Last week, MITRE publicly released its new framework called “ATT&CK for Industrial Control Systems (ICS)”. ATT&CK for ICS shines a light into the unique threat behaviors leveraged by adversaries targeting ICS environments. Dragos understands the critical importance ICS threat behaviors play in an effective cybersecurity strategy and was proud to be a key contributor to this program and community resource. As you begin your journey implementing a threat behavior detection approach in your organization, we look forward to partnering together as you take your first steps.
A quick history lesson…
Since its inception in 1958, MITRE has leveraged advanced technology and brilliant minds to solve complex problems. In 2013, MITRE focused its resources on what would later be known as ATT&CK for Enterprise. ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge, and its original intent was to provide a framework for enumerating threat behavior for use in threat emulation Red Team exercises. The impetus for ATT&CK was the belief that offense is the best driver for defense. Working closely with a Red Team (network attackers) enables a Blue Team (network defenders) to validate detection strategies and strengthen network defenses.
As ATT&CK has evolved, its core value has shifted towards Cyber Threat Intelligence. ATT&CK provides Threat Analysts with a standard nomenclature for threat behaviors enriched with public references. Its comprehensive coverage of the techniques and tools used by Activity Groups enable network defenders to create effective defense strategies for enterprise networks.
The greatest strength of the ATT&CK framework is its focus on Threat Behaviors rather than Indicators. Why is this important? While it’s trivial for an Activity Group to change out IP addresses, domain names, file hash values and network artifacts, it is extremely difficult and tedious to change the Tactics, Techniques and, Procedures (TTPs), or behaviors, behind attacks. Changing TTPs requires investment in new technology and retraining for resources, which is considerably more expensive and time-consuming than something as simple as acquiring a new domain name. By focusing on Threat Behaviors, network defenders are able to create detections with a high confidence rating and increased longevity.
If you’d like to learn more about ATT&CK for Enterprise and how it is used, I recommend you watch the ATT&CK for Cyber Threat Intelligence Training series published by MITRE:
Why was ATT&CK for ICS created?
In 2017, MITRE started work on a new initiative called ATT&CK for ICS with the goal of enumerating the unique Threat Behaviors utilized by Activity Groups targeting Industrial Control System (ICS) networks.
Because ICS technology operates differently than enterprise technology, it requires that Activity Groups take a unique approach to cause an impact in this arena. Even within ICS, industry verticals (Electric, O&G, Manufacturing) have unique characteristics. ATT&CK for ICS is vertical agnostic and is meant to work equally for ICS systems that support a wide range of industrial processes.
Who can use ATT&CK for ICS?
- Analysts can leverage the standard language for reporting and analysis. For example, before ATT&CK for ICS you may have seen something like this: “APT33 is related to MAGNALLIUM but is more like a subset of that group. They are focused on O&G/Industrial primarily in the Middle East with connections to multiple wiper events.” It can be confusing to read and digest all of the different reports from various threat intel feeds, and generally leaves the analyst with more questions than answers. To solve this problem, ATT&CK for ICS has established a common language to help analysts better understand threat behavior, rather than specific indicators or network anomalies that may never occur again.
- Threat Hunters and IR Teams can utilize the library of enumerated threat behaviors as part of their ICS hunts and ICS IR triage efforts. The benefit to them is that they’re much more effective and efficient in their work – delivering better recommendations in a fraction of the time it used to take.
- Red Teams can emulate the Threat Behaviors of known Activity Groups to support the development, testing and validation of Blue Team network defenses. These activities increase the confidence of defenders and also identify deficiencies that may need more attention.
- CISOs / SOC Managers can utilize the outcome of all of these other exercises to assist in formulating a defensive strategy and prioritizing cybersecurity initiatives. At the management level, it’s essential to have answers to questions like: what’s the next tool we should invest in; or, what’s the next analytic we should develop? The answer to the second question will drive decisions on what type of data the team should be collecting next, which would then inform them on the types of new tools required in order to collect that data.
S4x20 ICS Security Conference
At S4x20, I will be presenting on the methodology Dragos leveraged for testing and contributing changes to the ATT&CK for ICS framework. During my presentation, I will detail how we used the ATT&CK for ICS framework to map the Dragos Activity Groups and how we have used the framework to validate our coverage of ICS Threat Behavior within the Dragos Platform. I’ve also crunched the numbers through a heat-mapping process and have some very interesting data about the framework to share.
ICS ATT&CK is an independent and community-sourced way to communicate about the unique threat behaviors that ICS adversaries are using and will help the community identify their coverage and gaps to increase their ability to detect and respond to threats. ATT&CK for ICS is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis. Dragos understands the critical importance ICS threat behaviors play in an effective cybersecurity strategy, and we’re proud to contribute to this program and community resource.