The MITRE matrix: tactics and techniques in industrial settings

Posted date 03/02/2022
Author
INCIBE (INCIBE)
MITRE matrix: TTP in ICS

The MITRE organization has developed a matrix to monitor and analyze the incidents detected in the industrial world that gathers many of the tactics, techniques and procedures used. This article intends to describe the contents of this matrix.

The ATT&CK project, presented in 2013, sought to be a standard to describe and categorize attackers’ behaviors and classify the same in tactics, techniques and procedures. The project currently has various matrices for various areas, where different tactics and techniques are collected depending on the issue addressed. The matrices are based in tactics, methods used to reach a specific target; and techniques, which define the way of carrying out specific actions or strategies in order to reach different targets defined in each tactic. Both have an associated unique identifier that allows them to be referenced without raising doubts.

Distribution of TTPs within a MITRE matrix

- Distribution of tactics and techniques within a MITRE matrix (ICS). Source: MITRE. -

Among the matrices, in addition to that related to Industrial Control Systems, others that also provide information of interest may be consulted:

  • PRE-ATT&CK – Matrix that compiles the tactics and techniques detected in some attacks and that are closely related to the first two phases (recognition and preparation) of the attack taxonomy proposed by Lockheed Martin (Cyber Kill Chain). It could be said that this matrix compiles the work done prior to the attack.
  • Enterprise – Related to attacks in corporate environments. Since corporate environments evolve as much as the technology deployed within them, different sub-matrices have been created, depending on the operating system (Windows, macOS and Linux), as well as some technologies such as the Cloud (AWS, GCP, Azure, Office 365, Azure AD, SaaS).
  • Mobile – MITRE has incorporated two specific ones within its matrices to deal with mobile devices, one related to access to devices, and the other for effects originating in the network that can be used by adversaries without access to devices. They have been defined for iOS and Android systems.

Possible uses of the matrices

Given that the matrices claim to be a knowledge base on the behaviors run by the attackers, all of its uses are focused on the exploitation of this knowledge. Both offensively, and defensively, the matrices provide a lot of information. Offensively they could be used for actions such as:

  • Pentesting tasks. Since a number of techniques are collected in the matrix, and in some cases tools are associated with them, many cybersecurity researchers can take advantage of all the collected information in order to replicate the attack technique, use the tools described, and note the detected vulnerability in their reports with reference to the applied technique.
  • Red teams. At the training level, and for describing tasks at the offensive level, the matrices provide these teams with information to follow that can be transformed into a methodology. This information can be used to simulate or emulate attacks by criminal groups with the goal of testing the defensive measures deployed in the organizations or as training for defensive equipment.
    Furthermore, the use of the tactics and techniques developed by MITRE enables organized exchanging of attack information, defensive controls and organized offensive groups or actors. This exchange guarantees the understanding between organization and Red teams when it comes time to plan actions that could impact production if we focus it on the industrial level.
    Some tools that enable the development of the aforementioned activities are:

For their part, defensively the matrices allow:

  • Detection of abnormal behavior and searching for threats (Threat Intelligence). By possessing behaviors from other previous attacks, actors or organized criminal groups, defensive equipment may be able to associate certain attackers’ characteristic behaviors and exploits. For example, on an industrial level, different cases of known malware can be consulted such as Industroyer or Crashoverride, which we’ve discussed in CrashOverride: the malware for ICS is back again.
  • Constructing measures on a defensive level. Thanks to knowledge obtained from different attacks, defensive teams can deploy more fine-tuned defensive solutions with the aim of hindering possible offensive actions. On an industrial level, among these solutions, we could talk about redesigning networks incorporating devices like firewalls, IDS, etc., using SIEM solutions in order to collect and correlate information, etc.
  • Improving defensive equipment. Defensive equipment such as Blue team or SOC IT/OT personnel, can greatly benefit from the knowledge provided by the matrices, as it will allow them to improve their operations, becoming more efficient and working, even more so, on the collaboration between equipment.

ICS matrix

Although this matrix is not very mature, given that it’s been shared by the community not long ago, it is constantly evolving, in addition to being a great source of information for being able to execute some tasks related to cyberattacks and defense against them.

One of the greatest differences between this matrix and the general MITRE one is the tactics it incorporates, given that they are specific to industrial environments. The following 11 are included:

  • Initial Access – The attacker tries to access the industrial environment.
  • Execution – The attacker tries to run malicious code.
  • Persistence – The attacker tries to maintain their foothold in the industrial environment by means of backdoors or obfuscated communications.
  • Evasion – The attacker tries to avoid being detected when running malicious actions.
  • Discovery – The attacker tries to detect as many assets within the industrial network as possible in order to select his target.
  • Lateral Movement – The attacker tries to compromise other assets in the industrial network, starting with an already compromised asset with the goal of accessing other networks, difficult to access systems, etc.
  • Collection – The attacker tries to gather all possible data of interest in order to execute the malicious actions in the industrial environment.
  • Command and Control – The attacker tries to communicate through servers in his possession with compromised assets within the industrial network in order to send out specific commands and thus execute malicious actions.
  • Inhibit Response Function – The attacker tries to prevent the activation of security functions and physical protections, the execution of legitimate actions by operators in the face of problems, failures or improper security statuses.
  • Impair Process Control – The attacker tries to manipulate, disable or damage the existing control processes on an industrial level within the attacked organization.
  • Impact – The attacker tries to make the executed attack have repercussions on the industrial process by interrupting it, altering data so that it does not work properly, destroying some important assets, etc.

destroying some important assets, etc.
It is important to emphasize that some IT environments build an important base for ICS. Therefore, some of the tactics and techniques applied in these environments cannot be ignored. In the ATT&CK matrix for ICS, the aim is to primarily include the Enterprise matrix techniques used against systems that take advantage of final stages and that, thanks to their exploitation, cause some kind of impact against the industrial process. In this way, tactics that are in some way related to the Enterprise matrix can be detected, but that shift their focus to an industrial environment. The same is true for the techniques used, which are specific to run in industrial environments or have been adapted given the characteristics of these environments.

For example, the use of this Network Sniffing – T842, related to the Discovery tactic, would make it possible to passively detect many of the assets present in the industrial network.

Lastly, in terms of the different industrial attacks, MITRE has prepared a knowledge base about the different groups of attackers and malware specifically developed for industrial environments. In this knowledge base, both the techniques typically used by the best known groups of attackers on an industrial level, and the techniques and tactics used in the different attacks such as Flame, Duqu, Triton, Stuxnet, etc. can be consulted.

Conclusion

Knowledge about attack tactics and techniques in the industrial sector provides great value for the community of cybersecurity experts, both offensively and defensively. Therefore, it is important to continue working in different lines to the future in order to:

  • Further refine the description of the techniques.
  • Sectorize, even more so, tactics and techniques since, depending on the sector, both attackers and defenders frequently encounter different protocols and devices.
  • Provide more defensive measures in order to detect some techniques or to prevent the exploitation of the same.