Telling the Full Story with the MITRE ATT&CK for ICS Framework

If you’re reading this, you probably already know all about the seriousness of the threats facing IoT/ICS networks.

Over the last several years, we’ve seen an increase in awareness of these types of threats, especially in operational technology environments. High-profile attacks like Industroyer, LockerGoga, and Triton, just to name a few, are enough to make anyone even tangentially responsible for running industrial operations break out in nervous sweats.

But it’s one thing to be aware of the vulnerabilities of ICS networks and well-versed in the TTPs of attackers. It’s another task altogether to actually protect your vulnerable ICS networks against those threats — and often, a particularly challenging one.

Why? Because IoT/ICS networks are made up of unmanaged, often-unpatched devices that can’t be protected using the same security strategies as the traditional IT environment.

And what’s more, because of the unique nature of these devices, attackers often use very different methods to compromise them than the more well-known methods used to compromise IT systems. This means that ICS network security doesn’t necessarily fall under the jurisdiction of IT security. They’re two completely different challenges that require different approaches.

This is why we were very pleased to see MITRE release the ATT&CK for ICS Framework in January 2020, cataloging the unique tactics adversaries use against IoT/ICS environments.

A Sign of Shifting Tides

The original enterprise MITRE ATT&CK Framework has been a staple in the rulebooks of traditional IT security for years now. But clearly, in light of the myriad of differences between IoT/ICS and enterprise IT environments, the enterprise ATT&CK Framework wasn’t much help when it came to defending against IoT/ICS risks.

Now, MITRE has addressed that gap with the ATT&CK for ICS Framework. The framework consists of eleven tactics that threat actors use to attack an ICS environment, which are then broken down into specific techniques. Ultimately, this database describes every stage of an ICS attack from initial compromise to ultimate impacts.

Above: The MITRE ATT&CK for ICS Matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page)

This is what makes the MITRE ATT&CK for ICS Matrix so valuable. Not only does it document all of these different techniques in one database, it also presents them as they appear in the real world: as pieces of a complete story, rather than actions in a vacuum.

And this is how you’ll get the most value out of using the MITRE ICS framework: by looking at these techniques holistically, and understanding how they function within the full story of an attack.

Mapping the Complete Story

Virtually any IoT/OT attack will move across many of these techniques, rather than embodying just one or two. This is why it’s so important to achieve holistic coverage across the entire matrix, not just bits and pieces.

Take, for example, one of the most infamous of all ICS attacks: Triton. This malware was originally discovered targeting a Saudi Arabian petrochemical plant in 2017, and exploited a vulnerability in Triconex safety controllers — meaning that, if successful, the attack could have caused the release of poisonous gases or deadly explosions. The stakes don’t get much higher than that.

For many, Triton was a wake-up call. ICS security became, literally, a matter of life and death.

So, how does one of the most infamous ICS attacks of all time break down into the MITRE ATT&CK for ICS techniques?

  1. Engineering Workstation Compromise (T818) – Triton gains its initial foothold through remote access to an SIS engineering workstation.
  2. Masquerading (T849) – Triton masquerades as trilog.exe, the Triconex software for analyzing SIS logs.
  3. Control Device Identification (T808) – Triton detects Triconex controllers on the network by sending certain UDP broadcast packets over port 1502.
  4. Exploitation for Evasion (T820) – Triton exploits a Triconex firmware vulnerability to disable a firmware RAM/ROM consistency check and inject a payload, imain.bin, into the firmware memory.
  5. Modify Control Logic (T833) – Triton reprograms SIS logic to allow unsafe conditions to persist.
  6. Loss of Safety (T880) – Triton’s manipulations of controls result in dangerous malfunctions.

While these six techniques describe the overall path of Triton’s behavior, it’s worth noting that MITRE identifies that the malware is actually capable of nineteen different techniques. Any one of those steps could play a pivotal role in the progression of an attack.

This illustrates our point: comprehensive coverage across the full matrix, not just a handful of techniques, is critical. It is impossible to seal an ICS environment — or, frankly, any environment — away from every possible vulnerability. This is especially true now, as the air gap between IT and OT environments disappears with the proliferation of digitization in industrial environments.

You may, for example, fail to detect an initial intrusion (in the case of Triton, the original remote access to the engineering workstation). But with continuous threat monitoring that is able to detect the many other adversary techniques that follow the initial compromise, you would still be able to quickly mitigate an attack and diagnose the affected areas of your network.
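To make the argument in the Triton breakdown and in the paragraph above concrete, here is an added example (not code from the CyberX post or from MITRE) that maps a detection-rule inventory to ATT&CK for ICS technique IDs and scores it against the six-step Triton chain. The technique IDs and names are the ones listed above; the rule names, the deliberate gap at T818, and the replayed event sequence are constructed for illustration. The script reports how much of the chain is covered, at which step an intrusion would first become visible, and which techniques remain blind spots.

```python
"""
Added example (not from the CyberX post): score a detection inventory
against a known MITRE ATT&CK for ICS attack chain, here the Triton chain
as summarised in the post. Rule names and telemetry are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    technique_id: str   # ATT&CK for ICS technique ID as given in the post
    name: str           # technique name as given in the post


# The Triton chain in attack order (IDs and names from the post).
TRITON_CHAIN = [
    Step("T818", "Engineering Workstation Compromise"),
    Step("T849", "Masquerading"),
    Step("T808", "Control Device Identification"),
    Step("T820", "Exploitation for Evasion"),
    Step("T833", "Modify Control Logic"),
    Step("T880", "Loss of Safety"),
]

# Constructed detection inventory: rule name -> technique IDs it can surface.
# The gap is deliberate: nothing here watches the initial remote access to
# the engineering workstation (T818) or the firmware exploit (T820).
DETECTION_RULES = {
    "process-name-lookalike-on-ews": {"T849"},
    "udp-1502-broadcast-sweep": {"T808"},
    "sis-logic-download-outside-change-window": {"T833"},
    "safety-system-trip-or-fault": {"T880"},
}


def covered_techniques(rules):
    """Union of every technique ID that at least one rule can detect."""
    covered = set()
    for techniques in rules.values():
        covered |= set(techniques)
    return covered


def chain_coverage(chain, rules):
    """Per-step view of the chain: (technique_id, name, is_covered)."""
    covered = covered_techniques(rules)
    return [(s.technique_id, s.name, s.technique_id in covered) for s in chain]


def coverage_ratio(chain, rules):
    """Fraction of chain steps with at least one rule behind them."""
    hits = sum(1 for _, _, hit in chain_coverage(chain, rules) if hit)
    return hits / len(chain)


def first_detectable_step(chain, rules):
    """Index of the earliest chain step a rule would fire on, or None.
    0 means the initial compromise itself is detectable; a larger number
    is how far the attacker gets before monitoring first sees them."""
    for i, (_, _, hit) in enumerate(chain_coverage(chain, rules)):
        if hit:
            return i
    return None


def coverage_gaps(chain, rules):
    """Technique IDs in the chain with no rule behind them."""
    return [tid for tid, _, hit in chain_coverage(chain, rules) if not hit]


def replay(rules, observed_ids):
    """Replay the technique IDs an intrusion actually exercised (constructed
    telemetry, in attack order) and split them into alerted vs. unseen."""
    covered = covered_techniques(rules)
    seen = [t for t in observed_ids if t in covered]
    missed = [t for t in observed_ids if t not in covered]
    return seen, missed


if __name__ == "__main__":
    for tid, name, hit in chain_coverage(TRITON_CHAIN, DETECTION_RULES):
        print(f"{tid} {name:<38} {'covered' if hit else 'GAP'}")
    print(f"coverage: {coverage_ratio(TRITON_CHAIN, DETECTION_RULES):.0%}")
    print("first detectable step:",
          first_detectable_step(TRITON_CHAIN, DETECTION_RULES))
    print("gaps:", coverage_gaps(TRITON_CHAIN, DETECTION_RULES))
    print("replay:", replay(DETECTION_RULES, [s.technique_id for s in TRITON_CHAIN]))
```

With the constructed inventory the initial access at T818 is missed, but the chain becomes visible at step 1 (Masquerading) and four of the six steps raise an alert, which is the point of the paragraph above: monitoring the later techniques limits how far a missed initial compromise can progress. Feeding the same functions your own rule-to-technique mapping and the full list of techniques MITRE attributes to a piece of malware gives a quick, repeatable measure of where the blind spots are.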

It comes down to that classic security adage: the good guys need to get it right every time, but the bad guys only need to get it right once.

This is why a comprehensive knowledge base like the MITRE ATT&CK for ICS Framework is such a useful resource, and why organizations should strive to achieve holistic coverage across the full matrix. This goes beyond just being able to “check the boxes” of individual techniques. It means having the comprehensive ability across your entire IoT/ICS network to detect risky abnormalities, manage vulnerabilities, and achieve full visibility into devices and how they behave.

The value of the ATT&CK Matrix for ICS goes beyond the industrial network, too. While MITRE is discussing these specific techniques in reference to industrial environments, many of these tactics could also be used to infiltrate unmanaged devices in an IoT environment. For example, a threat actor could download firmware onto a security camera (T839) just as easily as they can download it onto a PLC.

While some of the terminology in the matrix is fairly specific to ICS environments — such as, for example, references to engineering workstations and controllers — the overall techniques are still worthy of consideration for anyone responsible for IoT security. This is especially true as more and more organizations are opting for a unified approach to IoT and ICS security.

The Path to Full MITRE ATT&CK for ICS Coverage

Achieving full coverage of the IoT and ICS threats described in the ATT&CK for ICS framework not only positions you to protect your networks against the threats that exist today, it also prepares you for the new ones that will, inevitably, appear in the future.

Crafting an IoT/ICS security approach capable of this requires a combination of capabilities: you need full visibility into your assets, proactive risk management to address vulnerabilities that could be exploited by adversaries, and M2M analytics to provide continuous network security monitoring.

If you’re interested in learning how CyberX can give you this coverage, download our whitepaper, which describes how CyberX addresses the IoT/ICS threats described in the MITRE ATT&CK for ICS framework.

The post Telling the Full Story with the MITRE ATT&CK for ICS Framework appeared first on CyberX.

Article Link: https://cyberx-labs.com/blog/telling-the-full-story-with-the-mitre-attck-for-ics-framework/