MITRE ATT&CK for ICS – a tool for challenging times

As critical infrastructure around the world faces a growing number of industrial threats that could disrupt an organization’s operational technology (OT) infrastructure or assets, building a robust cyber defense is becoming increasingly challenging. Despite the sheer volume of threats, there is never enough time or money to address every risk. This has created significant obstacles for organizations with industrial control systems (ICS) and OT environments as they try to develop effective security programs. Specifically, three major issues hinder their ability to do so.

1. The expanding range of threats

Attack groups targeting ICS/OT systems are continually on the rise, with no decline in sight.

2. Inadequate cybersecurity resources for OT environments

As the number of remote-accessible OT systems increases, and the frequency of attacks grows, completely eliminating cyber risk for industrial systems becomes challenging due to limited resources. Prioritization is key in managing these risks.

3. Underdeveloped or immature cybersecurity practices in ICS/OT

Many enterprises lack the skills to identify attacks on their operational environment and to react to them properly.

The way out of this dilemma is to use tools that help an organization act in a focused and resource-efficient way. One such tool is the MITRE ATT&CK framework, which can help enterprises with ICS/OT environments concentrate their efforts on the most significant threats.

MITRE ATT&CK for ICS (Industrial Control Systems) framework

The MITRE ATT&CK for ICS (Industrial Control Systems) framework is a comprehensive way to map potential attacker behaviors across various stages of the cyber kill chain. When implemented in operational technology (OT) environments, the framework can offer several benefits for organizations:

1. Behavioral-based threat intelligence

In the past, threat intelligence was mainly concerned with indicators of compromise (IoCs), such as IP addresses associated with rogue activity, which were used to inform detection and blocking systems. The problem with IoCs is that they are tied to aspects of an attack that are easy for the attackers to modify – often automatically. For this reason, good threat intelligence now aims to move beyond IoCs and concentrate on behaviors, specifically the tactics, techniques, and procedures (TTPs) of the threat actors. Behaviors tend to be more persistent than IoCs because they are harder for attackers to change.

2. Cyber Kill Chain attack stages

The Cyber Kill Chain model details the stages that most attacks follow to achieve their objectives. Identifying an attack earlier in the kill chain allows organizations to counteract the threat faster and minimize the harmful impact. Threat intelligence that concentrates on behaviors occurring in the different stages of the Cyber Kill Chain makes it easier to identify attacks at an earlier stage. The MITRE ATT&CK for ICS framework was designed with these principles in mind, mapping attackers’ behaviors in the context of the Cyber Kill Chain.

3. Proactive approach

By mapping potential attacker behaviors to the MITRE ATT&CK for ICS framework, organizations can take a more proactive approach to cybersecurity. The framework can help organizations anticipate and prepare for potential threats, rather than simply reacting to incidents as they occur.

4. Common language

The framework provides a common language for describing and understanding attacks against ICS environments. This is particularly useful for defenders and analysts, as it gives them a standard way to communicate and collaborate on cybersecurity incidents. The framework can also help bridge the gap between IT and OT security teams, improving overall coordination and alignment.

5. Better resource allocation

The framework can help organizations identify critical assets and prioritize their security efforts accordingly. This lets organizations allocate their resources more effectively and efficiently, improving their overall security posture.
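To make the three practical points above concrete (behavior-based detection, catching an intrusion earlier in the kill chain, and spending limited detection budget where it matters), here is a small worked example in Python. It is added for this article and is not code from the article, from MITRE, or from the Dragos whitepaper. It assumes a hand-picked subset of ATT&CK for ICS techniques (the IDs and tactic assignments are taken from the public matrix and should be checked against the current release before reuse), a constructed set of techniques the organization can currently detect, and constructed attack sequences standing in for threat-intelligence TTP chains. Given those inputs it reports at which kill-chain stage each sequence would first be noticed and ranks the undetected techniques by how often they appear and how early in the chain they sit.

```python
"""Coverage and prioritization over a subset of ATT&CK for ICS.

Added example, not part of the original article or the Dragos whitepaper.
Technique IDs/names/tactics are from the public ATT&CK for ICS matrix (verify
against the current release); detections and attack sequences are constructed.
"""
from collections import Counter

# Tactic order follows the ATT&CK for ICS matrix left to right, which is the
# kill-chain ordering the article refers to: lower index = earlier stage.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Evasion", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Inhibit Response Function",
    "Impair Process Control", "Impact",
]

# Technique ID -> (name, tactics it can serve). Subset only.
TECHNIQUES = {
    "T0883": ("Internet Accessible Device", ["Initial Access"]),
    "T0886": ("Remote Services", ["Initial Access", "Lateral Movement"]),
    "T0859": ("Valid Accounts", ["Persistence", "Lateral Movement"]),
    "T0853": ("Scripting", ["Execution"]),
    "T0846": ("Remote System Discovery", ["Discovery"]),
    "T0855": ("Unauthorized Command Message", ["Impair Process Control"]),
    "T0816": ("Device Restart/Shutdown", ["Inhibit Response Function"]),
    "T0831": ("Manipulation of Control", ["Impact"]),
}

# Constructed: the organization today only sees process-level effects,
# i.e. techniques at the very end of the chain.
DETECTIONS = {"T0855", "T0831"}

# Constructed: behavior chains as a threat-intel feed might describe them,
# each listed in the order the techniques are used.
SEQUENCES = [
    ["T0883", "T0886", "T0846", "T0855"],
    ["T0886", "T0859", "T0853", "T0816", "T0831"],
    ["T0883", "T0859", "T0846", "T0855"],
]


def stage_index(technique_id):
    """Earliest kill-chain position (index into TACTIC_ORDER) of a technique.
    A technique listed under several tactics is counted at its earliest one."""
    _, tactics = TECHNIQUES[technique_id]
    return min(TACTIC_ORDER.index(t) for t in tactics)


def earliest_detection(sequence, detections):
    """Walk an attack sequence in order and return (step, technique_id, tactic)
    for the first technique the detections cover, or None if the whole chain
    would run undetected. A lower step means the attack is caught earlier."""
    for step, tid in enumerate(sequence):
        if tid in detections:
            return step, tid, TACTIC_ORDER[stage_index(tid)]
    return None


def prioritize_gaps(sequences, detections):
    """Rank undetected techniques: most frequently used first, then earliest
    kill-chain stage, then ID for a stable order.
    Returns a list of (technique_id, name, occurrences, earliest_tactic)."""
    counts = Counter(tid for seq in sequences for tid in seq
                     if tid not in detections)
    ranked = sorted(counts, key=lambda tid: (-counts[tid], stage_index(tid), tid))
    return [(tid, TECHNIQUES[tid][0], counts[tid], TACTIC_ORDER[stage_index(tid)])
            for tid in ranked]


def compare_investment(sequences, detections, new_detections):
    """Earliest detection per sequence before and after adding detections,
    so the effect of a proposed investment can be read off directly."""
    before = [earliest_detection(s, detections) for s in sequences]
    after = [earliest_detection(s, detections | set(new_detections))
             for s in sequences]
    return before, after


if __name__ == "__main__":
    print("Detection gaps, highest priority first:")
    for tid, name, n, tactic in prioritize_gaps(SEQUENCES, DETECTIONS):
        print(f"  {tid} {name:<28} seen {n}x  earliest stage: {tactic}")
    # Try funding detection of the top-ranked gap and see how much earlier
    # each sequence would be noticed.
    top = prioritize_gaps(SEQUENCES, DETECTIONS)[0][0]
    before, after = compare_investment(SEQUENCES, DETECTIONS, {top})
    for seq, b, a in zip(SEQUENCES, before, after):
        print(f"  {seq}: before={b} after={a}")
```

The ranking key is the point of the exercise: a technique that appears in many known behavior chains and sits near the start of the kill chain buys more than one that is rare or only visible once the process is already being manipulated. Running the script with the constructed data shows every sequence being caught only at the Impair Process Control or Impact stage today, and moving to Initial Access for the chains that start with the first-ranked gap once that one detection is added.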

Overall, the MITRE ATT&CK for ICS framework can be a valuable tool for organizations looking to strengthen their OT cybersecurity strategy. By improving visibility, incorporating threat intelligence, providing a common language, taking a proactive approach, and improving resource allocation, organizations can better defend against potential threats and protect their critical OT systems.

About this article
This article was prepared based on a Dragos whitepaper.
