MITRE ATT&CK for ICS How OT Stakeholders Can Benefit From This Framework?
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
MITRE ATT&CK for ICS How OT Stakeholders Can Benefit From This Framework?
Table of Contents
Executive Summary.......................................................................................................................................... 3
Overtaking Bad Actors...................................................................................................................................... 4
What is MITRE ATT&CK for OT?........................................................................................................................ 4
How can OT stakeholders benefit from MITRE ATT&CK?................................................................................... 5
Conclusion........................................................................................................................................................ 7
2Executive Summary
The original MITRE ATT&CK enterprise framework has been around since 2015. It is a great tool for
understanding how adversaries try to get into our systems so that countermeasures can stop them. We are
seeing organizations adopting it more as they realize they need a strong IT security team and more funding is
becoming available to increase the maturity of information security programs.
MITRE expended its ATT&CK framework and knowledge base for ICS/OT in Jan 2020. This publicly available
resource is a great tool for the OT security community to anticipate and counter ICS threats more efficiently
and consistently.
This paper provides information on why and how MITRE ATT&CK for ICS was developed and what OT security
stakeholders can do to get the most out of this framework.
“Simply put, ATT&CK for ICS was created out of a need to better understand,
concentrate, and disseminate knowledge about adversary behavior in the ICS
technology domain.”
Otis Alexander, Principal Cyber Security Engineer at the MITRE Corporation
3Overtaking Bad Actors
Whether targeting IT or OT, bad actors are quick at changing behaviors to beat detection.
Looking at network anomalies can be useful for hunting adversarial behaviors but time consuming at the same
time for ab-normal communication flags do not indicate if behavior is malicious or voluntary. Moreover, depending
on the industrial process context, network communication patterns are prone to change on a daily basis.
Detecting Process Control Network (PCN) Indicators of Compromises (IoCs) with methods such as YARA rules will
provide a more stable detection than solely analyzing network anomalies. However, these IoCs evolve over time as
well, making them valuable for forensic analysis but limited for efficient detection.
While IoCs may change every week, threat behaviors last for months even years. Looking at these tactics,
techniques, and procedures (TTPs) although more challenging for security analysts and vendors, can drastically
improve the ability for asset owners to detect and protect their infrastructures from malicious actors.
Last year, the MITRE organization developed a globally accessible framework and updated its knowledge database
listing for all TTPs impacting the ICS/OT community. This framework comes on top of the existing MITRE ATT&CK
knowledge base for enterprise IT, making it the perfect lexicon for defense in a converged IT/OT environment.
What is MITRE ATT&CK for OT?
MITRE ATT&CK for OT is the first ever framework lexicon of publicly analyzed threat behaviors against ICSs. It
consolidates and standardizes the format of ICS adversary knowledge from several threat intelligence sources that
were previously analyzing and reporting inconsistently. The framework is organized as a matrix columned Tactics
(industrial attacker’s main goals) and rowed Techniques (methods to achieve the goals).
The framework also lists the most common ICS malware and Advanced Persistent Threats (APT) Groups.
4Inhibit Impair
Lateral Command
Initial Access Execution Persistence Evasion Discovery Collection Response Process Impact
Movement and Control
Function Control
Data Historian Change Hooking Exploitation Control Device Default Automated Command Activate Brute Force Damage to
Compromise Program State for Evasion Identification Credentials Collection Used Port Firmware I/O Property
Update Mode
Drive-by Command- Module Indicator I/O Module Exploitation Data from Connection Alarm Change Denial of
Compromise Line Interface Firmware Removal on Discovery of Remote Information Proxy Suppression Program State Control
Host Services Repositories
Engineering Execution Program Masquerading Network External Detect Standard Block Masquerading Denial of View
Workstation through API Download Connection Remote Operating Application Command
Compromise Enumeration Services Mode Layer Protocol Message
Exploit Graphical Program File Rogue Master Network Program Detect Block Modify Loss of
Public-Facing User Interface Infection Device Service Organization Program State Reporting Control Logic Availability
Application (GUI) Scanning Units Message
ExternalRemote Man in the System Rootkit Network Remote File I/O Image Block Serial Modfy Loss of Control
Services Middle Firmware Sniffing Copy COM Parameter
Internet Program Valid Accounts Spoof Remote Valid Accounts Location Data Module Loss of
Accessible Organization Reporting System Identification Destruction Firmware Productivity
Device Units Message Discovery and Revenue
Replication Project File Utilize/Change Serial Monitor Denial of Program Loss of Safety
Through Infection Operating Connection Process State Service (DoS) Download
Removable Mode Enumeration
Media
Spearphishing Scripting Point & Tag Device Rogue Master Loss of View
Attachment Identification Restart/ Device
Shutdown
Supply Chain User Program Manipulate Service Stop Manipulation
Compromise Execution Upload I/O Image of Control
Wireless Role Modify Alarm Spoof Manipulation
Compromise Identification Settings Reporting of View
Message
Screen Modify Unauthorized Theft of
Capture Control Logic Command Operational
Message Information
Program
Download
Rootkit
System
Firmware
Utilize/Change
Operating
Mode
How can OT stakeholders benefit
from MITRE ATT&CK?
MITRE ATT & CK for OT offers tremendous advantages to ICS defenders.
• CISO/C-Suite: enabling investment into a security posture that is mapping to specific risks, experienced
attacks, threat groups and documented APT threat reports
• SOC Security analyst: enabling them with rationalized and prioritized SOC alerts attributing risk values to assets
based on the MITRE framework. It will also help drive improvement on missing TTPs detection mechanisms.
5• Blue Team/Incident responders: enabling them to quickly map new cyberattacks seen in the news to
techniques used, identify data needs and build analytics to cover detection across the different stages of
tactics used by adversaries.
• Threat hunters: by identifying threat behaviors listed in the framework that will not be discovered by
automated detection.
• Red Team/Penetration tester: by standardizing red team / blue team communication. Making it is easier and
more effective to examine the tactics and techniques used in the investigation and determine the locations of
gaps in the security system.
• Product management / Product development: allowing teams to enhance the threat scenarios and abuse case
scenarios to support feature elicitation throughout secure software development lifecycle.
An example of a kill-chain mapping against MITRE for ICS framework: Electrum APT Group Crashoverride
malware attack on Ukraine Grid system in December 2016.
Inhibit Impair
Lateral Command
Initial Access Execution Persistence Evasion Discovery Collection Response Process Impact
Movement and Control
Function Control
Data Historian Change Hooking Exploitation Control Device Default Automated Command Activate Brute Force Damage to
Compromise Program State for Evasion Identification Credentials Collection Used Port Firmware I/O Property
Update Mode
Drive-by Command- Module Indicator I/O Module Exploitation Data from Connection Alarm Change Denial of
Compromise Line Interface Firmware Removal on Discovery of Remote Information Proxy Suppression Program State Control
Host Services Repositories
Engineering Execution Program Masquerading Network External Detect Standard Block Masquerading Denial of View
Workstation through API Download Connection Remote Operating Application Command
Compromise Enumeration Services Mode Layer Protocol Message
Exploit Graphical Program File Rogue Master Network Program Detect Block Modify Loss of
Public-Facing User Interface Infection Device Service Organization Program State Reporting Control Logic Availability
Application (GUI) Scanning Units Message
ExternalRemote Man in the System Rootkit Network Remote File I/O Image Block Serial Modfy Loss of Control
Services Middle Firmware Sniffing Copy COM Parameter
Internet Program Valid Accounts Spoof Remote Valid Accounts Location Data Module Loss of
Accessible Organization Reporting System Identification Destruction Firmware Productivity
Device Units Message Discovery and Revenue
Replication Project File Utilize/Change Serial Monitor Denial of Program Loss of Safety
Through Infection Operating Connection Process State Service (DoS) Download
Removable Mode Enumeration
Media
Spearphishing Scripting Point & Tag Device Rogue Master Loss of View
Attachment Identification Restart/ Device
Shutdown
Supply Chain User Program Manipulate Service Stop Manipulation
Compromise Execution Upload I/O Image of Control
Wireless Role Modify Alarm Spoof Manipulation
Compromise Identification Settings Reporting of View
Message
Screen Modify Unauthorized Theft of
Capture Control Logic Command Operational
Message Information
Program
Download
Rootkit
System
Firmware
Utilize/Change
Operating
Mode
6Conclusion
Having a common lexicon and knowledge base describing OT threat helps define and prioritize detection.
Recognizing that threat behaviors often evolve slowly, it can be more effective to detect these on top of fast
changing network anomalies or IoCs.
Several OT stakeholders will benefit from the MITRE ATT&CK framework for ICS, a must have for the OT
security community.
About the Operational
Technology Cyber Security
Alliance (OTCSA)
The Operational Technology Cyber Security Alliance (OTCSA) is a group of global industry-leading
organizations focused on providing operational technology (OT) operators with resources and guidance
to mitigate their cyber risk in an evolving world. Founded in 2019, OTCSA is the first group of its kind
to architect a technical and organizational framework, the who, what, and how for safe and secure OT.
Membership is open to all OT operators and IT/OT solution providers. Current members include Fortinet,
ABB, Splunk, NCC Group, Qualys, Microsoft, WESCO, Forescout, Wärtsilä, CyberOwl, NTT, SCADAfence,
Blackberry Cylance, CheckPoint, and Mocana.
To learn more about the OTCSA or to become a member, visit https://otcsalliance.org.
7Acknowledgements
The following people served as contributors in the preparation of this document:
Name Affiliation
Antoine DHaussy Fortinet
Bart de Wijs ABB
Chris Duffey Splunk
Matt Field NCC Group
Dharmesh Ghelani Qualys
Gunter Ollmann Microsoft
Jason Wolff WESCO
Luca Barba Forescout
Päivi Brunou Wartsila
Russell Kempley CyberOwl
Tom Thirer SCADAfence
Use of information
Copyright 2020 Operational Technology Cyber Security Alliance (OTCSA)
Redistribution and use of this document AS IS, without modification, is permitted provided that the following conditions
are met:
1. Redistributions of this work of authorship must retain the above copyright notice, this license and conditions, including
the disclaimer listed below.
2. The name(s) of the copyright holder, the Operational Technology Cyber Security Alliance (OTCSA), or any of its members
or contributors may not be used to endorse or promote any products or other offerings, without specific prior written
permission.
THIS DOCUMENT IS PROVIDED BY THE OTCSA, COPYRIGHT HOLDER(S) AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OTCSA, COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8You can also read
