How to effectively utilise MITRE ATT&CK for ICS
MITRE ATT&CK is a knowledge base of cyber attacker TTPs that catalogs behaviours, providing a visual representation of attack patterns that can help detect and respond effectively to attacks. However, it was initially designed for enterprise IT, so MITRE developed ATT&CK for ICS, a framework specifically for industrial environments. This consolidated and standardized OT adversary knowledge from dozens of sources, with tradecraft citations that complete the story of adversary behaviour for OT defenders. The framework provides intelligence on what the asset owner’s view looks like, including the impact on unique protocols and specialized apps used by operators. Ultimately, the framework is a valuable tool for improving detection and response capabilities to attacks on industrial control systems.
OT and ICS cyber defenders can effectively utilize MITRE ATT&CK for ICS in several ways, including but not limited to:
- Accelerating response times and prioritizing risks when dealing with attacks on industrial systems.
- Enhancing detection capabilities by providing valuable insights on what to monitor for.
- Employing hypothesis-driven threat hunting to uncover concealed or emerging threats that match patterns identified in the framework.
- Safeguarding ICS security plans by keeping up with evolving attack methods tracked by ATT&CK, thus ensuring their effectiveness in the future.
The following are some good practice principles to utilize ATT&CK for ICS in OT environments
1. Obtain pertinent threat intelligence
The initial step towards detecting and hunting threats in ICS/OT environments is obtaining pertinent threat intelligence. In order to effectively detect and prioritize threats, threat intelligence used by defenders must be first and foremost relevant in addition to being complete, accurate, and time relevant.
2. Isolate conduct patterns from cyber threat intelligence
To derive actual benefits from ATT&CK for ICS, the enterprise must identify conduct patterns from the acquired cyber threat intelligence. It is preferable to find a vendor who can directly associate these behaviours with the ATT&CK framework, which can significantly simplify the procedure. However, if such an option is not available, the enterprise’s analysts must perform this task.
3. Performing routine threat hunting
In recent years, security analysts have increasingly adopted the practice of hypothesis-driven threat hunting, which involves formulating hypotheses about potential or actual security incidents within the organization and conducting investigations to verify or refute those hypotheses. With the help of ATT&CK for ICS, teams can now avoid wasting time on irrelevant hunts by focusing on relevant and targeted attack patterns that are affecting other organizations or assets similar to theirs. By identifying a specific stage of the attack lifecycle and examining the associated behaviours that occurred before or after that stage, analysts can search for signs that these activities have impacted their own assets in a similar manner.
4. Evaluating detection competencies using the ATT&CK for ICS framework
One important step in utilizing the ATT&CK for ICS framework is to test an organization’s detection capabilities across the entire framework. By doing this, the organization can determine which areas of the framework they are lacking in terms of detection and response. It is important to conduct regular tests of detection capabilities, as threats and attacks are constantly evolving. By staying up to date with the latest threats and techniques, and testing the effectiveness of detection and response measures, organizations can improve their security posture and better protect their industrial control systems.
5. Minimizing the threat landscape
The threat landscape can be reduced by utilizing threat groups and their associated behaviour patterns. The ATT&CK for ICS framework can be used to identify relevant behaviours for the relevant sector, asset types, and critical processes. Concentrating on these behaviour groupings can help in efficiently detecting and hunting threats while building out protective controls to secure the industrial cybersecurity investments.
Additionally, it is crucial to stay vigilant for changes in the ATT&CK for ICS framework and be prepared to adjust to new or previously unknown behaviours. With the support of the community, detecting major shifts in TTPs has become easier and more collaborative.