Using the MITRE ATT&CK Framework to Accelerate & Simplify OT/IoT Threat Response

Security Teams Are Unable to Respond Quickly to Increasing Complexity and Diversity of Cyberattacks

Bad actors are targeting converged OT/IoT environments with a growing array of threats, including malware, ransomware, and IoT botnets. Unfortunately, security teams often lack a consistent method for categorizing cyberattack activity directed at OT/IoT environments and understanding its significance.

When analysts detect potentially malicious activity, many rely on ad-hoc investigation and classification techniques to determine whether the activity is malicious and how it relates to the overall attack chain.

Fortunately, MITRE created the ATT&CK Framework for ICS (based on its well-known ATT&CK Frameworks for Enterprise and Mobile) to address this situation. The framework gives SOC analysts and incident responders a fast and effective methodology for understanding the significance of any behavior detected in OT environments. It categorizes malicious activity into 11 tactics that describe each step of the attack chain, from “Initial Access” to “Impact”. Within those 11 tactics are approximately 100 separate techniques, each with a detailed description of the specific threat it represents.

Nozomi Networks’ integration with the MITRE framework helps SOC analysts understand the significance of any behavior detected by Guardian and its role in the overall attack chain.

Accelerate Your Threat Response By Using Guardian’s Integrated Support for the MITRE ATT&CK Framework for ICS

To help speed your threat response, Nozomi Networks incorporates the MITRE ATT&CK Framework for ICS into its alerting capabilities. The integration provides immediate context by associating malicious behavior with one or more techniques in the attack chain. This context reduces the additional research SOC analysts must do to understand the significance of the behavior and helps close knowledge gaps that may exist among SOC staff.

For example, a request to stop a process could be part of an attack using the well-known TRITON malware, which targets industrial processes. When Nozomi Networks detects an attempt to stop a process, it generates an “OT Device Stop Request” alert. The alert identifies the corresponding MITRE ATT&CK for ICS technique, Change Program State (T875), which is associated with both the Execution and Impair Process Control tactics.

Example of an “OT Device Stop Request” alert identifying potentially malicious behavior targeting an OT device, including alert details and attack analysis.
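The enrichment step described above, as an added illustration that is not Nozomi Networks code: it attaches the page's T875 mapping to an alert, keeps unmapped alerts visible for triage, and places the observed tactics on the 11-stage ATT&CK for ICS chain (the tactic order and the sample alerts are assumptions constructed here).

```python
"""Enrich alerts with ATT&CK for ICS context and place them on the attack chain."""
from dataclasses import dataclass, field
from typing import Optional

# The 11 ATT&CK for ICS tactics in attack-chain order, Initial Access to Impact
# (assumption: the tactic order of the framework version described on the page).
ICS_TACTICS = [
    "Initial Access", "Execution", "Persistence", "Evasion", "Discovery",
    "Lateral Movement", "Collection", "Command and Control",
    "Inhibit Response Function", "Impair Process Control", "Impact",
]

# Alert name -> (technique id, technique name, tactics). Only the mapping the
# page states is included; a deployment would carry the vendor's full table.
ALERT_TO_TECHNIQUE = {
    "OT Device Stop Request": ("T875", "Change Program State",
                               ["Execution", "Impair Process Control"]),
}

@dataclass
class EnrichedAlert:
    name: str
    asset: str
    technique_id: Optional[str] = None   # None means "unmapped, needs analyst triage"
    technique: Optional[str] = None
    tactics: list = field(default_factory=list)

def enrich(alert: dict) -> EnrichedAlert:
    """Attach technique and tactic context; unmapped alerts are kept, not dropped."""
    e = EnrichedAlert(name=alert["name"], asset=alert["asset"])
    hit = ALERT_TO_TECHNIQUE.get(alert["name"])
    if hit:
        e.technique_id, e.technique, e.tactics = hit[0], hit[1], list(hit[2])
    return e

def chain_summary(alerts: list) -> dict:
    """Report which chain stages were observed, how far the activity reached,
    and which intermediate stages produced no alert (possible visibility gaps)."""
    seen = {t for a in alerts for t in a.tactics}
    ordered = [t for t in ICS_TACTICS if t in seen]
    skipped = []
    if len(ordered) > 1:
        lo, hi = ICS_TACTICS.index(ordered[0]), ICS_TACTICS.index(ordered[-1])
        skipped = [t for t in ICS_TACTICS[lo:hi + 1] if t not in seen]
    return {
        "tactics_in_chain_order": ordered,
        "furthest_stage": ordered[-1] if ordered else None,
        "stages_without_alerts": skipped,
        "unmapped_alerts": [a.name for a in alerts if a.technique_id is None],
    }

if __name__ == "__main__":
    # Constructed sample alerts, not real Guardian output.
    sample = [{"name": "OT Device Stop Request", "asset": "plc-01"},
              {"name": "Unknown Protocol Variant", "asset": "rtu-07"}]
    print(chain_summary([enrich(a) for a in sample]))
```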

Instrument Your OT/IoT Network Against Emerging Threats with Threat Intelligence

The Threat Intelligence service keeps your Guardian appliances updated against the latest threats so you can detect and respond to vulnerabilities and emerging threats faster.

Guardian correlates continuously updated Threat Intelligence and Asset Intelligence with broader environmental behavior to deliver maximum security and visibility.