MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration

Non-profit organization MITRE outlined Thursday that its ATT&CK 2024 goals are to bolster broader usability and enhance actionable defensive measures for practitioners across every domain. This includes exploring scope adjustments and platform rebalancing and implementing structural modifications with the introduction of ICS (industrial control system) sub-techniques by October. A core focus will be reinforcing defensive mechanisms and optimizing their user-friendliness. 

Amy L. Robertson wrote in a Medium post that ICS is leveling up this year. “Our goals include broadening ICS horizons with new asset coverage, exploring platform scope expansion, and continuing our multi-domain integration quest. We’ll also be diving deeper into adversary behaviors with the introduction of sub-techniques. v15 will showcase some of our integration efforts, with the release of cross-mapped campaigns. These campaigns track IT to OT attack sequences, helping defenders better understand multi-domain intrusions and informing unified defense strategies across technology environments.”

“The October release will feature a structural shake-up, with the first tranche of the long-awaited sub-techniques,” according to Robertson. “Like Enterprise and Mobile sub-techniques, ICS subs will break down techniques into more detail. This increased granularity allows defenders to understand the nuances of adversaries’ execution of a given technique, enhancing their ability to detect and mitigate them.” 

She added that the technique restructuring will involve modifying the name and scope of techniques and integrating them more effectively with other domains. “This integration will foster a more comprehensive defensive approach on both the right and left of launch. You can expect a subs crosswalk to help you understand our decisions and how things map between deprecated and new techniques.”

The organization will also be exploring ways to integrate additional industries like maritime, rail, and electric.

Robertson added, “We’ll be bridging Linux and macOS information gaps and enhancing prominent adversary representation. The ATT&CK Navigator, Workbench, and website will feature reengineering to improve accessibility and enable swifter ATT&CK Group/Software/Campaign updates. We’ll also be sunsetting the TAXII 2.0 server by December 18 in favor of the upgraded TAXII 2.1 version.”

She also disclosed that “We’ll continue amplifying the key driver behind ATT&CK — community collaboration. This includes hosting ATT&CKcon 5.0 in October, and maintaining support for the European Union (EU) and Asia-Pacific (APAC) ATT&CK Community Workshops.”

Robertson detailed that “ATT&CK was designed to empower defenders precisely where they need it most. This is the core thesis for ATT&CK, and as its stewards, we’ll continue prioritizing measures that advance a more inclusive, relevant, and actionable framework.”

She further pointed out that the October release will also expand Asset coverage, building upon the Asset refactoring in v14. That refactoring aimed to give a clearer picture of the devices, systems, or platforms a specific technique could target and introduced the concept of Related Assets. Related Assets link cross-sector Assets that share similar functions, capabilities, and architectural locations or properties, highlighting that they may also be susceptible to the same techniques.

Additionally, v16 will feature additional Related Assets with in-depth definitions, along with refined mappings of technique relationships for different devices and systems.

“You can start leveraging Assets for your defensive activities by viewing the technique mappings from Asset pages, or by reviewing Asset mappings from a technique page,” according to Robertson. “We’ll also be scouting how to incorporate additional sectors, such as maritime, rail, and electric.”
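The Related Assets idea above is essentially a graph problem: a technique is mapped directly to some Assets, and each Asset may list Related Assets in other sectors that share its function and architectural position, so the technique plausibly applies to those as well. The following added example (not code from the original article or from MITRE) models that inference over a small constructed catalogue; the asset IDs, names, sectors, and technique IDs are placeholders, not real ATT&CK identifiers, and the assumption that a Related Asset link holds in both directions is the author's simplification rather than anything the article states.

```python
"""Infer which ATT&CK for ICS techniques may apply to an Asset via Related Assets.

Added illustration; all IDs and mappings below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    sector: str
    related: Tuple[str, ...] = ()  # IDs of Related Assets in other sectors


# Constructed sample catalogue (placeholder IDs, not ATT&CK's).
ASSETS: Dict[str, Asset] = {
    "AST-01": Asset("AST-01", "Programmable Logic Controller", "manufacturing", ("AST-03",)),
    "AST-02": Asset("AST-02", "Engineering Workstation", "manufacturing"),
    "AST-03": Asset("AST-03", "Protection Relay", "electric", ("AST-01",)),
    "AST-04": Asset("AST-04", "Train Control Unit", "rail", ("AST-01",)),
}

# Constructed technique -> directly targeted Asset mappings, as an Asset page
# would list them. Technique IDs are placeholders.
DIRECT_TARGETS: Dict[str, Set[str]] = {
    "TECH-A": {"AST-01"},            # maps only to the controller
    "TECH-B": {"AST-02"},            # maps only to the workstation
    "TECH-C": {"AST-01", "AST-03"},  # already mapped to both related assets
}


def related_assets(asset_id: str) -> Set[str]:
    """Return Related Assets in both directions.

    Assumption (not from the article): the relationship is treated as
    symmetric, so an asset that lists us is also related to us.
    """
    out = set(ASSETS[asset_id].related)
    for other in ASSETS.values():
        if asset_id in other.related:
            out.add(other.asset_id)
    return out


def techniques_for_asset(asset_id: str) -> Dict[str, str]:
    """Map technique -> 'direct' if the asset is an explicit target,
    or 'related:<asset_id>' if inferred through a Related Asset."""
    result: Dict[str, str] = {}
    for tech, targets in sorted(DIRECT_TARGETS.items()):
        if asset_id in targets:
            result[tech] = "direct"
    for rel in sorted(related_assets(asset_id)):
        for tech, targets in sorted(DIRECT_TARGETS.items()):
            if rel in targets and tech not in result:
                result[tech] = f"related:{rel}"
    return result


def assets_for_technique(technique_id: str) -> Dict[str, str]:
    """Map asset -> 'direct' for explicit targets, or 'related:<via_asset>'
    for assets reached through a Related Asset link."""
    direct = DIRECT_TARGETS.get(technique_id, set())
    result: Dict[str, str] = {a: "direct" for a in sorted(direct)}
    for a in sorted(direct):
        for rel in sorted(related_assets(a)):
            if rel not in result:
                result[rel] = f"related:{a}"
    return result


if __name__ == "__main__":
    for aid in ASSETS:
        print(aid, ASSETS[aid].name, "->", techniques_for_asset(aid))
    for tid in DIRECT_TARGETS:
        print(tid, "->", assets_for_technique(tid))
```

The "related:" tag keeps inferred coverage distinct from explicit mappings, which matters when the output feeds a detection backlog or a risk register: an inferred match is a prompt to verify that the technique really applies to the related device, not a confirmed mapping.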

Robertson recognized 2023 as a dynamic year for ATT&CK. “We marked a decade of progress since the framework’s inception and achieved some key milestones to make ATT&CK more accessible to a wider community. Our scope (slightly) expanded to encompass activities adjacent to direct Enterprise interactions, such as non-technical, deceptive practices and social engineering techniques.”

Additionally, she pointed out that MITRE enhanced detection capabilities with integrated notes, pseudocode from CAR, and BZAR-based analytics. “The ICS matrix welcomed the addition of Assets to enhance inter-sector communication and mapping. We rolled out Mobile-specific data sources, structured detections, and behaviors like smishing, quishing, and vishing.”

Earlier this month, MITRE announced that its Engage team has introduced new mappings for techniques from the ATT&CK for Mobile and ICS Matrices. Defenders can now apply the same process of identifying engagement opportunities from adversary behavior to operations based in ICS and Mobile environments. The MITRE Engage mappings can be viewed through the Engage Matrix Explorer or in the raw data found on GitHub.
