In a groundbreaking moment for the ICS industry, MITRE today announced the ICS-ATT&CK framework – organizing and codifying the malicious threat behaviors affecting industrial control systems (ICS). ICS-ATT&CK is a critical evolution in the defense of industrial environments worldwide: evolving our defensive approach from merely analyzing case studies to leveraging actual behaviors and strategies. As a key contributor, the world-class ICS intelligence team at Dragos worked with MITRE to categorize and validate public threat behaviors that are hallmarks of malicious activity groups targeting critical OT infrastructure.
As a rule, adversaries evolve threat behaviors far more slowly than any other element. These threat behaviors are comprised of Tactics, Techniques and Procedures (TTPs) that adversary groups leverage in the course of their campaigns. Therefore, prioritizing behavioral threat detection provides longer lasting and more comprehensive detection. More importantly, behaviors and ICS-ATT&CK allow a defender to qualify and quantify their defensive coverage by answering these important questions:
- What can you detect?
- What can’t you detect?
- For which threats do you have multi-detection coverage?
- For which threats do you rely on a single detection?
A defender should have answers to all these questions.
ICS-ATT&CK is an ICS-specific threat behavior framework built to characterize the malicious activity found uniquely in OT environments. This is a related, but separate, framework from the Information Technology (IT)-centric Enterprise ATT&CK. Dragos, MITRE, and defenders quickly realized the limitations while trying to apply an IT-centric paradigm to model ICS threat detection. MITRE and Dragos together categorized all the public threat behaviors, combined with some of Dragos’ proprietary insights, into the ICS-ATT&CK framework to support defenders and their need for a similar model.
The ICS-ATT&CK framework defines 11 behavioral tactics: Initial Access, Execution, Persistence, Evasion, Command and Control, Collection, Lateral Movement, Discovery, Inhibit Response Function, Impair Process Control, and Impact. These behavioral tactics, or categories, are further refined into behavioral techniques (there are 86 of them), and, together, outline how ICS networks worldwide are being threatened daily and providing common view on which all ICS threats can be mapped. With ICS-ATT&CK there is now a common community lexicon and framework from which to discuss ICS threat detection.
As an example of how to leverage this new framework, Dragos measures and maps our threat detections in the Dragos Platform against ICS-ATT&CK to visualize coverage and gaps. With this information, defenders now have a comprehensive ICS detective map from which they can identify areas of improvement and investment. This is a massive step forward in that these efforts can now be quantified, enabling the ICS cybersecurity team to have fact-based conversations with the C-suite.
If you’re interested in learning more, we invite you to register for our upcoming webinar: Introducing MITRE ATT&CK for ICS and Why it Matters. Dragos’ own Principal Adversary Hunter, Joe Slowik, will be co-presenting with MITRE’s Otis Alexander. It’s your chance to learn from the experts and get a head start implementing ICS-ATT&CK in your organization.