Will Stefan Roth

The Known-Unknown Matrix

The networked world harbors numerous cybersecurity threats - from common malware to complex, targeted attacks. To protect yourself effectively and minimize the risks, you need to understand the threats. A helpful tool that is still used far too rarely is the 'known-unknown matrix'.

The known-unknown matrix is a tool that originated in strategic corporate planning, where it is used for risk assessment. It categorizes challenges according to how much is known about them. The same matrix can be applied to OT and IoT cybersecurity to identify threats and develop suitable countermeasures. The matrix divides threats into four categories.

Known-Known

This includes threats about which the cybersecurity teams (should) have comprehensive information. The experts know how these threats work, their effects and how to combat them. One example is the Conficker worm.

The four squares of the known-unknown matrix. © Nozomi

This worm, which first appeared in 2008, quickly infected millions of Windows computers worldwide. Conficker exploits vulnerabilities in the Windows operating system to spread and gain control of infected systems. The effects range from data theft to the disruption of operational processes. Thanks to its high profile, effective countermeasures exist, such as regular security updates and the use of anti-virus software.

Known-Unknown

In this scenario, the experts know that these threats exist, but their exact impact is unknown. They depend on the specific infrastructure and architecture of the target system. The BlackEnergy attack is an example of this category.


In December 2015, a power grid in western Ukraine was attacked by the Russian hacker group Sandworm. Access to login information was exploited, which had a direct impact on the OT/ICS systems. The attack left around 225,000 residents without power for up to six hours. The response to BlackEnergy required extensive, distributed defense and staffing hours, as the exact impact could not be estimated in advance.

In this area, gathering threat intelligence on the TTPs (tactics, techniques and procedures) used by potential attackers in OT/IoT environments is particularly helpful. The more of this information is available, the better companies can stay one step ahead with their defense.

TTPs are used in cybersecurity to describe the patterns of activities or methods used by threat actors in attacks. Tactics are the overarching strategic objectives, techniques are the specific methods used, and procedures are the steps or processes followed to achieve those objectives. By analyzing TTPs, security experts gain valuable insights into the attackers' behavior and methods. However, static open source reference tools such as the ICS Advisory Project and MITRE ATT&CK for ICS are not sufficient to detect similar attacks.

Unknown-Known

These are previously undisclosed exploits that can have a significant impact on companies. Destructive wipers like NotPetya fall into this category. NotPetya emerged in 2017 and infected a large number of companies worldwide, including global giants Maersk and Merck. This wiper disguised itself as ransomware, but had no recovery function. Instead, it used the EternalBlue exploit and the Mimikatz credential-dumping tool to steal passwords from memory, gain remote access and execute destructive code. The damage caused by NotPetya amounted to around 10 billion US dollars.

Unknown-Unknown

This is the worst-case scenario. These threats are completely unknown and pose the greatest risk. INCONTROLLER, a set of attack tools that allows attackers to compromise specific vendor systems, is one example. Attackers have already shown that they can use it for sophisticated attacks on OT systems. INCONTROLLER could be used to gain initial access to an OT network, search specifically for vulnerable assets and take control of them. It would also be conceivable to manipulate device parameters, which could lead to serious disruptions to operational processes.

Intelligent detection techniques

Whatever threat a company is currently facing, it must use intelligent detection techniques to protect itself against all four forms. Different detection techniques are used depending on the category of threat.

  • Rule-based detection: This method identifies threats using unique patterns, so-called signatures. Signatures can be file hashes, IP addresses or domain names. When choosing a cybersecurity partner, companies should make sure that this partner has access to an extensive database of known vulnerabilities that can be used by security solutions - particularly intelligent sensors in the OT environment - to immediately detect a potential attack.
  • Behavior-based detection: This more complex method analyzes the behavior of a threat and looks for patterns and related actions. Heuristic rules or machine learning algorithms are used to detect anomalies such as unauthorized access, unusual traffic in form and/or quantity, and other anomalies. By using artificial intelligence, the defense systems continue to learn and thus improve the protection of the OT environment.
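The two approaches above, side by side in a small detection engine written for this article as an added illustration (not Nozomi code): a rule-based pass matches constructed file-hash, IP and domain indicators, and a behavior-based pass flags hosts whose Modbus write volume departs from a learned baseline. The log format, indicator values, hosts and baseline are all constructed for the example.

```python
from collections import Counter

# Constructed indicator set standing in for a vendor signature database.
SIGNATURES = {
    "hash": {"a1" * 32},                    # constructed, not a real file hash
    "ip": {"203.0.113.42"},                 # documentation range, constructed
    "domain": {"update.example.invalid"},   # constructed
}
MODBUS_WRITE_FCS = {"5", "6", "15", "16"}  # Modbus write function codes

def parse(line):
    """Parse a constructed 'key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def rule_based(event):
    """Signature match: return the matching indicator type, or None."""
    for ioc_type, field in (("hash", "hash"), ("ip", "dst"), ("domain", "domain")):
        if event.get(field) in SIGNATURES[ioc_type]:
            return ioc_type
    return None

def behavior_based(events, baseline, factor=3):
    """Flag sources whose Modbus write volume departs from the learned baseline."""
    writes = Counter(e["src"] for e in events if e.get("fc") in MODBUS_WRITE_FCS)
    alerts = {}
    for src, n in writes.items():
        expected = baseline.get(src)
        if expected is None:
            alerts[src] = "unknown host issuing writes"
        elif n > factor * expected:
            alerts[src] = f"write volume {n} exceeds {factor}x baseline {expected}"
    return alerts

def detect(lines, baseline):
    """Run both passes over raw log lines; return (signature hits, behavior alerts)."""
    events = [parse(line) for line in lines]
    sig_hits = [(e["src"], t) for e in events if (t := rule_based(e))]
    return sig_hits, behavior_based(events, baseline)

# Constructed sample: 10.0.0.5 is an engineering workstation that normally issues
# about 4 writes per window; 10.0.0.99 is an HMI that should never write.
BASELINE = {"10.0.0.5": 4}
SAMPLE = [
    "ts=1 src=10.0.0.5 dst=10.0.1.20 proto=modbus fc=6",
    "ts=2 src=10.0.0.5 dst=10.0.1.20 proto=modbus fc=3",
    "ts=3 src=10.0.0.99 dst=10.0.1.21 proto=modbus fc=16",
    "ts=4 src=10.0.0.7 dst=203.0.113.42 proto=tcp",
    "ts=5 src=10.0.0.5 dst=10.0.1.20 proto=smb hash=" + "a1" * 32,
] + [f"ts={i} src=10.0.0.5 dst=10.0.1.20 proto=modbus fc=6" for i in range(6, 20)]

if __name__ == "__main__":
    print(detect(SAMPLE, BASELINE))
```

The signature pass catches the two indicator matches immediately, while only the baseline comparison exposes the HMI that starts writing and the workstation whose write rate jumps, which is the kind of unknown-unknown the article says rules alone miss.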

Selection of protection mechanisms

The author: Will Stefan Roth is Vice President DACH, Eastern Europe and Baltic States at Nozomi Networks. © Nozomi

Regardless of the vendor, IT security professionals should ensure that solutions have an advanced detection engine designed for OT/IoT environments. This engine should be able to combine rule-based and behavior-based techniques to detect and limit the impact of threats. This allows all areas to be covered - from known-known to unknown-unknown - without overwhelming those responsible for security with false alarms. The known-unknown matrix and modern IT/OT security platforms provide companies with valuable tools to adapt to these challenges.
