
On the afternoon of May 12, President Joe Biden issued his Executive Order on Improving the Nation’s Cybersecurity. The executive order came on the heels of a ransomware attack that shut down operation of a major U.S. refined products pipeline system, a critical infrastructure operator that supplies approximately 40% of the gasoline supply to states along the U.S. East Coast.

As gasoline stopped flowing from suppliers to service stations, prices shot up, shortages broke out and drivers rushed to fill their tanks, unsure of how long the effects would last. The impact of this attack was consequential, dramatically illustrating the vulnerability of key pieces of our economy, but it was not an isolated event. The Executive Order on Improving the Nation’s Cybersecurity was not a knee-jerk reaction to a singular event. It is the result of years of attacks on government, industry, and individual organizations and of a steady cry from both the public and private sector to enlist the resources of our federal government in the fight against cybercrime.

Ordr has been one of the voices speaking in support of greater federal involvement and calling out the need for greater attention to protecting public services and infrastructure. And we were pleased to see that the new executive order called out the need to focus attention not just on information technology (IT), but on operational technology (OT), and the importance of Zero Trust.

OT Security  

Operational technologies are the industrial hardware and software systems that form the backbone of industry. Manufacturing equipment, scientific equipment, facilities management controls, transportation and logistics infrastructure, and, yes, the valves and monitors and other gear essential to managing critical operations.

In many cases these systems were not designed with cybersecurity in mind and have been in place for decades. But, as our world grows more interconnected and dependent on technology, the lines between IT and OT have blurred. Those vulnerable systems are an attractive target for threat actors who can exploit weaknesses in IT infrastructure to move laterally into OT networks and execute attacks intended to extract valuable data, or to disrupt operations through sabotage or extortion. Read Jamison Utter’s article on 90% of OT security attacks being primarily common attacks like ransomware, and our Director of Product Management Srinivas Loke’s response to DarkSide, for more on our perspective.

Zero Trust for Connected Devices 

We are also pleased to see Zero Trust called out as one of the key architectural tenets within the executive order. When it comes to the volume of connected IT, IoT, IoMT and OT in particular, it is impossible for any security team (even the government) to “react” to potential security alerts with these devices. Visibility into devices and their risks, along with proactive Zero Trust policies for mission-critical or vulnerable devices will limit the attack surface and mitigate risks, reducing the Security Operations Center (SOC) or Cyber Security Incident Response Team (CSIRT) burden of investigating alerts.

We’ve been advocating for Zero Trust for connected device security for several years now, and in fact, our platform is designed to make it simple to not only create Zero Trust network policies but also ensure that they can be properly enforced across existing networking and security infrastructure.

The executive order has set a number of priorities, including:

  • Improve the Federal Government’s ability to detect vulnerabilities and incidents on federal government networks;
  • Standardize the playbook for responding to cybersecurity vulnerabilities and incidents; and,
  • Improve the Federal Government’s investigation and remediation capabilities following cyberattacks.

At first glance, the Executive Order on Improving the Nation’s Cybersecurity seems to set overly ambitious goals for meeting these objectives on aggressively accelerated schedules. In fact, the clock is already ticking on deadlines that arrive in as little as 14 days. But the experience and innovation that has been happening within the private sector puts these goals well within reach.

For our part, Ordr already works with many federal agencies to achieve the goals and objectives the White House has articulated. Our technology is adept at identifying the many vulnerabilities that plague OT, and at executing real-time response to detect and isolate attacks that occur, preventing threat actors from moving laterally to gain the information and leverage they need to disrupt operations. We are also proven in our ability to execute Zero Trust policies in industries like healthcare, manufacturing, financial services, education, and more. We are eager, excited and ready to be a part of the mobilization effort that improves the nation’s cybersecurity.


To kick off Healthcare Technology Management (HTM) week, we would like to start by celebrating some folks that have been remarkable for their organization’s growth around network-connected device visibility and security. We thought it would be better if you heard it directly from their mouths so please check out these fireside chats and webinars where your colleagues share their best practices for medical devices, how they have secured budget to fund their projects, and how they are implementing policies around smart speakers.

While ALL HTM folks deserve this week full of appreciation, celebration and our gratitude, especially after a truly taxing year, we wanted to highlight these 10 rockstars:

1. Keith Witby, Senior Manager HTM – Mayo Clinic 

Keith has worked at Mayo Clinic for more than 22 years in several different support and leadership roles. He is currently the Section Head of Healthcare Technology Management Cybersecurity and Operations. Keith has also had several other positions in HTM, starting as a Unit Manager of the X-Ray equipment service group and most recently as the Section Head for Enterprise Lab, Research, and Ophthalmology Service. Prior to these roles in HTM, Keith worked in Surgical Services as a Core and Prosthesis Supervisor, and as a Surgical Process/Systems Analyst.

During Keith’s time at Mayo, Keith has had extensive experience collaborating on several multidisciplinary teams and demonstrated a commitment to customer service, strong leadership skills, and experience with process analysis, project management, and technical support. During Keith’s tenure in Surgical Services and HTM, Keith has been exposed to the depth and breadth of medical equipment in a large healthcare organization. This includes the use of, service and support on, and the operationalization of cybersecurity for a wide range of medical equipment and HIoT technology.

Mayo Clinic Efforts to Secure Connected Devices and HIoT 

Hear from Mayo Clinic and Ordr on best practices to gain complete visibility into these devices, profile behavior and risks, and enable the right policies to segment them.

https://ordr.net/webinars/mayo-clinic-efforts-to-secure-connected-devices-and-hiot

2 & 3. Mark Heston, Director of Clinical Engineering – Children’s Hospital Colorado & Dylan Winthers, Network & Cybersecurity Analyst – HSS 

Mark Heston is the Director of Clinical Engineering at Children’s Hospital Colorado with a CHTM and CBET. With more than 40 years in the medical profession and an M.S. in Health Care Administration, Mark has served as the Director of Medical Technology for the Iowa Health System, a Biomedical Engineer at GE Healthcare, Director of Clinical Instrumentation at Thomas Jefferson University Hospital, Operations Director for Clinical Engineering at Cleveland Clinic, and so much more. Mark is dedicated to teaching as well and has served as an adjunct faculty member at Upper Iowa University and William Penn College for Working Adults.

Dylan Winthers is a Network and Cybersecurity Analyst for HSS Technology Services, an organization that provides healthcare technology management support and integrated security services solutions to its customers. Not only is Dylan truly committed to helping healthcare organizations, but Dylan and his wife continue to build The Amelia Phoenix Fund, a non-profit organization established to raise awareness for CDH, as well as to collect funds to donate for equipment for an area NICU.

Higher Risks, Lower Budgets, Covid Chaos: The Scary Reality of Securing Healthcare Environments 

Mark Heston, Director of Clinical Engineering at Children’s Hospital Colorado, Ben Stock, Director of Healthcare Product Management at Ordr and Dylan Winthers, Network and Cybersecurity Analyst at HSS — explore these challenges and how to address them. Mark, Ben and Dylan will discuss the combination of products and managed services that allowed Children’s Hospital Colorado to cost-effectively discover, protect, and maintain their medical devices in a time of crisis, and how these tools will be imperative to transition back to a compliant and secure biomedical environment as normalcy returns.

https://ordr.net/healthcare/higher-risks-lower-budgets-covid-chaos-the-scary-reality-of-securing-healthcare-environments

4. David Yaeger, Bio-Med Security DBA – ProHealth Care 

David Yaeger has nearly 20 years of experience as an IT engineer, PACS administrator, and security and database administrator. Currently, David serves as the Biomed Security DBA at ProHealth Care. David is in charge of network-connected medical devices for ProHealth Care, where he runs a program to identify, profile and analyze the risk associated with these medical devices so that David’s team can watch for vulnerabilities and appropriately mitigate risk.

Building a Successful Medical Device Security Program (Security + IT + HTM) 

When it comes to developing a medical device security strategy, it takes a village. Join Eric Ross, System Director Clinical Engineering of M Health Fairview, David Yaeger, Biomed Security DBA at ProHealth Care, and Ben Stock, Director of Healthcare Product Development at Ordr in a fireside chat on how to build a successful medical device security program.

https://ordr.net/healthcare/building-a-successful-medical-device-security-program-security-it-htm

5. Michael Brilling, Manager of Clinical Engineering – Dartmouth-Hitchcock 

Michael Brilling is the Manager of Clinical Engineering at Dartmouth-Hitchcock. Michael began his career working on large datacenter thermal efficiency and UNIX systems. With nearly 20 years of experience in systems administration, clinical engineering and BMET, Michael is proficient in alarm fatigue prevention, equipment life cycle management, systems implementation, CMMS and AEM development.

Fireside Chat: Medical Device Security is a Joint Effort 

Join Michael Brilling, Manager, Clinical Engineering at Dartmouth-Hitchcock Health and Ben Stock, Director of Healthcare Product Development at Ordr in a fireside chat on how to drive cross functional collaboration to protect IoMT Devices.

https://ordr.net/webinars/fireside-chat-medical-device-security-is-a-joint-effort 

6. Christine Vogel, Cybersecurity Clinical Engineer – Hartford HealthCare 

Christine Vogel currently serves as the cybersecurity clinical engineer for Hartford HealthCare. With nearly 10 years of experience, a Bachelor’s and Master’s in Biomedical Engineering and various roles in systems engineering, research and security, Christine is one HTM leader you must meet!

7. Umair Siddiqui, Associate Vice President Clinical Engineering & Asset Management – Memorial Hermann Health System 

Umair Siddiqui holds an M.B.A., M.S., and CCE, and serves as the Associate Vice President Clinical Engineering & Asset Management at Memorial Hermann Health System. Umair has more than 20 years of experience with the University of Connecticut Health Center, MD Anderson Cancer Center and GE Healthcare. It is fair to say that if you are looking for advice on medical devices, asset management, operation, technology assessment, capital equipment planning, equipment procurement, equipment distribution or logistics, Umair is a wonderful resource.

8. Jeremy Heim, Senior Information Security Risk Analyst – Avera Health 

Jeremy Heim is the Senior Information Security Risk Analyst at Avera Health, with more than 19 years of professional information technology experience and expertise. Jeremy has spent the majority of his career in the healthcare sector, where he has specialized in IT management, systems architecture, clinical systems and security risk analysis. If you are looking to secure your medical devices, Jeremy should be your go-to person for advice!

9. John Klein, Modality Manager Clinical Engineering – UnityPoint Health 

John Klein serves as the Modality Manager at UnityPoint Health. With more than 26 years of time and dedication to UnityPoint, he has been able to help their organization in their digital transformation and is responsible for a stellar team that manages all clinical devices for the organization. If you are looking to speak to a person who has seen it all, look no further!

10. Karen Waninger, Executive Director Clinical Engineering – Franciscan Health Network 

Karen Waninger is the Executive Director of Clinical Engineering for the Franciscan Health Network. With more than 20 years of experience and an MBA in Health Care, Karen is experienced beyond measure. Formerly, Karen was at TriMedx as the National Director of Regulatory Compliance, which helped set the stage for her rise to Clinical Engineering Director at Community Health Network. If you are looking to understand regulatory compliance standards and how they impact medical devices, Karen should be your first call!

Throughout the week, we will be highlighting a few of the many great individuals that have been phenomenal in leading their team and organization. Stay tuned!

While you wait, here are some cool assets:


Each year, Verizon releases its Data Breach Investigations Report (DBIR) for the year prior. In this year’s report, they examine 2020 incident data and non-incident data (i.e., malware, patching, DDoS, and other data types). It is always good to note, with any research, that it does not speak for all data sets and that there are still variables that no research team can account for. Verizon clearly states this when talking about their Methodology:

“We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though the combined records from all our contributors more closely reflect reality than any of them in isolation, it is still a sample. And although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists.” 

They also follow the standard Vocabulary for Event Recording and Incident Sharing (VERIS) framework, with three basic collection methods:

  1. Direct recording of paid external forensic investigations and related intelligence operations conducted by Verizon using the VERIS Webapp
  2. Direct recording by partners using VERIS
  3. Converting partners’ existing schema into VERIS

The data processing and analysis takes roughly two months and they clearly acknowledge that their data is non-exclusively multinomial, meaning a single feature can have multiple values and there is random bias, sampling bias, and confirmation bias.

Just to clarify before we dive in, here are the definitions for an incident and a breach:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Okay, so let’s dive into the areas that we (Jeff, Ben, Jamison and I) found fascinating from the Verizon DBIR:

Security Trends 

While we don’t believe that any of these trends are going to shock the industry, we do think some of these are great for those tricky board meetings where you have to discuss why you want budget to protect your organization. So, we pulled out a few of the security trends we thought were cool:

  • Social Engineering – we love a good table top exercise (TTX) around social engineering, trying to see if we can craft a phishing email good enough to get credentials from our favorite C-level executive. This year’s report validates why: “A lot of Social Engineering breaches steal Credentials and once you have them, what better thing to do than to put those stolen creds to good use, which falls under Hacking. On the other hand, that Phishing email may have also been dropping Malware, which tends to be a Trojan or Backdoor of some type, a trap just waiting to be sprung.” Basically, not only do you have to worry about your infrastructure, but you have to worry about the people your organization is hiring and whether they are able to spot a suspicious email or Social tactics. Get them on a good KnowBe4 training and refresh it frequently. Also, share information or good phishing emails that your organization encounters so employees know what to look for.
  • Ransomware Breaches Over Time – well, what can we say here. Ransomware, as we knew well before reading the Verizon DBIR, is a crime of passion (as the true crime podcasts say), and 10% of all breaches now involve ransomware. It has been around for more than 30 years, and its entry is usually completely opportunistic: a spam/phishing attack, or a vulnerable service on the edge of the network that is easily compromised with very little skill. In addition, most ransomware as a service (RaaS) groups use opportunistic and low-skill initial installation techniques like spam/phishing campaigns, unpatched and vulnerable services exposed on the network, and previously compromised usernames/passwords that remain unchanged. From a mitigation perspective, protecting your organization from these opportunistic attacks comes down to the fundamental security best practice of knowing what you have, identifying its risks and monitoring for anomalous behavior.

Some other cool stats that the Verizon DBIR pointed out:

  • The rest of the vectors were split between Email, Network propagation and downloaded by other malware, which isn’t surprising
  • 60% of the Ransomware cases involved direct install or installation through desktop sharing apps
  • The first vector Actors are using is stolen credentials or brute force
  • 42% of incidents had no financial loss and 90% of ransomware had NO loss – absurd right?! The headlines would make you feel differently.

Before we take a deep dive into Healthcare and Manufacturing, which had some cool data, we wanted to highlight Education, Financial and Insurance, and Mining, Quarrying, and Oil & Gas Extraction + Utilities.

 

| | Education | Financial & Insurance | Mining, Quarrying, and Oil & Gas Extraction + Utilities |
|---|---|---|---|
| Frequency | 1,332 incidents, 344 with confirmed data disclosure | 721 incidents, 467 with confirmed data disclosure | 546 incidents, 355 with confirmed data disclosure |
| Top Patterns | Social Engineering, Miscellaneous Errors and System Intrusion represent 86% of breaches | Miscellaneous Errors, Basic Web Application Attacks and Social Engineering represent 81% of breaches | Social Engineering, System Intrusion and Basic Web Application Attacks represent 98% of breaches |
| Threat Actors (breaches) | External (80%), Internal (20%), Multiple (1%) | External (56%), Internal (44%), Multiple (1%), Partner (1%) | External (98%), Internal (2%) |
| Actor Motives (breaches) | Financial (96%), Espionage (3%), Fun (1%), Convenience (1%), Grudge (1%) | Financial (96%), Espionage (3%), Grudge (2%), Fun (1%), Ideology (1%) | Financial (78%-100%), Espionage (0%-33%) |
| Data Compromised (breaches) | Personal (61%), Credentials (51%), Other (12%), Medical (7%) | Personal (83%), Bank (33%), Credentials (32%), Other (21%) | Credentials (94%), Personal (7%), Internal (3%), Other (3%) |
| Top IG1 Protective Controls (CIS Controls Implementation Group 1; CIS Control number in parentheses) | Security Awareness and Skills Training (14), Access Control Management (6), Secure Configuration of Enterprise Assets and Software (4) | Security Awareness and Skills Training (14), Secure Configuration of Enterprise Assets and Software (4), Access Control Management (6) | Security Awareness and Skills Training (14), Access Control Management (6), Account Management (5) |

Also, for a stack rank on industries and their number of incidents and confirmed data disclosures, here you go:

| Industry | Incidents | Confirmed Data Disclosures | Notes |
|---|---|---|---|
| Public Administration | 3,236 | 885 | The Social Engineering pattern was responsible for over 69% of breaches in this vertical. Clearly, this industry is a favorite honey hole among the phishing fiends. The Social actions were almost exclusively Phishing with email as the vector. |
| Information | 2,935 | 381 | If we look at only incidents, we find that this industry tends to be bombarded with DoS attacks, a trend that has been occurring ever since computers were networked, or at least since we’ve been doing this report (Figure 108). Of the incidents, DoS alone accounts for over 90% of the Hacking actions we observed, with the rest being credential-based attacks such as Brute force or the Use of stolen credentials. |
| Professional, Scientific and Technical Services | 1,892 | 630 | |
| Educational Services | 1,332 | 344 | |
| Arts, Entertainment and Recreation | 7,065 | 109 | What was a bit surprising was the high level of Medical information breached in this sector. One would typically associate medical record loss with the Healthcare industry. However, upon digging into the data a bit more, the Personal Health Information (PHI) was related to athletic programs, which fall under this vertical. |
| Retail | 725 | 165 | |
| Financial and Insurance | 721 | 467 | Misdelivery represents 55% of Financial sector errors. The Financial sector frequently faces Credential and Ransomware attacks from External actors. |
| Healthcare | 655 | 472 | |
| Manufacturing | 585 | 270 | |
| Mining, Quarrying and Oil & Gas Extraction + Utilities | 546 | 355 | |
| Accommodation and Food Services | 69 | 40 | |

“Security postures and principles, such as proper network segmentation, the prevention of lateral movement, least privilege, and “never trust, always verify” have proven to be strong indicators of an organization’s ability to prevent or recover from unauthorized presence in its network environment.” 

Healthcare

Frequency 655 incidents

472 with confirmed data disclosure

Top Patterns

Miscellaneous Errors, Basic Web Application Attacks and System Intrusion represent 86% of breaches

Threat Actors  

  • External (61%),
  • Internal (39%) (breaches)

Actor Motives: 

  • Financial (91%)
  • Fun (5%)
  • Espionage (4%)
  • Grudge (1%) (breaches)

Data Compromised  

  • Personal (66%)
  • Medical (55%)
  • Credentials (32%)
  • Other (20%), (breaches)

Top IG1 Protective Controls: 

  • Security Awareness and Skills Training (14),
  • Secure Configuration of Enterprise Assets and Software (4)
  • Access Control Management (6)

“In 2020, in the midst of the pandemic, cyber actors increased malware attacks against U.S. victims, including the healthcare and public health sector. The U.S. Secret Service noted a marked uptick in the number of ransomware attacks, ranging from small dollar to multi-million dollar ransom demands. While most organizations had adequate data backup solutions to mitigate these attacks, cyber actors shifted their focus to the exfiltration of sensitive data. These cyber actors, often organized criminal groups, proceeded to monetize the theft by threatening to publicize the data unless additional ransom was paid. The monetization of proceeds was typically enabled by cryptocurrency, in an attempt to obfuscate the destination of proceeds and hamper the ability of law enforcement to locate and apprehend those responsible for the crime.” 

But, you might ask, what has changed? Well, in 2020 there was a significant shift in Healthcare, where breaches were no longer driven primarily by Internal actors but by External actors. So, some good news, right? No longer is your primary threat actor your own employees!

And lastly, we found it interesting that for the second year in a row, Personal data was compromised more often than Medical. One could make the leap that Personal data can actually be used more widely than someone’s Medical data.

Manufacturing (not mining, quarrying or oil & gas)

Frequency 585 incidents

270 with confirmed data disclosure

Top Patterns

System Intrusion, Social Engineering and Basic Web Application Attacks represent 82% of breaches

Threat Actors  

  • External (82%),
  • Internal (19%),
  • Multiple (1%) (breaches)

Actor Motives  

  • Financial (92%)
  • Espionage (6%)
  • Convenience (1%)
  • Grudge (1%)
  • Secondary (1%) (breaches)

Data Compromised  

  • Personal (66%),
  • Credentials (42%),
  • Other (36%),
  • Payment (19%) (breaches)

Top IG1 Protective Controls  

  • Security Awareness and Skills Training (14)
  • Access Control Management (6)
  • Secure Configuration of Enterprise Assets and Software (4)

The Verizon DBIR uses organic almond milk and toilet paper as its examples of 2020 shortages; we will use primed lumber and DIY tools as ours for the shortages that surrounded the manufacturing supply chain and the implications of 2020. While facilities were shut down, you might think…cool, we might get some time to relax…the answer to that was a BIG NO. Manufacturing saw ransomware play a significantly increased role in malware-associated breaches (61.2%) relative to previous years, overtaking both DoS and Phishing as the most common variety of attack.  

How Ordr Can Help 

It wouldn’t be a good vendor blog if we didn’t also mention that we are willing to help out and give you a 30-day free trial. For more information on how Ordr delivers visibility and security for all connected devices — from traditional servers, workstations and PCs to IoT, IoMT and OT devices — contact us at info@ordr.net. Also, if you want to see how we map to the CIS Controls, you can take a look at our new CIS Controls Solutions Brief here: https://ordr.net/solution-briefs/ordr-cis-controls-solutions-brief


On Friday, May 7, 2021, Colonial Pipeline confirmed that a cyberattack forced the company to proactively shut down operations and freeze IT systems after becoming the victim of a ransomware attack. Even though the specifics of how the attack was carried out and its impact have not been disclosed, Colonial confirmed that operations were only partially restored even after three days. On May 10, 2021, the FBI confirmed that DarkSide ransomware was responsible for this attack on Colonial Pipeline.

What is Ransomware? 

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems unusable. This is usually carried out by malicious actors who then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data if the ransom is not paid. According to the latest industry trends, ransomware activity increased by close to 150% in 2020, with each event resulting in an average downtime of 18 days. The report also mentions an increase of financial loss for each event by 200% from 2019.

What is DarkSide? 

DarkSide is a group that has used ransomware to attack various companies in the U.S. and Europe. They have attempted to extort companies with threats and claim to give part of the money they make to charity organizations. DarkSide follows a growing trend among ransomware gangs called “double extortion,” where the hackers not only encrypt and lock the data but threaten to release the data if the ransom is not paid.

FBI Flash Announcement of Indicators of Compromise (IOCs) 

On May 10, 2021, the FBI announced IOCs for the DarkSide ransomware. The list included a set of IP addresses and URLs that are associated with this ransomware. Our security team has incorporated these IOCs into the Ordr platform.

Tracking DarkSide using Ordr 

There are typically a number of challenges when tracking ransomware:

  • Security controls might not have complete visibility to track Patient 0. Most ransomware is targeted
  • Lateral movement of malware is widespread. Security teams need complete visualization of East-West traffic to detect lateral movement
  • Ransomware typically uses standard protocols like HTTPS to communicate to C&C servers, so the traffic may appear benign.

Here are best practices using your Ordr deployment to track a potential DarkSide ransomware infection within your organization.

1. Identify and understand risks for every device 

Ordr uses DPI and AI, along with enrichment from a variety of different security and threat intelligence feeds, to calculate the risk and security posture of every device. Device context, including static attributes like the O/S of the device, hotfixes deployed and software installed, together with the behavioral patterns of the device, provides a unique view of the risks of a device. Ordr uses industry-leading threat intelligence to detect close to 25 critical event types to identify vulnerable devices in the network, and offers an actionable risk score.

2. Track East-West lateral movement with Ordr Threat Detection Engine 

Ordr sensors deployed across the network support full-stack L7 threat detection. Most organizations focus on north-south threat detection, but east-west traffic analysis is critical to detecting lateral movement and is a major blind spot for enterprises, as this traffic is outside the realm of the perimeter firewall.

3. Monitor Communications to DarkSide C2  

Ordr’s multi-dimensional threat intelligence (URL reputation, IP reputation, IDS, weak passwords/certificates, etc.) has been updated to track all future communications to the malicious entities associated with the DarkSide ransomware in real-time. Ordr SCE also supports capabilities to analyze traffic retrospectively for these communications.

Currently, in the Ordr SCE 7.4.2 R1 release this can be accomplished by working with the Ordr Customer Support team. In the upcoming Ordr 7.4.2 R2 release this can be done via YAML and Ordr will support a simple customized YAML file to track these entities. Users can simply edit the YAML file and add the above list of IOCs to the file. This will update the system in real-time and will analyze all new and retrospective communications against the list and mark them accordingly.

All communications to the listed IP addresses will be captured under Prohibited IP, and the URL communications will be captured as part of suspicious domains in the security page of SCE. The risk score for the devices with these communications will increase accordingly. This information is also available in the traffic analysis tool, where you can drill down on the data based on the classification type, VLAN or subnet.

4. Customized Security Event Monitoring 

One other feature added to the upcoming 7.4.2 R2 release is the ability to create a special event that tracks customized IP addresses and suspicious domains. Users can configure the event by simply editing the YAML file named “monitoring-groups.yaml”.

Users can follow these steps to create a new event called DarkSide and add the associated URLs and IPs from the list to the file. This will create a new entry in the Ordr Group Traffic Analysis constellation view, which provides users with a complete overview of network communications. The user will have the option to drill down into the communication patterns of each device associated with the event. This can give pointers to other devices that should be analyzed for potential infection. Multiple events can be created if needed.
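As an added example (not Ordr’s code, and not the SCE YAML format), here is the kind of matching that steps 3 and 4 describe, written in Python: an IOC group of IP addresses and domains/URLs is loaded, each observed connection is classified as a Prohibited IP hit, a suspicious domain hit, or clean, and the risk score of the device that made the connection rises with each hit. The IOC values, connection records, group layout and risk weights are constructed placeholders (RFC 5737 test ranges and example domains), not the FBI list.

```python
"""Added example, not Ordr's code: IOC matching over connection records.

Classifies each device communication against a group of IOC IPs and domains,
in the spirit of the "Prohibited IP" / "suspicious domain" classification and
the per-device risk score described in the post. Works the same way on live
and retrospective data, since it only needs (device, destination, port) tuples.
"""
from collections import defaultdict
from ipaddress import ip_address
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed IOC group, in a hypothetical layout a YAML monitoring-group file
# could hold: a name plus flat lists of IPs and domains/URLs. Not real IOCs.
IOC_GROUP = {
    "name": "DarkSide-example",
    "ips": ["192.0.2.44", "198.51.100.7"],
    "domains": ["malicious-c2.example", "drop.example/gate", "cdn.example.net"],
}

# Constructed connection records: (device_id, destination_host_or_ip, dest_port).
# In a real deployment these would come from DPI / flow collection.
SAMPLE_CONNECTIONS = [
    ("infusion-pump-01", "198.51.100.7", 443),
    ("infusion-pump-01", "203.0.113.9", 443),
    ("nurse-ws-17", "malicious-c2.example", 443),
    ("nurse-ws-17", "update.vendor.example", 80),
    ("hvac-ctrl-03", "drop.example", 443),
    ("hvac-ctrl-03", "www.cdn.example.net", 443),
]

# Hypothetical risk contribution per hit type (assumed, not Ordr's scoring).
RISK_WEIGHT = {"prohibited_ip": 40, "suspicious_domain": 30}


def normalize_domain(entry: str) -> str:
    """Reduce an IOC entry such as 'drop.example/gate' to its bare hostname."""
    # urlsplit only recognises the host portion when a scheme is present.
    if "://" not in entry:
        entry = "http://" + entry
    host = urlsplit(entry).hostname or ""
    return host.lower().rstrip(".")


def load_iocs(group: dict) -> Tuple[set, set]:
    """Build canonical IP and domain sets; ip_address() rejects malformed IPs."""
    ips = {str(ip_address(ip)) for ip in group["ips"]}
    domains = {normalize_domain(d) for d in group["domains"]}
    return ips, domains


def domain_matches(host: str, domains: set) -> bool:
    """Exact match or subdomain of a listed domain (www.cdn.example.net hits cdn.example.net)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(dest: str, ips: set, domains: set) -> Optional[str]:
    """Return 'prohibited_ip', 'suspicious_domain', or None for a clean destination."""
    try:
        # Destination is an IP literal: compare its canonical form against the IP set.
        return "prohibited_ip" if str(ip_address(dest)) in ips else None
    except ValueError:
        # Not an IP literal, so treat it as a hostname and check the domain set.
        return "suspicious_domain" if domain_matches(dest, domains) else None


def scan(connections, group=IOC_GROUP):
    """Return (hits, risk_by_device) for a batch of connection records."""
    ips, domains = load_iocs(group)
    hits = []
    risk = defaultdict(int)
    for device, dest, port in connections:
        kind = classify(dest, ips, domains)
        if kind:
            hits.append((device, dest, port, kind))
            risk[device] += RISK_WEIGHT[kind]
    return hits, dict(risk)


if __name__ == "__main__":
    found, scores = scan(SAMPLE_CONNECTIONS)
    for hit in found:
        print("%-18s %-24s :%-4d %s" % hit)
    print(scores)
```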