Detecting Malware Before It Strikes

The Challenge

Detecting Malware on Your Network Before it Causes Damage

Advanced malware threats designed to disrupt industrial processes typically go through lengthy infection, reconnaissance and lateral movement phases before executing their final ICS or SCADA attack.

One example is the TRITON malware that went beyond previous industrial cyberattacks to interact directly with a petrochemical plant’s Safety Instrumented System (SIS). The attack began with penetration of the IT network, then moved to the OT network via systems accessible to both environments. There, it infected the SIS system’s engineering workstation.

The attack reprogrammed the facility’s SIS controllers, causing them to enter a failed state, which fortunately resulted in an automatic shutdown of the industrial process. Although TRITON failed to deliver its ultimate goal, a malicious OT payload, malware left unchecked can cause unpredictable and dangerous operational disruption.

The Solution

Automated Monitoring of the Industrial Network to Identify Operational Anomalies

An important part of neutralizing threats before disruption occurs involves early warning across all three phases of attack.

Nozomi Networks uses a hybrid approach to detect malware at each attack phase. This includes behavior-based anomaly detection and multiple types of signature and rules-based detection.

The solution alerts you to early-stage infection and reconnaissance and provides information that helps you take action before a final attack occurs.

  • In Phase 1, anomaly detection identifies malware beaconing out to an external Command and Control (C&C) server through its connections to a new public IP address. Then, using YARA rules, the built-in analysis toolkit immediately identifies specific files associated with the malware. Assertions can also be used to detect data and events in network traffic that indicate the malware is present at a particular site.
  • In Phase 2, the malware prepares for attack by learning about its environment. During this phase, the solution’s anomaly detection identifies new commands in the host network and generates alerts that include the command sources. Even if the malware uses standard industrial protocols to communicate, its messages deviate from the system’s baseline behavior, allowing them to be singled out.
  • In Phase 3, if an attack occurs, it is quickly identified and an alert is sent. This enables you to implement new firewall rules or take other action to stop further attack commands.
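As an added illustration of the baseline-driven detection described for Phases 1 and 2 (example code written for this page, not Nozomi Networks’ own; the flow records, the plant subnet in PLANT_NETS and the beaconing thresholds are constructed):

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical plant address space; any destination outside it is "external".
PLANT_NETS = [ip_network("10.1.0.0/16")]
# Constructed records: (timestamp_s, src, dst, protocol, command).
# The baseline window is the learned normal traffic of the plant.
BASELINE = [
    (0, "10.1.1.10", "10.1.1.20", "modbus", "read_holding_registers"),
    (5, "10.1.1.10", "10.1.1.21", "modbus", "read_holding_registers"),
    (10, "10.1.1.11", "10.1.1.20", "s7comm", "read_var"),
    (15, "10.1.1.10", "10.1.2.5", "https", "GET"),
]
# Observation window: a workstation contacts a new external address every
# 60 s (Phase 1) and later issues a command never seen on the network (Phase 2).
OBSERVED = [
    (100, "10.1.1.10", "10.1.1.20", "modbus", "read_holding_registers"),
    (120, "10.1.1.11", "203.0.113.7", "https", "GET"),
    (180, "10.1.1.11", "203.0.113.7", "https", "GET"),
    (240, "10.1.1.11", "203.0.113.7", "https", "GET"),
    (250, "10.1.1.11", "10.1.1.20", "modbus", "write_single_register"),
]

def build_baseline(records):
    """Learn the normal (src, dst) peers and (protocol, command) pairs."""
    peers = {(s, d) for _, s, d, _, _ in records}
    commands = {(p, c) for _, _, _, p, c in records}
    return peers, commands

def is_external(addr):
    return not any(ip_address(addr) in net for net in PLANT_NETS)

def detect(records, baseline, min_beacons=3, jitter=0.2):
    """Alert on new external peers (beaconing if near-periodic) and new commands."""
    peers, commands = baseline
    alerts, contact_times = [], defaultdict(list)
    for ts, src, dst, proto, cmd in records:
        if (src, dst) not in peers and is_external(dst):
            contact_times[(src, dst)].append(ts)
        if (proto, cmd) not in commands:
            alerts.append(("phase2_new_command", src, f"{proto}/{cmd}"))
    for (src, dst), times in contact_times.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Beaconing: enough contacts whose spacing varies by at most `jitter`.
        periodic = (len(times) >= min_beacons and len(gaps) >= 2
                    and max(gaps) - min(gaps) <= jitter * sum(gaps) / len(gaps))
        kind = "phase1_beaconing" if periodic else "phase1_new_external_peer"
        alerts.append((kind, src, dst))
    return sorted(alerts)
```

A single contact with an unknown external address is reported as a new peer rather than beaconing, so the two alert kinds can be triaged with different urgency.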

Thanks to integration with multiple firewalls, the solution goes beyond detection to prevention: when irregular commands are detected, it automatically triggers firewall rules that block the attack.


The Nozomi Networks solution uses multiple techniques for comprehensive, real-time malware detection. It is effective at identifying early-stage advanced threats and generates alerts that help you remediate before damage occurs.

Stay Up-to-Date on Emerging Threats with OT ThreatFeed

The OT ThreatFeed subscription delivers up-to-date industrial threat intelligence to the Nozomi Networks Guardian solution, making it easy for you to detect threats and identify vulnerabilities in your environment.

When new information is received, Guardian rapidly checks your network for the presence of new malware and vulnerabilities. If a threat is found, you are immediately notified.
