CyberX Enhances Industrial Threat Intelligence with Automated Threat Extraction Platform

By Larry O'Brien

Industry Trends

CyberX, the IoT and industrial control system (ICS) security company, announced it has enhanced its specialized IoT/ICS threat intelligence capabilities with a new automated threat extraction platform that uses machine learning to identify malware and APT campaigns targeting industrial and critical infrastructure organizations.

Named Ganymede, the new platform is more scalable than traditional threat intelligence approaches that rely on human analysts and manual techniques.  And unlike traditional threat intelligence produced by IT security firms, Ganymede is unique in focusing on IoT/ICS/OT-specific threat intelligence for industrial and critical infrastructure organizations.  Ganymede also incorporates an IoT/ICS/OT-specific malware analysis sandbox.

Ganymede was designed to reduce the time required to identify, hunt, and eradicate destructive malware, such as LockerGoga, that has cost industrial organizations tens or hundreds of millions of dollars in lost production and cleanup.  

How it Works

Developed by Section 52, CyberX’s threat intelligence and security research team, Ganymede continuously ingests massive amounts of data from a range of open and closed sources to deliver robust, data-driven analysis.

Machine learning and statistical models are used to assign risk scores to specific entities, such as files.  The risk scores are calculated by machine learning trained on datasets consisting of hundreds of thousands of known good and bad samples.  Section 52 threat analysts are used in the final phase to review and correlate the results based on their field experience.

Additionally, suspicious executables are detonated in CyberX’s IoT/ICS Malware Sandbox.  Unique in the industry because of its focus on IoT/ICS-focused malware, the CyberX sandbox is a virtualized IoT/ICS environment that analyzes malware activity — using machine learning combined with static and dynamic analysis capabilities — to detect malware access to IoT/ICS-specific objects (processes, libraries, DLLs, ports, etc.).  The sandbox then generates a collection of IoCs and representative screenshots of the malware in operation.

Section 52 is composed of domain experts and data scientists who previously staffed a national military CERT defending against daily nation-state cyberattacks.  The team is also on-call to perform emergency incident response for clients that have experienced an IoT/ICS compromise.

Operationalizing Threat Intelligence

Actionable threat intelligence is delivered to CyberX clients in several forms, including:

  • Threat intelligence updates to CyberX’s network monitoring platform enrich the industrial cybersecurity platform’s built-in, patented IoT/ICS-aware behavioral analytics with the latest threat information.
  • IoCs provided with SNORT and Yara rules for enriching clients’ other security tools — such as SIEM and IDS solutions — with Section 52’s threat intelligence data.
  • Threat intelligence reports, alerts, and TTPs for CyberX clients, along with expert recommendations and implementation services from the CyberX customer success team, to assist clients with threat mitigation.

Engage with ARC Advisory Group