Detecting OT Cybersecurity Threats Using the Known-Unknown Matrix

Detecting OT Cybersecurity Threats Using the Known-Unknown Matrix

From commodity malware to nuisance worms to sophisticated, targeted attacks, organizations need to protect themselves by reducing exposure to cybersecurity threats. Threats can range from something well-known and understood that somehow lingers on the network to a novel attack targeting control system functionality, intended to cause real-world harm.  

A useful tool for understanding and knowing how to detect cybersecurity threats, including OT cybersecurity threats, is the Known-Unknown Matrix.

What Is the Known-Unknown Matrix?

If you’ve ever seen or participated in corporate strategic planning, you’ve probably come across the Known-Unknown Matrix. Also called the Uncertainty Matrix, it’s a simple yet powerful risk assessment tool designed to aid decision-making by sorting challenges based on what is known and unknown about them.

Known Unknown Matrix
The Four Quadrants of the Known-Unknown Matrix

This matrix is also ideal for categorizing distinct types of OT and IoT cybersecurity threats to ensure you have the right techniques to detect them and minimize their risk as early as possible. These categories also distinguish the importance of detecting threats in one of two ways: with rule-based or behavior-based techniques:

  • Rule-based detection is efficient for detecting threats where the indicators are easily observable and identifiable as a potential match. It identifies threats based on unique patterns — signatures — of predefined attributes, such as file hashes, IP addresses and domain names. These attributes can be extracted from suspected threat activity and compared to a database of known threats with the same signature.  
  • Behavior-based detection is more sophisticated. It observes and analyzes how a threat, action or activity behaves and interacts with the network, looking for patterns and related actions or events. It uses heuristic rules or machine learning algorithms that can identify things like unauthorized access, file modifications or other anomalies.  

Known Known: Commodity Malware - Conficker

Conficker (CVE-2008-4250) has earned the moniker “the worm that won’t die.” After emerging in 2008, this worm quickly infected some nine million Windows computers worldwide. It still infects tens of thousands of legacy, unpatched Windows systems a year – including over 200 ICS endpoints in 2020 according to the Cybersecurity and Infrastructure Security Agency (CISA).  

In terms of the Known-Unknown Matrix, we know everything there is to know about a Conficker. We know what it is, how it behaves and how to mitigate it. If we encounter it in any environment, we can swiftly address it.  

Nozomi Networks manages an extensive database of known vulnerabilities that impact OT/IoT networks, collected by our own security research team as well as research bodies around the globe. Using rules-based detection to compare your environment to this database, our sensors can identify vulnerabilities and threats in your OT/IoT network immediately.  

Known Unknown: Credential Access Exploitation - BlackEnergy  

Known unknowns are the risks you know exist, but you don’t know exactly what they are. One example is the now-notorious BlackEnergy event. In December 2015, a power grid in Western Ukraine was attacked by the Russian hacking group Sandworm where credential access exploitation allowed for direct OT/ICS impacts. The attack left some 225,000 residents without power for up to six hours.  

Whereas credential access exploitation is a known threat, its unknown impacts depend on the infrastructure and architecture of targeted systems and operations. Responding to BlackEnergy required extensive, distributed mitigation and personnel hours.  

With known unknowns, the more threat intelligence you have about the TTPs being used by potential adversaries in OT/IoT environments, the better you’re able to stay one step ahead with your defenses. Static, open-source reference tools like the ICS Advisory Project and MITRE ATT&CK for ICS are insufficient for detecting similar attacks.  

The Nozomi Networks Threat Intelligence feed provides aggregated threat research and analysis as well as detailed information on threat indicators including Yara rules, packet rules, STIX indicators, threat definitions, a threat knowledgebase and vulnerability signatures. Our sensors and platform are continuously updated with the latest emerging malware and indicators of compromise specific to industrial processes and IoT devices.  

Unknown Known: Destructive Wipers - NotPetya

Destructive wipers are a perfect example of an unknown known, designed to disrupt and degrade environments using unforeseen capabilities. In 2017 the destructive wiper NotPetya infected more than 80 companies worldwide, including global giants Maersk and Merck. Zero-day exploits such as NotPetya are unknown knowns, as they represent previously undisclosed exploits that are known to have outsized impacts on target organizations and systems.  

NotPetya, which masqueraded as a ransomware but had no recovery capability, combined the use of the EternalBlue and Mimikatz exploits to hijack stored passwords from RAM, gain remote access and execute code without requiring human interaction. If that weren’t enough, it was also able to jump from system to system to find credentials, authenticate and deploy the wiper, and ultimately caused more than $10 billion in total damage.

Behavior-based detection informed by asset intelligence is essential for zero-day exploits. These threats capitalize on vulnerabilities that are not yet known to researchers, software vendors or the public, making them particularly menacing. Nozomi Asset Intelligence leverages AI, machine learning and our massive database of systems and configuration data for OT and IoT devices to detect anomalies, including zero days. Alerts point analysts to suspicious events and activities that deviate from the understood baseline operations for these devices.  

Unknown Unknown: Hijacking Native Functionality - INCONTROLLER

INCONTROLLER is a set of customized attack tools (Tagrun, CodeCall, Omshell) that enable cyber actors to conduct highly automated exploits against specific vendor systems. A threat actor could use INCONTROLLER to establish initial access in an OT network and then scan for, compromise and control these assets, perhaps by modifying device parameters. This example presents evidence that OT attackers are gaining deep knowledge of critical infrastructure environments and how to disrupt them, with potentially disastrous effects.

The worst-case scenario for a cyber defender is an unknown unknown: a threat that presents the most uncertainty and therefore risk.

The one very good piece of news is that INCONTROLLER has never been exploited in the wild. Thankfully, before it could be used, U.S. federal agencies working with Mandiant released a joint Cybersecurity Advisory warning that an advanced persistent threat (APT) actor had exhibited this capability. Cybersecurity vendors (including Nozomi Networks) quickly incorporated details about the sophisticated toolkit into their detection capabilities to ensure customers were covered.  

Similar to how we power our asset intelligence, the Nozomi Networks platform uses AI for process variable monitoring and anomaly detection. It learns process behavior over time to help eliminate false alerts and provide deeper insight into process trends. Instead of just producing traditional anomaly detection metrics of network traffic, it creates trendlines of process variables and control system data. This enables you to identify potential process issues and expand root cause analysis.

Detecting Known and Unknown OT Threats with the Nozomi Networks Platform

Using the Known-Unknown Matrix as a tool for understanding various cybersecurity threats is a novel and somewhat useful approach. But most anomalies, whether security or operational, must be detected continuously and prioritized for attention using a variety of techniques.  

The Nozomi Networks platform has the most sophisticated detection engine available for OT/IoT environments. It combines rule-based and behavior-based techniques to detect and limit the impact of every threat in your environment, from known knowns to unknown unknowns — without overwhelming analysts and operators with alerts and false positives.  

A diagram of a threat intelligenceDescription automatically generated
Nozomi Networks Threat Intelligence Feed


To see Nozomi Networks’ holistic threat detection capabilities in action, request a demo or join our next monthly demo session.