MITRE ATT&CK for ICS How OT Stakeholders Can Benefit From This Framework?
Table of Contents

Executive Summary
Overtaking Bad Actors
What is MITRE ATT&CK for OT?
How can OT stakeholders benefit from MITRE ATT&CK?
Conclusion
Executive Summary

The original MITRE ATT&CK enterprise framework has been around since 2015. It is a great tool for understanding how adversaries try to get into our systems, so that countermeasures can stop them. We are seeing more organizations adopting it as they realize they need a strong IT security team, and as more funding becomes available to increase the maturity of information security programs.

MITRE expanded its ATT&CK framework and knowledge base to cover ICS/OT in January 2020. This publicly available resource is a great tool for the OT security community to anticipate and counter ICS threats more efficiently and consistently.

This paper explains why and how MITRE ATT&CK for ICS was developed and what OT security stakeholders can do to get the most out of this framework.

“Simply put, ATT&CK for ICS was created out of a need to better understand, concentrate, and disseminate knowledge about adversary behavior in the ICS technology domain.”
Otis Alexander, Principal Cyber Security Engineer at the MITRE Corporation
Overtaking Bad Actors

Whether targeting IT or OT, bad actors are quick to change their behavior to beat detection. Looking at network anomalies can be useful for hunting adversarial behavior, but it is also time consuming, because a flag raised on an abnormal communication does not tell whether the behavior is malicious or the result of legitimate operator activity. Moreover, depending on the industrial process context, network communication patterns are prone to change on a daily basis.

Detecting Process Control Network (PCN) Indicators of Compromise (IoCs) with methods such as YARA rules provides more stable detection than solely analyzing network anomalies. However, these IoCs evolve over time as well, making them valuable for forensic analysis but of limited use for efficient detection. While IoCs may change every week, threat behaviors last for months, even years. Looking at these tactics, techniques, and procedures (TTPs), although more challenging for security analysts and vendors, can drastically improve the ability of asset owners to detect and protect their infrastructures from malicious actors.

Last year, the MITRE organization developed a globally accessible framework and updated its knowledge base listing all TTPs impacting the ICS/OT community. This framework comes on top of the existing MITRE ATT&CK knowledge base for enterprise IT, making it the perfect lexicon for defense in a converged IT/OT environment.

What is MITRE ATT&CK for OT?

MITRE ATT&CK for OT is the first ever framework and lexicon of publicly analyzed threat behaviors against ICSs. It consolidates and standardizes the format of ICS adversary knowledge from several threat intelligence sources that previously analyzed and reported inconsistently. The framework is organized as a matrix whose columns are Tactics (the industrial attacker’s main goals) and whose rows are Techniques (the methods used to achieve those goals). The framework also lists the most common ICS malware and Advanced Persistent Threat (APT) groups.
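To make the IoC-versus-behavior distinction concrete, here is an added example (not code from the OTCSA paper) that runs two detections over constructed PCN log lines: one matching a threat-feed IoC list, and one looking for PLC write and program-download actions coming from hosts that are not the site's engineering workstations, labelled with the ATT&CK for ICS technique names used in this paper. The log format, hosts, hashes and allowlist are all made up for the example; the point it shows is that when the adversary changes host and rebuilds the tool a week later, the IoC rule goes silent while the behavior rule still fires.

```python
"""Added example (not code from the OTCSA paper): IoC-based versus
behaviour-based detection over constructed Process Control Network (PCN)
log lines. Hosts, hashes, the log format and the allowlist are made up."""
from dataclasses import dataclass

# Constructed IoC feed: the adversary's source IP and tool hash seen in week 1.
IOC_SOURCE_IPS = {"10.9.9.9"}
IOC_FILE_HASHES = {"sha256:bad0bad0"}  # placeholder value, not a real hash

# Constructed site knowledge: only engineering workstations may program PLCs.
ENGINEERING_WORKSTATIONS = {"10.1.0.5"}
PLC_HOSTS = {"10.2.0.10", "10.2.0.11"}

# Behaviours to flag, labelled with ATT&CK for ICS technique names from the paper.
BEHAVIOUR_TECHNIQUES = {
    "program_download": "Program Download",
    "write_register": "Unauthorized Command Message",
}

# Constructed log lines: "<timestamp> <src> <dst> <action> <file hash or ->".
LOG_WEEK1 = """\
2020-03-02T08:01:00 10.1.0.5 10.2.0.10 program_download sha256:aaaa1111
2020-03-02T09:15:00 10.9.9.9 10.2.0.11 write_register -
2020-03-02T09:16:00 10.9.9.9 10.2.0.11 program_download sha256:bad0bad0
2020-03-02T10:00:00 10.1.0.5 10.2.0.11 read_register -""".splitlines()

# Same behaviour a week later: the adversary moved to a new host and rebuilt
# the tool, so every week-1 IoC is stale.
LOG_WEEK2 = """\
2020-03-09T08:01:00 10.1.0.5 10.2.0.10 program_download sha256:aaaa1111
2020-03-09T21:40:00 10.9.9.42 10.2.0.11 write_register -
2020-03-09T21:41:00 10.9.9.42 10.2.0.11 program_download sha256:bad1bad1""".splitlines()


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    action: str
    file_hash: str


def parse_line(line: str) -> Event:
    """Split one constructed log line into its five fields."""
    ts, src, dst, action, file_hash = line.split()
    return Event(ts, src, dst, action, file_hash)


def ioc_hits(lines):
    """IoC-style detection: match the threat feed's IPs and hashes."""
    events = [parse_line(line) for line in lines]
    return [e for e in events
            if e.src in IOC_SOURCE_IPS or e.file_hash in IOC_FILE_HASHES]


def behaviour_hits(lines):
    """TTP-style detection: PLC-altering actions from non-engineering hosts.
    Returns (event, technique name) pairs."""
    events = [parse_line(line) for line in lines]
    return [(e, BEHAVIOUR_TECHNIQUES[e.action]) for e in events
            if e.action in BEHAVIOUR_TECHNIQUES
            and e.dst in PLC_HOSTS
            and e.src not in ENGINEERING_WORKSTATIONS]


if __name__ == "__main__":
    for label, log in (("week 1", LOG_WEEK1), ("week 2", LOG_WEEK2)):
        print(f"{label}: {len(ioc_hits(log))} IoC hit(s), "
              f"{len(behaviour_hits(log))} behaviour hit(s)")
        for e, technique in behaviour_hits(log):
            print(f"  {e.ts} {e.src} -> {e.dst}: {technique}")
```

The allowlist is what keeps the behavior rule from drowning in the legitimate program downloads the paper warns about: the engineering workstation's own downloads are never flagged, while the same action from any other host is, whichever IP or binary it arrives with.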
[Figure: the MITRE ATT&CK for ICS matrix. Tactics (columns): Initial Access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control, Impact. Each column lists the techniques belonging to that tactic.]

How can OT stakeholders benefit from MITRE ATT&CK?

MITRE ATT&CK for OT offers tremendous advantages to ICS defenders.

• CISO/C-Suite: enabling investment in a security posture that maps to specific risks, experienced attacks, threat groups and documented APT threat reports.
• SOC security analysts: providing rationalized and prioritized SOC alerts that attribute risk values to assets based on the MITRE framework, and helping drive improvement of detection mechanisms for TTPs that are not yet covered.
• Blue Team/Incident responders: enabling them to quickly map new cyberattacks seen in the news to the techniques used, identify data needs and build analytics to cover detection across the different stages of the tactics used by adversaries.
• Threat hunters: identifying threat behaviors listed in the framework that will not be discovered by automated detection.
• Red Team/Penetration testers: standardizing red team / blue team communication, making it easier and more effective to examine the tactics and techniques used in the investigation and determine where the gaps in the security system are.
• Product management / Product development: allowing teams to enhance threat scenarios and abuse case scenarios to support feature elicitation throughout the secure software development lifecycle.

An example of a kill-chain mapping against the MITRE ATT&CK for ICS framework: the Electrum APT group’s Crashoverride malware attack on the Ukraine grid system in December 2016.

[Figure: kill-chain mapping of the Crashoverride attack onto the MITRE ATT&CK for ICS matrix. Tactics (columns): Initial Access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control, Impact.]
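The stakeholder bullets and the kill-chain figure both come down to one operation: the matrix as a data structure that an incident's techniques are mapped onto and that detection coverage is measured against. The following is an added example, not code from the OTCSA paper or from MITRE. It encodes a hand-picked subset of the ATT&CK for ICS matrix (tactic and technique names as they appear in this paper), a constructed list of analytics a site already has, a constructed technique-to-data-source mapping, and a constructed incident technique list (hypothetical, not the actual Crashoverride mapping), and derives the kill-chain view, per-tactic coverage and the data sources needed to close the gaps.

```python
"""Added example, not code from the OTCSA paper or from MITRE: a hand-picked
subset of the ATT&CK for ICS matrix plus constructed site data, used to turn
an incident's technique list into a kill-chain view, a per-tactic detection
coverage score and the list of data sources needed to close the gaps."""
from collections import OrderedDict

# Tactics in the column order shown in the paper's matrix figure.
TACTICS = ["Initial Access", "Execution", "Persistence", "Evasion", "Discovery",
           "Lateral Movement", "Collection", "Command and Control",
           "Inhibit Response Function", "Impair Process Control", "Impact"]

# Subset of the matrix (technique names as used in the paper); a technique can
# sit under more than one tactic, exactly as in ATT&CK.
MATRIX_SUBSET = OrderedDict([
    ("Initial Access", ["Spearphishing Attachment", "External Remote Services",
                        "Engineering Workstation Compromise"]),
    ("Execution", ["Command-Line Interface", "Scripting", "User Execution"]),
    ("Persistence", ["Valid Accounts", "Program Download", "System Firmware"]),
    ("Evasion", ["Masquerading", "Indicator Removal on Host", "Rootkit"]),
    ("Discovery", ["Network Service Scanning", "Remote System Discovery",
                   "Network Sniffing"]),
    ("Lateral Movement", ["Remote File Copy", "Default Credentials",
                          "Exploitation of Remote Services", "Valid Accounts"]),
    ("Collection", ["Screen Capture", "Point & Tag Identification",
                    "Program Upload"]),
    ("Command and Control", ["Commonly Used Port", "Connection Proxy",
                             "Standard Application Layer Protocol"]),
    ("Inhibit Response Function", ["Block Command Message",
                                   "Device Restart/Shutdown", "Data Destruction",
                                   "Program Download"]),
    ("Impair Process Control", ["Unauthorized Command Message", "Modify Parameter",
                                "Masquerading", "Program Download"]),
    ("Impact", ["Loss of View", "Loss of Control", "Denial of View",
                "Denial of Control"]),
])

# Constructed: techniques the site already has a detection analytic for.
SITE_ANALYTICS = {"Spearphishing Attachment", "Valid Accounts",
                  "Network Service Scanning", "Commonly Used Port"}

# Constructed: the data source an analytic for each technique would need
# (hypothetical labels chosen for the example).
DATA_SOURCE = {
    "Spearphishing Attachment": "Mail gateway logs",
    "User Execution": "Endpoint process creation logs",
    "Valid Accounts": "Authentication logs",
    "Network Service Scanning": "Network flow records",
    "Remote File Copy": "File share / SMB logs",
    "Standard Application Layer Protocol": "ICS protocol deep packet inspection",
    "Unauthorized Command Message": "ICS protocol deep packet inspection",
    "Device Restart/Shutdown": "PLC status and event logs",
    "Loss of View": "HMI availability monitoring",
    "Loss of Control": "Process historian and PLC status",
}

# Constructed incident: a hypothetical technique list produced by an analyst,
# not the actual Crashoverride mapping.
INCIDENT = ["Spearphishing Attachment", "User Execution", "Valid Accounts",
            "Network Service Scanning", "Remote File Copy",
            "Standard Application Layer Protocol", "Unauthorized Command Message",
            "Device Restart/Shutdown", "Loss of View", "Loss of Control"]


def known_techniques(matrix=MATRIX_SUBSET):
    """Every technique name the matrix subset knows about."""
    return {t for techniques in matrix.values() for t in techniques}


def kill_chain(observed, matrix=MATRIX_SUBSET):
    """Group observed techniques by tactic, in the matrix's column order.
    Raises ValueError on a name that is not in the matrix, because a typo
    silently dropped from the mapping is the usual cause of a wrong picture."""
    unknown = set(observed) - known_techniques(matrix)
    if unknown:
        raise ValueError(f"not in matrix: {sorted(unknown)}")
    seen = set(observed)
    chain = OrderedDict()
    for tactic in TACTICS:
        hits = [t for t in matrix.get(tactic, []) if t in seen]
        if hits:
            chain[tactic] = hits
    return chain


def coverage(observed, analytics=SITE_ANALYTICS, matrix=MATRIX_SUBSET):
    """Per tactic: (observed techniques with an analytic, observed techniques)."""
    return OrderedDict(
        (tactic, (sum(t in analytics for t in hits), len(hits)))
        for tactic, hits in kill_chain(observed, matrix).items())


def data_gaps(observed, analytics=SITE_ANALYTICS):
    """Data sources to onboard so the uncovered techniques can be detected."""
    missing = [t for t in observed if t not in analytics]
    return sorted({DATA_SOURCE.get(t, "(data source not yet identified)")
                   for t in missing})


if __name__ == "__main__":
    for tactic, hits in kill_chain(INCIDENT).items():
        covered, total = coverage(INCIDENT)[tactic]
        print(f"{tactic:26s} {covered}/{total} covered: {', '.join(hits)}")
    print("data to onboard:", ", ".join(data_gaps(INCIDENT)))
```

The per-tactic score is what a SOC lead or CISO can act on: a chain that is well covered at Initial Access and Discovery but has zero analytics in Inhibit Response Function, Impair Process Control and Impact tells you where the next investment goes, and the data-source list says what has to be collected before that analytic can exist.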
Conclusion

Having a common lexicon and knowledge base describing OT threats helps define and prioritize detection. Recognizing that threat behaviors often evolve slowly, it can be more effective to detect these on top of fast-changing network anomalies or IoCs. Several OT stakeholders will benefit from the MITRE ATT&CK framework for ICS, a must-have for the OT security community.

About the Operational Technology Cyber Security Alliance (OTCSA)

The Operational Technology Cyber Security Alliance (OTCSA) is a group of global industry-leading organizations focused on providing operational technology (OT) operators with resources and guidance to mitigate their cyber risk in an evolving world. Founded in 2019, OTCSA is the first group of its kind to architect a technical and organizational framework, the who, what, and how for safe and secure OT. Membership is open to all OT operators and IT/OT solution providers. Current members include Fortinet, ABB, Splunk, NCC Group, Qualys, Microsoft, WESCO, Forescout, Wärtsilä, CyberOwl, NTT, SCADAfence, Blackberry Cylance, CheckPoint, and Mocana. To learn more about the OTCSA or to become a member, visit https://otcsalliance.org.
Acknowledgements

The following people served as contributors in the preparation of this document (name, affiliation):

Antoine DHaussy, Fortinet
Bart de Wijs, ABB
Chris Duffey, Splunk
Matt Field, NCC Group
Dharmesh Ghelani, Qualys
Gunter Ollmann, Microsoft
Jason Wolff, WESCO
Luca Barba, Forescout
Päivi Brunou, Wartsila
Russell Kempley, CyberOwl
Tom Thirer, SCADAfence

Use of information

Copyright 2020 Operational Technology Cyber Security Alliance (OTCSA)

Redistribution and use of this document AS IS, without modification, is permitted provided that the following conditions are met:
1. Redistributions of this work of authorship must retain the above copyright notice, this license and conditions, including the disclaimer listed below.
2. The name(s) of the copyright holder, the Operational Technology Cyber Security Alliance (OTCSA), or any of its members or contributors may not be used to endorse or promote any products or other offerings, without specific prior written permission.

THIS DOCUMENT IS PROVIDED BY THE OTCSA, COPYRIGHT HOLDER(S) AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OTCSA, COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.