Security tools and policies are good, but can contribute to a false sense of safety, especially in “highly secure” ICS environments. Threat Hunting can deliver a shocking dose of reality by discovering unknown threats… especially those that shouldn’t possibly be there.
Kimberly-Clark has been on a 3-year journey of hunting threats within its ICS environment. Despite having Purdue-inspired segmentation, next-gen firewalls, and globally-managed antivirus, we still managed to discover compromised devices.
In this talk, we examine several real incidents from our ICS networks, including the basic, easy-to-implement threat hunting techniques that led to their discovery. We will discuss root causes, policy/enforcement gaps, and why many existing tools failed to detect these issues. The audience will take away an understanding of how ICS threat hunting can identify and eliminate risk, as well as how to begin threat hunting in their own networks.
Disclaimer: This talk should NOT be considered financial guidance. All incidents occurred in the past; none had a material impact on financial results, and none carried ICS-specific payloads. This talk is not an admission of risk, but rather shows how Kimberly-Clark identified and eliminated risk that many other organizations miss.