Blog
/
/
March 25, 2021

SANS ICS Security Summit 2021 recap: Industry on the move

This blog provides a concise overview of the key points from SANS Summit 2021. Knowing ‘self’ both defends against the growing tide of external threats and allows organizations to gain visibility into new vulnerable areas as ICS evolves.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
David Masson
VP, Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
25
Mar 2021

Shining a light into the murky world of industrial cyber security — where major incidents can be kept hush, and information is often not made publicly available — the SANS Institute held its 16th annual ICS Security Summit in March. With virtual events across APAC, EMEA, and the US, the round-the-clock summit stressed the importance of having good visibility and a strong understanding of industrial networks for anomaly detection and incident response. Speakers at the event also emphasized how automation can be used in industrial security to address budget restraints and skill shortages.

The summit also detailed the direction of developments in both industrial technologies and the surrounding threat landscape, including the adoption of cloud technologies for Industrial Control Systems, the broadening scope of threat actors, and the inherent limitations of patching and vulnerability management.

In addition to framing the key points of the summit, this blog will hone in on the program’s most salient points: namely, how building an in-depth understanding of ‘self’ for an ICS ecosystem can help fend off the rising tide of threat actors, and at the same time allow organizations to embrace new technologies in the face of their associated risks. Ultimately, by ‘knowing thyself,’ organizations will be able to simultaneously fight external threats, and also gain visibility into new areas of vulnerability that arise inside an organization as it evolves its industrial environment.

SANS Summit 2021: An overview

The following provides a high-level overview of the major topics discussed throughout the SANS summit:

Attacker TTPs

Threat Trend: MITRE ATT&CK for ICS provides details of known attack tradecraft.

Industry Challenge: There has been a historic lack of sharing lessons learned within the community.

Recommendation: Understand attack TTPs and align your defences with those techniques.

Industry Trend: MITRE ATT&CK for ICS offers a big step forward for the community to learn from previous attacks.

Visibility

Threat Trend: The SolarWinds attack has emphasized the vulnerability of ICS e.g. exploiting SNMP communications in BMS.

Industry Challenge: The absence of logging and event management has hindered SolarWinds investigations in CNI.

Recommendation: Use active network monitoring for log generation, and increase network and host visibility.

Industry Trend: The SolarWinds attack has emphasized the importance of CNI cyber security to the Biden administration.

Test your defenses

Threat Trend: Common TTPs — misuse of valid accounts, abuse of remote services, phishing/spear phishing.

Industry Challenge: Vulnerability tracking is not adequate to defend ICS networks — vulnerability reporting is far from comprehensive, and attackers are exploiting legitimate tools to gain access.

Recommendation: Test your defenses and your defenders using lab environments, external pentests, and adversary simulations.

Industry Trend: Pentesting of ICS environments is being performed remotely as a result of lockdown restrictions.

Know thyself

Threat Trend: The barrier to hacking ICS is lowering — threat actors are expanding, from nation states to cyber-criminals e.g. EKANS.

Industry Challenge: OT security teams suffer from a skills shortage and tight budgets.

Recommendation: Make use of the defender’s home turf advantages — defense-in-depth, learn ‘normal’ network behavior, gain visibility over internal comms.

Industry Trend: Digital solutions, such as cloud and virtualization, are being used to solve many ICS challenges.

New solutions bring new risks

Threat Trend: Third-party risks, such as OEMs and remote access points, are being exploited to gain direct access into ICS environments.

Industry Challenge: New digital solutions bring new challenges — supply chain risk, IT/OT convergence, compliance obligations, vendor lock-in.

Recommendation: If you can’t see the network, you can’t defend the network — improve visibility, identify crown jewels, boost incident response capability, and validate network segmentation.

Industry Trend: Renewable Energy industry is a big adopter of innovative ICS solutions, such as cloud, remote management, and ICSaaS. The decision to migrate to these solutions increasingly seems to be when, not if.

‘Know thyself’: Learning ‘self’ to identify emerging threats

A wide variety of threat actors are making their debut in the global ICS threat landscape. First, new state-sponsored advanced persistant threat groups (APTs) are targeting industrial ecosystems every year. 2020 also saw the addition of organized crime groups targeting ICS with new ransomware strains such as EKANS.

Accordingly, cyber-attacks on industrial systems are no longer the sole domain of nation states. With ransomware-as-a-service becoming increasingly available on the Dark Web, the barrier of entry for attacking critical infrastructure and manufacturing is demonstrably lowering. In light of this, experts at the SANS conference recommend gaining a detailed understanding of your network and making use of the defender’s home advantage with defence-in-depth.

With attacks growing in scale and sophistication, there is a growing recognition that defenses that sit at the border of organizations and attempt to keep threats out are no longer enough. Organizations must move to a model that assumes a breach, and adopt technologies that can identify cyber-threats once they are inside. This can only be achieved with a real-time, granular understanding of ‘normal’ behavior for every device and controller.

By learning, from scratch, the normal ‘pattern of life’ for all devices, users, and peer groups across industrial networks, Darktrace’s Industrial Immune System builds a sense of self for everything seen in an ICS ecosystem, as well as the digital environment as a whole. In this way, Darktrace allows organizations to ‘know thyself’ to a unparalleled degree, building a dynamic understanding of normal rather than relying on static baselines.

New solutions bring new risks

Throughout the summit, speakers discussed how they have used digital solutions such as cloud and virtualization to solve problems and cut costs. In particular, the renewable energy sector is a big adopter of cloud solutions, or “ICS as a Service” (ICSaaS). A wind farm in California, for example, might be remotely controlled by engineers on the east coast, or a vendor might maintain and run equipment for a hydroelectric plant in Latin America from their European headquarters.

As customers move to adopt these kinds of digital solutions — and with these decisions typically being made at board-level, rather than by the engineers — it seems more a question of when, not if, we see wider adoption of these technologies in the ICS community.

As OT converges with IT in the cloud, so do their associated risks. These new risks create headwinds to change, but some sectors are still adopting these new solutions and making big savings. Unified visibility across IT, OT, and the cloud have thus become a necessity for organizations seeking to accelerate digital transformation while also managing the risks of digitization and of their increasingly dynamic workforces.

A changing landscape

In the face of a new era of cyber-threats, the focus for OT specialists should not be on reactive measures, but embracing new self-learning technologies that develop an evolving understanding of ‘normal’ across industrial systems, the corporate network, cloud environments, and beyond.

By adapting to changes in the digital infrastructure, AI-powered defenses can detect and respond to zero-day threats, while alleviating the burden of security teams by automating much of the manual processes required in post-incident investigation. And by unifying insights across a range of different technologies, organizations can benefit from an enterprise-wide approach to security rather than relying on siloed defenses that lack the context for accurate decision-making.

In this age of advanced cyber-criminal rings and state-sponsored attacks, critical infrastructure and other industrial environments are now the focal point for cyber espionage and intrusions seeking to disrupt operations. The SANS ICS Security Summit reminds us of the need for defenders to face this new landscape with new and adaptive technologies that can disrupt the early signs of a threat, whether known or unknown.

Thanks to Darktrace analyst Oakley Cox for his insights.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
David Masson
VP, Field CISO

More in this series

No items found.

Blog

/

/

May 8, 2025

Anomaly-based threat hunting: Darktrace's approach in action

person working on laptopDefault blog imageDefault blog image

What is threat hunting?

Threat hunting in cybersecurity involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated security solutions. It is an important component of a strong cybersecurity posture.

There are several frameworks that Darktrace analysts use to guide how threat hunting is carried out, some of which are:

  • MITRE Attack
  • Tactics, Techniques, Procedures (TTPs)
  • Diamond Model for Intrusion Analysis
  • Adversary, Infrastructure, Victims, Capabilities
  • Threat Hunt Model – Six Steps
  • Purpose, Scope, Equip, Plan, Execute, Feedback
  • Pyramid of Pain

These frameworks are important in baselining how to run a threat hunt. There are also a combination of different methods that allow defenders diversity– regardless of whether it is a proactive or reactive threat hunt. Some of these are:

  • Hypothesis-based threat hunting
  • Analytics-driven threat hunting
  • Automated/machine learning hunting
  • Indicator of Compromise (IoC) hunting
  • Victim-based threat hunting

Threat hunting with Darktrace

At its core, Darktrace relies on anomaly-based detection methods. It combines various machine learning types that allows it to characterize what constitutes ‘normal’, based on the analysis of many different measures of a device or actor’s behavior. Those types of learning are then curated into what are called models.

Darktrace models leverage anomaly detection and integrate outputs from Darktrace Deep Packet Inspection, telemetry inputs, and additional modules, creating tailored activity detection.

This dynamic understanding allows Darktrace to identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign.  On top of machine learning models for detection, there is also the ability to change and create models showcasing the tool’s diversity. The Model Editor allows security teams to specify values, priorities, thresholds, and actions they want to detect. That means a team can create custom detection models based on specific use cases or business requirements. Teams can also increase the priority of existing detections based on their own risk assessments to their environment.

This level of dexterity is particularly useful when conducting a threat hunt. As described above, and in previous ‘Inside the SOC’ blogs such a threat hunt can be on a specific threat actor, specific sector, or a  hypothesis-based threat hunt combined with ‘experimenting’ with some of Darktrace’s models.

Conducting a threat hunt in the energy sector with experimental models

In Darktrace’s recent Threat Research report “AI & Cybersecurity: The state of cyber in UK and US energy sectors” Darktrace’s Threat Research team crafted hypothesis-driven threat hunts, building experimental models and investigating existing models to test them and detect malicious activity across Darktrace customers in the energy sector.

For one of the hunts, which hypothesised utilization of PerfectData software and multi-factor authentication (MFA) bypass to compromise user accounts and destruct data, an experimental model was created to detect a Software-as-a-Service (SaaS) user performing activity relating to 'PerfectData Software’, known to allow a threat actor to exfiltrate whole mailboxes as a PST file. Experimental model alerts caused by this anomalous activity were analyzed, in conjunction with existing SaaS and email-related models that would indicate a multi-stage attack in line with the hypothesis.

Whilst hunting, Darktrace researchers found multiple model alerts for this experimental model associated with PerfectData software usage, within energy sector customers, including an oil and gas investment company, as well as other sectors. Upon further investigation, it was also found that in June 2024, a malicious actor had targeted a renewable energy infrastructure provider via a PerfectData Software attack and demonstrated intent to conduct an Operational Technology (OT) attack.

The actor logged into Azure AD from a rare US IP address. They then granted Consent to ‘eM Client’ from the same IP. Shortly after, the actor granted ‘AddServicePrincipal’ via Azure to PerfectData Software. Two days later, the actor created a  new email rule from a London IP to move emails to an RSS Feed Folder, stop processing rules, and mark emails as read. They then accessed mail items in the “\Sent” folder from a malicious IP belonging to anonymization network,  Private Internet Access Virtual Private Network (PIA VPN) [1]. The actor then conducted mass email deletions, deleting multiple instances of emails with subject “[Name] shared "[Company Name] Proposal" With You” from the  “\Sent folder”. The emails’ subject suggests the email likely contains a link to file storage for phishing purposes. The mass deletion likely represented an attempt to obfuscate a potential outbound phishing email campaign.

The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.
Figure 1: The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.

A month later, the same user was observed downloading mass mLog CSV files related to proprietary and Operational Technology information. In September, three months after the initial attack, another mass download of operational files occurred by this actor, pertaining to operating instructions and measurements, The observed patience and specific file downloads seemingly demonstrated an intent to conduct or research possible OT attack vectors. An attack on OT could have significant impacts including operational downtime, reputational damage, and harm to everyday operations. Darktrace alerted the impacted customer once findings were verified, and subsequent actions were taken by the internal security team to prevent further malicious activity.

Conclusion

Harnessing the power of different tools in a security stack is a key element to cyber defense. The above hypothesis-based threat hunt and custom demonstrated intent to conduct an experimental model creation demonstrates different threat hunting approaches, how Darktrace’s approach can be operationalized, and that proactive threat hunting can be a valuable complement to traditional security controls and is essential for organizations facing increasingly complex threat landscapes.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO at Darktrace) and Zoe Tilsiter (EMEA Consultancy Lead)

References

  1. https://spur.us/context/191.96.106.219

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

May 6, 2025

Combatting the Top Three Sources of Risk in the Cloud

woman working on laptopDefault blog imageDefault blog image

With cloud computing, organizations are storing data like intellectual property, trade secrets, Personally Identifiable Information (PII), proprietary code and statistics, and other sensitive information in the cloud. If this data were to be accessed by malicious actors, it could incur financial loss, reputational damage, legal liabilities, and business disruption.

Last year data breaches in solely public cloud deployments were the most expensive type of data breach, with an average of $5.17 million USD, a 13.1% increase from the year before.

So, as cloud usage continues to grow, the teams in charge of protecting these deployments must understand the associated cybersecurity risks.

What are cloud risks?

Cloud threats come in many forms, with one of the key types consisting of cloud risks. These arise from challenges in implementing and maintaining cloud infrastructure, which can expose the organization to potential damage, loss, and attacks.

There are three major types of cloud risks:

1. Misconfigurations

As organizations struggle with complex cloud environments, misconfiguration is one of the leading causes of cloud security incidents. These risks occur when cloud settings leave gaps between cloud security solutions and expose data and services to unauthorized access. If discovered by a threat actor, a misconfiguration can be exploited to allow infiltration, lateral movement, escalation, and damage.

With the scale and dynamism of cloud infrastructure and the complexity of hybrid and multi-cloud deployments, security teams face a major challenge in exerting the required visibility and control to identify misconfigurations before they are exploited.

Common causes of misconfiguration come from skill shortages, outdated practices, and manual workflows. For example, potential misconfigurations can occur around firewall zones, isolated file systems, and mount systems, which all require specialized skill to set up and diligent monitoring to maintain

2. Identity and Access Management (IAM) failures

IAM has only increased in importance with the rise of cloud computing and remote working. It allows security teams to control which users can and cannot access sensitive data, applications, and other resources.

Cybersecurity professionals ranked IAM skills as the second most important security skill to have, just behind general cloud and application security.

There are four parts to IAM: authentication, authorization, administration, and auditing and reporting. Within these, there are a lot of subcomponents as well, including but not limited to Single Sign-On (SSO), Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC).

Security teams are faced with the challenge of allowing enough access for employees, contractors, vendors, and partners to complete their jobs while restricting enough to maintain security. They may struggle to track what users are doing across the cloud, apps, and on-premises servers.

When IAM is misconfigured, it increases the attack surface and can leave accounts with access to resources they do not need to perform their intended roles. This type of risk creates the possibility for threat actors or compromised accounts to gain access to sensitive company data and escalate privileges in cloud environments. It can also allow malicious insiders and users who accidentally violate data protection regulations to cause greater damage.

3. Cross-domain threats

The complexity of hybrid and cloud environments can be exploited by attacks that cross multiple domains, such as traditional network environments, identity systems, SaaS platforms, and cloud environments. These attacks are difficult to detect and mitigate, especially when a security posture is siloed or fragmented.  

Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.  

Challenges in securing against cross-domain threats often come from a lack of unified visibility. If a security team does not have unified visibility across the organization’s domains, gaps between various infrastructures and the teams that manage them can leave organizations vulnerable.

Adopting AI cybersecurity tools to reduce cloud risk

For security teams to defend against misconfigurations, IAM failures, and insecure APIs, they require a combination of enhanced visibility into cloud assets and architectures, better automation, and more advanced analytics. These capabilities can be achieved with AI-powered cybersecurity tools.

Such tools use AI and automation to help teams maintain a clear view of all their assets and activities and consistently enforce security policies.

Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that makes cloud security accessible to all security teams and SOCs by using AI to identify and correct misconfigurations and other cloud risks in public, hybrid, and multi-cloud environments.

It provides real-time, dynamic architectural modeling, which gives SecOps and DevOps teams a unified view of cloud infrastructures to enhance collaboration and reveal possible misconfigurations and other cloud risks. It continuously evaluates architecture changes and monitors real-time activity, providing audit-ready traceability and proactive risk management.

Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.
Figure 1: Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.

Darktrace / CLOUD also offers attack path modeling for the cloud. It can identify exposed assets and highlight internal attack paths to get a dynamic view of the riskiest paths across cloud environments, network environments, and between – enabling security teams to prioritize based on unique business risk and address gaps to prevent future attacks.  

Darktrace’s Self-Learning AI ensures continuous cloud resilience, helping teams move from reactive to proactive defense.

[related-resource]

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI