Who: Nozomi Networks along with 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Schneider Electric, Tenable, and Waterfall Security.
What: An open-source community tool that will automatically compare shared OT/ICS data to identify statistically significant behaviors, anomalies, and indicators of new and novel attacks in real time.
Where: Github, with the potential to be hosted by any entity – nonprofit, government, security vendor, ISAC, etc. Multiple servers can be hosted and interoperable simultaneously.
When: Launched in April 2023, founding members are building the proof of concept before 2024. Participants can evaluate submission and notification APIs built on Github to understand how the tool anonymizes and aggregates information. The first server is under development.
Why: Created in response to CISA’s call for Shields Up and the Biden Administration’s 100 Day Sprint, with the goal of reducing timelines for responding to novel threats targeting operational technology and critical infrastructure.
Introducing ETHOS (Emerging THreat Open Sharing)
ETHOS is designed to share real-time information to develop early warning mechanisms for investigating anomalous behavior across a wide range of operational technology (OT) and industrial control systems (ICS) environments, rather than sharing data after alerting on known detections and malware signatures.
ETHOS automates the frequency analysis of novel threats and activity, and enables faster responses to new tactics, techniques, and procedures (TTPs) as they emerge. Benefits include reduced timelines for refining data to identify and classify new threats and prevention of more severe attack paths from successful exploitation.
Built for OT environments, any entity or security vendor may contribute to the project and host their own server to:
- Compare shared information,
- Contribute anonymized data, and
- Receive notifications of correlations.
Nozomi Networks has volunteered to host the first ETHOS server for beta testing and has already developed integration capabilities for machine-to-machine data sharing.
In the future, any company or government agency will be able to independently host an ETHOS server utilizing the open-source project. The host can allow selected participants and clients to connect and share information. To participate in an ETHOS server and receive notifications, an entity must also have an ETHOS client built with integration capabilities to send data.
Each ETHOS server will exclusively perform correlations of data shared by participating clients or integrated monitoring and detection tool. Each client will be provided a unique ID for the server and authentication will take place without identification of any vendor customer’s data. The notification of something to investigate will be sent directly back to end users, where the onus to perform deeper analysis and investigation based on ETHOS notifications lies with customers who have opted in to receive aggregate and correlated notifications from the server.
The Need for Proactive Information Sharing
From a US Government perspective, guidance documents are now on track for updates to capture OT/ICS. Several agencies are considering new ways to enable information sharing and produce warnings in and across sectors when they could be targeted or have newly discovered vulnerabilities in their systems.
However, any single source of information cannot inform an entire industry. If widely adopted, ETHOS can serve as a trusted third-party vehicle to provide early warning of impending attacks to critical infrastructure entities, based on many entities operating independently and sharing information anonymously.
There has been an increase in cyber incidents utilizing both IT and OT specific vectors and malware, both financially motivated and primed to cause physical disruption. The deterministic, purpose-built nature of cyber-physical systems and operations has so far ensured that no two attacks on OT/ICS are ever the same, meaning detections built in response to known attacks may never be adequate to thwart novel attacks.
The Shields Up initiative from CISA has its own backdrop of geopolitical tensions in a time where cyber capabilities and statecraft are contentious and contested. These dynamics have created a reality in which infrastructure seems to be outmanned, defense is often reactionary, and many industries feel like sitting ducks.
The ETHOS Community has built the necessary scaffolding for third-party, vendor neutral, real-time anonymized information sharing for any number of relevant critical infrastructure entities and stakeholders.
The ETHOS Vision
The STIX/TAXII server commonly used to share relevant threat intelligence today is designed to share available data when you already have the requisite information to share information, with updates entered and distributed at various intervals. It is not deployed as a beacon for immediate, real-time, sensitive information.
When paired with a security monitoring and detection tool like Nozomi Networks’, security teams opted into the ETHOS platform will receive immediate alerts of correlated frequency data of abnormal activities, events, or not yet recognized indicators of malicious or frivolous network activity.
For example, a large electric utility already deploying Nozomi Networks solutions for network monitoring, threat intelligence, and asset intelligence, might have an event that triggers an anomaly detection for its security team. If this event is detected at many locations across several deployed vendor technologies with no correlation, at-risk operations may not know to investigate for weeks or months.
Alternatively, if a dozen or more electric utilities with various vendor solutions all detect the same unknown IP address correlated at an ETHOS server, security teams can proactively investigate and take preventive measures, knowing the level of correlation for this IP address activity.
The ETHOS capability of comparing spurious activity and event frequency will allow participating end users to prioritize the most suspicious activity that is not associated with known signatures and detections – across a customer base, entire sector, or many sectors. ETHOS allows for investigation of the evidence that may foreshadow major security events.
Nozomi Networks Monitoring and Detection
ETHOS clients will be leveraging vendor technologies like the Nozomi Networks platform. Today, digital transformation and process automation are forcing a tighter integration between traditional OT/ICS devices and corporate networks, business applications and external organizations such as supply chain vendors, customers, partners, and even federal regulators. Many companies are looking to gain visibility into these previously unmonitored networks and environments.
The Nozomi Networks solution detects:
- Unauthorized or suspicious connections between OT assets and external networks, the internet, and new devices
- Unauthorized or suspicious connections between subnets within OT and IoT networks with IP and proprietary protocols
- Configuration changes to OT assets
- Tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK and ATT&CK for ICS frameworks
- The exposure and/or usage of ports, protocols, and services that are unnecessary, frivolous, or are otherwise unknown, suspicious, or unauthorized
- Abnormal OT actions and operations (based on timing, location, commands, etc.)
With an “assume breach mentality” the focus for security products must be on reducing the severity of potential impacts, not on responding to worst case scenarios only after they unfold.