CISA MITRE ATT&CK for ICS focuses on adversarial tactics, techniques disrupting industrial control process
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Homeland Security Systems Engineering and Development Institute (HSSEDI), updated the Best Practices for MITRE ATT&CK Mapping. The new version covers common analytical biases, mapping mistakes, specific mapping guidance for MITRE ATT&CK for ICS (industrial control systems), and changes made to the framework since CISA initially published the best practices in June 2021.

Since the initial release of the MITRE ATT&CK mapping guidance in June 2021, malicious cyber operators and operations have continued to evolve at a rapid pace. To maintain relevancy and maximize impact for defenders, MITRE ATT&CK has also evolved the ATT&CK framework, adding major new structures, features, and techniques. 

Beginning with ATT&CK version nine (v9), these changes include the introduction of new platforms, expansion of macOS and Linux coverage, increased equity between the ICS, mobile, and enterprise matrices, redefinition of data sources and detections, and the addition of ATT&CK Campaigns. As of version 12 (v12) released last October, the ATT&CK for Enterprise contains 14 tactics, 193 techniques, 401 sub-techniques, 135 groups, 14 campaigns, and 718 pieces of software.

In the latest update, the Best Practices for MITRE ATT&CK Mapping covers the above list of ATT&CK updates, as well as common analytical biases, mapping mistakes, and specific ATT&CK mapping guidance for ICS. 

The MITRE ATT&CK for ICS focuses on tactics and techniques of adversaries whose primary goal is disrupting an industrial control process, including supervisory control and data acquisition (SCADA) systems, and other control system configurations. 

The guidance said that like applications of other ATT&CK knowledge bases, successful applications of the ATT&CK for ICS knowledge base should produce an accurate and consistent set of mappings that analysts can use in developing adversary profiles, conducting activity trend analyses, augmenting reports for detection, response, and mitigations.

“There are various ICS technology domain recommendations that analysts should consider in mapping to the ATT&CK for ICS knowledge base,” the guidance said. 

First, analysts should keep in mind that the knowledge base is heavily abstracted compared to the other knowledge bases in the ATT&CK ecosystem. The ICS technology domain collectively comprises a diversity of critical infrastructure sectors, industrial processes, assets, communication protocols, etc. 

The knowledge base authors have written the description of the ICS techniques at an abstraction level that considers this diversity. For this reason, analysts mapping to ATT&CK for ICS in reports must include the relevant procedure example details and context. These details and context will be useful to threat hunters, adversary emulators, and detection engineers focusing on this domain. 

Second, analysts should review the recommendations that address common mistakes that CISA and MITRE ATT&CK have observed in reports that map to ATT&CK for ICS. 

When it comes to leveraging ATT&CK knowledge bases together to represent the full scope of adversary behavior, the guidance noted: “Although the ATT&CK for ICS knowledge base contains TTPs that effectively explain threats to ICS—such as programmable logic controllers (PLCs) and other embedded systems—it by design does not include a comprehensive set of techniques related to the operational technology assets that run on operating systems, protocols, and applications similar to enterprise IT assets. ATT&CK for ICS relies on ATT&CK for Enterprise to categorize adversary behaviors affecting these assets.”

The guidance recommends including implementation details that describe how the adversary developed the capability, including the network protocols and associated request/response sequences the capability leveraged, and how the adversary accomplished the functionality. “For example, did the adversary use vendor software, open-source software, a custom protocol implementation, or a vendor library/DLL as part of a custom binary? Including this level of detail can help to inform detection and mitigation approaches,” it added.

The guidance said that intelligence reports and forensic artifacts often do not include all the information analysts need to perform a complete mapping of adversary behavior to ATT&CK. “This is a common occurrence in ICS attacks where asset owners may be reluctant to share information or may not have comprehensive monitoring capabilities deployed.”

Analysts should explicitly address these gaps in intelligence—and why they occur—in reports that map to ATT&CK, the guidance added. “Providing these details can help make defenders aware that the mapping is not complete and that the inclusion of additional or more comprehensive defensive technologies in asset owner infrastructure could address the gap.”

The guidance also recommends providing background on the affected sectors, industrial processes, and technologies. Additional background can give defenders valuable context about whether the adversary behavior is applicable, or could be relatively easily ported, to related infrastructure. Background about the impacts on the sector and industrial processes can help defenders understand adversary intent and whether the capability could have a similar impact in a related environment. Likewise, details about affected technologies can help defenders assess technologies in their environment for similar functionality.

The guidance also recommends capturing where the adversary executed ATT&CK techniques. Technique names and descriptions provide context about what an adversary may gain by leveraging certain behaviors and how—and against which assets—techniques could be executed. Techniques do not cover all the configurations an asset owner may implement, however, so it is important for reports that map to ATT&CK for ICS to capture where in the environment an adversary executed a technique and against which assets.

Logical separations of adversary capabilities based on where the adversary used the techniques and against which assets can help defenders know where to focus their attention. This information can also help defenders understand the most likely paths that an adversary uses to execute a technique, the proper data sources to collect to detect the behavior, and mitigations that defenders can apply to the relevant assets and communication channels.
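The completeness rules the guidance describes (procedure details, target asset, execution location, protocols, explained gaps, and Enterprise rather than ICS for IT-like OT assets) can be enforced mechanically before a report ships. The following validator is an added example written for this article, not code from CISA or MITRE; the technique IDs, asset classes and report entries are constructed placeholders.

```python
from dataclasses import dataclass, field

# Asset classes with IT-style OS/protocols: the guidance maps behaviour against
# these with ATT&CK for Enterprise, not ATT&CK for ICS (constructed list).
IT_LIKE_ASSETS = {"engineering workstation", "hmi server", "historian", "jump host"}
UNMAPPED = "UNMAPPED"  # marker for observed activity that could not be mapped

@dataclass
class Mapping:
    technique_id: str                 # placeholder IDs in this example
    matrix: str                       # "ics" or "enterprise"
    procedure: str                    # how the capability was implemented
    target_asset: str                 # asset the technique ran against
    location: str                     # where in the environment it ran
    protocols: list = field(default_factory=list)
    gap_reason: str = ""              # required when technique_id is UNMAPPED

def validate_mapping(m: Mapping) -> list:
    """Return findings for one record; an empty list means it is complete."""
    findings = []
    if m.technique_id == UNMAPPED:
        # Gaps are allowed, but the report must say why the gap exists.
        if not m.gap_reason.strip():
            findings.append("gap not explained: state why evidence is incomplete")
        return findings
    if not m.procedure.strip():
        findings.append("missing procedure example details")
    if not m.target_asset.strip():
        findings.append("missing target asset")
    if not m.location.strip():
        findings.append("missing execution location")
    if m.matrix == "ics" and m.target_asset.strip().lower() in IT_LIKE_ASSETS:
        findings.append("IT-like OT asset: categorise with ATT&CK for Enterprise")
    if m.matrix == "ics" and not m.protocols:
        findings.append("ICS technique recorded without the protocol(s) used")
    return findings

def validate_report(records: list) -> dict:
    """Index each incomplete record to its findings; complete records are omitted."""
    return {i: f for i, r in enumerate(records) if (f := validate_mapping(r))}

# Constructed sample report: one complete record, one IT-like asset wrongly
# mapped under ICS, and one unexplained gap.
SAMPLE_REPORT = [
    Mapping("T0000-PLACEHOLDER", "ics", "loaded modified logic via vendor engineering software",
            "PLC", "Level 1 control network", ["vendor download protocol"]),
    Mapping("T0000-PLACEHOLDER", "ics", "ran a credential dumping tool",
            "Engineering Workstation", "Level 2 supervisory network", ["smb"]),
    Mapping(UNMAPPED, "ics", "", "", ""),
]
```

Running `validate_report(SAMPLE_REPORT)` flags only records 1 and 2, which is the kind of pre-publication check that keeps a mapping from silently omitting the context the guidance says defenders need.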

Last May, CISA released its latest analysis of the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2021. The analysis and an accompanying infographic detail the findings from the 112 assessments carried out across federal civilian executive branch (FCEB), critical infrastructure (CI), and state, local, tribal, and territorial (SLTT) stakeholders. Both the analysis and the infographic map hacker behavior to the MITRE ATT&CK framework.