Using the MITRE ATT&CK Framework to Accelerate & Simplify OT/IoT Threat Response
Security Teams Are Unable to Respond Quickly to Increasing Complexity and Diversity of Cyberattacks
Bad actors are targeting converged OT/IoT environments with an increasing array of threats including malware, ransomware, and IoT botnets. Unfortunately, security teams often lack a consistent method of categorizing cyberattack activity directed towards OT/IoT environments, and understanding its significance.
When analysts detect potentially malicious activity, many rely on ad-hoc investigation and classification techniques to determine whether the activity is malicious, and how it relates to the overall attack chain.
Fortunately, MITRE created a MITRE ATT&CK Framework for ICS (based on its well-known MITRE ATT&CK Framework for Enterprise and Mobile) to help with this situation. The framework provides a fast and effective methodology for SOC analysts and incident responders to understand the significance of any behavior detected in OT environments. It categorizes malicious activity into 11 tactics that describe each step of the attack chain, from “Initial Access” to “Impact”. Within those 11 categories are approximately 100 separate techniques that include detailed descriptions of the specific threat represented by each technique.
Accelerate Your Threat Response By Using Guardian’s Integrated Support for the MITRE ATT&CK Framework for ICS
To help speed your threat response, Nozomi Networks incorporates the MITRE ATT&CK Framework for ICS into its alerting capabilities. The integration provides immediate context by associating malicious behavior with one or more techniques in the attack chain. This context reduces the need for additional research by SOC analysts to better understand the significance of the behavior and helps close any potential knowledge gaps that may exist within SOC staff.
For example, a request to stop a process could be part of an attack using well-known TRITON malware that targets industrial process. When Nozomi Networks detects an attempt to stop a process, it generates an “OT Device Stop Request” alert. Included in the alert is the identification of the appropriate technique in the MITRE ATT&CK Framework for ICS as the Change Program State technique (T875), which is associated with both Execution and Impair Process Control tactics.
Instrument Your OT/IoT Network Against Emerging Threats with Threat Intelligence
Guardian correlates continuously updated Threat Intelligence and Asset Intelligence with broader environmental behavior to deliver maximum security and visibility.
Let's get started
Discover how easy it is to anticipate, diagnose and respond to cyber threats by automating your IoT and OT asset discovery, inventory, and management.