The industrial threat landscape continues to evolve with a perpetual influx of new network anomalies and Indicators of Compromise (IOC). Consequently, prudent defenders must focus on more actionable elements of attack characteristics, such as Tactics, Techniques and Procedures (TTPs). One such example of this is the MITRE ATT&CK for ICS Initial Access tactic.
Industrial organizations managing industrial controls systems (ICS) and operational technology (OT) assets should be well-versed in Initial Access techniques for the following reasons:
- Initial access is the pre-requisite to further stages of an attack and therefore focusing on this tactic can aid in the prioritization of efforts for defenders.
- The rapidly changing nature of network anomalies and IOCs mandates the focus on threat behaviours, such as the more slowly changing TTPs.
- While direct access to an ICS/OT environment is considered the code red of initial access scenarios, gaining access to a corporate/IT network can act as a precursor to an ICS/OT network pivot.
- Numerous Dragos-tracked Activity Groups have been known to explicitly target and develop initial access into industrial organization environments.
Because numerous Dragos-tracked Activity Groups (AGs) are actively targeting initial access into industrial environments, Dragos performed an analysis of the top MITRE ATT&CK for ICS Initial Access techniques utilised by these groups. You can download the full analysis, “How Dragos Activity Groups Obtain Initial Access into Industrial Environments,” here.
Interestingly, while direct access to ICS/OT technologies is considered to be the code red of initial access scenarios, Dragos has observed that gaining access to a corporate/IT network was the more common mechanism by which adversaries facilitated or prepared for a pivot to ICS/OT environments. The table below shows the number of Dragos Activity Groups that use the different MITRE ATT&CK for ICS Initial Access techniques.
MITRE ATT&CK for ICS Initial Access techniques used by Dragos Activity Groups
| MITRE ATT&CK for ICS Initial Access technique | Number of Dragos AGs utilising the technique |
| Spearphishing Attachment [T0865] | 10 |
| Supply Chain Compromise [T0862] | 6 |
| Exploitation of Remote Services and/or Public-Facing Applications [T0866 & T0819] | 5 |
| Drive-by Compromise [T0817] | 4 |
Initial access is one of the most important adversarial tactics and it may form the critical dependency on which further tactics rely, or conversely it may be the end goal in itself. Irrespective of the adversary’s intent, preventing successful initial access can be paramount in preventing successful intrusions against your organization.
While this blog provides a high-level overview of the initial access techniques deployed by Dragos Activity Groups, Dragos does not publicly describe ICS/OT activity group technical details except in extraordinary circumstances to limit tradecraft proliferation. However, full details on a range of initial access techniques and campaigns are available to network defenders via through Dragos WorldView Threat Intelligence.
Download the full analysis of initial access techniques leveraged by Dragos Activity Groups in the whitepaper, “How Dragos Activity Groups Obtain Initial Access into Industrial Environments.“
Ready to put your insights into action?
Take the next steps and contact our team today.