Your Guide to the MITRE ATT&CK Framework for ICS

Your Guide to the MITRE ATT&CK Framework for ICS

What Is MITRE ATT&CK for ICS?

The MITRE ATT&CK® Framework for Industrial Control Systems (ICS) threat modeling classifies malicious cybersecurity events against an operational technology (OT) environment. Its ontology categorizes each event as a specific tactic and maps each tactic into one or more higher level technique categories.

At its heart, the community-sourced framework is designed to describe the course of action an adversary might follow, and create a knowledge base of threat actor behaviors. Security teams can then use this information to enhance their organization’s security strategies and policies.

MITRE ATT&CK Framework Ontology

The elements of the MITRE ATT&CK Framework for ICS reflect the distinctiveness of a physical operational environment. The focus is on operational technology, which includes devices like PLCs, actuators, sensors, and so on. These assets include valves and motors, and power lines and water treatment plants, all of which have strict safety and availability requirements.

The framework provides explicit classification for the effect an attack might have on OT assets. It consists of 11 categories of techniques that make up the entire attack chain. These categories are:

Initial Access This category refers to actions that provide an initial foothold into the infrastructure.
Execution This category refers to attempts by the adversary to run malicious code.
Persistence This category refers to actions attackers use to maintain a foothold in an ICS environment.
Evasion This category refers to measures the adversary is taking to conceal their actions. Relevant events include spoof reporting messages, tampering with logs, etc.
Discovery This category refers to events that are related to asset identification. These actions are considered a prelude to an actual attack.
Lateral Movement This category refers to the actions that allow movement inside the operational network.
Collection This category refers to events that are related to information collection. These actions are considered a prelude to an actual attack.
Command and Control This category refers to the establishment of communication and control of the compromised systems, controllers, and platforms with access to your ICS environment.
Inhibit Response Function This category refers to actions that aim to prevent the safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
Impair Process Control This category refers to events connected with the control process. Here, the adversary is trying to manipulate, disable or damage physical control processes.
Impact This category refers to events that are directly connected to interaction with an ICS system, like the attempt to manipulate, interrupt or destroy your ICS systems, data and their surrounding environment.

The tactics can be split into three main categories:

  • Reconnaissance and Attack Staging – Initial access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control
  • Attack Execution – Inhibit Response Function, Impair Process Control
  • Attack Impact – Impact

Differences Between the MITRE ATT&CK for Enterprise and MITRE ATT&CK for ICS

MITRE has also established a framework for the IT enterprise environment. This framework is designed to provide a knowledge base specifically for those in the IT field.

While it effectively describes a plethora of attack tactics, unfortunately it cannot be effectively integrated with the OT environment, for these reasons:

  1. The motivation, objectives and intents of the adversaries are different. The main goal in an OT environment is to access and impair physical processes that are controlled by specialized hardware unique to the OT field. To impact industrial process, common elements in the field like ladder logic and safety functions require, from the adversary’s perspective, a new set of tactics, methods and tools. A new ontology is also required to describe events like stopping a robotic arm, or manipulating a process variable reporting to the operator.
  2. The stages and life cycles of an attack are different. The ICS environment is focused on operation and safety factors. Here, the main goal of the adversary is to hinder the operational process. This involves additional stages that include the manipulation of operational and safety factors.
  3. Finally, the technology overall is different. The mitigation strategies produced by the knowledge base have safety and availability constraints. The environment is very resistant to policy changes that might impact the process. Every strategy based on the framework will reflect those factors.

The best and most comprehensive approach is to use the MITRE Framework for Enterprises on the upper levels of the Purdue model (historians, workstations, etc), and the MITRE Framework for ICS for lower levels of the model (PLC, actuators, sensors, etc). This way, you can take advantage of the knowledge base specific to the threats targeting each environment.

The Value of The MITRE Framework for ICS

The main value of the MITRE ATT&CK Framework for ICS is that its categorizations reflect real-world experiences. The approach collectively attempts to communicate the know-how of the adversaries, and navigates through complex methods and tools of APTs. It provides a conceptual approach to attacks, as well as a knowledge base for real incidents.

As an example, an attack like TRITON can be dissected into abstract categories that provide insight into key steps of the attack. For instance, one of the evasion tactics TRITON uses to infiltrate a network involves a specific icon and filename “trilog.exe”. The tactics are used to trick engineers into thinking they are seeing a legitimate executable related to the Triconex software for analyzing SIS logs; one that can be easily mapped in the framework with the Masquerading technique (ID T849). This illustrates what the adversaries focus on, and the approach to achieving their objective. In this case, the framework can be used as a guide to enhance the security of the organization, based on real world experience.

MITRE ATT&CK Framework Complexity: Identifying What’s Normal vs Malicious

The MITRE framework has some complexities that need to be considered. While the ATT&CK techniques provide a useful knowledge base and an understanding of the possible directions an attacker might follow post-compromise, detecting some of these techniques can be challenging in practice.

For example, there are many ways to implement Screen Capture (T852) or Point & Tag Identification (T861) of the ICS framework. For instance, screen capture might happen via a mobile phone or a camera outside your security controls. Attacks like this reflect how the framework’s usability can be hindered when events that would call attention to actions of an adversary go undetected.

Another point is that the ontology has elements that are difficult to clearly differentiate as malicious versus legitimate events. For example, the Lateral Movement tactic has a Remote File Copy technique (T867)3 that can be attributed to both malicious actors and legitimate actions. This makes it challenging to discern normal behavior from malicious activity.

Additionally, the framework cannot take unseen events into account. This can be attributed to a small number of incidents occurring in the live ICS environment, and the lack of detailed public reports regarding some of them. Attackers act and defenders react. Due to this informational asymmetry, it’s possible that the framework won’t include techniques actively being used by cutting-edge attackers at a certain point in time.

Finally, the framework has some complexity in its practical implementation. Several security firms have begun supporting the ICS framework, including Nozomi Networks. Although some vendors may claim to fully support it, the reality is that a complete implementation represents a long journey that requires constant effort over time.

There are also many different approaches to a single technique; in fact, attackers could use very different approaches to achieve a specific task, in cases when there is no “Jack-of-all trades” solution that provides visibility to all the elements required to detect an event. It’s also difficult to see tactics from every category of technique to gain end-to-end attack chain visibility. This would require instrumentation at multiple places from a gateway, an IDS/IPS and an agent on a device – something few vendors offer.

For example, while antivirus solutions provide visibility into workstations, they cannot provide insight into industrial controllers and actuators. These OT elements require network monitoring approaches like IDS solutions. The usage of legitimate credentials by adversaries requires monitoring of established access and control policies. These elements indicate that an effective usage of the framework requires multiple levels of defense and best practices that allow operators to benefit from the framework.

MITRE ATT&CK Framework for ICS Implementation

We believe that the MITRE ATT&CK Framework for ICS is effective in describing incidents and providing detailed insight into threat actors’ behavior. And, we’re constantly working to implement new techniques to provide enhanced visibility into cyber incidents.

For example, the image below from our Threat Intelligence service shows an Adversary in the Middle attack that has been categorized with the proper technique (T830) under the Execution tactic.

An Adversary in the Middle attack
An Adversary in the Middle attack that has been categorized with the proper technique (T830) under the Execution tactic.

Given that threat actors and cyberattacks are continually evolving, it’s important to stay up-to-date. We invite you to subscribe to Nozomi Networks Labs, and utilize our cybersecurity community resources, including threat advisories, security reports, webinars, podcasts, and other free tools developed by the Nozomi Networks Labs Security Research team.