FireEye’s Mandiant Threat Analysis and MITRE have partnered to produce a new framework that will merge the two different information bases of Business ATT&CK and ICS ATT&CK vulnerability into a single unified perspective that incorporates the activities of IT and OT assault.
MITRE emphasised in designing its ICS ATT&CK matrix that both Business ATT&CK and ICS ATT&CK need to be understood to reliably map threat agent activities through OT events. But just as the historical division between IT and OT can lead to exposure loss between the two, the differentiation of ATT&CK into Company and ICS can also lead to a loss of information on the actions of the intruder.
The issue is dependent on what ‘intermediary networks’ are defined by FireEye. These may be part of OT structurally, but still operate on normal business operating systems. They are used to manage the facilities of the ICS and thus administer non-company software systems. In the handover to ICS, Enterprise ATT&CK will map attacker actions to the intermediate networks, but loses visibility. The issue with presenting a comprehensive view of attack activity is that within the intermediate structures, much of the activity of a sophisticated attack is contained.
Over the past 5 to 10 years, “They said to Nathan Brubaker, senior manager at Mandiant Threat Intelligence,” every advanced ICS attack instance we have seen has passed through these intermediate networks on its way to affecting ICS. This involves malware such as Stuxnet, Triton and most others. Ninety to ninety-five percent of the operation of threat actors happens on these intermediate networks. There is nothing that can be said until they get past the proxy systems and directly into the PLCs, and you’re in trouble. While MITRE, he stated, “has demonstrated that Business and ICS can be used and interpreted together, we assume it is more efficient and realistic to combine the two into a holistic view of our usage case as a defence provider.”
While you can chart a lot of the intermediary operation of the attackers in Business, you can mostly see typical IT attacks — like data theft. But the attacks against ICS systems that start from here will not be able to map you. For eg, an HMI might be used to shut down an OT process and effect the ICS, and in Industry, you won’t be able to map it.
“In order to make matters worse, Brubaker added,” attackers are gradually attacking the intermediary systems directly. One latest example was the attack on an Israeli water grid in Spring 2020 that started with a direct attack on the intermediary systems . In this case, without authorization, it was a Windows computer running HMI programme that was connecting to the internet. Such stuff can easily be found in Shodan.
FireEye outlines its work on a modern single matrix simulation in a blog written Wednesday. “It takes into account the latest work in progress by MITRE aimed at developing a STIX representation of ATT&CK for ICS, merging ATT&CK for ICS into the ATT&CK Navigator app, and representing ATT&CK for Enterprise’s IT portions of ICS attacks. As a result, this proposal focuses not only on data quality, but also on user-friendly applications and data formats.”
ICS ATT&CK provides specifics of TTPs that illustrate ICS risks, such as PLCs and other embedded systems, but does not include intermediary applications running on traditional business operating systems by default. There is nothing that can be said by the time the attacker hits the PLCs — it is pretty much game over. Thus, it is easier to be able to see the attack holistically through the intermediate networks and into the ICS systems from the IT network.
Mandiant Threat Intelligence has suggested a composite structure including ICS / Enterprise overlap, ICS / Enterprise subtechnique overlap, ICS only, and Enterprise only strategies to obtain this holistic view of the total OT attack lifecycle.
“Throughout the assault lifecycle, it provides a comprehensive viewpoint on an event affecting both ICS and Business tactics and strategies,” says Mandiant Threat Intelligence.
Such a comprehensive perspective is becoming increasingly necessary. While attacks on ICS systems directly intended to inflict physical damage remain relatively uncommon due to the complexity, costs and resources to build them (mainly limiting them to attackers from the nation-state), common criminals are increasingly targeting ransomware ICS systems to increase the probability of a successful extortion return.
Two different networks do not see threat agents, “Brubaker explained,” they see just networks and targets; and they don’t even care if they get there. Consider financial threat actors, “he said,” not specifically targeting ICS, but the aims they are following include ICS and they engage with others who want to get what they want — for example, by introducing ransomware to raise the ransom throughout certain networks. We will begin bridging the divide between Business and ICS by looking at it holistically, and not dropping the ball between the two. The hybrid model will not eliminate ICS attacks, but will improve visibility and comprehension of how those attacks occur; and will help advocates prepare against potential attacks — for example, by developing regulations for anomaly detection systems that would detect a disruptive attack that is likely to harm ICS in order to stop it.