FireEye Proposes ATT&CK Matrix for Converged Enterprise and ICS


FireEye’s Mandiant Threat Intelligence and MITRE have collaborated on a new visualization that combines the two separate Enterprise ATT&CK and ICS ATT&CK threat knowledge bases into a single holistic view covering both IT and OT attack behaviors.

In creating its ICS ATT&CK matrix, MITRE stressed that it is necessary to understand both Enterprise ATT&CK and ICS ATT&CK to accurately track threat actor behaviors during OT incidents. But just as the historical divide between IT and OT can lead to a lack of visibility between the two, so too can the separation of ATT&CK into Enterprise and ICS lead to a lack of visibility into attacker behaviors.

The problem is concentrated on what FireEye describes as ‘intermediary systems’. These may structurally be part of OT, but still run on standard enterprise operating systems. They are used to control the ICS equipment, and consequently run non-enterprise software. Enterprise ATT&CK can map attacker behavior up to the intermediary systems, but loses visibility in the handover to ICS. The difficulty in providing a complete view of attack behavior is that the majority of a sophisticated attack’s behavior is found within the intermediary systems.

“Over the past 5 to 10 years,” Nathan Brubaker, senior manager at Mandiant Threat Intelligence, told SecurityWeek, “every sophisticated ICS attack event we have observed has passed through these intermediary systems on their way to impacting ICS. This includes malware like Stuxnet, Triton and most others. Ninety to ninety-five percent of threat actor activity occurs on these intermediary systems.” So this is the most likely place you are going to find ICS attackers, and the best opportunity to stop them. Once they get past the intermediary systems and actually into the PLCs, there is little that can be done, and you are in trouble. While MITRE, he continued, “has highlighted that Enterprise and ICS should be used and viewed together, from our use case as a security vendor, we think it is more useful and practical to merge the two into one holistic view.”


While you can map a lot of the attackers’ intermediary activity in Enterprise, you will primarily see standard IT attacks, such as data theft. But you will not be able to map the attacks against ICS systems that start from here. For example, an HMI could be used to shut down an OT process and impact the ICS, and you will not be able to map that in Enterprise.

To make matters worse, said Brubaker, “attackers are increasingly directly targeting the intermediary systems. One recent example was the attack on an Israeli water system in Spring 2020 that started with a direct attack against the intermediary systems. In this case it was a Windows machine running HMI software that was connected to the internet without authentication. Such things can easily be found in Shodan.”

In a blog posted Wednesday, FireEye describes its work on a new single matrix visualization. “It takes into consideration MITRE’s current work in progress aimed at creating a STIX representation of ATT&CK for ICS, incorporating ATT&CK for ICS into the ATT&CK Navigator tool, and representing the IT elements of ICS attacks in ATT&CK for Enterprise. As a result, this proposal focuses not only on data accuracy, but also on the tools and data formats available for users.”

ICS ATT&CK contains details of TTPs that describe threats to ICS, such as PLCs and other embedded systems, but by design does not include the intermediary systems that run on standard enterprise operating systems. By the time the attacker reaches the PLCs, there is little that can be done; it is pretty much game over. It is better, therefore, to be able to see the attack holistically from the IT network, through the intermediary systems, and into the ICS systems.

To achieve this holistic view of the full OT attack lifecycle, Mandiant Threat Intelligence has proposed a hybrid matrix comprising four kinds of cells: ICS/Enterprise overlap, ICS/Enterprise sub-technique overlap, ICS only, and Enterprise only techniques.

“It presents a holistic view of an incident involving both ICS and Enterprise tactics and techniques throughout the attack lifecycle,” says Mandiant Threat Intelligence.
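To make the four cell types concrete, here is an added example of how the two knowledge bases can be merged into that hybrid view. It is illustrative code written for this article, not FireEye/Mandiant’s or MITRE’s tooling. The technique entries are a small constructed sample, and the ICS-to-Enterprise cross-references in `XREF` are assumptions made for the example (MITRE’s STIX data carries such links as relationship objects, and a real implementation would read them from there). The incident timeline at the bottom is likewise constructed, loosely modelled on the exposed-HMI case described above, to show how a single view keeps the handover from IT through the intermediary systems into ICS in one place.

```python
"""Hybrid Enterprise + ICS ATT&CK view (added example, not FireEye or MITRE code).

Technique entries are a constructed sample; XREF is an assumed set of
ICS -> Enterprise cross-references for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Category(str, Enum):
    """The four cell types of the proposed hybrid matrix."""
    OVERLAP = "ICS/Enterprise overlap"
    SUB_OVERLAP = "ICS/Enterprise sub-technique overlap"
    ICS_ONLY = "ICS only"
    ENTERPRISE_ONLY = "Enterprise only"


@dataclass(frozen=True)
class Technique:
    tid: str      # ATT&CK ID, e.g. "T1078" (Enterprise) or "T0859" (ICS)
    name: str
    domain: str   # "enterprise" or "ics"
    tactic: str   # tactic short name in that domain's matrix


# Constructed sample: Enterprise techniques seen on IT and intermediary systems.
ENTERPRISE = [
    Technique("T1566.001", "Spearphishing Attachment", "enterprise", "initial-access"),
    Technique("T1190", "Exploit Public-Facing Application", "enterprise", "initial-access"),
    Technique("T1078", "Valid Accounts", "enterprise", "persistence"),
    Technique("T1059", "Command and Scripting Interpreter", "enterprise", "execution"),
    Technique("T1021", "Remote Services", "enterprise", "lateral-movement"),
    Technique("T1486", "Data Encrypted for Impact", "enterprise", "impact"),
]

# Constructed sample: ICS techniques, including some that exist only in ICS ATT&CK.
ICS = [
    Technique("T0865", "Spearphishing Attachment", "ics", "initial-access"),
    Technique("T0883", "Internet Accessible Device", "ics", "initial-access"),
    Technique("T0859", "Valid Accounts", "ics", "persistence"),
    Technique("T0853", "Scripting", "ics", "execution"),
    Technique("T0886", "Remote Services", "ics", "lateral-movement"),
    Technique("T0855", "Unauthorized Command Message", "ics", "impair-process-control"),
    Technique("T0831", "Manipulation of Control", "ics", "impact"),
]

# Assumed ICS -> Enterprise cross-references. A target containing "." is an
# Enterprise sub-technique, which is what makes a cell "sub-technique overlap".
XREF = {
    "T0865": "T1566.001",
    "T0859": "T1078",
    "T0853": "T1059",
    "T0886": "T1021",
}


def classify(enterprise, ics, xref):
    """Assign every technique ID to one of the four hybrid-matrix categories."""
    cats = {}
    for t in ics:
        target = xref.get(t.tid)
        if target is None:
            cats[t.tid] = Category.ICS_ONLY
        elif "." in target:
            cats[t.tid] = Category.SUB_OVERLAP
        else:
            cats[t.tid] = Category.OVERLAP
    enterprise_of = {ent: ics_id for ics_id, ent in xref.items()}
    for t in enterprise:
        # An Enterprise technique referenced from ICS shares its ICS partner's cell.
        cats[t.tid] = cats[enterprise_of[t.tid]] if t.tid in enterprise_of else Category.ENTERPRISE_ONLY
    return cats


def hybrid_matrix(enterprise, ics, xref):
    """Build {tactic: [(category, ids, name), ...]}, one cell per behavior.

    Overlapping ICS/Enterprise pairs collapse into one cell keyed by the ICS
    tactic, so the merged view does not list the same behavior twice.
    """
    cats = classify(enterprise, ics, xref)
    matrix = defaultdict(list)
    for t in ics:
        ids = (t.tid, xref[t.tid]) if t.tid in xref else (t.tid,)
        matrix[t.tactic].append((cats[t.tid], ids, t.name))
    referenced = set(xref.values())
    for t in enterprise:
        if t.tid not in referenced:
            matrix[t.tactic].append((cats[t.tid], (t.tid,), t.name))
    return dict(matrix)


def map_incident(observed_ids, enterprise, ics, xref):
    """Label each observed technique with its hybrid category, keeping the
    handover from IT, through the intermediary systems, into ICS in one timeline."""
    cats = classify(enterprise, ics, xref)
    names = {t.tid: t.name for t in enterprise + ics}
    return [(tid, names[tid], cats[tid].value) for tid in observed_ids]


if __name__ == "__main__":
    # Constructed timeline: internet-facing Windows HMI, credential use and
    # scripting on that intermediary host, then commands to the controllers.
    timeline = ["T0883", "T1078", "T1059", "T0855", "T0831"]
    for tid, name, cat in map_incident(timeline, ENTERPRISE, ICS, XREF):
        print(f"{tid:10} {name:34} [{cat}]")
```

The point of the merged cell is visible in the `persistence` row: Valid Accounts appears once, carrying both its ICS and Enterprise IDs, instead of being tracked in one matrix and lost in the other. In the timeline, the two “ICS only” steps at the end are exactly the behavior that an Enterprise-only mapping would drop at the handover.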

Such a holistic view is becoming increasingly important. While attacks against ICS systems specifically designed to cause physical damage remain relatively rare because of the difficulty, cost and resources needed to develop them (largely limiting them to nation-state attackers), common criminals are increasingly targeting ICS systems with ransomware to increase the likelihood of a substantial extortion payment.

“The threat actors don’t see two separate networks,” explained Brubaker, “they just see networks and targets; and they don’t really care how they get there. Consider financial threat actors,” he added; “they are not necessarily targeting ICS, but the targets they are going after have ICS and they are interacting with these to get what they want — for example by deploying ransomware in these systems to increase the ransom. By looking at it holistically, we can start to bridge that divide between Enterprise and ICS, and not drop the ball between the two. The hybrid model won’t stop attacks against ICS, but will increase knowledge and understanding of how such attacks unfold; and will help defenders prepare against future attacks — for example in writing rules for anomaly detection systems that can detect an attack in progress likely to impact ICS in time to stop it.”

Related: ‘Industroyer’ ICS Malware Linked to Ukraine Power Grid Attack

Related: German Experts See Russian Link in Deadly Hospital Hacking

Related: ICS-Targeting Snake Ransomware Isolates Infected Systems Before Encryption

Related: Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
