The Radiflow Security Blog

Using Threat Intelligence (TI)-Based Breach Simulations to Create an Efficient ICS Cyber-Strategy

By Yehonatan Kfir, CTO, Radiflow LTD

If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content. 

In this blog series, we will present Radiflow’s breach simulation algorithm. We will describe the inputs used by the algorithm, and we will show its output and discuss its benefit and limitations. We will also describe Radiflow’s approach toward the challenge raised in a previous post by Rani Kehat, Radiflow’s VP BizDev: “Is Your Cyber Risk Analysis based on Empirical Data? (It Should Be)”.

Introduction

Aligning corporate business strategy with cybersecurity strategy is essential for ensuring companies’ productivity and business continuity. Companies who fail to devise and execute an efficient strategic cyber defense plan greatly increase their vulnerability to cyber attacks and probability for loss. In that manner, industrial networks are no different than any other network.

To help companies shape a strategic cybersecurity plan, organizations such as NIST, ISA and CSA have developed methodologies for helping organizations better understand and improve their management of cybersecurity risk.

Imitating an attacker’s behavior

The first step in these methodologies is identifying network vulnerabilities. This is done by imitating an attacker’s behavior – looking for the same “holes” in the network that a hacker would look for. Organizations often use actual (ethical) hackers to perform active penetration testing for detecting security flaws in the network.

In order to properly imitate an attacker, organizations and security experts continuously collect intelligence on attackers’ behaviors and activity. Threat intelligence data is gathered by specialized organizations that track attackers’ motivations, the tools they use, the internet servers they own and more. Analysis of the TI data allows security personnel to properly define pen-testing test cases to imitate each attacker’s activity and to ensure that the protected network has sufficient defenses in place.

The combination of threat intelligence and an aligned penetration testing plan provides a strong mechanism for identifying network weaknesses. However, while active penetration testing is absolutely necessary for completing the TI-based identification phase, it is considered dangerous – the risk of accidental damage during testing may actually be higher than that of an actual attack (accounting for the low frequency of real-world attacks).

TI-based vulnerability detection

As an alternative to active penetration testing, Radiflow proposes a threat intelligence-based breach simulation method for OT networks. This method consists of two stages:

  1. Constructing a highly accurate network model, including all devices, security products, software, protocols used, ports, connections and other properties, as well as known threats
  2. Simulating each attacker’s activities within the network model, based on their known capabilities and activity patterns

Radiflow’s breach simulation algorithm uses three main inputs:

  • The digital image (model) of the OT network
  • Currently-deployed security controls (as self-reported by the user)
  • The adversaries and threats typical to the network’s sector and locale

Execution of the algorithm includes several steps:

  1. First, the algorithm simulates all of the attacker’s possible moves, iteratively simulating the attack “moving” between devices. At the end of this phase, each device in the network is assigned a base score for compromise likelihood.
  2. Next, the algorithm evaluates the likelihood of targeting the client network, with respect to other possible networks from the same region and sector as the client’s. At the end of the second phase the algorithm re-evaluates the base compromise likelihood value, and outputs the actual device compromise likelihood value.

Scenario-based evaluation

Often, risk managers are required to evaluate the likelihood of a specific scenario, e.g. the likelihood of loss of productivity due to a cyber incident. For such cases we have developed a scenario-based risk evaluator. This algorithm uses the device compromise likelihood, accounting for the scenario’s unique attributes, to estimate the likelihood of the scenario to materialize.

Since the core of our algorithm is based on TI, we will continue in the next post with some background on threat-intelligence.

TI-based breach simulations into OT networks provide an efficient & safe alternative to active penetration testing, which is considered a high-risk method of identifying network vulnerabilities.