1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
What’s New with ATT&CK® for ICS?
Otis Alexander
https://attack.mitre.org/ics
@ojalexander
4.
ATT&CK for ICS Mitigations
https://collaborate.mitre.org/attackics/index.php/Mitigations
• M0800-M0816 are new to ATT&CK for ICS
• Each mitigation has mappings to IEC 62443 and NIST SP 800-53
• Mitigations target the following stakeholders:
• Asset owner/operators
• Integrators
• Device vendors
• Security vendors
• There is a significant focus on protecting the operational and management interfaces of embedded controllers
5.
STIX and Navigator Integration
• As part of ATT&CK v8, we released ATT&CK for ICS in STIX
https://github.com/mitre/cti/tree/master/ics-attack
• A new version of ATT&CK Navigator was released as well, in which you can pick the ICS domain
https://mitre-attack.github.io/attack-navigator/
7.
Updates to Data Sources
• Maintaining visibility into ICS networks is essential for quickly detecting and remediating cyber threats.
• Understanding the various data sources that are available in ICS networks is key to this endeavor. Network traffic is a popular source of data in ICS networks, but there are other valuable sources of data that are often overlooked:
• Embedded device logs
• Application logs
• Operational databases
8.
Data Sources
Configuration
• Firmware version
• System settings
• Control logic
• Parameters
Performance and Statistics
• CPU, memory, disk, ethernet, etc.
• Network connection information
Process Information
• I/O values associated with tags
• Alarms and faults (e.g., digital fault recorder)
• Events (e.g., command execution)
• Process quality (e.g., phasor measurement unit)
Asset Management
• Condition-based monitoring
• Predictive maintenance
• Work order system
Physical
• Physical sensors (e.g., tamper detection)
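As an added example (not from the slides), the Python below shows how three of the data sources listed above can be combined in a defensive check: the Configuration data source (firmware version, control logic, mode, parameters) is diffed against a golden baseline, the Process Information events from the controllers' management interface are used to explain each change, and the Asset Management work order system decides whether the change was authorised. All controller records, events, work orders and field names are constructed for this example.

```python
"""Added example (not from the slides): baseline drift on embedded controllers,
explained through device events and approved work orders.
Every record below is CONSTRUCTED; field names are this example's assumptions."""

# Configuration data source: golden baseline captured at commissioning.
BASELINE = {
    "plc-01": {"firmware": "4.2.1", "logic_sha256": "sha256:aaaa0001", "mode": "RUN",
               "parameters": {"level_high_alarm": 90.0, "pump_max_rpm": 1450}},
    "plc-02": {"firmware": "4.2.1", "logic_sha256": "sha256:bbbb0001", "mode": "RUN",
               "parameters": {"level_high_alarm": 85.0, "pump_max_rpm": 1450}},
}

# Configuration data source: snapshot pulled later from the same management interface.
OBSERVED = {
    "plc-01": {"firmware": "4.2.1", "logic_sha256": "sha256:aaaa0002", "mode": "RUN",
               "parameters": {"level_high_alarm": 90.0, "pump_max_rpm": 1450}},
    "plc-02": {"firmware": "4.2.1", "logic_sha256": "sha256:bbbb0001", "mode": "PROGRAM",
               "parameters": {"level_high_alarm": 99.0, "pump_max_rpm": 1450}},
}

# Process Information data source: command-execution events logged by the devices.
EVENTS = [
    {"ts": "2020-10-08T09:12:00Z", "device": "plc-01", "event": "logic_download",
     "user": "eng01", "work_order": "WO-4471"},
    {"ts": "2020-10-08T11:40:00Z", "device": "plc-02", "event": "mode_change",
     "user": "svc_hmi", "work_order": None},
    {"ts": "2020-10-08T11:41:00Z", "device": "plc-02", "event": "parameter_write",
     "user": "svc_hmi", "work_order": None},
]

# Asset Management data source: the work order system's approved jobs.
WORK_ORDERS = {"WO-4471": {"device": "plc-01", "status": "approved"}}

# Which event types legitimately produce a change in each configuration field.
EXPLAINING_EVENTS = {
    "firmware": {"firmware_update"},
    "logic_sha256": {"logic_download"},
    "mode": {"mode_change"},
}


def flatten(cfg):
    """Yield (field, value) pairs, flattening parameters to 'parameters.<name>'."""
    for field, value in cfg.items():
        if field == "parameters":
            for name, pval in value.items():
                yield f"parameters.{name}", pval
        else:
            yield field, value


def config_drift(baseline, observed):
    """Return (device, field, baseline_value, observed_value) for every difference."""
    drift = []
    for device, base in baseline.items():
        bflat, cflat = dict(flatten(base)), dict(flatten(observed.get(device, {})))
        for field in sorted(set(bflat) | set(cflat)):
            if bflat.get(field) != cflat.get(field):
                drift.append((device, field, bflat.get(field), cflat.get(field)))
    return drift


def explaining_event_types(field):
    """Event types that could legitimately account for a change in `field`."""
    if field.startswith("parameters."):
        return {"parameter_write"}
    return EXPLAINING_EVENTS.get(field, set())


def triage(drift, events, work_orders):
    """Keep only drift that no approved work order on that device explains."""
    findings = []
    for device, field, old, new in drift:
        wanted = explaining_event_types(field)
        explained = any(
            e["device"] == device and e["event"] in wanted
            and e["work_order"] in work_orders
            and work_orders[e["work_order"]]["device"] == device
            and work_orders[e["work_order"]]["status"] == "approved"
            for e in events
        )
        if not explained:
            findings.append({"device": device, "field": field, "old": old, "new": new})
    return findings


if __name__ == "__main__":
    for f in triage(config_drift(BASELINE, OBSERVED), EVENTS, WORK_ORDERS):
        print(f"UNEXPLAINED {f['device']} {f['field']}: {f['old']} -> {f['new']}")
```

In the constructed data the logic download on plc-01 is tied to an approved work order and drops out of the findings, while the mode change and alarm setpoint write on plc-02 have no work order and are reported; the network traffic alone would show both as ordinary engineering-protocol sessions, which is the point the slide makes about overlooked sources.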
9.
ICS Attacks Mapped to Enterprise
• We’re currently working on mapping the following ICS attacks:
• Stuxnet
• Ukraine 2015
• Industroyer
• Triton
• Adversaries do not respect theoretical boundaries (i.e., IT/ICS), so it is important to have a deep understanding of how IT platforms are leveraged to access and impact ICS.
10.
We Need Your Help!
• How can we improve ATT&CK for ICS?
• How are you currently using mitigations?
• Do you have any opinions on our data source focus?
11.
attack@mitre.org
@MITREattack
Otis Alexander
@ojalexander