Nexus Podcast: Dan Gunter on Threat Hunting in Industrial Control Systems

Asset owners in critical infrastructure—particularly those industries targeted by nation-state adversaries—should consider adding threat hunting to their defensive arsenals. Resourced adversaries are adept at studying targets; they know your technology, your assets, your people, and the data you rely on. Any defensive gaps are ripe for the picking for such an adversary. 

In this episode of the Nexus podcast, Insane Forensics CEO and founder Dan Gunter discusses threat hunting in industrial control systems and OT networks. He cautions that critical infrastructure operators need to understand their defensive posture, have as complete an asset inventory as possible, and close any gaps by adding predictability to find threats faster. 

“Threat hunting is a human-driven process looking for those threats capable of bypassing defenses,” Gunter said. “If an attacker understands your gaps and can use an attack technique targeting that gap, they might take that chance.”

The challenge with defending industrial control systems starts with visibility. Too often asset inventories are incomplete, and rarely accurate. The nature of critical infrastructure and especially securing technology in remote operations are harsh challenges. This complicates not only asset inventory completeness, but also patching and updating. 

In this discussion, Gunter shares threat hunting approaches that he believes are helpful and have been successful with users. He also advocates for the use of Shodan as a threat hunting tool for ICS. The popular search engine scans the internet for connected devices, and provides context to devices, for example, that are exposed to the internet and vulnerable to particular exploits. Numerous filters can be used to pull data from Shodan to help with threat hunting. 

“The immediate and easiest option is if you know your IP addresses, you can set up alerting in Shodan and track IP addresses and even domains. You can set that domain up and it will tell you as new IP addresses are added,” Gunter said. “Using Shodan as another data source or early warning system of knowing something is changing in the environment is certainly something at play."

Shodan is also useful for users who may not know all their specific IP ranges. Creatively using Shodan’s query language, users can query it to reveal IP addresses through the SSL certificates use to sign those assets. Users can also track whether their SSL signing key has been stolen in this manner as well by tracking whether their certs have been used to sign anything outside their domain. Shodan’s vulnerability tracking can also be useful in threat hunting by correlating known CVEs to known connected assets. 

Gunter also covers how Shodan can help understand existing trust relationships to the OT network and where there may be vulnerabilities or security gaps that could put organizations at risk.