| 1 |
© 2017 The MITRE Corporation. All rights reserved. Approved for Public Release – Case Number 17-4211
Otis Alexander
Dec 2017
ICS ATT&CK
| 2 |
Some Overview
ATT&CK is a curated knowledge base and model for cyber
adversary behavior, reflecting the various phases of an
adversary’s lifecycle and the platforms they are known to
target.
ATT&CK is useful for understanding security risk against
known adversary behavior, for planning security
improvements, and verifying defenses work as expected.
| 3 |
Bianco’s Pyramid of Pain
Source: David Bianco
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
| 4 |
Hard Questions
▪ How do I implement TTP-based detection?
▪ How effective is my defense?
▪ What is my detection coverage against APT29?
▪ Is the data I’m collecting useful?
▪ Do I have overlapping sensor coverage?
▪ Is the new product from vendor XYZ of any benefit to my organization?
| 5 |
Cyber Attack Lifecycle
Lifecycle phases (left to right): Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
Figure labels: Traditional CND; ATT&CK™
146 days - the median time an adversary is in a network before being detected (Mandiant, M-Trends 2016)
Cyber Attack Lifecycle: The MITRE Corporation https://www.mitre.org/capabilities/cybersecurity/threat-based-defense
| 6 |
ATT&CK: Deconstructing the Lifecycle
Tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control
▪ Threat data informed adversary model
▪ Higher fidelity on right-of-exploit, post-access phases
▪ Describes behavior sans adversary tools
▪ Working with world-class researchers to improve and expand
| 7 |
ATT&CK Matrix for Enterprise (Last updated July 2017)
[Figure: ATT&CK Matrix for Enterprise. Columns (tactics): Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control. The technique cells were extracted without their column positions and are omitted here.]
| 8 |
Example of Technique Details – Persistence: New Service
– Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
– Platform: Windows
– Permissions required: Administrator, SYSTEM
– Effective permissions: SYSTEM
– Detection:
▪ Monitor service creation through changes in the Registry and common utilities using command-line invocation
▪ Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
▪ Monitor processes and command-line arguments for actions that could create services
– Mitigation:
▪ Limit privileges of user accounts and remediate Privilege Escalation vectors
▪ Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
– Data Sources: Windows Registry, process monitoring, command-line parameters
– Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
– CAPEC ID: CAPEC-550
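As an added example (not from the slides or from MITRE), the three detection bullets above turned into code: it runs command-line, registry and service-install checks over constructed Sysmon/System-log records and then groups hits by service name, which also answers the earlier "overlapping sensor coverage" question for this one technique. The event shapes and field names, the regexes and the user-writable-path heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

TECHNIQUE = "Persistence: New Service"

# Constructed sample telemetry (not real data): simplified records shaped like
# Sysmon process creation (EventID 1), Sysmon registry value set (EventID 13)
# and the System log's "service was installed" record (EventID 7045).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc.exe create "UpdaterSvc" binPath= "C:\Users\Public\upd.exe" start= auto'},
    {"source": "Sysmon", "event_id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "target_object": r"HKLM\System\CurrentControlSet\Services\UpdaterSvc\ImagePath",
     "details": r"C:\Users\Public\upd.exe"},
    {"source": "System", "event_id": 7045, "service_name": "UpdaterSvc",
     "image_path": r"C:\Users\Public\upd.exe", "start_type": "auto start"},
    {"source": "Sysmon", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe readme.txt"},
    {"source": "Sysmon", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\sc.exe", "command_line": "sc.exe query wuauserv"},
]

# Command lines that create a service via sc.exe, PowerShell or reg.exe.
CREATE_CMD_PATTERNS = [
    re.compile(r"(?i)\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\b"),   # sc [\\host] create
    re.compile(r"(?i)\bNew-Service\b"),                           # PowerShell cmdlet
    re.compile(r"(?i)\breg(?:\.exe)?\s+add\s+\S*\\services\\"),   # reg add ...\Services\
]
SC_SERVICE_NAME = re.compile(r'(?i)\bcreate\s+"?(?P<name>[^\s"]+)')
SC_BIN_PATH = re.compile(r'(?i)binpath=\s*"?(?P<path>[^"]+)')
# Registry write that sets a service binary (ImagePath under the Services key).
SERVICE_IMAGE_PATH = re.compile(r"(?i)\\services\\(?P<name>[^\\]+)\\ImagePath$")
# Heuristic for this example only: service binaries launched from these
# user-writable locations deserve a closer look than ones under System32.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Finding:
    service: str        # service name as seen by this sensor ("?" if not parseable)
    data_source: str    # which sensor produced the evidence
    reason: str
    suspicious_path: bool


def _from_user_writable(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(USER_WRITABLE_PREFIXES)


def detect(events):
    """Apply the three detection ideas from the technique page to a list of events."""
    findings = []
    for ev in events:
        src, eid = ev.get("source"), ev.get("event_id")
        if src == "Sysmon" and eid == 1:           # process + command-line monitoring
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in CREATE_CMD_PATTERNS):
                name = SC_SERVICE_NAME.search(cmd)
                binp = SC_BIN_PATH.search(cmd)
                findings.append(Finding(
                    name.group("name") if name else "?", "command-line parameters",
                    f"service creation command by {ev.get('user')}: {cmd}",
                    bool(binp) and _from_user_writable(binp.group("path"))))
        elif src == "Sysmon" and eid == 13:        # Windows Registry monitoring
            m = SERVICE_IMAGE_PATH.search(ev.get("target_object", ""))
            if m:
                findings.append(Finding(
                    m.group("name"), "Windows Registry",
                    f"ImagePath set to {ev.get('details')}",
                    _from_user_writable(ev.get("details", ""))))
        elif src == "System" and eid == 7045:      # service control manager log
            findings.append(Finding(
                ev.get("service_name", "?"), "System log EventID 7045",
                f"service installed: {ev.get('image_path')} ({ev.get('start_type')})",
                _from_user_writable(ev.get("image_path", ""))))
    return findings


def coverage(events):
    """Group findings by service so overlapping sensor coverage becomes visible:
    one service seen by several independent data sources is a high-confidence hit."""
    per_service = defaultdict(lambda: {"sources": set(), "suspicious_path": False})
    for f in detect(events):
        entry = per_service[f.service]
        entry["sources"].add(f.data_source)
        entry["suspicious_path"] = entry["suspicious_path"] or f.suspicious_path
    return {
        name: {"sources": sorted(v["sources"]),
               "overlapping": len(v["sources"]) > 1,
               "suspicious_path": v["suspicious_path"]}
        for name, v in per_service.items()
    }


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{TECHNIQUE}] {f.service:<12} {f.data_source:<24} {f.reason}")
    for name, info in coverage(SAMPLE_EVENTS).items():
        print(name, info)
```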
| 9 |
Use Cases
▪ Threat Intelligence
– Track a specific adversary’s set of techniques
– Information sharing
▪ Security Engineering
– Gap analysis with current defenses
– New technologies
– Research
▪ Operations
– Prioritization
– Detection
– Hunting
– Adversary Emulation
| 10 |
Notional Defense Gaps
[Figure: ATT&CK Enterprise matrix shaded as a notional defense-gap heat map. Columns (tactics): Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control. Legend: High Confidence, Med Confidence, No Confidence. The cell shading is not recoverable from the extracted text.]
| 11 |
Techniques: Deep Panda with Malware
[Figure: ATT&CK Enterprise matrix with the techniques attributed to Deep Panda (including its malware) highlighted. Columns (tactics): Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control. Legend entry: Deep Panda 28. The highlighted cells are not recoverable from the extracted text.]
| 12 |
Adversary Emulation
▪ Common threat model used by both sides
▪ Test individual patterns of behavior, focusing on defense effectiveness
– Identify whether detection data sources, analytics and mitigations work
– Identify gaps in visibility, defensive tools and process
– Address gaps together with defenders
– Re-test with varied behavior over time
[Figure: ATT&CK Enterprise matrix used to illustrate adversary emulation coverage. Columns (tactics): Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control. Cell positions and shading are not recoverable from the extracted text.]
| 13 |
ICS ATT&CK Background
▪ ATT&CK covers the IT networks associated with Industrial Control Systems (ICS) but does not address OT networks
▪ Can ATT&CK be extended with additional tactics and techniques to address adversarial behavior in OT networks?
| 14 |
ICS Architecture
"NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses", Technical report Idaho National Laboratory (INL), May 2010.
| 15 |
Generating Tactics and Techniques
▪ Research papers
▪ Research organizations (SANS, ICS-CERT, NIST, CRED-C, Symantec)
– Assessment lessons learned
– Incident analysis
– Best practices
– Risk analysis
▪ Repository of Industrial Security Incidents
▪ Notional attacks
▪ Safety/Hazard/Failure analysis
| 16 |
Tactics
▪ Operator and Defense Evasion
– How can we fool the operator into thinking everything is OK?
– How can we fool the operator into performing the wrong action?
– How can we block the operator from being able to control the system?
▪ Disruption (Physical)
– How can we stop the process?
– How can we degrade the process?
▪ Destruction (Physical)
– How can we destroy equipment?
– How can we cause catastrophic failure?
| 17 |
ICS ATT&CK Matrix
[Figure: ICS ATT&CK Matrix (2017 draft). Columns (tactics): Persistence, Privilege Escalation, Defense and Operator Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control, Disruption, Destruction. The column positions of the technique cells are not recoverable from the extracted text. ICS-specific technique names that appear in the matrix include: Alternate Modes of Operation, API Interaction, Block Comm Port, Block Command Message, Block Reporting Message, Control Process, Default Credentials, Device Shutdown, Firmware, I/O Module Enumeration, Inhibit Security Tools/System, Interactive Service, Intercept Multi-Factor Authentication, Loadable Module, Location Identification, Man in the Middle, Memory Residence, Modify Account, Modify Control Logic, Modify Event Log, Modify Event Log Settings, Modify HMI/Historian Reporting, Modify Parameter, Modify Physical Device Display, Modify Reporting Message, Modify Reporting Settings, Modify Security Settings, Modify System Settings, Modify Tag, Module Firmware, Network Enumeration, Non-Interactive Service, Password Manager, Role Identification, Serial Connection Enumeration, Spoof Command Message, Spoof Reporting Message, Virtual Terminal Services.]
| 18 |
CrashOverride
[Figure: the ICS ATT&CK Matrix from the previous slide with the techniques attributed to CrashOverride highlighted. The highlighted cells are not recoverable from the extracted text.]
| 19 |
Stuxnet
[Figure: the ICS ATT&CK Matrix with the techniques attributed to Stuxnet highlighted. The highlighted cells are not recoverable from the extracted text.]
| 20 |
Maroochy
[Figure: the ICS ATT&CK Matrix with the techniques attributed to the Maroochy incident highlighted. The highlighted cells are not recoverable from the extracted text.]
Services
Multiband
CommunicationModify Control Logic Modify Parameter
Web Shell Modify Event Log Private KeysSerial Connection
EnumerationThird-party Software Multilayer Encryption Modify Parameter
Modify Physical
Device Display
Modify Event Log
Settings
Virtual Terminal
ServicesRemote File Copy
Modify Physical
Device Display
Modify Reporting
Message
Modify HMI/Historian
ReportingWeb Shell
Standard Application
Layer Protocol
Modify Reporting
Message
Modify Reporting
Settings
Modify ParameterStandard Cryptographic
Protocol
Modify Reporting
SettingsModify Tag
Modify Physical
Device Display
Standard Non-
Application Layer
Protocol
Modify System
SettingsModule Firmware
Modify Reporting
MessageUncommonly Used Port Modify Tag Rootkit
Modify Reporting
SettingsVirtual Terminal Services Module Firmware
Spoof Command
Message
Modify Security
SettingsWeb Service Rootkit
Spoof Reporting
Message
Modify System
Settings
Spoof Command
Message
Modify TagSpoof Reporting
Message
Rootkit
Spoof Reporting
Message
Taint Shared Content
| 21 |
Goal and Approach
▪ Goal: An affordable, secure, and resilient Operational Technology (OT) infrastructure across the Electric Power, Gas, Water and Transportation sectors
▪ Approach
- Develop a practical cyber adversary model for OT systems
• Identify common adversary techniques across sector OT infrastructures (initial focus is on ICS/SCADA systems)
- Apply best practices for creating and operating an OT SOC tailored for ICS/SCADA environments to other environments
• Initial focus is on intrusion detection
• Enhance monitoring techniques of ICS/SCADA environments
• Advance cyber analytics to detect attack patterns against ICS
• Mature incident analysis and response for ICS networks
• Goal: automate response to the greatest extent possible
• Facilitate threat sharing within and across sectors
• Identify cyber defense best practices to increase resilience
| 22 |
Use Case Technical Approach
ICS ATT&CK Tactics
• Persistence
• Privilege Escalation
• Defense and Operator Evasion
• Credential Access
• Discovery
• Lateral Movement
• Execution
• Collection
• Exfiltration
• Command and Control
• Physical Disruption
• Physical Destruction
1. Analysis of ICS vulnerabilities and attacks
2. Extend ATT&CK to ICS
3. Build ICS Adversary Model - ICS ATT&CK
4. Develop ICS adversary emulation
5. Identify/develop/configure sensor technologies
6. Develop analytics for detection
7. Cyber games for validation (adversary emulation)
8. Validate technical architecture, capabilities in representative test environment
9. Operational initiatives
[Figure: ICS ATT&CK matrix, with the same tactic columns (Persistence through Destruction) and technique cells as the matrix on the Maroochy slide; the cell layout did not survive extraction.]
| 23 |
Adversary Emulation and Analytic Development Cycle
[Figure: cycle diagram with the stages Identification of Use Cases/Adversary Model (ATT&CK); What questions do we want to ask?; Sensor Architecture; Analytic Development; Adversary Emulation/Red Team; Blue Team; What did we miss?]
| 24 |
Use Case: Breaker Trip with No Voltage Change
Description: An adversary may reverse the substation breaker status provided to the
substation control center HMI from open to closed or closed to open. During normal
operations when there is a short circuit fault on the power system, current flow increases
and the voltage level decreases. The protective device will sense the change and interrupt
the current by opening the relay. If there was no voltage change, then the breaker should
not have tripped.
▪ State of System: breaker open, no voltage
▪ Operator view: breaker closed, voltage nominal
Adversary: With a presence on the OT or IT network, the adversary may accomplish this by initiating a command to change the state of a breaker, followed by performing a man-in-the-middle attack to mask the status feedback to the control center from the breaker upstream of the substation RTAC/RTU.
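One way to turn this use case into a check, added here as an example and not taken from the MITRE slides: it compares the breaker state the HMI shows against two field references, the breaker auxiliary contact and the PT voltage, and separately flags a closed-to-open transition that no fault signature (voltage sag or current surge) precedes. The field names, the nominal voltage and thresholds, and the sample scans are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Snapshot:
    """One scan of the feeder (constructed for this example, not a real capture)."""
    t: int                # scan sequence number
    hmi_closed: bool      # breaker state as shown on the control center HMI
    field_closed: bool    # breaker auxiliary contact read at the substation tap
    voltage_kv: float     # bus voltage from the PT
    current_a: float      # line current from the CT


NOMINAL_KV = 13.8                 # assumed nominal bus voltage for this feeder
DEAD_BUS_KV = 0.1 * NOMINAL_KV    # below this the bus is treated as de-energized
SAG_KV = 0.8 * NOMINAL_KV         # voltage depression that accompanies a fault
FAULT_CURRENT_A = 2000.0          # assumed pickup level for fault current


def view_mismatches(scans: List[Snapshot]) -> List[int]:
    """Scans where the operator's view contradicts the field.

    Two independent references are checked, the auxiliary contact and the
    PT voltage, so a spoofed status message has to lie consistently to both.
    """
    out: List[int] = []
    for s in scans:
        energized = s.voltage_kv > DEAD_BUS_KV
        if s.hmi_closed != s.field_closed or s.hmi_closed != energized:
            out.append(s.t)
    return out


def fault_signature(s: Snapshot) -> bool:
    """A protective trip should be preceded by a voltage sag or a current surge."""
    return s.voltage_kv < SAG_KV or s.current_a >= FAULT_CURRENT_A


def unexplained_trips(scans: List[Snapshot], window: int = 2) -> List[int]:
    """Closed-to-open transitions with no fault signature in the preceding scans."""
    out: List[int] = []
    for i in range(1, len(scans)):
        tripped = scans[i - 1].field_closed and not scans[i].field_closed
        if not tripped:
            continue
        recent = scans[max(0, i - window):i]
        if not any(fault_signature(s) for s in recent):
            out.append(scans[i].t)
    return out


# Constructed sample: a commanded open with spoofed feedback (t=3..4),
# followed by a genuine fault-driven trip that is reported honestly (t=7..8).
SAMPLE = [
    Snapshot(1, True, True, 13.8, 400.0),
    Snapshot(2, True, True, 13.8, 410.0),
    Snapshot(3, True, False, 0.1, 0.0),     # breaker opened, HMI still shows closed
    Snapshot(4, True, False, 0.0, 0.0),
    Snapshot(5, False, False, 0.0, 0.0),    # HMI finally agrees with the field
    Snapshot(6, True, True, 13.8, 400.0),
    Snapshot(7, True, True, 9.5, 3200.0),   # short-circuit fault: sag plus current surge
    Snapshot(8, False, False, 0.0, 0.0),    # protective trip, reported correctly
]

if __name__ == "__main__":
    print("operator view contradicts field at scans:", view_mismatches(SAMPLE))
    print("trips with no preceding fault at scans:", unexplained_trips(SAMPLE))
```

The two checks are deliberately independent: the first catches the "operator view: breaker closed, voltage nominal" discrepancy even if only one of the two field references is available, and the second catches the trip itself when the HMI-side status has been masked, since it works from the substation-side contact and the CT/PT analogs rather than from the reported status.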
| 25 |
Adversary Emulation and Analytic Development Cycle (diagram repeated from slide 23)
| 26 |
Use Case: Adversary Emulation
▪ Adversary Goal
– Shut down power without the operator knowing
▪ Tactics
– Operator and Defense Evasion
– Disruption
▪ Techniques
– Man in the Middle
– Spoof Command Message
▪ Commands the device to open the breaker, shutting power off to customers
– Modify Reporting Message
▪ Hides the status of the breaker from the operator
| 27 |
Use Case: Operate Relay, Spoofing Device Messages
[Figure: ICS ATT&CK matrix, with the same tactic columns (Persistence through Destruction) and technique cells as the matrix on the Maroochy slide; the cell layout did not survive extraction.]
| 28 |
Adversary Emulation
[Figure: substation test environment. Substation side: Substation Relay (IED), RTU, Substation Breaker with CTs & PTs (analog and discrete inputs). Control Center side: HMI, MTU, OPC, Historian. DNP3/IP links between them, with two network taps (Tap #1, Tap #2). Sensor data (Historian, Network Sensors, Other Sensors) feeds an Event Parsing & Ingest, Data Store, Monitoring/Detect, Visualization and Analytics Postprocessing pipeline built from open source and commercial products. The adversary's position and an "Emulate Observable" point are marked on the diagram.]
Step 1: Inject/Craft Valid Packet to RTU
Step 2: RTU forwards command to IED
Step 3: IED responds to RTU with status changes
Step 4: Modify existing packet
Step 5: Manipulate packet to not reflect proper status of IED
| 29 |
Adversary Emulation and Analytic Development Cycle (diagram repeated from slide 23)
| 30 |
Sensor Architecture
[Figure: the substation test environment (Substation Relay (IED), RTU, Substation Breaker, CTs & PTs with analog and discrete inputs; HMI, MTU, OPC and Historian at the Control Center; DNP3/IP links; Tap #1 and Tap #2) with the Sensor Locations marked. Historian, Network Sensors and Other Sensors feed the Event Parsing & Ingest, Data Store, Monitoring/Detect, Visualization and Analytics Postprocessing pipeline of open source and commercial products.]
| 31 |
Adversary Emulation and Analytic Development Cycle (diagram repeated from slide 23)
| 32 |
Analytic Development
[Figure: the substation test environment (Substation Relay (IED), RTU, Substation Breaker, CTs & PTs with analog and discrete inputs; HMI, MTU, OPC and Historian at the Control Center; DNP3/IP links; Tap #1 and Tap #2, adversary position marked). Historian, Network Sensors and Other Sensors feed the Event Parsing & Ingest, Data Store, Monitoring/Detect, Visualization and Analytics Postprocessing pipeline of open source and commercial products.]
| 33 |
Analytic, Spoofing Control Signals
▪ An adversary may try to bypass controls at a higher level by injecting a command to an IED or RTU at a level closer to the device.
▪ Uses data from Tap #2
▪ Pseudo Code
    if DNP3Packet.type == Command
        if DNP3Packet.dstIP != LastPacket.srcIP
            Alert! No matching upstream command!
        if DNP3Packet.timestamp + timewindow < LastPacket.timestamp
            Alert! No matching upstream command within timewindow!
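A runnable version of this correlation, added here as an example and not taken from the slides: every command seen on the tap nearer the device is paired with a command seen on the tap nearer the control center, using the source/destination addresses, the control point and the operation, and the two alerts from the pseudocode are raised when no pairing exists or when the only candidate lies outside the time window. Which tap is "upstream", the field names, the requirement that the downstream copy appear no earlier than and within window_s after the upstream command, the one-to-one pairing (so a replay without a fresh operator action alerts), and the sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

UPSTREAM = "upstream"      # tap between control center and RTU (assumption)
DOWNSTREAM = "downstream"  # tap between RTU and IED (assumption)


@dataclass(frozen=True)
class Dnp3Event:
    """Fields a tap sensor would export for one DNP3 message (constructed, not a real parser)."""
    ts: float    # capture time in seconds
    tap: str     # UPSTREAM or DOWNSTREAM
    src: str     # source address as seen on that link (IP or DNP3 link address)
    dst: str     # destination address as seen on that link
    kind: str    # "command" or "response"
    point: int   # control point index, e.g. the breaker's control relay output
    op: str      # control operation, e.g. "LATCH_OFF" (open) or "LATCH_ON" (close)


def correlate_commands(events: List[Dnp3Event], window_s: float = 5.0) -> List[str]:
    """Alert on downstream commands that no upstream command accounts for.

    Assumed normal flow: the control center issues a command to the RTU
    (seen on the upstream tap) and, within window_s, the RTU forwards the
    same point/operation to the IED (seen on the downstream tap) with the
    RTU as source. Each upstream command explains at most one downstream
    command, so a repeated downstream command without a new upstream one
    also alerts.
    """
    alerts: List[str] = []
    pending: List[Dnp3Event] = []   # upstream commands not yet matched
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "command":
            continue
        if ev.tap == UPSTREAM:
            pending.append(ev)
            continue
        same = [u for u in pending
                if u.dst == ev.src and u.point == ev.point and u.op == ev.op]
        in_window = [u for u in same if 0.0 <= ev.ts - u.ts <= window_s]
        if in_window:
            pending.remove(max(in_window, key=lambda u: u.ts))
        elif same:
            last = max(same, key=lambda u: u.ts)
            alerts.append(f"t={ev.ts}: {ev.src}->{ev.dst} point {ev.point} {ev.op}: "
                          f"no matching upstream command within {window_s}s (last at t={last.ts})")
        else:
            alerts.append(f"t={ev.ts}: {ev.src}->{ev.dst} point {ev.point} {ev.op}: "
                          f"no matching upstream command")
    return alerts


# Constructed addresses and traffic for the example.
CC, RTU, IED, ROGUE = "10.1.0.10", "10.2.0.20", "10.2.0.30", "10.2.0.99"
SAMPLE_EVENTS = [
    Dnp3Event(10.0, UPSTREAM, CC, RTU, "command", 3, "LATCH_OFF"),
    Dnp3Event(10.2, DOWNSTREAM, RTU, IED, "command", 3, "LATCH_OFF"),    # legitimate forward
    Dnp3Event(10.5, DOWNSTREAM, IED, RTU, "response", 3, "LATCH_OFF"),   # responses are ignored
    Dnp3Event(45.0, DOWNSTREAM, RTU, IED, "command", 3, "LATCH_OFF"),    # repeat with no operator action
    Dnp3Event(80.0, UPSTREAM, CC, RTU, "command", 5, "LATCH_ON"),
    Dnp3Event(95.0, DOWNSTREAM, RTU, IED, "command", 5, "LATCH_ON"),     # too late to be the same action
    Dnp3Event(120.0, DOWNSTREAM, ROGUE, IED, "command", 3, "LATCH_OFF"), # source is not the RTU
]

if __name__ == "__main__":
    for line in correlate_commands(SAMPLE_EVENTS):
        print("ALERT", line)
```

The window has to be chosen from the observed RTU forwarding latency; too small a value turns routine store-and-forward delay into alerts, too large a value lets a delayed replay ride on an old operator command.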
| 34 |
Analytic Example: Change Feedback
▪ An adversary may try to hide their activity by changing the feedback from the IED
▪ Uses data from Ethernet and serial tap
▪ Pseudo Code
    if Tap1DNP3Packet.type == Binary_Status
        get Tap2DNP3Packet.type = Binary_Status
        if Tap1DNP3Packet.NumBinary != Tap2DNP3Packet.NumBinary
            Alert! Data may have been removed!
        for BinaryValue in Tap1DNP3Packet:
            if BinaryValue != Tap2DNP3Packet.binaryValue
                Alert! Data has been changed!
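The same comparison as running code, added here as an example and not taken from the slides: Binary_Status reports are paired across the serial (IED-side) and Ethernet (control-center-side) taps, then checked first for a differing number of points and then point by point, mirroring the two alerts in the pseudocode; a report seen on the serial tap that never appears on the Ethernet tap is reported as well. Pairing by application sequence number, the field names and the sample reports are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BinaryStatus:
    """A Binary_Status report as decoded at one tap (constructed for this example).

    seq is the DNP3 application-layer sequence number, used here to pair the
    copy seen on the IED-side serial tap with the copy seen on the Ethernet
    tap toward the control center.
    """
    seq: int
    points: Tuple[bool, ...]   # binary input values in point-index order


def compare_status(serial: BinaryStatus, ethernet: BinaryStatus) -> List[str]:
    """Differences between what the IED sent and what the control center will see."""
    alerts: List[str] = []
    if len(serial.points) != len(ethernet.points):
        alerts.append(f"seq {serial.seq}: data may have been removed "
                      f"({len(serial.points)} points at serial tap, "
                      f"{len(ethernet.points)} at Ethernet tap)")
    # Compare the points both copies carry; a dropped point was flagged above.
    for idx, (a, b) in enumerate(zip(serial.points, ethernet.points)):
        if a != b:
            alerts.append(f"seq {serial.seq}: point {idx} changed from {a} to {b}")
    return alerts


def compare_taps(serial_pkts: List[BinaryStatus],
                 ethernet_pkts: List[BinaryStatus]) -> List[str]:
    """Pair reports across the two taps by sequence number and compare each pair."""
    by_seq: Dict[int, BinaryStatus] = {p.seq: p for p in ethernet_pkts}
    alerts: List[str] = []
    for s in serial_pkts:
        e = by_seq.get(s.seq)
        if e is None:
            alerts.append(f"seq {s.seq}: report seen at serial tap never reached the Ethernet tap")
            continue
        alerts.extend(compare_status(s, e))
    return alerts


# Constructed sample: point 0 is the breaker status (True = closed).
SERIAL_TAP = [
    BinaryStatus(7, (False, True, True)),    # IED reports the breaker open
    BinaryStatus(8, (False, True, True)),
    BinaryStatus(9, (True, True, False)),
    BinaryStatus(10, (True, True, False)),
]
ETHERNET_TAP = [
    BinaryStatus(7, (True, True, True)),     # point 0 flipped to "closed" in transit
    BinaryStatus(8, (True, True)),           # one point dropped and point 0 flipped
    BinaryStatus(9, (True, True, False)),    # unchanged
]                                            # seq 10 never forwarded

if __name__ == "__main__":
    for line in compare_taps(SERIAL_TAP, ETHERNET_TAP):
        print("ALERT", line)
```

Because the serial tap sits between the IED and the RTU, a man-in-the-middle on the Ethernet side cannot alter what that tap records; the comparison therefore only needs the two sensors to agree on which report is which, which is why the pairing key matters more than the packet timing.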
| 35 |
FY18 Objectives
| 36 |
FY18 Objectives
▪ Extend and validate the existing Industrial Control Systems (ICS) ATT&CK model by applying it to the oil and gas industry.
▪ Develop a reference sensor architecture specific to oil and gas control systems that meets the unique requirements of the environment, to detect adversaries and enable advanced analytics.
▪ Expand existing ICS analytics to cover TTPs in ICS ATT&CK for oil and gas using both cyber and physical sensors.
▪ Develop best practices for monitoring and responding to cyber incidents within operational technology (OT) environments.
| 37 |
Application to Oil and Gas
▪ Extend and refine the existing ICS adversary model by exploring the oil and gas industry.
– Assist in prioritizing network defenses that address hazard-inducing techniques by:
▪ Identifying methods to derive disruption and destruction techniques from domain-specific hazard and safety analysis studies.
– Facilitate the early detection of adversary persistent presence and the proliferation of such presence by:
▪ Identifying techniques that adversaries use to persist on industrial automation devices.
▪ Identifying techniques that adversaries use to pivot from one industrial automation device to another.
▪ Through our review of the oil and gas industry, identify common artifacts generated by adversary TTPs described in the model that are shared between different ICS sectors and can inform the continued development of a reference sensor architecture and analytic framework.
| 38 |
Oil and Gas - Areas of Interest
▪ Pipeline management, control and safety
– Compressor, Metering, Valve stations
▪ Pressure balancing to make certain that pressure setpoints are correct
▪ Flow monitoring
▪ Leak detection
▪ Safety systems used to ensure that the systems shut down in case of malfunctions and out-of-bounds conditions
– High Integrity Pressure Protection System (HIPPS)
– Pneumatic Controls
| 39 |
Approach – Bowtie Method
https://www.cgerisk.com/knowledgebase/images/1/14/Bowtie_Diagram.png
| 40 |
Approach – Utilize Safety Studies
▪ IEC 61508 - Functional Safety - Electrical/Electronic/Programmable Electronic Safety-related Systems
▪ IEC 61511 - Functional safety - Safety instrumented systems for the process industry sector
▪ Hazard and Operability Study (HAZOP), Probabilistic Risk Assessment (PRA), Failure Mode and Effects Analysis (FMEA)
▪ Event trees, Fault trees
▪ Post-incident investigations
| 41 |
Approach – Utilize Hardware in the Loop
http://www.hil-simulation.com/home/hil-testing.html
| 42 |
Questions?