MITRE ATT&CK for ICS How OT Stakeholders Can Benefit From This Framework?

Table of Contents
Executive Summary
Overtaking Bad Actors
What is MITRE ATT&CK for OT?
How can OT stakeholders benefit from MITRE ATT&CK?
Conclusion

Executive Summary
The original MITRE ATT&CK enterprise framework has been around since 2015. It is a great tool for
understanding how adversaries try to get into our systems, so that countermeasures can stop them. We are
seeing more organizations adopt it as they realize they need a strong IT security team, and as more funding
becomes available to increase the maturity of information security programs.

MITRE expanded its ATT&CK framework and knowledge base to ICS/OT in Jan 2020. This publicly available
resource is a great tool for the OT security community to anticipate and counter ICS threats more efficiently
and consistently.

This paper provides information on why and how MITRE ATT&CK for ICS was developed and what OT security
stakeholders can do to get the most out of this framework.

“Simply put, ATT&CK for ICS was created out of a need to better understand, concentrate, and disseminate
knowledge about adversary behavior in the ICS technology domain.”
Otis Alexander, Principal Cyber Security Engineer at the MITRE Corporation

Overtaking Bad Actors
Whether targeting IT or OT, bad actors are quick to change their behaviors to beat detection.
Looking at network anomalies can be useful for hunting adversarial behavior, but it is also time consuming,
because an abnormal communication flag does not tell whether the behavior is malicious or legitimate. Moreover,
depending on the industrial process context, network communication patterns are prone to change on a daily basis.
Detecting Process Control Network (PCN) Indicators of Compromise (IoCs) with methods such as YARA rules
provides more stable detection than solely analyzing network anomalies. However, these IoCs evolve over time as
well, making them valuable for forensic analysis but limited for efficient detection.
While IoCs may change every week, threat behaviors last for months or even years. Looking at these tactics,
techniques, and procedures (TTPs), although more challenging for security analysts and vendors, can drastically
improve the ability of asset owners to detect and protect their infrastructures from malicious actors.
Last year, MITRE developed a globally accessible framework and updated its knowledge base to list the
TTPs impacting the ICS/OT community. This framework comes on top of the existing MITRE ATT&CK
knowledge base for enterprise IT, making it the perfect lexicon for defense in a converged IT/OT environment.

What is MITRE ATT&CK for OT?
MITRE ATT&CK for OT is the first ever framework lexicon of publicly analyzed threat behaviors against ICSs. It
consolidates and standardizes the format of ICS adversary knowledge from several threat intelligence sources that
previously analyzed and reported inconsistently. The framework is organized as a matrix whose columns are Tactics
(the industrial attacker’s main goals) and whose rows are Techniques (methods used to achieve those goals).

The framework also lists the most common ICS malware and Advanced Persistent Threats (APT) Groups.

MITRE ATT&CK for ICS matrix (tactics, left to right, with the techniques listed under each):

Initial Access: Data Historian Compromise; Drive-by Compromise; Engineering Workstation Compromise;
Exploit Public-Facing Application; External Remote Services; Internet Accessible Device; Replication Through
Removable Media; Spearphishing Attachment; Supply Chain Compromise; Wireless Compromise

Execution: Change Program State; Command-Line Interface; Execution through API; Graphical User Interface
(GUI); Man in the Middle; Program Organization Units; Project File Infection; Scripting; User Execution

Persistence: Hooking; Module Firmware; Program Download; Program File Infection; System Firmware;
Valid Accounts

Evasion: Exploitation for Evasion; Indicator Removal on Host; Masquerading; Rogue Master Device; Rootkit;
Spoof Reporting Message; Utilize/Change Operating Mode

Discovery: Control Device Identification; I/O Module Discovery; Network Connection Enumeration; Network
Service Scanning; Network Sniffing; Remote System Discovery; Serial Connection Enumeration

Lateral Movement: Default Credentials; Exploitation of Remote Services; External Remote Services; Program
Organization Units; Remote File Copy; Valid Accounts

Collection: Automated Collection; Data from Information Repositories; Detect Operating Mode; Detect Program
State; I/O Image; Location Identification; Monitor Process State; Point & Tag Identification; Program Upload;
Role Identification; Screen Capture

Command and Control: Commonly Used Port; Connection Proxy; Standard Application Layer Protocol

Inhibit Response Function: Activate Firmware Update Mode; Alarm Suppression; Block Command Message; Block
Reporting Message; Block Serial COM; Data Destruction; Denial of Service (DoS); Device Restart/Shutdown;
Manipulate I/O Image; Modify Alarm Settings; Modify Control Logic; Program Download; Rootkit; System
Firmware; Utilize/Change Operating Mode

Impair Process Control: Brute Force I/O; Change Program State; Masquerading; Modify Control Logic; Modify
Parameter; Module Firmware; Program Download; Rogue Master Device; Service Stop; Spoof Reporting Message;
Unauthorized Command Message

Impact: Damage to Property; Denial of Control; Denial of View; Loss of Availability; Loss of Control; Loss of
Productivity and Revenue; Loss of Safety; Loss of View; Manipulation of Control; Manipulation of View; Theft of
Operational Information

How can OT stakeholders benefit from MITRE ATT&CK?
MITRE ATT&CK for OT offers tremendous advantages to ICS defenders.

•       CISO/C-Suite: enabling investment in a security posture that maps to specific risks, experienced
        attacks, threat groups and documented APT threat reports

•       SOC Security analyst: providing rationalized and prioritized SOC alerts that attribute risk values to assets
        based on the MITRE framework. It also helps drive the improvement of detection mechanisms for TTPs that
        are not yet covered.

•       Blue Team/Incident responders: enabling them to quickly map new cyberattacks seen in the news to
        techniques used, identify data needs and build analytics to cover detection across the different stages of
        tactics used by adversaries.

•       Threat hunters: by identifying threat behaviors listed in the framework that will not be discovered by
        automated detection.

•       Red Team/Penetration tester: by standardizing red team / blue team communication, making it easier and
        more effective to examine the tactics and techniques used in the investigation and determine where the
        gaps in the security system are.

•       Product management / Product development: allowing teams to enhance the threat scenarios and abuse case
        scenarios that support feature elicitation throughout the secure software development lifecycle.
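The SOC analyst and Blue Team bullets above describe two activities: attributing a risk value to assets from alerts that are mapped to the framework, and identifying tactics for which no detection exists. The following Python example, added here and not part of the OTCSA paper, models both. The tactic and technique names are taken from the matrix reproduced earlier (a subset of techniques per tactic); the analytic names, asset names and the alert stream are constructed for illustration.

```python
"""Detection coverage and asset prioritization on the ATT&CK for ICS matrix.

Added example, not part of the OTCSA paper. Tactic and technique names come
from the matrix printed in the paper (a subset of techniques per tactic); the
analytic names, asset names and alert stream are constructed."""
from collections import defaultdict

# Tactics in matrix order (left to right), each with a subset of its techniques.
ICS_MATRIX = {
    "Initial Access": ["Engineering Workstation Compromise", "External Remote Services",
                       "Spearphishing Attachment", "Internet Accessible Device"],
    "Execution": ["Command-Line Interface", "Scripting", "User Execution"],
    "Persistence": ["Valid Accounts", "Module Firmware", "System Firmware"],
    "Evasion": ["Masquerading", "Indicator Removal on Host"],
    "Discovery": ["Network Service Scanning", "Remote System Discovery",
                  "Control Device Identification"],
    "Lateral Movement": ["Default Credentials", "Remote File Copy"],
    "Collection": ["Screen Capture", "Point & Tag Identification"],
    "Command and Control": ["Commonly Used Port", "Connection Proxy"],
    "Inhibit Response Function": ["Block Command Message", "Denial of Service (DoS)"],
    "Impair Process Control": ["Unauthorized Command Message", "Modify Parameter"],
    "Impact": ["Loss of Control", "Denial of View"],
}

# Constructed (hypothetical) detection analytics, each tagged with the
# technique it is designed to detect.
ANALYTICS = {
    "vpn-login-from-new-geo": "External Remote Services",
    "ews-office-macro-spawn": "Spearphishing Attachment",
    "powershell-encoded-cmd": "Scripting",
    "plc-port-sweep": "Network Service Scanning",
    "default-cred-plc-login": "Default Credentials",
    "unsolicited-write-to-plc": "Unauthorized Command Message",
}

# Constructed alert stream: (timestamp, asset, analytic that fired).
ALERTS = [
    ("2020-03-01T08:02", "ews-01", "vpn-login-from-new-geo"),
    ("2020-03-01T08:15", "ews-01", "powershell-encoded-cmd"),
    ("2020-03-01T09:40", "ews-01", "plc-port-sweep"),
    ("2020-03-01T10:05", "plc-07", "default-cred-plc-login"),
    ("2020-03-01T10:06", "plc-07", "unsolicited-write-to-plc"),
    ("2020-03-02T14:00", "hmi-02", "powershell-encoded-cmd"),
]


def technique_index(matrix):
    """Map each technique to the set of tactics it appears under (in the full
    matrix a technique such as Valid Accounts sits in more than one column)."""
    index = defaultdict(set)
    for tactic, techniques in matrix.items():
        for technique in techniques:
            index[technique].add(tactic)
    return index


def coverage_gaps(matrix, analytics):
    """Tactics for which no analytic covers any listed technique: the missing
    TTP detection mechanisms a SOC should build next."""
    covered = set(analytics.values())
    return [tactic for tactic, techniques in matrix.items()
            if not covered.intersection(techniques)]


def prioritize_assets(alerts, analytics, matrix):
    """Rank assets by how far along the matrix the observed activity has
    progressed (deepest tactic first), then by the number of distinct tactics
    seen. Returns (asset, deepest_tactic, tactic_count) tuples."""
    order = list(matrix)
    index = technique_index(matrix)
    seen = defaultdict(set)
    for _, asset, analytic in alerts:
        seen[asset].update(index[analytics[analytic]])
    ranked = []
    for asset, tactics in seen.items():
        depth = max(order.index(t) for t in tactics)
        ranked.append((asset, order[depth], len(tactics)))
    ranked.sort(key=lambda r: (order.index(r[1]), r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    print("Tactics with no detection coverage:", coverage_gaps(ICS_MATRIX, ANALYTICS))
    for asset, deepest, count in prioritize_assets(ALERTS, ANALYTICS, ICS_MATRIX):
        print(f"{asset}: {count} tactic(s) observed, deepest stage = {deepest}")
```

Ranking by the deepest tactic reached puts the PLC that received an unauthorized command ahead of the engineering workstation that produced more alerts, which is the order an OT responder wants; the coverage gap list shows the tactics (Persistence, Evasion, Collection, Command and Control, Inhibit Response Function, Impact) for which this constructed analytic set would never fire.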

An example of a kill-chain mapping against the MITRE ATT&CK for ICS framework: the Electrum APT group’s
Crashoverride malware attack on the Ukrainian grid in December 2016.

[Figure: kill-chain mapping of the Crashoverride attack onto the ATT&CK for ICS matrix; the matrix itself is
reproduced in the previous section.]

Conclusion
Having a common lexicon and knowledge base describing OT threats helps define and prioritize detection.
Since threat behaviors often evolve slowly, detecting them, in addition to fast-changing network anomalies
or IoCs, can be more effective.

Several OT stakeholders will benefit from the MITRE ATT&CK framework for ICS, a must-have for the OT
security community.

About the Operational Technology Cyber Security Alliance (OTCSA)
The Operational Technology Cyber Security Alliance (OTCSA) is a group of global industry-leading
organizations focused on providing operational technology (OT) operators with resources and guidance
to mitigate their cyber risk in an evolving world. Founded in 2019, OTCSA is the first group of its kind
to architect a technical and organizational framework, the who, what, and how for safe and secure OT.
Membership is open to all OT operators and IT/OT solution providers. Current members include Fortinet,
ABB, Splunk, NCC Group, Qualys, Microsoft, WESCO, Forescout, Wärtsilä, CyberOwl, NTT, SCADAfence,
Blackberry Cylance, CheckPoint, and Mocana.

To learn more about the OTCSA or to become a member, visit https://otcsalliance.org.

Acknowledgements
The following people served as contributors in the preparation of this document:

Name                                      Affiliation
Antoine DHaussy                           Fortinet
Bart de Wijs                              ABB
Chris Duffey                              Splunk
Matt Field                                NCC Group
Dharmesh Ghelani                          Qualys
Gunter Ollmann                            Microsoft
Jason Wolff                               WESCO
Luca Barba                                Forescout
Päivi Brunou                              Wartsila
Russell Kempley                           CyberOwl
Tom Thirer                                SCADAfence

Use of information
Copyright 2020 Operational Technology Cyber Security Alliance (OTCSA)

Redistribution and use of this document AS IS, without modification, is permitted provided that the following conditions
are met:

1.   Redistributions of this work of authorship must retain the above copyright notice, this license and conditions, including
     the disclaimer listed below.

2.   The name(s) of the copyright holder, the Operational Technology Cyber Security Alliance (OTCSA), or any of its members
     or contributors may not be used to endorse or promote any products or other offerings, without specific prior written
     permission.

THIS DOCUMENT IS PROVIDED BY THE OTCSA, COPYRIGHT HOLDER(S) AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OTCSA, COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
