Security news that informs and inspires

MITRE Adds ICS-Specific Techniques to ATT&CK Framework


MITRE has released a version of its ATT&CK knowledgebase covering tactics and techniques used in attacks against industrial control systems.

MITRE’s ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a framework widely used by cybersecurity professionals to check whether their defenses are enough to detect and block attacks. Security vendors also use the framework to verify their products can detect specific attacks. ATT&CK for ICS knowledge base provides critical infrastructure operators and other organizations who have ICS in their environments with information about which of their ICS-specific applications and protocols be abused.

“With expertise in this domain [ICS security] in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises,” MITRE said.

Organizations such as energy transmission and distribution plants, oil refineries, wastewater treatment facilities, and transportation systems are concerned about attacks against ICS, as they can cause physical damage to equipment, or may interrupt critical service delivery by disrupting normal processes. ATT&CK for ICS currently has detailed information about 81 attack techniques used by adversaries, 17 pieces of malware used against ICS, 10 threat groups known to have launched ICS-related attacks, and 7 types of assets that can be targeted.

MITRE said the existing tools and techniques outlined in ATT&CK for enterprise IT systems are also relevant for ICS operators, as IT systems may provide the initial entry point into ICS.

Concerns about critical infrastructure attacks are currently high, but not new. Recent attacks include attacks on the Ukranian power grid (attributed to Russia) that caused short blackouts in 2015 and 2016. NotPetya is believed to have caused an estimated $10 billion in damage to Ukrainian energy firms as well as airports, banks, other major companies, and government agencies.

“The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents,” MITRE said.

The first ATT&CK model was released in 2013 with a focus on Microsoft Windows. Since then, it has expanded to include Linux, Mac OS, and cloud platforms. The matrix of tactics and techniques describe how attackers break into and move within systems, from initial access and exfiltration. By breaking out different tactics into specific categories, defenders can detect and block the adversary at any point during the attack. Defenders still have multiple opportunities to detect the attack after the initial entry point by looking for these tactics.

ATT&CK is regularly updated with new information about attack tactics. Last month, MITRE added, or updated, 36 techniques to cover adversary behavior against cloud-based platforms. The update also included attack tactics specifically targeting Microsoft Entra ID and Microsoft Office 365. Last fall, Immersive Labs integrated MITRE ATT&CK into its skills development platform to help industry professionals improve their abilities to detect and respond to attacks.