FireEye Proposes Converged Enterprise and ICS ATT&CK Matrix
FireEye’s Mandiant Threat Intelligence and MITRE have collaborated on a new visualization that combines the separate Enterprise ATT&CK and ICS ATT&CK knowledgebases into a single holistic view of both IT and OT attack behaviors.
In developing its ICS ATT&CK matrix, MITRE stressed that both Enterprise ATT&CK and ICS ATT&CK must be understood together to accurately track threat actor behaviors across OT incidents. But just as the historical divide between IT and OT can cause a loss of visibility between the two, so can the separation of ATT&CK into Enterprise and ICS cause a loss of visibility into attacker behaviors that cross the boundary.
The problem centers on what FireEye describes as ‘intermediary systems’. These may structurally be part of OT, but they run on standard enterprise operating systems (a Windows host running HMI software, for example). Because they are used to control the ICS equipment, they also run non-enterprise ICS software. Enterprise ATT&CK can map attacker behavior up to the intermediary systems, but loses visibility at the handover to ICS. This matters for a complete view of attack behavior because most of a sophisticated attack’s activity takes place on the intermediary systems.
“Over the past 5 to 10 years,” Nathan Brubaker, senior manager at Mandiant Threat Intelligence told SecurityWeek, “every sophisticated ICS attack instance we have observed has passed through these intermediary systems on its way to impacting ICS. This includes malware like Stuxnet, Triton and most others. Ninety to ninety-five percent of threat actor activity occurs on these intermediary systems.” So that’s the most likely place you’re going to find ICS attackers, and the best opportunity to stop them. Once they get beyond the intermediary systems and actually into the PLCs, there is little that can be done, and you’re in trouble. While MITRE, he continued, “has highlighted that Enterprise and ICS should be used and viewed together, from our use case as a security vendor, we think it is more useful and practical to merge the two into one holistic view.”
While much of the attackers’ activity on the intermediary systems can be mapped in Enterprise ATT&CK, what you will primarily see there are standard IT techniques, such as data theft. What cannot be mapped in Enterprise are the attacks against ICS that are launched from those systems. For example, an HMI could be used to shut down an OT process and impact the ICS, and that step has no place in the Enterprise matrix.
To make matters worse, said Brubaker, “attackers are increasingly directly targeting the intermediary systems. One recent example was the attack on an Israeli water system in Spring 2020 that started with a direct attack against the intermediary systems. In this case it was a Windows machine running HMI software that was connected to the internet without authentication. Such things can easily be found in Shodan.”
In a blog posted Wednesday, FireEye describes its work on a new single matrix visualization. “It takes into consideration MITRE’s current work in progress aimed at creating a STIX representation of ATT&CK for ICS, incorporating ATT&CK for ICS into the ATT&CK Navigator tool, and representing the IT portions of ICS attacks in ATT&CK for Enterprise. As a result, this proposal focuses not only on data accuracy, but also on the tools and data formats available for users.”
ICS ATT&CK contains details of TTPs that explain threats to ICS, such as PLCs and other embedded systems, but by design does not cover the intermediary systems that run on standard enterprise operating systems. By the time the attacker reaches the PLCs, there is little that can be done; it is pretty much game over. It is better, therefore, to be able to see the attack holistically, from the IT network through the intermediary systems and into the ICS systems.
To achieve this holistic view of the full OT attack lifecycle, Mandiant Threat Intelligence has proposed a hybrid matrix comprising ICS/Enterprise overlap, ICS/Enterprise subtechnique overlap, ICS only, and Enterprise only techniques.
“It presents a holistic view of an incident involving both ICS and Enterprise tactics and techniques throughout the attack lifecycle,” says Mandiant Threat Intelligence.
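The four classes of the proposed hybrid matrix can be applied mechanically once a crosswalk between the two knowledgebases exists. The following is an added example, not FireEye’s or MITRE’s code: given a constructed sample of techniques from each matrix and a constructed crosswalk between them, it classifies each technique, builds the merged view, annotates an observed attack chain so the handover from IT through the intermediary systems into ICS is visible, and emits a Navigator-style layer for one domain. The technique IDs, the crosswalk, the colours and the layer field names are assumptions of this example and should be checked against the current ATT&CK release and the Navigator layer format.

```python
"""Added example (not FireEye's or MITRE's code): classify ATT&CK techniques into
the four classes of the proposed hybrid matrix and emit an ATT&CK Navigator-style
layer. All technique data below is a constructed, illustrative sample."""
import json

# Constructed sample. The IDs follow the Enterprise (T1xxx) and ICS (T0xxx)
# numbering of the published matrices; verify each against the current ATT&CK
# release before relying on it.
ENTERPRISE = {
    "T1133": "External Remote Services",
    "T1078": "Valid Accounts",
    "T1059.003": "Windows Command Shell",   # sub-technique of T1059
    "T1486": "Data Encrypted for Impact",
}
ICS = {
    "T0822": "External Remote Services",
    "T0859": "Valid Accounts",
    "T0807": "Command-Line Interface",
    "T0816": "Device Restart/Shutdown",
}
# Constructed crosswalk: ICS technique -> Enterprise technique or sub-technique
# that describes the same behaviour on an intermediary system.
OVERLAP = {"T0822": "T1133", "T0859": "T1078", "T0807": "T1059.003"}
ENTERPRISE_TO_ICS = {v: k for k, v in OVERLAP.items()}

# Display colours for the four classes (arbitrary choice for the layer legend).
COLORS = {
    "overlap": "#7fbf7f",
    "subtechnique_overlap": "#bfdfbf",
    "ics_only": "#ff9966",
    "enterprise_only": "#99ccff",
}


def classify(tid):
    """Return the hybrid-matrix class of one technique ID from either domain."""
    if tid in ICS:
        counterpart = OVERLAP.get(tid)
    elif tid in ENTERPRISE:
        counterpart = ENTERPRISE_TO_ICS.get(tid)
    else:
        raise KeyError(f"unknown technique {tid}")
    if counterpart is None:
        return "ics_only" if tid in ICS else "enterprise_only"
    # A crosswalk to or from a sub-technique (dotted ID) is the sub-technique
    # overlap class; anything else is a technique-level overlap.
    return "subtechnique_overlap" if "." in tid or "." in counterpart else "overlap"


def hybrid_matrix():
    """Merge both domains into one list of rows, one row per behaviour."""
    rows = []
    for ics_id, name in ICS.items():
        rows.append({"ics": ics_id, "enterprise": OVERLAP.get(ics_id),
                     "name": name, "class": classify(ics_id)})
    for ent_id, name in ENTERPRISE.items():
        if ent_id not in ENTERPRISE_TO_ICS:   # already covered by an ICS row
            rows.append({"ics": None, "enterprise": ent_id,
                         "name": name, "class": "enterprise_only"})
    return rows


def annotate_chain(chain):
    """Label each step of an observed attack chain with its hybrid class, so the
    hand-over from IT through the intermediary systems into ICS is visible."""
    names = {**ENTERPRISE, **ICS}
    return [(tid, names[tid], classify(tid)) for tid in chain]


def navigator_layer(domain, chain):
    """Build an ATT&CK Navigator-style layer for one domain ('enterprise-attack'
    or 'ics-attack') that colours each technique in `chain` by class and names
    its counterpart in the other domain. Field names are assumed from the
    Navigator layer format; version fields are omitted here."""
    wanted = ENTERPRISE if domain == "enterprise-attack" else ICS
    techniques = []
    for tid, _, cls in annotate_chain(chain):
        if tid not in wanted:
            continue
        other = OVERLAP.get(tid) or ENTERPRISE_TO_ICS.get(tid)
        techniques.append({"techniqueID": tid, "color": COLORS[cls],
                           "comment": f"{cls}; counterpart: {other or 'none'}"})
    return {"name": f"hybrid view ({domain})", "domain": domain,
            "techniques": techniques,
            "legendItems": [{"label": c, "color": col} for c, col in COLORS.items()]}


if __name__ == "__main__":
    # Constructed chain: remote access to an exposed HMI host, a valid account,
    # a command shell on the intermediary system, then a shutdown via the HMI.
    chain = ["T1133", "T1078", "T1059.003", "T0816"]
    for step in annotate_chain(chain):
        print(step)
    print(json.dumps(navigator_layer("ics-attack", chain), indent=2))
```

Because Navigator layers are per domain, the crosswalk is carried through the `comment` field of each technique rather than in a single merged layer; a real deployment would generate the crosswalk from MITRE’s STIX data instead of hand-writing it.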
Such a holistic view is becoming increasingly important. While attacks against ICS specifically designed to cause physical damage remain relatively rare because of the difficulty, cost and resources needed to develop them (largely limiting them to nation-state attackers), common criminals are increasingly targeting ICS with ransomware to increase the likelihood of a substantial extortion payment.
“The threat actors don’t see two separate networks,” explained Brubaker, “they just see networks and targets; and they don’t really care how they get there. Consider financial threat actors,” he added; “they’re not necessarily targeting ICS, but the targets they are going after have ICS and they are interacting with those to get what they want — for example by deploying ransomware in those systems to increase the ransom. By looking at it holistically, we can start to bridge that divide between Enterprise and ICS, and not drop the ball between the two. The hybrid model won’t stop attacks against ICS, but will increase knowledge and understanding of how such attacks unfold; and will help defenders prepare against future attacks — for example in writing rules for anomaly detection systems that will detect an attack in progress likely to impact ICS in time to stop it.”