Industrial Control System Cybersecurity Threat Hunting - Pentestmag

By Leonard Jacobs, M.S. in Cybersecurity Technology, CISSP, CSSA

Cyber threat hunting is the practice of proactively searching a network for cyber attackers who are prowling undetected and attempting to exploit cyber weaknesses. The premise of cyber threat hunting is finding the cyber attacker before they can do damage or steal information.

Before continuing to explain the cyber threat hunting process, the cyber defender should clearly understand that cyber threat hunting is not the same as cyber incident response or cyber forensics. However, the outcome of cyber threat hunting feeds cyber incident response, as explained later.

Performing cyber threat hunting is one of the most important cybersecurity protections applied to industrial control systems (ICS). For the purposes of this article, ICS includes devices, servers, and networks. ICS cyber threat hunters need a broad understanding of ICS and how they operate, of ICS network protocols, and of ICS cybersecurity practices.

Using traditional cybersecurity protections with ICS can lead to inconsistent results. Often, traditional cybersecurity protections cannot be applied to protect ICS because those protections can affect the performance of systems and networks. Cybersecurity protections such as network-based intrusion prevention systems or host-based firewalls can be disruptive to ICS. Typically, ICS function in real time, and industrial control networks do not tolerate delays in packet flows. Many ICS endpoint devices have limited resources, e.g., low processor performance, small amounts of program memory, and no persistent data storage such as disk drives.

The Cybersecurity Triad for business information systems (Confidentiality, Integrity, Availability) is applied differently with ICS as a reverse triad (Availability, Integrity, Confidentiality). Availability is the most important factor in ICS. Availability issues can cause process control delays and even failures. Even more important with ICS is life/environmental safety. ICS device failures can cause harm to humans and/or damage to the environment.

ICS are generally very static in design and configuration. This characteristic can make it easier to protect ICS. Additionally, it makes it easier for cyber threat hunters to notice when changes occur in ICS. Any change could be the result of a cyber-attack, and determining whether it is, is the cyber threat hunter's task. However, cybersecurity is not always perfect. Cybersecurity protections are often circumvented by cyber attackers, allowing them to take advantage of cybersecurity weaknesses in ICS. This is when cyber threat hunting techniques come to the rescue and allow cybersecurity defenders to search for cyber attackers that have possibly invaded the ICS.
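Because ICS configurations change so rarely, a hunter can compare a current snapshot against an approved baseline and treat every difference as a lead. The following is an added example written for this article, not code from the author or from any vendor tool; the inventory fields, IP addresses, checksums and peer lists are all constructed, and the assumed record format (firmware, control-logic checksum, operating mode, hosts that talk to the controller) is a hypothetical one that a protocol-aware sensor or asset-inventory export could supply.

```python
"""Baseline drift check for a static ICS asset inventory (added example).

Assumes a constructed inventory: one record per controller with the
fields that rarely change on a healthy plant floor. Anything that differs
from the approved baseline is a lead for the hunter, not yet an incident.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ControllerState:
    ip: str
    firmware: str
    logic_sha256: str   # checksum of the control program as reported by the device
    mode: str           # "run" or "program"
    peers: frozenset = field(default_factory=frozenset)  # hosts seen talking to it


# Constructed baseline captured during a known-good maintenance window.
BASELINE = {
    "10.1.2.10": ControllerState("10.1.2.10", "v2.4.1", "aa11" * 16, "run", frozenset({"10.1.2.50"})),
    "10.1.2.11": ControllerState("10.1.2.11", "v2.4.1", "bb22" * 16, "run", frozenset({"10.1.2.50"})),
}

# Constructed current snapshot: 10.1.2.11 reports a new logic checksum and a
# new peer, and a controller the baseline never recorded has appeared.
CURRENT = {
    "10.1.2.10": ControllerState("10.1.2.10", "v2.4.1", "aa11" * 16, "run", frozenset({"10.1.2.50"})),
    "10.1.2.11": ControllerState("10.1.2.11", "v2.4.1", "cc33" * 16, "run", frozenset({"10.1.2.50", "10.1.2.77"})),
    "10.1.2.12": ControllerState("10.1.2.12", "v2.4.1", "dd44" * 16, "run", frozenset()),
}


def compare(baseline, current):
    """Return sorted (ip, finding_kind, detail) tuples for every deviation."""
    findings = []
    for ip, state in current.items():
        base = baseline.get(ip)
        if base is None:
            findings.append((ip, "unknown_device", "not in baseline"))
            continue
        # Attributes that should never change outside an approved change window.
        for attr in ("firmware", "logic_sha256", "mode"):
            if getattr(base, attr) != getattr(state, attr):
                findings.append((ip, f"{attr}_changed",
                                 f"{getattr(base, attr)} -> {getattr(state, attr)}"))
        # A new talker to a controller is a classic lead on a static network.
        new_peers = state.peers - base.peers
        if new_peers:
            findings.append((ip, "new_peer", ",".join(sorted(new_peers))))
    # Devices that vanished deserve a look too (availability comes first in ICS).
    for ip in baseline.keys() - current.keys():
        findings.append((ip, "missing_device", "present in baseline, absent now"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind, detail in compare(BASELINE, CURRENT):
        print(f"{ip:<12} {kind:<22} {detail}")
```

Each finding is only a trigger in the sense used later in this article: the new peer on 10.1.2.11 may be a freshly commissioned HMI, or it may be the first trace of an intruder, and the hunt is what decides.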

Cyber threat hunting cannot be fully automated, because an automated hunter is certain to miss evidence of cyber attackers. Cyber threat hunting does require cyber defenders to be very knowledgeable about cyber attackers' tactics, gained through prior experience observing cyber-attacks and learning to recognize cyber threat hunting techniques. Cyber threat hunters assume cyber attackers are already inside the network and initiate their investigation to find unusual behavior indicating the presence of a cyber attacker performing malicious activity.

In cyber threat hunting, investigations fall into three main categories.

  1. Hypothesis-driven investigations are initiated when a new cyber threat is identified from previously collected cyber threat intelligence, giving insight into cyber attackers' latest tactics, techniques, and procedures (TTP). Once a new TTP is identified through cyber intelligence sources, cyber threat hunters attempt to determine whether the cyber attacker's particular behaviors are discoverable in the target network.
  2. Known Indicators of Compromise or Indicators of Attack investigations involve utilizing tactical threat intelligence to catalog known Indicators of Compromise and Indicators of Attack associated with new threats. Cyber threat hunters utilize this intelligence to discover potential concealed attacks or ongoing malicious activity.
  3. Advanced analytics and machine learning investigations merge data analysis and machine learning to correlate substantial amounts of information and detect anomalies suggesting potential malicious activity. These anomalies become cyber threat hunting indications to be investigated by skilled cybersecurity analysts to identify covert threats within the ICS.

The common theme in these investigation types is that the cyber threat hunter identifies the threat and the cyber incident response team mitigates it. The cyber threat hunter should set a reasonable time limit on their activities. If the time limit expires, the cyber threat hunter should move on to the next planned hunt. The purpose of the cyber threat hunt is to find threats in the most expedient and efficient manner.

Typical investigation steps are:

  1. A trigger leads a cyber threat hunter to a specific ICS system or area of the ICS network for further investigation when evidence identifies unusual actions that may indicate malicious activity. A hypothesis about a new threat or a new indicator of compromise are examples of triggers.
  2. During the second investigation step, the cyber threat hunter might have to utilize passive network packet capture to review unusual ICS network traffic for malicious activity, or review system logs, if available, from ICS devices or servers to determine whether unusual behaviors exist. Remember that an ICS cannot be treated in the same manner as business information technology: ICS devices might not have the system resources to install cybersecurity control agents that collect evidence. The investigation continues until either the activity is considered nonthreatening or evidence of malicious activity is collected.
  3. The resolution phase involves providing cyber threat evidence to the cyber incident response team so they can respond to the incident and mitigate threats. Evidence gathered about both malicious and nonthreatening activities should be fed back into automated cybersecurity controls to improve their effectiveness without further human intervention.

Cyber threat hunting is meant to be a cyclical process. In summary, during investigation, cyber threat hunters gather as much information as possible about a cyber attacker's actions, methods, and intent. They analyze collected data to establish cybersecurity trends about the organization's ICS, provide evidence to help eliminate current vulnerabilities, and make predictions to assist in enhancing cybersecurity in the future.

Though much of cyber threat hunting is performed manually, there are tools and aids available to assist cyber threat hunters. Links for all tools can be found in the resources.

A valuable tool for cyber threat hunting is the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework for ICS. The framework is a curated knowledge base of cyber adversary behavior in the ICS technology domain. It reflects the various phases of a cyber attacker's attack life cycle and the assets and systems they are known to target. ATT&CK for ICS originated from MITRE internal research focused on applying the ATT&CK methodology to the ICS technology domain. Use of the framework assists a cyber threat hunter in building cyber threat hunting scenarios for investigations.

The following scenario illustrates a simple attack on an ICS, expressed in terms of the MITRE ATT&CK for ICS framework.

Run a cyber threat hunt looking for the following activity, based on the hypothesis that a malicious actor has gained access to an ICS engineering workstation.

  1. Cyber attacker covertly changes the operating mode of the target ICS controller to program mode.
  2. Cyber attacker covertly uploads a modified malicious program to the target ICS controller.
  3. Cyber attacker covertly changes the operating mode of the target ICS controller back to run mode.
  4. Cyber attacker has manipulated the operational controls on the target ICS controller through a cyber-attack.
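One way to turn this hypothesis into a concrete hunt is a small sequence detector that looks, per source host and controller, for the three steps above occurring in order within a short window, then enriches each match with the two questions a hunter asks first: is the source a sanctioned engineering workstation, and was there an approved change window? This is an added example written for this article, not code from the author or from MITRE; the event stream, the normalised action names (mode_change, logic_transfer) and the change-window list are all constructed and stand in for whatever a protocol-aware ICS sensor or controller log actually exports.

```python
"""Sequence hunt for the 'compromised engineering workstation' hypothesis (added example).

Assumes constructed events normalised to (timestamp, src, dst, action, detail).
The hunted sequence against one controller from one source host is:
  1. mode changed to program
  2. new logic transferred to the controller
  3. mode changed back to run
"""
from datetime import datetime, timedelta

# Constructed events. 10.1.2.50 is the sanctioned engineering workstation, so a
# hunter cannot rely on the source address alone; timing and change windows matter.
EVENTS = [
    ("2022-12-01T02:10:05", "10.1.2.50", "10.1.2.10", "mode_change", "program"),
    ("2022-12-01T02:10:09", "10.1.2.50", "10.1.2.10", "logic_transfer", "download"),
    ("2022-12-01T02:10:40", "10.1.2.50", "10.1.2.10", "mode_change", "run"),
    ("2022-12-01T09:00:00", "10.1.2.50", "10.1.2.11", "read_coils", "0-15"),
    ("2022-12-01T09:05:00", "10.1.2.50", "10.1.2.11", "mode_change", "program"),
    ("2022-12-01T09:06:00", "10.1.2.50", "10.1.2.11", "mode_change", "run"),  # no transfer
]

APPROVED_SOURCES = {"10.1.2.50"}
# Constructed change windows approved by the change board: (controller, start, end).
CHANGE_WINDOWS = [("10.1.2.11", "2022-12-01T08:00:00", "2022-12-01T10:00:00")]
MAX_SEQUENCE_GAP = timedelta(minutes=10)   # the three steps must complete within this


def parse(ts):
    return datetime.fromisoformat(ts)


def in_change_window(dst, when):
    return any(dst == c and parse(s) <= when <= parse(e) for c, s, e in CHANGE_WINDOWS)


def hunt(events):
    """Return one finding per complete program -> transfer -> run sequence."""
    findings = []
    state = {}  # (src, dst) -> (stage reached, time of step 1, evidence so far)
    for ts, src, dst, action, detail in sorted(events):
        when = parse(ts)
        key = (src, dst)
        stage, started, evidence = state.get(key, (0, None, []))
        if started is not None and when - started > MAX_SEQUENCE_GAP:
            stage, started, evidence = 0, None, []   # stale partial sequence: start over
        if stage == 0 and action == "mode_change" and detail == "program":
            state[key] = (1, when, [(ts, action, detail)])
        elif stage == 1 and action == "logic_transfer":
            state[key] = (2, started, evidence + [(ts, action, detail)])
        elif stage == 2 and action == "mode_change" and detail == "run":
            findings.append({
                "src": src,
                "dst": dst,
                "approved_source": src in APPROVED_SOURCES,
                "in_change_window": in_change_window(dst, started),
                "evidence": evidence + [(ts, action, detail)],
            })
            state.pop(key)
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['src']} -> {f['dst']}: approved_source={f['approved_source']}, "
              f"in_change_window={f['in_change_window']}")
        for ts, action, detail in f["evidence"]:
            print(f"    {ts}  {action}  {detail}")
```

On the constructed data the 02:10 sequence against 10.1.2.10 is the only full match, and it came from the approved workstation outside any change window; that combination is exactly the evidence package the resolution phase hands to incident response. The 09:05 activity on 10.1.2.11 is not reported because no logic was transferred, which keeps a routine mode toggle during a maintenance window out of the hunter's queue.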

Another useful open-source threat hunting tool is Kestrel. Kestrel is a threat hunting language that facilitates fast cyber threat hunting by providing a layer of abstraction to build reusable, composable, and shareable hunt-flows. A hunt flow in Kestrel is a sequence of Kestrel commands. Cyber threat hunters write Kestrel code to quickly turn cyber threat hypotheses into a hunt-flow. While Kestrel allows a human to express what to hunt, the Kestrel runtime deals with how to hunt.

Example of Kestrel Hunt-Flow:

# create four process entities in Kestrel and store them in the variable `proclist`
proclist = NEW process [ {"name": "cmd.exe", "pid": "123"}
                       , {"name": "explorer.exe", "pid": "99"}
                       , {"name": "firefox.exe", "pid": "201"}
                       , {"name": "chrome.exe", "pid": "205"}
                       ]

# match a pattern of browser processes, and put the matched entities in variable `browsers`
browsers = GET process FROM proclist WHERE [process:name IN ('firefox.exe', 'chrome.exe')]

# display the information (attributes name, pid) of the entities in variable `browsers`
DISP browsers ATTR name, pid

Example of Results after running Hunt-Flow:

       name    pid
 chrome.exe    205
firefox.exe    201

[SUMMARY] block executed in 1 seconds
proclist    process    4    4    0
browsers    process    2    2    0
*Number of related records cached.

Real Intelligence Threat Analytics (RITA) is an open-source framework for detecting command and control communication through network traffic analysis. The RITA framework ingests Zeek logs, or PCAPs converted to Zeek logs, for analysis. RITA has the following capabilities:

  • Beacon Detection: Identify signs of beaconing behavior in and out of network.
  • DNS Tunneling Detection: Identify signs of DNS-based covert channels.
  • Identify Long Connections.
  • View User-Agent strings.
  • Blacklist Checking: Query blacklists to search for suspicious domains and hosts.
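The first three capabilities rest on simple statistics over Zeek's conn.log: a beacon shows up as many connections to the same destination with very regular spacing, and a long connection is just a session whose duration is far outside the norm. The following added example, written for this article and not taken from RITA or the author, shows that logic run over a constructed, trimmed-down conn.log that keeps only the columns needed (ts, id.orig_h, id.resp_h, id.resp_p, duration, a subset of Zeek's real conn.log fields); the hosts, timestamps and the coefficient-of-variation threshold are all constructed.

```python
"""Beacon and long-connection hunt over Zeek-style conn.log lines (added example).

Assumes a constructed, tab-separated log with a Zeek-like #fields header and
only the columns used here. Beaconing is approximated as: at least
min_conns connections between the same hosts/port whose inter-arrival
times have a low coefficient of variation (standard deviation / mean).
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.1.2.50 reaches 203.0.113.9:443 every ~300 s (beacon-like);
# 10.1.2.51 holds one day-long session to 10.1.2.10:502 (Modbus/TCP);
# 10.1.2.52 makes two ordinary short Modbus polls.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tduration
1669860000.0\t10.1.2.50\t203.0.113.9\t443\t0.4
1669860301.0\t10.1.2.50\t203.0.113.9\t443\t0.5
1669860599.5\t10.1.2.50\t203.0.113.9\t443\t0.4
1669860900.2\t10.1.2.50\t203.0.113.9\t443\t0.6
1669861200.8\t10.1.2.50\t203.0.113.9\t443\t0.4
1669861499.9\t10.1.2.50\t203.0.113.9\t443\t0.5
1669860010.0\t10.1.2.51\t10.1.2.10\t502\t86400.0
1669860020.0\t10.1.2.52\t10.1.2.10\t502\t1.2
1669863000.0\t10.1.2.52\t10.1.2.10\t502\t1.1
"""


def parse_conn_log(text):
    """Parse Zeek-style TSV with a '#fields' header into a list of dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_beacons(rows, min_conns=5, max_cv=0.1):
    """Flag (orig, resp, port) triples with many, evenly spaced connections."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"pair": pair, "connections": len(times),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


def find_long_connections(rows, min_duration=3600.0):
    """Flag sessions whose duration is at or above min_duration seconds."""
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], float(r["duration"]))
            for r in rows if float(r["duration"]) >= min_duration]


if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    for b in find_beacons(rows):
        print("beacon candidate:", b)
    for c in find_long_connections(rows):
        print("long connection:", c)
```

Note the ICS twist on the long-connection check: a day-long Modbus/TCP session from an HMI to a controller can be perfectly normal polling, so on a plant network the hunter compares each flagged pair against the expected talkers rather than treating duration alone as malicious. The thresholds (five connections, coefficient of variation at or below 0.1, one hour) are starting points to tune against a baseline of the site's own traffic.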

Velociraptor is an open-source advanced digital forensic and incident response tool that enhances visibility into endpoints. Velociraptor has cyber threat hunting functionality built in. Using that hunting functionality, the tool can collect identical artifacts from multiple endpoints simultaneously, as follows:

  • Monitor offline endpoints by scheduling hunts collecting artifacts from any endpoints that come back online during a certain period.
  • Examine the results from all collections easily.
  • Keep track of which endpoints collected the artifact and make sure the same artifact is not collected more than once on any endpoint.

The Hunting ELK or simply HELK is one of the first open-source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger infrastructures with the correct configurations and a scalable infrastructure.

Open-source network packet capture tools are useful in cyber threat hunting. The following are a sampling of available tools.

Suricata is the leading independent open-source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess even the most sophisticated attacks. Suricata is capable of parsing ICS network protocols and Internet of Things (IoT) protocols, e.g., Modbus, DNP3, EtherNet/IP (CIP), and MQTT.

The open-source packet capture tool Wireshark is capable of parsing ICS network protocols.

Malcolm is an open-source, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and logs. Malcolm provides insight into specific protocols used in ICS.


December 15, 2022