SlideShare a Scribd company logo

MITRE ATT&CK Updates: ICS

M
MITRE ATT&CK

Jake Steele is the lead for MITRE's ATT&CK for ICS framework. He discusses why ATT&CK for ICS was created to address differences between IT and operational technology (OT) environments. The framework models adversary behavior using techniques and relates them to targeted ICS assets. Assets were identified by surveying control systems and mapping devices to their functional roles. The framework can be used for threat modeling, defense analysis, and education. Future work includes expanding sector coverage and incorporating standard mitigation approaches.

Technology
1 of 20
Downloaded 84 times
1
2
3
4
5
6
7
8
Most read
9
10
11
12
Most read
13
Most read
14
15
16
17
18
19
20
MITRE ATT&CK® Updates: ICS Jake Steele: ICS ATT&CK Lead, MITRE © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Who am I? Part of ATT&CK for ICS’s original creation § Co-author to the ATT&CK for ICS philosophy https://my.aacsb.edu/Portals/0/assets/images/contact/George-Mason-University.png and have too many hobbies.. © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Why do we need an ATT&CK for ICS? Enterprise ATT&CK ICS ATT&CK Process Basic Control Area Control Operations Management Supervisory Control Enterprise Systems Level 5 Level 4 Level 3 Level 2 Level 1 Level 0 IT OT Source: Purdue Model, http://www.pera.net/Pera/PurdueReferenceModel/ReferenceModel.pdf © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
What's different about ATT&CK for ICS? § Adversary motivations are different § Objective depends on target § Interaction with physical world § Technologies are different § Protocols vary by sector § Different ways of defending them © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Assets © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Why do we need Assets in ICS? § Lots of industries § Assets and their functional roles § Process context & physics § Different dependencies, concerns, names, and definitions https://advantidge.com/wp-content/uploads/2022/02/critical-infrastructure-security.png © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
How we went about it 1. Identify based on CTI § Survey, much like mapping for techniques 2. Research and refine based on Industry standard definitions and names § NIST 800-82 § ISA 62443 § Device vendor documentation https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf https://web-assets.esetstatic.com/wls/2017/06/Win32_Industroyer.pdf © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
How we went about it 3. Perform analysis based on device features to associate with ATT&CK Techniques § Device Hardware § Wireless, USB, Modules, etc. § Software § Operating system(s), security features, § Architecture features § Network connectivity § Network Services § Intended Functional Role © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
What it looks like © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
What it looks like © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
What it looks like © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
How you can use this § Similar use cases to the rest of ATT&CK, we just removed some manual steps § Adversary emulation § Defense gap analysis § Cyber Threat Intelligence enrichment* § Failure scenario development § Educational resource § Augment your threat modeling efforts with an Asset-based focus § Utilize as a common lexicon for talking across industrial sectors or to describe risk to leadership § Underrepresented and unreported sectors © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
What's Next § Include additional data related to Asset and Technique relationships § Engage with the community § Direct feedback about the current baseline § Interest in engaging with underrepresented sectors © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Applying Industry Standards to ATT&CK Techniques © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Original Understanding Based on Threat Reporting § Based on public reporting for ICS incidents this was the initial view: © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Applying PLC Standards to Improve Understanding § IEC 61131: Programmable controllers – Part 3: Programming languages § Defines the program languages used within PLC § Underlying structures that should built into the controllers © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
Applying Standards to Mitigations Communicate defenses leveraging standards that the ICS community is already using § IEC 62443 3-3, 4-2 § NIST 800-53 © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
The Future © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
What’s next? § Improving cross-domain capability within ATT&CK § Continued campaign adoption § Triton next on the list § Expanding coverage of Asset sectors © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
© 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11. https://attack.mitre.org attack@mitre.org @mitreattack Jake Steele

More Related Content

PDF
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
MITRE ATT&CK
 
PDF
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK
 
PDF
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
MITRE ATT&CK
 
PDF
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
MITRE ATT&CK
 
PDF
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
CISA usage of ATT&CK in Cybersecurity Advisories
MITRE ATT&CK
 
PDF
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
MITRE ATT&CK
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
MITRE ATT&CK
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
MITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
MITRE ATT&CK
 
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
CISA usage of ATT&CK in Cybersecurity Advisories
MITRE ATT&CK
 
MITRE ATT&CK Framework
n|u - The Open Security Community
 

What's hot (20)

PDF
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
PDF
Updates from the Center for Threat-Informed Defense
MITRE ATT&CK
 
PDF
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
MITRE ATT&CK
 
PDF
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
MITRE ATT&CK
 
PDF
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
MITRE ATT&CK
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
PDF
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK
 
PDF
ATT&CKcon Intro
MITRE ATT&CK
 
PDF
Threat Modelling - It's not just for developers
MITRE ATT&CK
 
PDF
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 
PDF
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
MITRE ATT&CK
 
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
PDF
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
MITRE ATT&CK
 
PPTX
ATT&CKing with Threat Intelligence
Christopher Korban
 
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
PDF
Automating the mundanity of technique IDs with ATT&CK Detections Collector
MITRE ATT&CK
 
PDF
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
MITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
PDF
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
PDF
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
Updates from the Center for Threat-Informed Defense
MITRE ATT&CK
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
MITRE ATT&CK
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
MITRE ATT&CK
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
MITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK
 
ATT&CKcon Intro
MITRE ATT&CK
 
Threat Modelling - It's not just for developers
MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
MITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
MITRE ATT&CK
 
ATT&CKing with Threat Intelligence
Christopher Korban
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
MITRE ATT&CK
 
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Ad

Similar to MITRE ATT&CK Updates: ICS (20)

PDF
State of the ATT&CK May 2023
Adam Pennington
 
PDF
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK
 
PDF
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
Marina Krotofil
 
PPTX
Introduction to ThousandEyes
ThousandEyes
 
PDF
Challenges and Best Practices for Securing Modern Operational Technology Netw...
Enterprise Management Associates
 
PDF
Prisma Cloud - CyberTech ID Forum 24.pdf
satrioyoyo
 
PPTX
Introduction to ThousandEyes
ThousandEyes
 
PDF
philip_industry zero trust presentation ppt
JayLewis40
 
PPTX
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
PPTX
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
PPTX
Introduction to ThousandEyes
ThousandEyes
 
PDF
Cybridge Secure Content Filter for SCADA Networks
George Wainblat
 
PDF
CABA Whitepaper - Cybersecurity in Smart Buildings
Iron Mountain
 
PDF
MITRE ATT&CK Updates: Software
MITRE ATT&CK
 
PDF
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET Journal
 
PPTX
Cisco ucs overview ibm team 2014 v.2 - handout
Sarmad Ibrahim
 
PDF
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
IRJET Journal
 
PPTX
emea_cisco_live_webinar_150623.pptx
ThousandEyes
 
PDF
Reimagining the multi-tenant network - presented by Marvell.pdf
BillChen166362
 
PDF
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Hamilton
 
State of the ATT&CK May 2023
Adam Pennington
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
Marina Krotofil
 
Introduction to ThousandEyes
ThousandEyes
 
Challenges and Best Practices for Securing Modern Operational Technology Netw...
Enterprise Management Associates
 
Prisma Cloud - CyberTech ID Forum 24.pdf
satrioyoyo
 
Introduction to ThousandEyes
ThousandEyes
 
philip_industry zero trust presentation ppt
JayLewis40
 
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
Introduction to ThousandEyes
ThousandEyes
 
Cybridge Secure Content Filter for SCADA Networks
George Wainblat
 
CABA Whitepaper - Cybersecurity in Smart Buildings
Iron Mountain
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET Journal
 
Cisco ucs overview ibm team 2014 v.2 - handout
Sarmad Ibrahim
 
MULTI-FACTOR AUTHENTICATION SECURITY FRAMEWORK USING BlOCKCHAIN IN CLOUD COMP...
IRJET Journal
 
emea_cisco_live_webinar_150623.pptx
ThousandEyes
 
Reimagining the multi-tenant network - presented by Marvell.pdf
BillChen166362
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Hamilton
 
Ad

More from MITRE ATT&CK (20)

PDF
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
MITRE ATT&CK
 
PDF
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
MITRE ATT&CK
 
PDF
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
MITRE ATT&CK
 
PDF
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
MITRE ATT&CK
 
PDF
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
MITRE ATT&CK
 
PDF
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
MITRE ATT&CK
 
PDF
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
MITRE ATT&CK
 
PDF
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
MITRE ATT&CK
 
PDF
Every Cloud Has a Purple Lining - Arun Seelagan
MITRE ATT&CK
 
PDF
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
MITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
MITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Lightning Talks - Various Speakers
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Enterprise - Casey Knerr
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Software - Jared Ondricek
MITRE ATT&CK
 
PDF
State of the ATT&CK 2024 - Adam Pennington
MITRE ATT&CK
 
PDF
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
MITRE ATT&CK
 
PDF
Updates from The Center for Threat Informed Defense - Jon Baker
MITRE ATT&CK
 
PDF
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
MITRE ATT&CK
 
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
MITRE ATT&CK
 
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
MITRE ATT&CK
 
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
MITRE ATT&CK
 
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
MITRE ATT&CK
 
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
MITRE ATT&CK
 
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
MITRE ATT&CK
 
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
MITRE ATT&CK
 
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
MITRE ATT&CK
 
Every Cloud Has a Purple Lining - Arun Seelagan
MITRE ATT&CK
 
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
MITRE ATT&CK
 
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
MITRE ATT&CK
 
ATT&CKcon 5.0 Lightning Talks - Various Speakers
MITRE ATT&CK
 
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
MITRE ATT&CK
 
MITRE ATT&CK Updates: Enterprise - Casey Knerr
MITRE ATT&CK
 
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
MITRE ATT&CK
 
MITRE ATT&CK Updates: Software - Jared Ondricek
MITRE ATT&CK
 
State of the ATT&CK 2024 - Adam Pennington
MITRE ATT&CK
 
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
MITRE ATT&CK
 
Updates from The Center for Threat Informed Defense - Jon Baker
MITRE ATT&CK
 
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
MITRE ATT&CK
 

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Approach and Philosophy of On baking technology
30anthuong17
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 

MITRE ATT&CK Updates: ICS

  • 1. MITRE ATT&CK® Updates: ICS Jake Steele: ICS ATT&CK Lead, MITRE © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 2. Who am I? Part of ATT&CK for ICS’s original creation § Co-author to the ATT&CK for ICS philosophy https://my.aacsb.edu/Portals/0/assets/images/contact/George-Mason-University.png and have too many hobbies.. © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 3. Why do we need an ATT&CK for ICS? Enterprise ATT&CK ICS ATT&CK Process Basic Control Area Control Operations Management Supervisory Control Enterprise Systems Level 5 Level 4 Level 3 Level 2 Level 1 Level 0 IT OT Source: Purdue Model, http://www.pera.net/Pera/PurdueReferenceModel/ReferenceModel.pdf © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 4. What's different about ATT&CK for ICS? § Adversary motivations are different § Objective depends on target § Interaction with physical world § Technologies are different § Protocols vary by sector § Different ways of defending them © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 5. Assets © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 6. Why do we need Assets in ICS? § Lots of industries § Assets and their functional roles § Process context & physics § Different dependencies, concerns, names, and definitions https://advantidge.com/wp-content/uploads/2022/02/critical-infrastructure-security.png © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 7. How we went about it 1. Identify based on CTI § Survey, much like mapping for techniques 2. Research and refine based on Industry standard definitions and names § NIST 800-82 § ISA 62443 § Device vendor documentation https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf https://web-assets.esetstatic.com/wls/2017/06/Win32_Industroyer.pdf © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 8. How we went about it 3. Perform analysis based on device features to associate with ATT&CK Techniques § Device Hardware § Wireless, USB, Modules, etc. § Software § Operating system(s), security features, § Architecture features § Network connectivity § Network Services § Intended Functional Role © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 9. What it looks like © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 10. What it looks like © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 11. What it looks like © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 12. How you can use this § Similar use cases to the rest of ATT&CK, we just removed some manual steps § Adversary emulation § Defense gap analysis § Cyber Threat Intelligence enrichment* § Failure scenario development § Educational resource § Augment your threat modeling efforts with an Asset-based focus § Utilize as a common lexicon for talking across industrial sectors or to describe risk to leadership § Underrepresented and unreported sectors © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 13. What's Next § Include additional data related to Asset and Technique relationships § Engage with the community § Direct feedback about the current baseline § Interest in engaging with underrepresented sectors © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 14. Applying Industry Standards to ATT&CK Techniques © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 15. Original Understanding Based on Threat Reporting § Based on public reporting for ICS incidents this was the initial view: © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 16. Applying PLC Standards to Improve Understanding § IEC 61131: Programmable controllers – Part 3: Programming languages § Defines the program languages used within PLC § Underlying structures that should built into the controllers © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 17. Applying Standards to Mitigations Communicate defenses leveraging standards that the ICS community is already using § IEC 62443 3-3, 4-2 § NIST 800-53 © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 18. The Future © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 19. What’s next? § Improving cross-domain capability within ATT&CK § Continued campaign adoption § Triton next on the list § Expanding coverage of Asset sectors © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11.
  • 20. © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-11. https://attack.mitre.org attack@mitre.org @mitreattack Jake Steele