Intelligent CISO Issue 50 | Page 53

– with 70 % of their malicious activity targeting manufacturing .
The marked uptick in ransomware attacks is largely attributed to the emerging Ransomware-as-a-Service ( RaaS ) phenomena . Ransomware groups like Conti and Lockbit 2.0 have mobilised into an underground marketplace where developers outsource operations to affiliate who executes the attacks .
How does Dragos support OT defenders to be able to mitigate the physical consequences of OT cyberattacks ?
Dragos works with the community to help vendors provide more accurate , actionable and easier-to-track advisories . In 2021 , we significantly enhanced the vulnerability management features offered to customers through the Dragos Platform .
We assess vulnerabilities in our WorldView Intelligence reports in the Dragos Platform and categorise them by threat levels : Immediate Action ; Limited Threat ; Possible Threat ; No Action ; and Hype . Dragos also recommends four different responses to those threats : Remediate ; Mitigate ; Monitor ; or Ignore .
Talk us through Dragos ’ Crown Jewel Analysis ( CJA ) Model – how does this help organisations ?
Dragos uses a consequence-driven approach , the Crown Jewel Analysis ( CJA ) Model 9 when scoping and conducting OT cybersecurity assessments . The CJA Model is a repeatable scoping approach that helps visualise how an attacker assesses a system to achieve a specific consequence . Using CJA and credible threat intelligence , Dragos creates plausible attack scenarios to educate asset owners and operators on their potential exposure to adversaries and threat groups and to better prioritise the findings and recommendations in our reports .
What five recommendations would you offer CISOs to be better protected against these threats ?
1 . Build a more defensible architecture ( external connections , poor perimeters ) 70 % of Dragos Professional Services engagements found external connections from OEMs , IT networks , or the Internet to the OT network , and 77 % of engagements found improper network segmentation . To reduce cyber risk , network architects can leverage traditional tools and concepts such as strong segmentation , firewalls , or software-defined networks . This can take various forms , such as IEC62443 zones and conduits , DMZs , jumphosts , etc .
2 . Bolster OT monitoring capabilities 86 % of service engagements included a finding around lack of visibility across OT networks , making detections , triage and response incredibly difficult at scale . Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture . Threat detection from monitoring allows for scaling and automation for large and complex networks . Additionally , monitoring can also identify vulnerabilities easily for action .
3 . Strengthen remote access authentication A total of 44 % of service engagements included a finding of shared credentials in OT systems , the most common method of lateral movement and privilege escalation . Multi-Factor Authentication ( MFA ) is the most effective control for remote access authentication . Where MFA is not possible , consider alternate controls such as jumphosts with focused monitoring . The focus should be placed on connections in and out of the OT network and not on connections inside the network .
4 . Prioritise OT vulnerability management The number of known ICS / OT vulnerabilities doubled in 2021 . Still , only 4 % of flaws require immediate action because they are being actively exploited in the wild or for which a public exploit is available . Dragos recommends defenders prioritise those that bridge IT and OT over those residing deep within the ICS / OT network or those that fall into the ‘ Remediate ’ category in Dragos ’ vulnerability analysis .
5 . Develop , implement and continually improve the ICS / OT Incident Response plan Tabletop Exercise ( TTX ) testing of existing ICS / OT Incident Response ( IR ) plans in 2021 showed that most organisations faced at least some challenges in five out of seven core IR capabilities . Dragos recommends that industrial organisations have a dedicated IR plan for their ICS / OT environments that they regularly exercise against real threat scenarios with cross-disciplinary teams ( IT , OT , executives , etc .) u www . intelligentciso . com