MITRE ATT&CK for OT and ICS
MITRE ATT&CK® ICS is a comprehensive framework for identifying, assessing, and mitigating professional (e.g., state-sponsored) cyberattacks on industrial networks.
Cyberattacks are rarely as simply structured as they are often portrayed in the media. State-sponsored, targeted attacks in particular – for example CRASHOVERRIDE, the Windows Exchange exploits by the hacker group Hafnium and the SolarWinds incident – follow a complex sequence. To that end, the defense contractor Lockheed Martin developed the Cyber Kill Chain® concept to better classify and describe cyberattacks on enterprises. However, it offers only a rough outline and focuses on IT and classic malware. For this reason, the MITRE ATT&CK® framework has become established for industrial automation networks and more complex attack campaigns (see Fig. 1). MITRE ATT&CK® not only adds further steps that have been observed in targeted attacks; the framework also describes the typical techniques used in each of them.
This results in 14 attack phases (or tactics) with around 107 techniques (as of May 2021).
Disruption in 14 Steps
Before the network is attacked, there is usually an extensive phase of reconnaissance (1). Information about the target such as company structure, employees, suppliers, contacts, infrastructure, and background information from the target’s website is collected. This is followed by weaponization (2), i.e. suitable attack methods are selected to gain access to the company network, including waterholing, spear phishing, brute force, default passwords from darknet lists, as well as vulnerabilities in devices and software. Both phases (or tactics) occur outside the target network and thus outside the scope of the various security mechanisms (firewall, VPN, IDS, SIEM, OT monitoring) in the enterprise.
The attack continues with a campaign that focuses exclusively on gaining access to the network and delivery (3) of the initial malware. The first point of contact in this phase might not even be the final target but suppliers and service providers who function as a stepping stone. After the initial malware has been injected, execution (4) follows to take over the infected device. Furthermore, a beachhead or backdoor is installed for persistence (5). This ensures that access is not lost even if credentials are changed, the device is rebooted or the malware is detected.
Fig. 1: The graphic shows the different phases of the Cyber Kill Chain® and the MITRE ATT&CK® Framework. The bottom section combines MITRE ATT&CK® Enterprise (phases 1-2) and MITRE ATT&CK® ICS (3-14) to create a complete picture of the attack phases and illustrate the mapping with the Cyber Kill Chain®.
From this point on, several phases run in parallel and interdependently. Discovery (8) and collection (10) target information on additional credentials, vulnerable devices, network and account structure (8), as well as the target system (10) on which the actual disruption (or impact) is supposed to be caused. The objective is to gain higher-level permissions via privilege escalation (6) for easier access. Often, this data is exported for the purpose of analysis, ransom, or resale. The captured information is used to start lateral movement (9) in the network and ultimately to deploy the corresponding payloads. Furthermore, it forms the basis for establishing a secure and stable connection to the command & control server (11).
Parallel to each step, evasion (7) measures are taken to prevent detection. For example, the accumulated knowledge about network structure, protocols and communication patterns is used to masquerade the malicious communication as normal communication. At higher levels of monitoring (typically firewalls), the communication is then indistinguishable from normal enterprise communication. Specific to industrial environments is that processes are constantly monitored for performance and safety (Safety Instrumented Systems, SIS) to ensure process stability and to protect human life and equipment, respectively. Attackers may block monitoring systems as well as forge sensor data (via man-in-the-middle) to inhibit response functions (12), i.e. alarm systems. Additionally, attackers might impair process control (13) to prevent a quick response by the control room. Once all payloads are in place, the actual attack on the target is initiated to cause the intended impact (14), e.g., process disruption, shutdown of devices, or change of states.
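The evasion paragraph makes a point that is worth seeing in code: traffic that a firewall passes as "normal" (allowed hosts, allowed ports) can still deviate at the protocol level, which is what OT monitoring looks at. The following added example, which is not part of the original article or of any vendor's product, learns a baseline of which Modbus function codes each (source, destination) pair uses and then flags a write request from a host that previously only read (the impair-process-control pattern) and a previously unseen host issuing a device-identification request (the discovery pattern). The flow-log format and all sample lines are constructed for this example; only the Modbus function-code numbers are taken from the Modbus application protocol specification.

```python
"""Added example (not from the original article): a minimal protocol-level
baseline detector of the kind an OT monitoring system uses. The flow-log
format and the sample lines are constructed for this example."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Modbus function codes (from the Modbus application protocol specification).
WRITE_FUNCTIONS = {5, 6, 15, 16}        # write coil(s) / register(s)
DISCOVERY_FUNCTIONS = {17, 43}          # report server ID / read device identification

# Constructed flow log, one record per line: "timestamp src dst proto function_code".
# An HMI (10.0.0.10) polls two PLCs with read requests; later a write request and
# a previously unseen host (10.0.0.55) appear. All addresses are made up.
SAMPLE_LOG = """\
2021-05-03T08:00:00 10.0.0.10 10.0.1.20 modbus 3
2021-05-03T08:00:01 10.0.0.10 10.0.1.21 modbus 4
2021-05-03T08:00:02 10.0.0.10 10.0.1.20 modbus 3
2021-05-03T08:00:03 10.0.0.10 10.0.1.21 modbus 4
2021-05-03T09:12:44 10.0.0.10 10.0.1.20 modbus 16
2021-05-03T09:13:01 10.0.0.55 10.0.1.21 modbus 43
2021-05-03T09:13:05 10.0.0.55 10.0.1.21 modbus 3
"""

Flow = Tuple[str, str, str, str, int]
Baseline = Dict[Tuple[str, str], Set[int]]


def parse_flow(line: str) -> Flow:
    """Split one constructed log line into (timestamp, src, dst, proto, function_code)."""
    ts, src, dst, proto, func = line.split()
    return ts, src, dst, proto, int(func)


def learn_baseline(lines: List[str], until: str) -> Baseline:
    """Record which function codes each (src, dst) pair used before `until`.
    ISO-8601 timestamps of equal length compare correctly as plain strings."""
    baseline: Baseline = defaultdict(set)
    for ts, src, dst, _proto, func in map(parse_flow, lines):
        if ts < until:
            baseline[(src, dst)].add(func)
    return dict(baseline)


def classify(func: int) -> str:
    """Label a function code that a known pair has not used before."""
    if func in WRITE_FUNCTIONS:
        return "new-write"        # a host that only read now writes: impair process control
    if func in DISCOVERY_FUNCTIONS:
        return "new-discovery"    # identification requests: discovery
    return "new-function"


def detect(lines: List[str], baseline: Baseline, since: str) -> List[Tuple[str, str, str]]:
    """Flag every flow at or after `since` that deviates from the learned baseline.
    A firewall allowing these hosts and TCP/502 would pass all of them."""
    alerts: List[Tuple[str, str, str]] = []
    for ts, src, dst, _proto, func in map(parse_flow, lines):
        if ts < since:
            continue
        pair = (src, dst)
        if pair not in baseline:
            alerts.append((ts, "new-pair",
                           f"{src} -> {dst} never talked during baseline (function {func})"))
        elif func not in baseline[pair]:
            alerts.append((ts, classify(func),
                           f"{src} -> {dst} used function {func} for the first time"))
    return alerts


def run_example(cutoff: str = "2021-05-03T09:00:00") -> List[Tuple[str, str, str]]:
    """Learn from records before `cutoff`, then inspect everything from `cutoff` on."""
    lines = SAMPLE_LOG.splitlines()
    baseline = learn_baseline(lines, until=cutoff)
    return detect(lines, baseline, since=cutoff)


if __name__ == "__main__":
    for ts, kind, detail in run_example():
        print(f"{ts} {kind:14} {detail}")
```

The learning window is the weak spot of any baseline approach: if the attacker is already active while the baseline is recorded, their traffic becomes "normal", so the window should be reviewed against engineering change records rather than accepted blindly. Splitting the learning and detection phases into two functions, as above, makes the baseline a reviewable artifact.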
Both the Cyber Kill Chain® and MITRE ATT&CK® illustrate how multilayered cyberattacks can be. While many unspecific attacks are usually intercepted by firewalls, sophisticated attacks from Advanced Persistent Threats use a variety of methods to bypass established security measures. Since time is often not critical, the attack is incremental, cautious, and carried out in stealth mode, concealing activity from firewalls and traditional intrusion detection systems. We will illustrate how such an attack could take place on the following pages.