MITRE, partners design Defending OT with ATT&CK, set to bolster security posture across critical installations
Non-profit organization MITRE’s Center for Threat-Informed Defense, in collaboration with AttackIQ, Booz Allen Hamilton, Ensign InfoSecurity, Global Cyber Alliance, and Siemens, has created Defending OT with ATT&CK to identify and defend against adversarial techniques that impact operations on critical infrastructure. MITRE assesses that, by identifying the threat landscape and communicating adversary behaviors affecting IT (information technology) and OT (operational technology) systems, organizations can evaluate and employ security controls for real-world adversary behaviors targeting those environments.

MITRE created three resources to identify assets and technologies in complex IT/OT environments and present a comprehensive approach to identifying adversarial behaviors targeting those systems: a threat model methodology, a reference architecture, and a threat collection of unique adversary behaviors. The information is essential for implementing defensive measures against the techniques adversaries use on critical infrastructure.

“Critical infrastructure such as electrical generation facilities, water treatment plants, and transportation systems are a lifeline for our communities,” Mike Cunningham, R&D program manager in the Center for Threat-Informed Defense at MITRE Engenuity, along with Adrian Garcia Gonzalez and Tiffany Bergeron, wrote in a Thursday Medium post. “Unfortunately, this dependence has made critical infrastructure a prime target for threat actors. Furthermore, these systems often lack security measures we see in enterprise networks, making them easier to attack,” the authors added.

Defending OT with ATT&CK provides a customized collection of MITRE ATT&CK techniques tailored to the attack surface and threat model for OT environments. Historical attacks against OT and adversarial techniques contained in ATT&CK for Enterprise, ATT&CK for ICS (industrial control systems), and other relevant ATT&CK platforms were analyzed to identify and define a reference architecture and threat collection of techniques adversaries could use within an IT/OT hybrid architecture. The resultant resources can be used by organizations that use OT to evaluate and employ security controls for real-world adversary behaviors targeting those environments.

The MITRE engineers wrote that to ensure a thorough analysis and documentation of potential adversarial techniques, this research project developed a methodology to model threats to a hybrid IT/OT environment that includes multiple domains and provides a customizable and repeatable framework for analyzing and building threat collections. The methodology expands the Center’s Defending IaaS with ATT&CK approach by presenting a comprehensive view of adversary behavior that could impact overall operations within a hybrid IT/OT environment.

For Defending OT with ATT&CK, the engineers wrote, “We applied this methodology to identify the assets that constitute the attack surface of a hybrid IT/OT environment. From these assets, we developed the reference architecture. We then established selection criteria to assess the threats posed by each one of these technologies based on relevant factors, such as operating system risks or industrial control system (ICS) processes affected.”

The methodology proceeds in steps. First, identify the security boundaries and understand the technologies that form the architecture. Next, generate a comprehensive picture of adversarial risks: include CTI (cyber threat intelligence) sources for the listed assets, then identify which adversarial risks apply to the scenario and asset at hand and omit irrelevant sources. Subsequently, operators of IT/OT environments review and evaluate the adversarial techniques for each asset to curate the final collection, and assemble those techniques into a custom threat collection to share throughout the organization.

To determine the attack surface where a threat actor can generate a cyber effect, MITRE has developed a reference architecture to visualize the technologies within an IT/OT environment. In defining architectural assets, “we considered several factors to ensure comprehensive coverage of risks – evaluate the boundaries between IT and OT systems; identify relevant attack vectors; and understand the adversary’s goals when targeting assets that could disrupt or impact operations.”

The Medium post recognized that this reference architecture provides a common, reusable view of assets and technologies used in IT/OT environments where a threat actor can impact operations. “It serves as a framework for depicting assets through functional components across the technology stack of an OT environment in hierarchical levels. All assets depicted in the architecture were mapped to ATT&CK for Enterprise’s platforms or ATT&CK for ICS’ assets, with nine hybrid assets overlapping techniques from multiple domains of ATT&CK.” 

Additionally, the architecture aids in evaluating security boundaries between different operational zones and assessing plausible attack vectors between IT and OT assets.

The Defending OT with ATT&CK threat collection is a set of ATT&CK techniques tailored to the attack surface and threat model for OT environments. To identify and define this multi-domain collection, the engineers analyzed adversarial tactics, techniques, and procedures (TTPs) as contained in ATT&CK for Enterprise, ATT&CK for ICS, and other relevant ATT&CK datasets such as Cloud and Containers. The threat collection is designed to evaluate, plan, and employ mitigating security controls for adversarial techniques within an IT/OT architecture.

“We utilized the Center’s ATT&CK Workbench to build a custom collection of threats based on a compilation of real-world adversary behaviors documented in ATT&CK v15,” the engineers disclosed. “ATT&CK Workbench provides the flexibility and customization needed to identify specific adversarial risks associated with the 20 architectural assets outlined in the reference architecture. This process resulted in a comprehensive threat collection comprising 251 techniques and 441 sub-techniques.” 

They added that the ATT&CK Workbench streamlined the analysis of threats and facilitated the communication of various risks for each asset. “Additionally, we created a custom threat collection that can be exported and shared as a STIX bundle.”
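As an added illustration of the workflow the article describes (map each architectural asset to the techniques it exposes, flag hybrid assets whose techniques span more than one ATT&CK domain, and export the curated set as a STIX bundle), the following Python sketch is not MITRE's code or ATT&CK Workbench output. The assets, platform mappings and technique records are constructed sample data, simplified from the shape of ATT&CK's STIX objects.

```python
import uuid

# Constructed sample data (not MITRE's reference architecture or collection):
# each asset maps to the ATT&CK platforms it exposes, per ATT&CK domain.
ASSET_MAP = {
    "Engineering Workstation": {"enterprise-attack": ["Windows"],
                                "ics-attack": ["Engineering Workstation"]},
    "Data Historian": {"enterprise-attack": ["Linux"],
                       "ics-attack": ["Data Historian"]},
    "Corporate Mail Server": {"enterprise-attack": ["Office 365"]},
    "PLC": {"ics-attack": ["Field Controller/RTU/PLC/IED"]},
}
# Simplified technique records (constructed; real ATT&CK STIX carries the same data).
TECHNIQUES = [
    {"id": "T1059", "name": "Command and Scripting Interpreter",
     "domain": "enterprise-attack", "platforms": ["Windows", "Linux", "macOS"]},
    {"id": "T1566", "name": "Phishing", "domain": "enterprise-attack",
     "platforms": ["Windows", "Linux", "macOS", "Office 365"]},
    {"id": "T0886", "name": "Remote Services", "domain": "ics-attack",
     "platforms": ["Engineering Workstation", "Data Historian"]},
    {"id": "T0855", "name": "Unauthorized Command Message",
     "domain": "ics-attack", "platforms": ["Field Controller/RTU/PLC/IED"]},
]

def select_techniques(asset_map, techniques):
    """Return ({asset: sorted technique ids}, {assets hit from >1 domain})."""
    per_asset, hybrid = {}, set()
    for asset, domains in asset_map.items():
        hits = [t for t in techniques
                if set(domains.get(t["domain"], [])) & set(t["platforms"])]
        per_asset[asset] = sorted(t["id"] for t in hits)
        if len({t["domain"] for t in hits}) > 1:  # hybrid IT/OT asset
            hybrid.add(asset)
    return per_asset, hybrid

def build_stix_bundle(per_asset, techniques):
    """Assemble the curated techniques into a shareable STIX 2.1 bundle."""
    objects = []
    for t in techniques:
        assets = sorted(a for a, ids in per_asset.items() if t["id"] in ids)
        if not assets:  # no asset in the architecture exposes this technique
            continue
        objects.append({"type": "attack-pattern", "spec_version": "2.1",
                        "id": f"attack-pattern--{uuid.uuid4()}", "name": t["name"],
                        "external_references": [{"source_name": "mitre-attack",
                                                 "external_id": t["id"]}],
                        "x_mitre_domains": [t["domain"]],
                        "x_mitre_platforms": t["platforms"],
                        "x_assets": assets})  # custom property: affected assets
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

Serialising the returned bundle with `json.dumps` yields a file that STIX-aware tools can ingest; the `x_assets` property is a custom field added here to keep the asset-to-technique mapping alongside each technique.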

Organizations looking to tailor the research to their specific needs can view the collection of techniques using the latest version of ATT&CK Workbench. These resources offer a template for organizations looking to extend the approach to their own use cases. These include threat intelligence mapping, which leverages real-world threats to understand how adversarial behaviors might impact assets across an environment, and red teaming and penetration testing, which use strategic adversary simulations and scenarios to comprehensively evaluate real-world risk across the attack surface.

Additionally, security architecture and operations teams can use the resources to develop capabilities for effective threat hunting, response to malicious activity, and eradication of threats within an IT/OT ecosystem. The resources also support collaborative cyber tabletop exercises that assess adversarial risks and compare them with the organization’s existing security technologies.

Last month, MITRE announced a call for intelligence contributions for ATT&CK Evaluations addressing ICS, to enrich its emulation. The enhanced insight from contributors enables a more holistic emulation approach that reflects the breadth of adversary behaviors. Round 2 of the ICS evaluations will focus on evaluating product capabilities against adversary behavior inspired by insider attacks within the ICS/OT domain.