There is a lot of buzz recently on the topic of MITRE ATT&CK for ICS and rightfully so.
Multiple industrial sectors are experiencing a growing threat landscape for operational technology (OT) networks and ICS and SCADA systems. This is clearly demonstrated by the number of recent successful ransomware attacks, which have compelled critical infrastructure organizations to better prepare themselves for incoming cyber threats.
To be more prepared, the different stakeholders responsible for infrastructures and services are enhancing and maturing their security operations centers (SOCs) and are adopting more cyber threat intelligence. This has resulted in considering adversarial Tactics, Techniques, and Procedures (TTPs) to be the most valuable tool.
While adopting the latest and greatest new security tool can help an organization's security posture it's equally as important to understand the different threat landscapes and attack methods that an organization could fall victim to. Recently the security community has started to have a common belief that the new attacks by adversaries have become more sophisticated with new techniques that are making it easier to exploit new vulnerabilities or new methods for lateral movement.
Too often we see that the majority of successful attacks are using common methods and techniques and are able to exploit an organization due to poor implementation of security controls or poor security posture. Therefore organizations need to have a better understanding of the attack techniques and adopt security solutions that will increase the detection of attacks which will make it easier for security teams. This is where the MITRE ATT&CK for ICS framework comes into play.
The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE is an initiative started in 2015 with the goal of providing a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The knowledge base helps security professionals make sense of the numerous varieties of tactics and techniques attackers use to infiltrate networks, steal data and other methods of exploiting organizations. The MITRE ATT&CK framework enables security professionals to move beyond identifying the simplest and most common attack methods and instead allocate resources to get a better understanding of adversaries’ behaviors.
The enterprise ATT&CK framework consists of 11 tactics that tend to answer which tactic and what the cyber criminal wants to achieve when exploiting an organization.
Diagram 01. The SCADAfence Platform’s built-in MITRE ATT&CK framework dashboard
This globally accessible knowledge base has become the security industry-accepted framework due to its specifically detailed list of methods of how enterprise IT and OT environments can be exploited and compromised. Security experts have mentioned that if an organization can defend against every technique in the framework then its environment will be entirely secure.
Since the framework has become the industry standard, in January 2020 they released the MITRE ATT&CK for Industrial Control Systems (ICS) framework. This list of OT-specific TTPs collected from real-world data and provides a common classification for industrial security teams to improve their detection and how they should respond to cyber incidents. Now that OT defenders have a community-accepted attacker framework and list of TTPs which is constantly updated, it’s time to integrate this attack intelligence into the security solution being deployed in incident response processes.
With over 500 adversarial techniques in the framework, it would be very difficult for any organization to defend against all the methods and techniques no matter how solid their security strategy is.
The ATT&CK framework can be super useful and informative for any organization that needs to increase its threat knowledge and strengthen its security posture. While MITRE offers the materials for free, it's suggested to adopt a solution that has the framework integrated into their security solution. This will allow security teams to deploy the framework for the organization's security needs.
If an organization has a dedicated security team whose responsibilities include analyzing threat data, it's recommended to start mapping threat intelligence based on the ATT&CK framework, instead of relying on previous mapping frameworks. This will allow the security teams to map out both external and internal attack information based on the ATT&CK framework which includes real-time alerts, incident responding and more. Once the security team has mapped out the attack data, they will be able to compare the ATT&CK framework with the organization data and prioritize attack techniques.
Earlier this year the SCADAfence Platform launched our advanced support for the MITRE ATT&CK framework. SCADAfence shares this new approach with the OT and ICS industry by mapping individual assessments and results to the framework. Aggregated results provide a visual map of the framework within our platform that identifies the systematic strengths and weaknesses of the organization's security architecture. SCADAFence is the only OT security company that offers these mitigation steps within the map of the framework. This is aligned with SCADAfence’s development teams work motto - “fueled by innovation”.
Diagram 02. The SCADAfence Platform provides organizations with a MITRE ATT&CK visual map
The SCADAfence research team is constantly updating and understanding the development of the framework's tactics and techniques. They offer feedback and actionable mitigation steps on the tactics and techniques of the framework which align with best practices for OT security and ICS.
The SCADAfence Platform correlates security alerts to the MITRE ATT&CK framework, providing visibility to the user on the attack tactic and technique. A new MITRE overview tab was added to our platform to analyze the security posture.
Diagram 03. The SCADafence Platform showing all the stages of the attack based on the MITRE ATT&CK framework
All system alerts from the SCADAfence Platform are mapped to the MITRE ATT&CK for the ICS model. The SCADAfence Platform also provides a map of an attack that is advancing according to the MITRE kill chain, and per each alert, the corresponding classification is presented as well. In the case of security incidents, this can greatly help customers to understand the phase of the incident, its extent and impact, and respond in a quicker and more effective way.
SCADAFence is the first OT security and ICS vendor that has developed and integrated the ATT&CK for ICS framework within their platform in such a comprehensive manner. Customers are already getting a better understanding of where and how cybercriminals are trying to gain access to their environments according to the framework. By implementing SCADAfence’s ATT&CK for ICS technology it has provided them with a better picture for organizations when it comes to securing ICS.
In one specific case, one of our customers was able to detect and identify an active attack in the SCADAfence MITRE ATT&CK dashboard. Their security team was able to quickly identify the attacker's movements through the kill chain and stop them in their tracks before any damage was done to their organization.
As cyber criminals continue to use more sophisticated attack methods, organizations need to prioritize the time and resources into understanding the behaviors of these attackers to stay secure against incoming threats. By leveraging the most advanced OT security vendor which covers the MITRE ATT&CK framework you will be able to quickly detect, visualize and mitigate any security gaps within your organization.
To learn more about SCADAfence's coverage for the MITRE ATT&CK for ICS, schedule a demo here: https://l.scadafence.com/demo