Few of us have directly experienced the loss of a critical service or piece of infrastructure (a power outage, a hospital cut off from its patient data), but the security community has seen explosive growth in cyberattacks targeting operational technology (OT) environments. The IBM X-Force Threat Intelligence Index 2020 found that attacks on OT increased by 2,000 percent in 2019 compared with 2018, and the trend is expected to continue in the coming years.

In security operations centers (SOCs), we have already seen the value MITRE ATT&CK provides through its encyclopedia of adversary tactics, techniques and procedures (TTPs), built from real-world observations of intrusions. The knowledge base lets security teams map observed adversary behavior against their own detection and prevention controls when conducting gap analysis and threat modeling.

Why Was ATT&CK for ICS Created?

OT and industrial control systems (ICS) operate differently from traditional IT systems, and attackers correspondingly follow TTPs specific to the OT domain and the targeted industry. Most ICS environments combine conventional IT systems with controllers, supervisory control and data acquisition (SCADA) systems and human-machine interfaces (HMIs) that talk to physical equipment over industrial protocols, many of which were designed without authentication or integrity protection.

Adversary goals differ as well: the objective is often to manipulate or disrupt a physical process, and human safety can be endangered when those processes are no longer controlled properly. This has created interest among OT security teams around the globe in a standardized view of ICS-specific TTPs, one that can help answer questions such as:

  • What are the common attack kill chains?
  • How should they be prioritized?
  • What are the gaps in detection and prevention controls for each TTP?

In response, MITRE released ATT&CK for ICS in January 2020, drawing on contributions from more than 100 individuals representing 39 organizations.

The Structure of ATT&CK for ICS

The core of MITRE ATT&CK for ICS is a catalog of the TTPs used by threat actors that have carried out attacks against ICS environments. It is industry agnostic, so it is meant to work equally well for ICS environments supporting any industrial process, whether the goal is threat intelligence or incident response. To let organizations select and prioritize security activities for the equipment they actually run, each technique is mapped to the ICS asset categories it targets. The seven asset categories currently covered are:

  1. Control Server
  2. Data Historian
  3. Engineering Workstation
  4. Field Controller/RTU/PLC/IED
  5. Human-Machine Interface
  6. Input/Output Server
  7. Safety Instrumented System/Protection Relay

At the time of writing, ATT&CK for ICS also carries detailed entries for 96 techniques, arranged under the 11 adversary objectives, or tactics, that make up its matrix. Because each technique is additionally mapped to the asset categories above, to the 10 threat groups known to have attacked ICS and to 17 pieces of malicious software used in those attacks, an organization can filter the matrix down to the techniques that are relevant to its specific environment and the adversaries most likely to target it.

How Security Teams Can Utilize ATT&CK for ICS

The power of ATT&CK for ICS lies in how it is applied to specific security roles. Some critical use cases include:

  • Standard language and terminology for threats and adversaries
  • Identification of gaps in ICS security controls and creation of defensive strategies
  • Creation of ICS/OT use cases for the SOC
  • Effective ICS threat intelligence and ICS incident triage and response activities
  • Understanding of ICS threat behaviors
  • Adversary emulation; testing of security controls and defenses
  • Training of the OT security workforce
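The structure described above (techniques carrying a tactic, a set of targeted asset categories, and links to the groups that use them) and the gap-analysis use case in the list above can be worked through in code. The following is an added example written for this page, not MITRE's tooling. It builds a small STIX 2-style bundle in the shape MITRE uses to publish ATT&CK (attack-pattern objects with kill_chain_phases and external_references, intrusion-set objects, and "uses" relationships), indexes it, and ranks the uncovered techniques per in-scope asset by how many groups use them. The technique subset, asset assignments, group names, group-to-technique links and coverage map are all constructed sample data, and reading asset categories from x_mitre_platforms is an assumption about the data format; check IDs and mappings against the current MITRE release before relying on them.

```python
"""Coverage and gap analysis over an ATT&CK for ICS-style STIX 2 bundle (added example)."""
from collections import defaultdict

KILL_CHAIN = "mitre-ics-attack"  # kill_chain_name / source_name used for ICS techniques


def _technique(tid, name, tactics, assets):
    """Build a minimal STIX attack-pattern in the shape ATT&CK publishes.
    ASSUMPTION: targeted asset categories live in x_mitre_platforms."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--{tid.lower()}",  # constructed id; real ones are UUIDs
        "name": name,
        "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": t} for t in tactics],
        "external_references": [{"source_name": KILL_CHAIN, "external_id": tid}],
        "x_mitre_platforms": assets,
    }


def _uses(group_id, tid):
    """STIX 'uses' relationship from an intrusion-set to an attack-pattern."""
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": f"intrusion-set--{group_id}",
            "target_ref": f"attack-pattern--{tid.lower()}"}


# Constructed sample bundle: a handful of techniques, fictitious groups and fictitious links.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _technique("T0883", "Internet Accessible Device", ["initial-access"],
               ["Control Server", "Field Controller/RTU/PLC/IED"]),
    _technique("T0859", "Valid Accounts", ["initial-access", "persistence", "lateral-movement"],
               ["Control Server", "Engineering Workstation", "Human-Machine Interface"]),
    _technique("T0843", "Program Download", ["lateral-movement"],
               ["Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay"]),
    _technique("T0855", "Unauthorized Command Message", ["impair-process-control"],
               ["Field Controller/RTU/PLC/IED"]),
    _technique("T0878", "Alarm Suppression", ["inhibit-response-function"],
               ["Human-Machine Interface", "Field Controller/RTU/PLC/IED"]),
    _technique("T0831", "Manipulation of Control", ["impact"],
               ["Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay"]),
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Sample Group One"},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Sample Group Two"},
    _uses("g1", "T0883"), _uses("g1", "T0859"), _uses("g1", "T0843"), _uses("g1", "T0855"),
    _uses("g2", "T0859"), _uses("g2", "T0843"), _uses("g2", "T0831"),
]}

# Constructed record of one plant's existing controls, keyed by technique ID.
SAMPLE_COVERAGE = {
    "T0883": {"prevent"},            # perimeter firewall, but no discovery of exposed devices
    "T0859": {"detect"},             # account-use alerting, no MFA on the OT jump host
    "T0843": {"detect", "prevent"},  # PLC write monitoring plus physical key switch
}


def load_techniques(bundle):
    """Index attack-patterns by ATT&CK ID -> {name, stix_id, tactics, assets}."""
    techs = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r["source_name"] == KILL_CHAIN)
        techs[tid] = {
            "name": obj["name"],
            "stix_id": obj["id"],
            "tactics": [p["phase_name"] for p in obj["kill_chain_phases"]
                        if p["kill_chain_name"] == KILL_CHAIN],
            "assets": list(obj.get("x_mitre_platforms", [])),
        }
    return techs


def techniques_by_tactic(techs):
    """Invert the index: tactic -> sorted technique IDs (a technique may sit under several)."""
    out = defaultdict(list)
    for tid, t in techs.items():
        for tactic in t["tactics"]:
            out[tactic].append(tid)
    return {k: sorted(v) for k, v in out.items()}


def group_usage(bundle, techs):
    """technique ID -> set of group names linked to it by 'uses' relationships."""
    by_stix = {t["stix_id"]: tid for tid, t in techs.items()}
    groups = {o["id"]: o["name"] for o in bundle["objects"] if o.get("type") == "intrusion-set"}
    usage = defaultdict(set)
    for o in bundle["objects"]:
        if (o.get("type") == "relationship" and o.get("relationship_type") == "uses"
                and o["source_ref"] in groups and o["target_ref"] in by_stix):
            usage[by_stix[o["target_ref"]]].add(groups[o["source_ref"]])
    return usage


def gap_analysis(techs, usage, coverage, assets_in_scope):
    """Per in-scope asset: (tid, name, missing control types, group count), ranked by
    number of groups using the technique, then by ID. Fully covered techniques are omitted."""
    gaps = {}
    for asset in assets_in_scope:
        rows = []
        for tid, t in techs.items():
            if asset not in t["assets"]:
                continue
            missing = sorted({"detect", "prevent"} - coverage.get(tid, set()))
            if missing:
                rows.append((tid, t["name"], missing, len(usage.get(tid, ()))))
        rows.sort(key=lambda r: (-r[3], r[0]))
        gaps[asset] = rows
    return gaps


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    usage = group_usage(SAMPLE_BUNDLE, techs)
    for asset, rows in gap_analysis(techs, usage, SAMPLE_COVERAGE,
                                    ["Field Controller/RTU/PLC/IED"]).items():
        print(asset)
        for tid, name, missing, n in rows:
            print(f"  {tid} {name}: missing {','.join(missing)} (used by {n} groups)")
```

The real data set is published by MITRE as STIX JSON, so the same functions apply to it once the bundle is loaded with `json.load`; the ranking is deliberately simple (count of groups) so that a SOC can swap in its own prioritization, such as weighting by the groups known to target its industry.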

Contribute to the Evolution of ATT&CK for ICS

ATT&CK is regularly updated with new information about adversary techniques. For example, ATT&CK for Enterprise recently added multiple techniques covering adversary behavior against cloud platforms. ATT&CK for ICS is likewise expected to be updated as new techniques are reported to MITRE and validated. Note also that ICS networks are rarely fully isolated from IT, so organizations that run both must consider ATT&CK for Enterprise TTPs alongside the ICS ones: an intrusion that starts in the corporate network and pivots into OT spans both matrices.

As the framework continues to evolve, organizations with ICS and OT infrastructure can give back by providing information to MITRE on emerging ICS attack techniques, refining current content and developing additional use cases for ATT&CK for ICS.
