck did we get here where our water and electric is the least protected thing? And that's -- that's what pisses us off at Dragos, is, like, that that is the case. And -- but the challenge is, and I can see it, I just asked you, What can you do? And you talked for a while about a lot of meaty things. And I think that's a challenge a lot of times with security professionals that are in that place. Where do I start? And that's -- all the -- all the advice you gave was sound, and can sometimes be daunting. And that's why, you know, we recommend, you know, we go back up to the SANS 5 critical controls, which is, and you can look it up, we'll make a link there. Because you have to have a starting place to kind of view, you know, these types of very complex threats in the context of an underprotected and very complex environment. And that's I think what we're recognizing, that there is no simple, easy answer. There is a lot of potential complexity, but there are places to start, right? And start with the SANS 5 critical controls. Understand, you know, understand your -- the core processes you're trying to protect. Understand that mitigation is always a trade-off with business, and you have to find, you know, you have to walk that line in order to do it effectively. Is that a fair summary of, you know, of the analysis you were talking about?

Josh Hanrahan: Yeah, yeah, 100%.

Mark Urban: It's a scary damn world, and we appreciate you, you know, looking out for all of us, you know, looking for the adversaries out there, understanding how they approach, who they're approaching, how they're targeting, you know, and, you know, doing that good work to, you know, to be able to put in the hands of people who, you know, can take it to the next level. Josh Hanrahan, thank you very much.

Josh Hanrahan: Awesome, thank you for your time.

Dave Bittner: That's Dragos's Josh Hanrahan and Mark Urban. [ Music ] And that's "Control Loop", brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Montserrat Thomason. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.