Part 1: Understanding Intelligence-Based Detections
Did you just say “Intelligence-Based Detections in ICS Fail”? Well, that’s a heck of a title and jumps way into the weeds. What is intelligence? What are detections? If you’re reading this, you likely already know the answers to some of these questions and can skip down to the TL;DR. If not, here are some resources to help you dig deeper into those topics:
Comprehensive threat intelligence article from Recorded Future
Go down the rabbit hole of threat-detection
TL;DR – Summarizing Intelligence-Based Detections Resources
- Intelligence is the analysis of current and past activities that may inform future prevention or detection efforts.
- There are very few current and past activities in ICS
- Threat detections are the attempt to make those intelligence efforts a reality with your current data.
- Limited known activities overly specific to single targets make for weak detections
- Intelligence relies on first-party collection, analysis from experts, context from industry (impact), and knowledge of your environment to make actionable decisions.
- Little first-party collection in ICS, experts are limited but growing, context from industry is at least nuanced, knowledge to make it actionable is low
- Tactics, techniques, and procedures (TTPs) derived from threat actors via intelligence pave the way for capturing malicious actions.
- Besides initial attack vectors via the enterprise networks, the few ICS attack vector TTPs are still overly specific to the target, live off the land, or are so IT generic as to be useless for ICS (i.e., TeamViewer bad)
History and Basics of Detections
Summarizing a bit too much, detections and their technologies evolved from rules-based matching (if bad happens, then alert!) up to current with all of the magic of correlation and automation. Oversimplified diagram below:
And honestly, all was well in the world. But there was one problem. Much like detections’ out-of-state cousin antivirus, you were only as good as your signatures. This resulted in you being beholden to your vendor of choice and their rules for detection.
Luckily as technology evolved, so did our options. Open source tooling like Snort and Suricata started to standardize the format for rules-based detections. Groups like Proofpoint and Talos began publishing regular rules updates… and the indicator of compromise arms race began.
IOCs, Behaviors, Analytics, Oh My!
First, the basics:
Indicators of Compromise
Think of these as AV signatures, but for everything else. An IOC can be as simple as an IP address or a file hash that someone says is malicious or indicative of malicious activity. IOCs are a representation of PAST behaviors that are now identified with some context. IOC information is then converted into some form of detection rule, such as snort/yara/sigma.
Pros: IOC-based rules will 100% either fire, or not fire. These are great if you’re looking for something very specific, either in the past/present/future.
Cons: You won’t catch what you aren’t looking for. IOCs can be too specific, so much so that they miss any variation. Or they may be too broad and cause false positives and lower confidence.
Analytics, Behaviors, UEBA, ML/AI and the Rest
Some organizations may use the term analytics to differentiate how their detection rules work. Basically, this is taking some correlated or math-based view at one or many data streams for the purposes of finding badness. Imagine taking one element of an IOC (such as a file hash) along with one element of MATH (standard deviations from a norm) and maybe some context about the user or entity (device type). The idea here is to cast a wide enough net to catch badness while not restricting yourself to a single thread.
To overly summarize ML/AI, so far in security, it comes down to advanced stats (ML) or very complicated IF/THEN statements (AI). But that’s a blog for another day.
Pros: Good systems elevate actual threat activities from the noise floor of millions of snort rules firing.
Cons: Systems need a complex correlation of many data events and types. Correlation rules engines haven’t really worked as advertised (see: https://medium.com/anton-on-security/security-correlation-then-and-now-a-sad-truth-about-siem-fc5a1afb1001)
Here are some great resources in video form:
What are IOCs – TrendMicro
“Is SIEM Dead?” – Anton Chuvakin
What is Cyber Threat Intelligence? – MITRE
We’ve covered some of the basics and made a pretty bold claim. In my next blog, I’ll dig into why cyber threat intelligence isn’t as effective in ICS because of the environments we defend. (Some basics regarding those environments can be found in the ICS for Cyber Geeks blog series)