In a follow-up to the initial round of MITRE Engenuity ATT&CK Evaluations for Industrial Control Systems (ICS), MITRE highlights the importance of detection context and the high level of visibility achieved by the participating platforms. Beyond parsing OT-specific data sources and alerting on suspicious behavior, these platforms should, as a defining capability, supply enough context to tell a coherent narrative of what happened, according to a MITRE executive.
The post examines how much detection context ICS detection platforms actually give end users, compares that against what the evaluation showed, and suggests some key steps vendors can take to help close what MITRE calls the detection context gap.
In an ideal world, detection platforms would quickly and accurately identify all adversary behavior in the network, Otis Alexander, who led the ATT&CK Evaluations for ICS, wrote in a Medium post on Thursday. “An analyst would not have to worry about false positives because the platform would have the ability to properly classify standard actions of legitimate users and the control system. A sleek user interface (UI) would highlight all noteworthy actions in a timeline view, linking together related actions and giving relevant information about how each action could affect the OT network, control systems, and industrial processes,” he added.
In addition, the platform would provide a coherent narrative of adversary actions while including supporting details in the form of telemetry. The capability to have this type of awareness and convey it to the user was the vision of the research community before the ICS detection market existed, Alexander wrote.
Visibility refers to the proportion of substeps for which a participant produced either an analytic or a detection, making it an indicator of a platform’s ability to capture a large share of the individual actions carried out against the evaluation environment, according to Alexander. Having this accurate record of information is critical to many investigative activities such as threat hunting, incident response, and forensics.
Alexander also pointed out that wherever human interaction is required, asset owners may find it difficult to hire and retain staff with the skills needed to make sense of the voluminous data, and that the tools in place should therefore put greater emphasis on contextualizing that data.
“Context can provide greater awareness as to why detection is relevant and how it relates to other events captured in the platform. This could be a force multiplier in the industry’s quest to effectively monitor Operational Technology (OT) networks,” according to Alexander. “It should also be noted that while additional context can in many ways be the difference between detecting or not detecting adversary behavior, different behaviors will require different levels of context,” he added.
Noting that asset owners and operators struggle to hire and retain staff with the skills to monitor OT networks, Alexander said that detection platform vendors can do much to alleviate this skills gap by adding more context to the voluminous telemetry their platforms generate, rather than leaving analysts to assemble the story from individual alerts.
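To make the "detection context gap" and the visibility metric concrete, here is an added example (not MITRE's, not any participating vendor's code) that runs two styles of analytic over a small set of constructed OT telemetry: context-free point detections that fire on every mode change and program download, and a session-based analytic that links the related actions between one host and one controller into a single narrative and classifies the whole sequence. The event schema, the host addresses, the controller name, the allowlist of engineering workstations and the list of emulation substeps are all assumptions made up for the illustration. The same mode-change event is benign in one session and the key evidence of a reprogramming in the other, which is the point about different behaviors needing different levels of context.

```python
"""Raw point detections versus contextualised narratives over OT telemetry.

Added example, not code from MITRE or any evaluation participant. Everything
below (hosts, controller, allowlist, sample events, substep list) is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed: the only host that is supposed to program the safety controller.
KNOWN_ENGINEERING_WORKSTATIONS = {"10.0.0.10"}
# Two actions from the same host to the same controller closer than this are
# treated as one session.
SESSION_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str      # host that initiated the action
    dst: str      # controller the action targeted
    action: str   # normalised action name from the protocol parser
    detail: str = ""


@dataclass
class Narrative:
    src: str
    dst: str
    start: datetime
    end: datetime
    events: List[Event] = field(default_factory=list)
    severity: str = "info"
    summary: str = ""


# Constructed telemetry: a legitimate maintenance session from the allowlisted
# workstation, then the same sequence of actions from an unknown host.
T0 = datetime(2021, 8, 5, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "10.0.0.10", "SIS-01", "connect"),
    Event(T0 + timedelta(minutes=1), "10.0.0.10", "SIS-01", "mode_change", "RUN->PROGRAM"),
    Event(T0 + timedelta(minutes=2), "10.0.0.10", "SIS-01", "program_download", "logic_v12"),
    Event(T0 + timedelta(minutes=3), "10.0.0.10", "SIS-01", "mode_change", "PROGRAM->RUN"),
    Event(T0 + timedelta(hours=3), "10.0.0.77", "SIS-01", "connect"),
    Event(T0 + timedelta(hours=3, minutes=1), "10.0.0.77", "SIS-01", "mode_change", "RUN->PROGRAM"),
    Event(T0 + timedelta(hours=3, minutes=2), "10.0.0.77", "SIS-01", "program_download", "unnamed"),
    Event(T0 + timedelta(hours=3, minutes=3), "10.0.0.77", "SIS-01", "mode_change", "PROGRAM->RUN"),
    Event(T0 + timedelta(hours=3, minutes=4), "10.0.0.77", "SIS-01", "disconnect"),
]


def point_detections(events: List[Event]) -> List[Event]:
    """Context-free analytic: flag each risky action on its own.

    Every mode change and program download is an alert, so the legitimate
    maintenance session generates exactly as many alerts as the intrusion.
    """
    return [e for e in events if e.action in ("mode_change", "program_download")]


def classify(n: Narrative) -> None:
    """Decide severity for a whole session, using who acted and what sequence ran."""
    actions = [e.action for e in n.events]
    modes = [e.detail for e in n.events if e.action == "mode_change"]
    downloaded = "program_download" in actions
    trusted = n.src in KNOWN_ENGINEERING_WORKSTATIONS
    if downloaded and not trusted:
        n.severity = "high"
        n.summary = (f"{n.src} (not an allowlisted engineering workstation) reprogrammed "
                     f"{n.dst}: {' then '.join(modes)} with a program download in between")
    elif downloaded:
        n.severity = "info"
        n.summary = f"Maintenance: allowlisted {n.src} reprogrammed {n.dst}"
    elif not trusted:
        n.severity = "medium"
        n.summary = f"{n.src} (not allowlisted) connected to {n.dst} without changing it"
    else:
        n.summary = f"Allowlisted {n.src} connected to {n.dst}"


def build_narratives(events: List[Event]) -> List[Narrative]:
    """Link related actions per (src, dst) into sessions, then classify each session."""
    narratives: List[Narrative] = []
    open_sessions: Dict[Tuple[str, str], Narrative] = {}
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.src, e.dst)
        n = open_sessions.get(key)
        if n is None or e.ts - n.end > SESSION_WINDOW:
            n = Narrative(e.src, e.dst, e.ts, e.ts)
            open_sessions[key] = n
            narratives.append(n)
        n.events.append(e)
        n.end = e.ts
    for n in narratives:
        classify(n)
    return narratives


def render_timeline(n: Narrative) -> List[str]:
    """Narrative first, then the supporting telemetry as evidence lines."""
    lines = [f"[{n.severity.upper()}] {n.start:%H:%M}-{n.end:%H:%M} {n.summary}"]
    lines += [f"    {e.ts:%H:%M:%S} {e.src} -> {e.dst} {e.action} {e.detail}".rstrip() for e in n.events]
    return lines


def visibility(substeps: Dict[str, bool]) -> float:
    """Share of emulation substeps with an analytic or detection (Alexander's definition)."""
    return sum(1 for covered in substeps.values() if covered) / len(substeps)


if __name__ == "__main__":
    print(f"{len(point_detections(SAMPLE_EVENTS))} context-free alerts")
    for narrative in build_narratives(SAMPLE_EVENTS):
        print("\n".join(render_timeline(narrative)))
    # Constructed substep coverage, not the evaluation's real results.
    print(f"visibility = {visibility({'connect': True, 'mode_change': True, 'download': False, 'restore': True}):.2f}")
```

Run as a script, the context-free analytic emits six alerts that an analyst has to sort out by hand, while the session analytic emits two narratives, one informational and one high severity, each carrying the telemetry that supports it.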
Last month, MITRE Engenuity announced results from its initial round of independent ATT&CK evaluations for ICS, in which products from Armis, Claroty, Dragos, the Institute for Information Industry, and Microsoft were assessed; the evaluation was paid for by the participating vendors. The products were examined on how they detected behavior emulating the Russian-linked Triton malware.