MITRE ATT&CK Framework for ECS/OT Safety
WHAT IS THE MITRE ATT&CK FRAMEWORK FOR EX/OT SECURITY?
The MITRE ATT&CK framework threat modeling for Industrial Control Systems (ICS) classifies malicious cybersecurity incidents based on their operational technology (OT) environment. This framework design classifies each incident as a specific tactic and maps each tactic to one or more high-level technical categories.
In essence, this crowdsourced framework is designed to define the course of action a cyber attacker might take and build a knowledge base of threat actor behaviors. Security teams can then use this information to improve their organization’s security strategies and policies.
MITRE ATT&CK FRAME ONTOLOGY
The elements of the MITRE ATT&CK Framework for ECS reflect the hallmarks of a physical operational environment. The focus is on operational technology, including PLCs, actuators, sensors and similar devices. These assets include valves and motors as well as power lines and water treatment plants, all with stringent security and availability requirements.
The framework provides a clear classification of the impact an attack can have on OT assets. It consists of 11 technical categories that make up the entire attack chain. These categories are
| First Access | This category refers to actions that provide a starting point for infrastructure. |
| Execution | This category refers to the cyber attacker’s attempts to execute malicious code. |
| Persistence | This category refers to actions that attackers use to gain a foothold in an EKS environment. |
| Avoidance | This category refers to measures taken by the attacker to hide their actions. Related incidents include fake reporting messages, modifying logs, etc. |
| Discovery | This category refers to events related to entity identification. These actions are considered the beginning of a real attack. |
| Lateral Movement | This category refers to actions that allow movement within the operational network. |
| Collection | This category refers to events related to information gathering. These actions are considered the beginning of a real attack. |
| Command and Control | This category refers to establishing communication and control of at-risk systems, controllers and platforms that have access to your EKS environment. |
| Overcoming the Blocking Function | This category refers to actions aimed at preventing safety, protection, quality assurance and operator intervention functions from responding to a failure, hazard or unsafe condition. |
| Disrupting Process Control | This category refers to incidents linked to the control process. Here the aggressor is trying to manipulate, disable or damage physical control processes. |
| Impact | This category refers to incidents associated with direct interaction with an EKS system, such as an attempt to manipulate, disrupt or destroy your EKS systems, data and the environment around them. |
Tactics can be divided into three main categories:
- Reconnaissance and Offensive Preparation – Initial Access, Execution, Persistence, Evasion, Reconnaissance, Lateral Movement, Gathering, Command and Control
- Attack Execution – Circumventing Blocking Function, Disrupting Process Control
- Attack Effect – Impact
DIFFERENCES BETWEEN MITRE ATT&CK FRAME FOR BT AND EX/OT
MITRE has established a framework for the IT enterprise environment. This framework is specifically designed to provide a knowledge base for those in the IT field.
While the IT Framework effectively identifies a large number of attack tactics, unfortunately it cannot be effectively integrated into the OT environment for the following reasons:
- Cyber attackers have different motivation, goals and intentions. In an OT environment, the main objective is to access and disrupt physical processes controlled by specialized hardware specific to the OT domain. To influence the industrial process, common elements in the domain, such as ladder logic and security functions, require a new set of tactics, methods and tools from the attacker’s perspective. A new approach and industry knowledge is also required to identify events such as stopping a robotic arm or changing a process variable that reports to the operator.
- The phases and lifecycles of an attack are different. The EKS environment focuses on business and operational continuity and security factors. Here the main goal of the attacker is to disrupt the operational process. This involves additional phases involving manipulation of operational and safety factors.
- Finally, technology in general is different. Experienced intrusion prevention strategies have security and usability limitations. The environment is very resistant to policy changes that can affect or stop the process. Any framework-based strategy needs to take these factors into account.
The best and most comprehensive approach is to use the MITRE Framework for Enterprises at the upper levels of the Purdue model (historian, workstations, etc.) and the MITRE Framework for ECS for the lower levels of the model (PLC, actuators, sensors, etc.). In this way, you can benefit from experience specific to the threats targeting each environment.
THE VALUE OF THE MITRE FRAME FOR EX
The core value of the MITRE ATT&CK Framework for ECS is that its classifications reflect real-world experience. The approach collectively tries to convey the know-how of cyber attackers and provides insight into the sophisticated methods and tools of APTs (Persistent Threats). It is a conceptual approach to attacks as well as a knowledge base for real incidents.
For example, an attack like TRITON can be broken down into abstract categories that provide insight into the basic steps of the attack. For example, one of the evasion tactics TRITON uses to infiltrate a network includes a specific icon and filename “trilog.exe”. The tactics are used to trick engineers into thinking they are seeing a legitimate executable file related to the Triconex software to analyze SIS logs; a method that can be easily mapped in the framework with the Masquerading technique (ID T849). This shows what the attackers are focused on and the approach to achieve their goals. In this case, the framework can be used as a guideline to improve the organization’s security based on real-world experience.
MITRE ATT&CK FRAMEWORK ANALYSIS: DETERMINING WHAT IS NORMAL AND WHAT IS MALICIOUS
The MITRE framework has some complexities to consider. While the ATT&CK techniques provide a useful knowledge base and an understanding of the possible directions an attacker might take once inside, some of these techniques can be difficult to detect in practice.
For example, there are many ways in which the EKS framework can implement Screen Capture (T852) or Point and Tag Identification (T861). For example, screen capturing can occur outside of your security controls via a cell phone or a camera. Attacks like this reflect how the usability of the framework can be hindered when events that would draw attention to an attacker’s actions cannot be detected.
Another point is that the approach has elements that are difficult to clearly distinguish as malicious and legitimate events. For example, the Lateral Movement tactic has a Remote File Copy technique (T867) that can be attributed to both malicious actors and legitimate actions. This makes it difficult to distinguish normal behavior from malicious activities.
Additionally, the framework cannot account for unseen events. This can be attributed to the small number of incidents that occur in the live EKS environment and the lack of detailed public reports on some of them. Attackers act and defenders react. Due to this information asymmetry, it is possible that the framework does not include techniques that are actively used by the latest attackers at a given time (such as day zero, etc.).
Finally, there are some complexities in the practical implementation of the framework. Many security companies, including Nozomi Networks, have started supporting the EKS framework. While some vendors claim to fully support it, the reality is that a complete implementation represents a long journey that requires continuous effort over time.
There are also many different approaches to a single technique; in fact, attackers can use very different approaches to accomplish a given task in the absence of a “jack-of-all-trades” solution that provides visibility into all elements necessary to detect an incident. It is also difficult to see tactics from every category of technique to achieve end-to-end attack chain visibility. This requires instrumentation in multiple places – from a gateway, an IDS/IPS, and an agent on a device – it may be necessary to create an environment that several vendors offer.
For example, while antivirus solutions provide visibility into workstations, they cannot provide information about industrial controllers and actuators. These OT elements require network monitoring approaches such as IDS solutions. The use of legitimate credentials by attackers requires monitoring of established access and control policies. These elements demonstrate that effective use of the framework requires multiple levels of defense and best practices that allow operators to leverage the framework.
MITRE ATT&CK FRAMEWORK FOR EX APPLICATIONS
At Nozomi Networks and Cerrus, we believe that the MITRE ATT&CK Framework for EKS is effective in identifying incidents and providing detailed insight into the behavior of threat actors. And we are constantly working to apply new techniques to provide better visibility into cyber incidents.
For example, the following image from our Threat Intelligence service shows a Man-in-the-Middle (MITM) attack categorized with the appropriate technique (T830) under the Execution tactic.
Given that threat actors and cyberattacks are constantly evolving, it is important to stay up-to-date. We invite you to subscribe to Nozomi Networks Labs and utilize our cybersecurity community resources, including threat advisories, security reports, webinars, podcasts, and other free tools developed by the Nozomi Networks Labs Security Research team.
For more: hello@cerrus.io