Attacks and Vulnerabilities
Critical infrastructure
ICS Security Framework
Industrial Cyber Attacks
News
Secure-by-Design
Technology & Solutions
Threat Landscape
Vulnerabilities

New MITRE Engage mappings released for ATT&CK for ICS, ATT&CK for Mobile

April 02, 2024
New MITRE Engage mappings released for ATT&CK for ICS, ATT&CK for Mobile

Non-profit organization MITRE announced Monday that its Engage team has introduced new mappings for techniques from the ATT&CK for Mobile and ICS Matrices. Defenders can now apply the same process of identifying engagement opportunities from adversary behavior for operations based in ICS and Mobile environments. The MITRE Engage mappings can be viewed through the Engage Matrix Explorer or in the raw data found on Github.

C​​urrently, MITRE Engage includes several mappings to the Enterprise ATT&CK Matrix, Maretta Morovitz wrote in a Medium post for MITRE Engage. “These mappings can be explored in detail through the Engage Matrix Explorer.”

In her post, Morovitz identified the work done by Dylan Hoffmann, Gabby Raymond, Emma Holt, and Ian Rodriguez.

She detailed that adversary engagement diverges from other defensive technologies in a crucial aspect: it understands the threat as human. “When the adversary is human, rather than mere code, they become susceptible to vulnerabilities and biases. These factors can lead them to make decisions detrimental to their malicious objectives but advantageous to the defender’s interests.” 

Morovitz added that even in scenarios lacking direct human involvement, such as when facing an autonomous cyber adversary, adversary engagement can prove effective by addressing the known challenges inherent in such operations. 

“One way we can do this is with MITRE ATT&CK,” Morovitz pointed out. “ATT&CK outlines the various tactics and techniques an adversary may engage in during the course of a malicious operation. We can use ATT&CK to look at each adversary tactic, technique and procedure (TTP), analyze how this behavior makes the adversary vulnerable to manipulation, detection, influence, or disruption, and ultimately identify the engagement opportunity space.”

The MITRE Engage Matrix is informed by adversary behavior observed in the real world and is intended to drive strategic cyber outcomes. The Engage Matrix is broken into several components. Across the top of the Matrix are the Engage Goals. Goals are the high-level outcomes that operations would like to accomplish. The next row contains the Engage Approaches, which enables tracking progress towards selected goals. The remainder of the Matrix is composed of the Engage Activities, driven by real adversary behavior, and are the concrete techniques used in the approach which are divided into two categories. 

Strategic goals, approaches, and activities bookend the Matrix and ensure that defenders appropriately drive operations with strategic planning and analysis. Engagement goals, approaches, and activities are the traditional cyber denial and deception activities that are used to drive progress toward the defender’s objectives. When an adversary engages in a specific behavior, they are vulnerable to exposing an unintended weakness. 

In Engage, “we look at each ATT&CK technique to examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. By mapping the Engagement Activities to ATT&CK we can better plan which activities will enable us to reach our strategic objectives,” MITRE said. 

Morovitz said that the Engage team worked with experts from across MITRE including MITRE’s new Cyber Infrastructure Protection Innovation Center (CIPIC) under the direction of Mark Bristow, to develop these mappings.

Last week, MITRE launched its AI Assurance and Discovery Lab to discover and mitigate critical risks in artificial intelligence (AI)-enabled systems that need to operate in increasingly complex, uncertain, and high-stakes environments. The lab, which is based at MITRE’s McLean, Virginia, headquarters, features configurable space for risk discovery in simulated environments, AI red teaming, large language model evaluation, human-in-the-loop experimentation, and assurance plan development.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs
TXOne’s Portable Security Pro works towards improving security in ICS environments
TXOne Networks presents SageOne, its new CPS protection platform
Critical Start
Critical Start introduces managed detection and response services for OT environments
Shift5
Shift5 debuts GPS integrity module to combat GPS spoofing risks
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure