Last January, MITRE released the ATT&CK for ICS framework, which organizes and codifies the malicious threat behaviors affecting industrial control systems (ICS). The MITRE ATT&CK for ICS framework is a critical development in the defense of industrial environments: it moves cyber defense beyond low-level indicators to detecting and defending against the strategic behaviors of real-world threats. Dragos is proud to have played a role in its founding and continues as a key contributor to the ongoing work to better understand ICS-focused threats.
Later this month, MITRE will publicly announce the MITRE Engenuity ATT&CK Evaluations for ICS results. During this evaluation MITRE assessed the products of five industrial cybersecurity vendors to determine how effectively they detect threat behaviors in operational technology (OT) environments. This is MITRE's first evaluation of the ICS threat detection market; it simulated an attack against an industrial OT environment with safety and environmental consequences.
The evaluation demonstrated how different ICS cybersecurity threats are from the Enterprise network attacks covered by the ATT&CK for Enterprise framework. The ICS-focused evaluation highlights the importance of control and safety manipulation in OT environments: the simulated scenario was a realistic multi-phase attack ending in the hypothetical destruction of industrial equipment. A decade ago, such an evaluation of multiple ICS detection technologies would have been impossible. This evaluation marks a real change in the maturation of the ICS cybersecurity market and a real step forward in protecting industrial and critical infrastructure in the future.
How MITRE ATT&CK for ICS and ATT&CK for Enterprise Are Different
Industrial/OT and Enterprise/IT environments are different. Not only does an industrial network control a physical process (an event can cause loss of life), but it also has different technologies, architectures, and both physical and logical risk mitigation measures. This means that cyber threats and Activity Groups target and operate differently within industrial environments than within IT environments. Even within ICS, industry verticals (Electric, O&G, Manufacturing) have unique characteristics. ATT&CK for ICS is vertical agnostic and is meant to work equally well for ICS systems that support a wide range of industrial processes.
When Dragos began work with MITRE in 2017 under the ATT&CK initiative, we first evaluated whether we could use the existing ATT&CK for Enterprise framework, since creating another framework is not always the best choice. However, after four months of work, MITRE and Dragos recognized that IT-based and ICS-based threats could not be mapped within the same framework and decided it would be best to create a dedicated ICS-centric framework.
The MITRE ATT&CK for ICS framework organizes all known ICS-specific threat behaviors and characterizes the malicious activity found uniquely in ICS/OT environments. MITRE and Dragos together categorized all the public threat behaviors, combined with some of Dragos's proprietary insights, into the ATT&CK for ICS framework, giving ICS defenders the same kind of model that ATT&CK for Enterprise gives IT defenders.
You can read more on the history of MITRE and the ATT&CK framework in our previous blog, A Closer Look at MITRE ATT&CK for ICS.
Mapping to the MITRE ATT&CK for ICS Framework
The ATT&CK for ICS framework defines 12 behavioral tactics: Initial Access, Execution, Persistence, Privilege Escalation, Evasion, Command and Control, Collection, Lateral Movement, Discovery, Inhibit Response Function, Impair Process Control, and Impact. These behavioral tactics, or categories, are further refined into behavioral techniques (there are 86 of them). Together they outline how ICS networks worldwide are threatened daily and provide a common view onto which all ICS threats can be mapped. With ATT&CK for ICS there is now a common community lexicon and framework from which to discuss ICS threat detection.
As an example of how to leverage this new framework, Dragos measures and maps the threat detections in the Dragos Platform against ATT&CK for ICS to visualize coverage and gaps. With this information, defenders now have a comprehensive ICS detection coverage map from which they can identify areas of improvement and investment. This is a massive step forward in that these efforts can now be quantified, enabling the ICS cybersecurity team to have fact-based conversations with the C-suite.
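The coverage-and-gap mapping described above, as an added example that is not Dragos Platform code. It takes a constructed detection inventory (rule name, technique ID, tactic), validates it against the twelve tactics named in the text, reports which tactics have no detection at all, and emits a minimal ATT&CK Navigator layer so the result can be visualized. The technique IDs and tactic assignments in the sample inventory are written from memory of the public ATT&CK for ICS matrix and should be checked against the current release (or its STIX data) before being relied on; the Navigator layer fields are likewise assumed from the public layer format.

```python
"""Map a detection inventory onto ATT&CK for ICS tactics and report gaps.

Added example, not Dragos Platform code. The tactic list is the twelve
named in the text. The inventory is constructed for illustration; the
technique IDs and tactic assignments in it are remembered from the public
ATT&CK for ICS matrix and should be verified against the current release.
"""
import json

ICS_TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Evasion", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Inhibit Response Function",
    "Impair Process Control", "Impact",
]

# Constructed detection inventory: (rule name, technique ID, tactic).
# A technique that sits under more than one tactic gets one row per tactic.
DETECTIONS = [
    ("Inbound Internet connection to PLC", "T0883", "Initial Access"),
    ("Remote desktop into engineering workstation", "T0886", "Initial Access"),
    ("Remote desktop hop between OT hosts", "T0886", "Lateral Movement"),
    ("PLC operating mode change", "T0858", "Execution"),
    ("Modbus write from non-engineering host", "T0855", "Impair Process Control"),
    ("Setpoint written outside engineering limits", "T0831", "Impact"),
]


def validate(detections, tactics=ICS_TACTICS):
    """Reject rows whose tactic is not in the framework or whose technique ID
    is malformed; a typo here would silently make a tactic look uncovered."""
    for name, technique, tactic in detections:
        if tactic not in tactics:
            raise ValueError(f"{name!r}: unknown tactic {tactic!r}")
        if not (technique.startswith("T") and technique[1:].isdigit()):
            raise ValueError(f"{name!r}: malformed technique ID {technique!r}")


def coverage(detections, tactics=ICS_TACTICS):
    """Return {tactic: sorted technique IDs that have at least one detection}."""
    validate(detections, tactics)
    covered = {t: set() for t in tactics}
    for _name, technique, tactic in detections:
        covered[tactic].add(technique)
    return {t: sorted(ids) for t, ids in covered.items()}


def gaps(detections, tactics=ICS_TACTICS):
    """Tactics, in framework order, with no detection at all."""
    cov = coverage(detections, tactics)
    return [t for t in tactics if not cov[t]]


def navigator_layer(detections, name, tactics=ICS_TACTICS):
    """Build a minimal ATT&CK Navigator layer dict (field names assumed from
    the public layer format; the ICS domain string is 'ics-attack'). Each
    covered technique/tactic pair scores 1 so covered cells are shaded and
    gaps stay blank."""
    validate(detections, tactics)
    seen = set()
    techniques = []
    for _name, technique, tactic in detections:
        key = (technique, tactic)
        if key in seen:
            continue
        seen.add(key)
        techniques.append({
            "techniqueID": technique,
            "tactic": tactic.lower().replace(" ", "-"),
            "score": 1,
        })
    return {"name": name, "domain": "ics-attack", "techniques": techniques}


if __name__ == "__main__":
    for tactic, ids in coverage(DETECTIONS).items():
        print(f"{tactic:<26} {len(ids)} technique(s): {', '.join(ids) or '-'}")
    print("Gaps:", ", ".join(gaps(DETECTIONS)))
    print(json.dumps(navigator_layer(DETECTIONS, "example coverage"), indent=2))
```

The gap list is the part worth taking to a budget conversation: with this constructed inventory, seven of the twelve tactics, including Inhibit Response Function, have no detection at all, which is exactly the kind of finding the text says the mapping makes quantifiable. If the current Navigator release rejects the minimal layer, add the `versions` block it documents.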
To read more on threat detection using MITRE ATT&CK for ICS and the Dragos Platform, read our blog on the topic.
The Difference Between Threat Behaviors and Indicators
The greatest strength of the ATT&CK framework is its focus on threat behaviors. While it is trivial for an Activity Group to change out technical components such as IP addresses, domain names, file hash values and network artifacts, it is much more difficult to change behaviors.
Changing behaviors requires investment in new technology and retraining for resources, which is considerably more expensive and time-consuming than something as simple as acquiring a new domain name. By focusing on threat behaviors, defenders can get higher confidence detection as well as longevity.
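The indicator-versus-behavior argument above, as an added example that is not Dragos Platform detection logic. It runs two rules over constructed OT flow records: an indicator rule that matches a source address seen in an earlier intrusion, and a behavior rule that fires on any write-class Modbus command to a PLC from a host that is not an engineering workstation. The hosts, addresses, allowlist and records are all constructed; Modbus/TCP on port 502 and the function codes are from the public Modbus specification.

```python
"""Indicator-based vs behavior-based detection over constructed OT flow records.

Added example, not Dragos Platform detection logic. The hosts, addresses,
allowlist and records below are all constructed. Modbus/TCP port 502 and
the write function codes are from the public Modbus specification.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    src: str        # source host address
    dst: str        # destination PLC address
    dport: int      # destination port
    func_code: int  # Modbus function code carried, or 0 if not Modbus


# Indicator: a source address seen in an earlier intrusion (constructed).
# Cheap for the adversary to change.
BAD_IPS = {"10.20.30.40"}

# Behavior: only engineering workstations should ever write to a PLC.
# Modbus function codes that modify process state:
#   0x05 Write Single Coil, 0x06 Write Single Register,
#   0x0F Write Multiple Coils, 0x10 Write Multiple Registers
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}
ENGINEERING_HOSTS = {"10.1.1.5"}
MODBUS_PORT = 502


def ioc_alerts(records):
    """Indicator match: fires only while the adversary reuses known infrastructure."""
    return [r for r in records if r.src in BAD_IPS]


def behavior_alerts(records):
    """Behavior match: any write-class Modbus command to a PLC from a host that
    is not an engineering workstation. Survives the adversary changing IPs,
    tools or malware: to affect the process they still have to send the write.
    (The kind of activity ATT&CK for ICS places under Impair Process Control.)"""
    return [
        r for r in records
        if r.dport == MODBUS_PORT
        and r.func_code in WRITE_FUNCS
        and r.src not in ENGINEERING_HOSTS
    ]


# Constructed flow records for the demonstration.
SAMPLE = [
    FlowRecord("10.1.1.5", "10.1.2.10", 502, 0x10),     # engineering write: legitimate
    FlowRecord("10.20.30.40", "10.1.2.10", 502, 0x10),  # known-bad source writes: both rules fire
    FlowRecord("10.20.30.41", "10.1.2.11", 502, 0x06),  # adversary on a new IP: only the behavior rule fires
    FlowRecord("10.1.1.8", "10.1.2.10", 502, 0x03),     # HMI read (0x03 Read Holding Registers): no alert
]


if __name__ == "__main__":
    print("IOC alerts:     ", [r.src for r in ioc_alerts(SAMPLE)])
    print("Behavior alerts:", [r.src for r in behavior_alerts(SAMPLE)])
```

The third record is the point: once the adversary moves to a new address the indicator rule goes silent, while the behavior rule still fires because the write itself is the behavior. The cost of the behavior rule is on the defender's side: the engineering-host allowlist has to be accurate and maintained, or a newly commissioned workstation will produce false positives.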
ATT&CK Evaluation Results to Be Announced Mid-July
Look to hear more from Dragos later this month when MITRE publicly announces the ATT&CK Evaluations results. We'll be sharing the Dragos Platform evaluation results in a technical blog summarizing the process and how Dragos performed. We'll also provide access to a white paper that details the simulated attack used in the evaluation and shows how the Dragos Platform detected the threat behaviors.
Be sure to register for our webinar on July 29 to hear highlights straight from the Dragos participating team, who will cover the Dragos Platform evaluation results. Hope to see you there!