ICS / OT Security Guideline : MITRE ATT&CK

Posts in this series

The purpose of this series is to explain typical examples of general-purpose guidelines for ICS and OT security and understand the concepts required for security in smart factories. In this series, Part 1 to Part 5 have explained IEC62443 (1, 2), the NIST CSF (3), part of the P800 series (4), and CIS Controls (5).

As a side story, Part 6 explains MITRE ATT&CK. Although it is not a guideline, it gets attention as a knowledge base in which offensive and defensive technologies in cyber-attacks are clearly organized. In addition to guidelines showing what security should be and how security should be performed, it is considered to be helpful as a resource when checking whether measures are excessive or deficient by understanding actual attacks as scenarios, not just points. This part explains the points of the ICS version by clarifying the basic concepts of MITRE ATT&CK.

What is MITRE ATT&CK?

It is a knowledge base (a database of knowledge) provided by the MITRE Corporation, which is a non-profit research institute in the U.S. and is known as a company that numbers/manages the CVE of vulnerability information.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, and as its name suggests, strategies and technologies are organized as a database, from the viewpoint of attackers. The main feature is that for both attackers and defenders, the same classifications can be used.

It is created on the basis of the attack phase and target platform. Excluding PRE-ATT&CK described later in the reconnaissance phase, there are the following three domains that depend on the platform: Enterprise, Mobile, and ICS.

This knowledge base has been developed on the basis of the following three concepts:

It maintains the adversary's perspective
It follows real-world use of activity through empirical use examples
The level of abstraction is appropriate to bridge offensive action with possible defensive

The 3rd concept, which requires an appropriate abstraction level for bridging between the method of attack and the countermeasures that can be implemented on the defense side, is particularly important when you understand the structure of ATT&CK. Information is organized as information with a high degree of abstraction, not individual/specific information such as IP addresses, URL, and signature information of malware.

The base of the concept of factors is to analyze attacks based on so-called Tactic, Technique, and Procedure (TTP). Mainly, knowledge on Techniques is acquired and organized.

Tactic: A short-term goal of an attacker

Technique: The means for an attacker to achieve a goal

Procedure: A specific method for an attacker to utilize techniques

ATT&CK Matrix: List of techniques and strategies

The basics of ATT&CK are a series of Techniques representing actions for an attacker to achieve a goal. Goals are classified as Tactics. The following shows a Matrix for Enterprise.

Fig. 1: The ATT&CK for Enterprise Matrix (extracted from the MITRE website)

The Tactic represents the "Why" of Technique. It is the reason why an attacker executes an action. A Technique is the "Means" for an attacker to achieve a goal by executing an action. It also represents "What" the attacker acquires.

When taking the domain of Enterprise as an analogy, the Tactic is as follows:

Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact

In ATT&CK, Tactic mainly targets processes after Deliver in the Cyber Kill Chain, which is a model of attack processes.

Fig. 2: Positions of the Cyber Kill Chain and ATT&CK (extracted from the MITRE website)

For preceding processes, there is another matrix called "PRE-ATT&CK." When Technique was revised, a concept called Sub-Technique was introduced for classification and layering.

Objects of Database

ATT&CK consists of five Objects, and it has been released as a database.

Objects are as follows: based on the means of attack (Technique), who (Groups) attacks for what purpose (Tactic) using what (Software)? What are the defense measures (Mitigations) for preventing that attack?

Fig. 3: Relationships between Objects in ATT&CK (by Trend Micro, based on information from MITRE)

You can visit the website of MITRE ATT&CK and get the following information from each Object.

Tactics: For each Tactic, you can view a list of Techniques
Techniques: For each Technique, you can view a list of Procedures, Mitigations, and Detections
Mitigations: For each Mitigation, you can view a list of manageable Techniques
Groups: You can view a list of Techniques and Software used by each attacker group
Software: For each Software application, you can view what kind of Technique uses the software, and which Group uses the software

Fig. 4: Navigation on the ATT&CK Website (extracted from the MITRE website)

Use cases

MITRE ATT&CK allows you to organize technologies from the attacker's viewpoint and to reference countermeasures on the defense side. Therefore, the following use cases are described.

Adversary Emulation
The emulation of an attacker. From Groups in the database, extract Techniques and attack scenarios used by a specific attacker, detect a series of attacks, and verify whether there are defensive measures against those attacks.

Red Teaming
Create attack scenarios for cyber exercises. The red team plays the role of the attacker, the blue team plays the role of defense, and the white team plays the role of control and judgment.

Behavioral Analytics Development
Instead of IoC and known threat information, use the knowledge base of ATT&CK, and analyze unknown techniques and action patterns to develop new countermeasures.

Defensive Gap Assessment
Identify what is deficient in the existing countermeasures of an organization. Determine priorities for investment.

SOC Maturity Assessment
Determine how effective the detection, analysis, and response by SOC are.

Cyber Threat Intelligence Enrichment
The analyst can deeply understand the actions of an attacker group, and report them. It is possible to clearly identify what kind of tools a specific group has used, what kind of technology and what procedure the group has used when starting attacks, by retrieving data from the database.

Although it is a professional field, the website of MITRE ATT&CK also provides an application called ATT&CK Navigator, which allows you to create a matrix according to the purposes described above.

ATT&CK for Industrial Control Systems

In January, 2020, ATT&CK for ICS was released, and it targets ICS as a new technology domain.

Attacks that are aimed at factories and plants often overlap with the technology domain of Enterprise (IT). However, by defining an area that is not included in ATT&CK for Enterprise as an ICS technology domain, it focuses on the systems and functions related to the Levels 0-2 of the Purdue architecture (Purdue Enterprise Reference Architecture).

The targets of ATT&CK for ICS include attackers' actions that may have influence on the following systems in ICS

Basic process control systems
- Process controls
- Operator interfaces and monitoring
- Real-time data and history data
- Alerts
Safety instrumentation systems and protection systems
Engineering and maintenance systems

Specifically, the following actions are added in Tactics, which are not included in the Enterprise domain.

Inhibit Response Function
Impair Process Control

As assets, Programmable Logic Controllers (PLC), Human Machine Interfaces (HMI), Remote Terminal Units (RTU), Safety Instrumented Systems (SIS), etc. are included. However, the point we should notice here is that the Purdue architecture, which we are referencing, is a model with layered functions, where most functions can be mapped by means of IT and ICS technologies, but it is impossible to clearly establish boundaries between technologies and thus there is an overlap between IT and ICS. For example, there are some cases as follows: a case where a Windows or Linux platform co-exists in a control device with Function Level 1, and a case where an HMI with Function Level 2 works as a host for an ICS application while using an IT platform. A monitoring control for supporting an operation management that corresponds to Function Level 3 should be considered as ICS, although the control is based on IT.

It is considered to be helpful in filling in the gap between security requirements and the maintenance/operation of system functions, to analyze/understand attackers' actions, from the viewpoint of not only technologies such as IT or ICS, but also system functions.

Fig. 5: Functions and Technologies in ICS (Trend Micro)

In investigation and research on smart factories, which was conducted by Trend Micro, it has been confirmed in a report on the observation of actual attacks against a fake system for sting, that attacks which are not intentionally aimed at factories have an influence on production activities. In another report, a report on the study of potential security risks in smart factories in experimental environments, it was verified that attacks involving multiple methods may actually occur in OT environments. With an increase in the necessity of security, including both IT and OT, if you have an interest in technical measures, we recommend you visit and view our solution pages.

Conclusion

Finally, there are two important points when you use ATT&CK for ICS.

The 1st point is the strategic shift from "what has happened" to "what can happen." The 2nd point is to consider actions that can be executed for both IT and ICS factors.

With the concept that the methods of attacks and their countermeasures should be referenced on a one-to-one basis, it is often impossible to easily apply countermeasures to ICS environments because there are some restrictions on technologies and operations. Therefore, it is said that countermeasures can be planned/developed by considering defensive strategies in wider contexts, from the viewpoint of attackers.

MITRE ATT&CK is a knowledge base of strategies and technologies. As another model with a high degree of abstraction for analyzing threats, there is the previously-described Cyber Kill Chain. As information with a low degree of abstraction, there is vulnerability information such as CVE. MITRE ATT&CK falls in between them. MITRE ATT&CK is not a substitute for these concepts. It is appropriate to use these concepts selectively on a case-by-case basis, for example, for executives, performing communication based on the Cyber Kill Chain which focuses on outlines.

In MITRE ATT&CK, the offensive and defensive sides, and strategies and technologies are systemized, and it has quickly become widely used in the security industry as one of so-called common protocols. This can also be said to suggest the following: in the future, when it is necessary to protect environments where IT and OT are integrated from cyber-attacks, it is important to respond to attacks organically and technologically across a boundary between IT and OT, from the viewpoints of both attackers and system functions.

*reference
MITRE ATT&CK: Design and Philosophy
MITRE ATT&CK for Industrial Control Systems: Design and Philosophy

Guidelines to secure factories 6: MITRE ATT&CK

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific