The MITRE Engenuity ATT&CK Evaluations for ICS Explained
Hear from Dragos experts in our on-demand webinar that provides a summary and breakdown of MITRE’s first evaluation of the ICS threat detection market, the MITRE Engenuity ATT&CK® Evaluations for ICS. MITRE released the results in July 2021, which analyzed five industrial cybersecurity vendors to determine threat behavior detection efficacy in operational technology (OT) environments. The Dragos team was honored to participate in the evaluation and pleased that the ICS community can benefit from independent insights on how the attack was designed and how the Dragos Platform performed.
In the on-demand webinar, you’ll hear from our panel of experts:
- Sergio Caltagirone, VP of Threat Intelligence
- Alex Larson, Principal Reverse Engineer
- Austin Scott, Director of Threat Detection [previously Principal Detection Engineer]
The team provides a thorough description of the evaluation methodology, the emulated threat behaviors and techniques, and how the Dragos Platform technology performed in response to each of these behaviors and techniques – specifically detailing the detections in the platform and the quality of those detections. They also cover how we plan to improve the platform technology based on the ATT&CK evaluation results.
Additionally, they respond to participant questions at the end of the webinar to provide further insight on the evaluation approach and how you should interpret these results. We highlight a sampling of webinar questions and the responses below. You can access the slides from the webinar here.
A Sampling from the Webinar Q&A
Q: How common is it for malicious actors to leverage “homegrown” or custom attacks [shown in the evaluation] vs. using more commonly used exploit tactics and tools?
A: Adversaries using commonly known tools to gain access to operational technology (OT) environments is the most popular method. When it comes to getting to the ICS equipment however, it’s common to use homegrown or custom attacks like those represented in the evaluation.
Q: How realistic is the evaluation scenario, which shows safety and control systems on the same network that are not properly segregated?
A: In a real-world scenario, it is usually not acceptable to not have proper segregation between these systems. But in the actual attack the evaluation methodology emulates, these systems were properly segregated but that didn’t matter because the firewalls weren’t going to stop an adversary of this type or a threat of this magnitude. Because of this, for evaluation purposes segmentation was not required.
Q: How can MITRE ATT&CK for ICS be used for OT cybersecurity in brown field projects?
A: We recommend you conduct an architecture review and evaluate the various ICS framework techniques against the architecture to identify:
- Could you see it?
- Could you detect it?
- Could you prevent it?
- How easily could you respond?
Use these results to guide how you can potentially retrofit your existing environments during downtime to improve your cybersecurity responses.
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.