MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that models adversaries' behavior as seen in the wild. It has been widely adopted in the security community as one of the key resources for security teams to test for and defend against known threats and adversaries. While initially created out of a need to categorize actions in adversary emulation, it has become an essential tool for defenders to support a more focused and threat-informed defense approach.
The ATT&CK Matrix for Enterprise is already available in IriusRisk. It provides threats (mapped from techniques and sub-techniques), mitigations, and even data sources and detections. More details about the Enterprise matrix and how it is mapped to an IriusRisk library can be found here.
MITRE ATT&CK for ICS
Industrial control systems (ICS) include all devices, systems, networks, or controls used to operate or automate processes in the industrial sector and critical infrastructures. Facilities that leverage the MITRE ATT&CK framework will build a better understanding and tracking of their cyber exposure and mitigations, from a real-world perspective.
A recent survey, from the cybersecurity vendor Nozomi Networks and the SANS Institute, shows how MITRE ATT&CK gap analysis is important to improve coverage against attacker techniques and tactics observed in the wild. For instance, only 4% of respondents have reported full coverage of the techniques under the "initial access" tactic! We have built the MITRE ATT&CK for ICS library in IriusRisk to help our customers assess and improve the coverage across the entire kill chain of the ICS matrix.
What does the library include?
The MITRE ATT&CK framework is a living project, constantly updated with new data from attacks and adversaries in the wild. For instance, it has recently added the "Hardcoded Credentials" technique to the ICS matrix, which, incidentally, is one of the top vulnerabilities reported in CISA ICS advisories in 2022.
The IriusRisk library of the MITRE ATT&CK framework for ICS includes up-to-date tactics, techniques (the ICS matrix does not currently include any sub-techniques), as well as mitigations and data sources. The source is the STIX data representing MITRE ATT&CK and hosted in GitHub. The library includes the ICS tactics (mapped into Risk Patterns in IriusRisk), associated techniques (mapped into use cases and threats), and their mitigations. Figures 1 and 2 show the original ICS matrix and the mapping in IriusRisk.
Figure 1. The MITRE ATT&CK ICS Matrix.
Figure 2. The MITRE ATT&CK ICS Matrix in IriusRisk.
How to use it in IriusRisk?
IriusRisk provides the IEC 62443 library, parts 3-3 (Network and System Security) and 4-2 (Security for Industrial Automation and Control Systems), which address the security requirements for ICS systems and components. When threat modeling ICS systems, this library provides detailed security requirements associated with the seven foundational requirements, initially described in the IEC 62443 part 1-1, and used throughout the standard series.
Now, suppose you build a threat model of a simple configuration that includes a PLC, an actuator, and an engineering workstation that allows USB connections (Figure 3.). IriusRisk and the IEC 62443 library will automatically generate the security requirements, threats, and associated mitigations. The flexibility of IriusRisk, however, still allows importing data from additional sources, in this case, the MITRE ATT&CK library.
Figure 3. A simple ICS configuration.
Import a MITRE AT&ACK technique to a component
This is useful to add or assess against a particular MITRE ATT&CK threat. For instance, in case it is a mobile laptop, you may want to add the ‘Transient Cyber Asset (T0864)’ threat to the Engineering Workstation component (Figure 4.). In fact, if this critical asset is a transient device, and can travel throughout facility sites outside of the protection of a segmented plant network, it might necessitate additional mitigations from real-world attacks and adversaries documented in MITRE ATT&CK. Similarly, the ‘Replication Through Removable Media (T0847)’ technique can also be added to address real-world threats associated with the USB connection.
Figure 4. Adding a MITRE ATT&CK threat to a component.
Import a MITRE ATT&CK tactic to a component
This is useful to assess an entire MITRE ATT&CK tactic coverage associated with a system component. For instance, you might want to assess an asset managing or connected to your industrial network against the techniques under "initial access", or your field controllers/PLCs against techniques under the "Execution" tactic. This is done prior to generating threat models and will be reusable across threat models (Figure 5.). In fact, an ATT&CK tactic is represented as a risk pattern in IriusRisk, which is a reusable collection of use cases, threats, and mitigations that are automatically imported into your threat model at the inclusion of the associated component.
Figure 5. Adding an entire MITRE ATT&CK tactic to a component.
Leveraging the MITRE ATT&CK framework has become one of the most efficient ways to operationalize threat intelligence and threat hunting. MITRE ATT&CK is helping security teams focus on what matters to assess the organization's risk and to more accurately know what to prioritize. The MITRE ATT&CK libraries in IriusRisk allow shifting this discussion further left and incorporate this knowledge base into the design input for your systems and environments from their development, through their deployment, and their entire lifecycle.