MITRE ATT&CK for ICS

A rich knowledge base of real-world adversarial behavior

Before you can defend your Industrial Control System (ICS) infrastructure, you need to understand how an adversary might attack it. The new MITRE ATT&CK™ for ICS tool helps security practitioners —

  • Identify the most active threat actors targeting ICS environments
  • Understand techniques most commonly used by threat actors
  • Prioritize each technique based on probability and potential impact 
  • Assess current defenses, understand gaps, and plan improved defenses

Armis is the fastest, most efficient way to identify ATT&CK techniques in ICS and OT environments.

As you will see in the interactive matrix below, Armis provides comprehensive coverage for MITRE ATT&CK for ICS techniques. Armis is an agentless device security platform that passively monitors network traffic to detect attacks on ICS devices as well as other devices that, similarly, cannot accommodate security agents. 

Below is a list of all the MITRE ATT&CK for ICS techniques, each followed by a description of how Armis identifies it.

Legend
Techniques that Armis can detect at inception.
Techniques that Armis can detect subsequently, or where Armis may be one of many indicators necessary to validate that the technique has occurred.
INITIAL ACCESS | EXECUTION | PERSISTENCE | EVASION | DISCOVERY | LATERAL MOVEMENT | COLLECTION | COMMAND AND CONTROL | INHIBIT RESPONSE FUNCTION | IMPAIR PROCESS CONTROL | IMPACT
Data Historian Compromise
Armis is able to detect and alert on abnormal traffic or communication behavior which may indicate that an adversary is attempting to compromise, or has already compromised, the Data Historian.
Change Program State *
Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to changing the program state on a device.
Hooking
Armis’ passive network monitoring and device profiling enables Armis to detect when a system has been compromised and is redirecting API calls across the network. If the system acts abnormally or redirects the API calls across the network, then Armis will generate an alert.
Exploitation for Evasion
Armis identifies all known software vulnerabilities. This facilitates proactive attempts to remediate vulnerable devices, remove them from the network, or provide other forms of risk mitigations. Once a device has been exploited for evasion, Armis can detect and alert on behavioral changes.
Control Device Identification
Armis can detect abnormal network traffic which may indicate an adversarial attempt at conducting control device identification.
Default Credentials
Armis’ passive monitoring of the network traffic, combined with device profiling, allows Armis to detect and alert on credentials transitioning across the network. It can also detect when one device connects to another, and is able to create alerts which may indicate that default credentials are being used.
Automated Collection
Armis’ passive network monitoring is able to detect and alert on new or abnormal network activity, including the use of tools and scripts for automated collection.
Commonly Used Port
Armis’ threat detection engine can detect when a commonly used port is being used to communicate in an abnormal manner.
Activate Firmware Update Mode
Armis is able to detect a wide range of PLC specific commands including the commands related to updating or modifying the firmware.
Brute Force I/O
Armis’ passive network monitoring allows Armis to detect abnormal I/O related network traffic indicative of brute force I/O.
Damage to Property
Armis detects device vulnerabilities in the ICS environment which allows security managers to take proactive steps to mitigate risks in order to prevent a successful attack and prevent damage to property. If devices begin to act abnormally, alerts will be generated ideally in time to prevent any damage to property.
Drive-by Compromise
Armis’ policy engine can be configured to alert and take action whenever Armis observes a device accessing unauthorized or known malicious websites. Armis’ threat feeds automatically populate the list of known malicious sites, and a predefined policy can alert if a device reaches out to a site on the list.
Command-Line Interface
Armis is able to monitor remote access services such as SSH, Telnet, and RDP which are likely to be used by attackers who are attempting to access ICS environments via the command-line interface. When such remote access activity is abnormal (e.g. at an unusual time of the day, or the first such remote access ever observed), Armis can alert on the remote access service activity.
Module Firmware*
Armis detects when firmware is downloaded to PLCs. Then, if the new firmware causes the behavior of a PLC to change abnormally, Armis will detect and issue an alert.
Indicator Removal on Host
Armis’s passive network monitoring is able to detect an adversary’s remote commands related to removing indications of their presence on a specific host.
I/O Module Discovery
Armis’ passive network monitoring enables Armis to detect when an adversary attempts to conduct input/output discovery over the network.
Exploitation of Remote Services
Armis’ passive network monitoring allows Armis to detect when a device uses remote services in an abnormal manner, e.g. for lateral movement.
Data from Information Repositories
Armis’ passive network monitoring is able to detect and alert on unauthorized or abnormal attempts to connect to information repositories.
Connection Proxy
Armis passively monitors device communications and associates active ports, services, and protocols. Armis’ policy engine can be configured to alert or remediate (e.g. quarantine) whenever Armis observes the use of an unauthorized connection proxy. If the traffic outbound of the proxy is monitored by Armis, then Armis can alert on traffic that is connecting to known malicious sites.
Alarm Suppression
Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or is behaving outside of normal parameters. If so, this may indicate that an adversary is attempting to suppress that device’s alarms.
Change Program State
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.
Denial of Control
Armis’ passive network monitoring and device profiling enable Armis to detect and alert on the PLC messages required to prevent ICS devices from attempting to communicate with their controllers. Armis can be configured with policies which generate alerts if the devices do not connect to the controller as scheduled.
Engineering Workstation Compromise
Armis is able to alert on abnormal traffic or communication behavior which may indicate that an engineering workstation, SCADA or HMI has been compromised.
Execution through API
Armis can detect API calls and, through its threat detection engine, alert if the API activity, or the source of the API calls, is abnormal.
Program Download**
Armis detects when programs are downloaded to PLCs. Then, if the new program causes the behavior of a PLC to change abnormally, Armis will detect the abnormality and issue an alert.
Masquerading*
Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior.
Network Connection Enumeration
Armis passively monitors device communications and can be configured to alert on the presence of unauthorized network scans, netstat use, or other abnormal network traffic indicative of network connection enumeration.
External Remote Services*
Armis’ passive network monitoring allows Armis to characterize the behavior of all network participants, even if they are entering the network through an external remote service. The network traffic from external remote services is monitored, and alerts can be created for abnormal or suspicious behavior.
Detect Operating Mode
Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.
Standard Application Layer Protocol
Armis’ passive network monitoring and device profiling allows Armis to establish “known good” traffic patterns over commonly used application protocols. If an adversary attempts to establish command and control over these commonly used protocols, Armis will detect and alert on this abnormal behavior.
Block Command Message
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allow Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters, which would be required prior to an adversary being able to block command messages.
Masquerading*
Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior or unauthorized devices.
Denial of View
Armis’ passive network monitoring detects and tracks all device communications and can provide insight into when devices have last appeared on the network.
Exploit Public-Facing Application
Armis is able to detect software vulnerabilities on Internet-facing applications; this helps security managers take proactive steps to update the software or otherwise mitigate the risk of exploitation. Also, Armis continuously monitors the behavior of systems hosting public-facing applications to detect if they have been compromised.
Graphical User Interface
Armis’s passive monitoring of device communications patterns allows Armis to detect abnormal traffic which may indicate an adversary is remotely accessing a GUI to conduct malicious behavior.
Project File Infection*
Armis is able to detect when a PLC has been reprogrammed and alert on that activity.
Rogue Master Device*
Armis passively monitors device communications and can alert whenever a device communicates with a rogue master device.
Network Service Scanning
Armis detects and alerts on port scanning.
Program Organization Units*
Armis is able to detect when a PLC has been reprogrammed, and policies can be created to alert on this behavior.
Detect Program State
Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.
Block Reporting Message
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allow Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters, which would be required prior to an adversary being able to block reporting messages.
Modify Control Logic*
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.
Loss of Availability
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of availability.
External Remote Services*
Armis passively monitors device communications including active ports, services, and protocols. Armis compares patterns of remote service usage to normal patterns in order to detect unusual remote service activity.
Man in the Middle
Armis’s passive monitoring of device communications, including network traffic characteristics such as TCP options and latency, allows Armis to detect anomalies which may indicate a Man-in-the-Middle attack.
System Firmware*
Armis passively monitors device communications across the network, and is able to profile every device to determine the current version of system firmware that is operating. This gives our customer the ability to monitor the firmware version across devices, understand the known threats to the firmware, and intelligently manage their firmware upgrade strategy.
Rootkit*
Armis’s passive network monitoring enables Armis to detect abnormal behavior which is indicative of a rootkit. If the adversary is targeting a PLC for the rootkit, Armis will detect when the configuration and firmware have been altered.
Network Sniffing
Armis’ passive network monitoring detects when an adversary attempts to exfiltrate information sniffed from a network.
Remote File Copy
Armis’ passive monitoring and device profiling can detect when a system is remotely copying files.
I/O Image
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to extract I/O images.
Block Serial COM
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allow Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters, which would be required prior to an adversary being able to block a serial communications port.
Modify Parameter
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the configuration of the device.
Loss of Control
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of control.
Internet Accessible Device
Armis’ passive monitoring can identify specific devices that are communicating with the internet and therefore are internet accessible, and can alert on those devices that should not be exhibiting this type of communication.
Program Organization Units*
Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to changing the program on a device.
Valid Accounts*
Armis’ passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.
Spoof Reporting Message*
Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.
Remote System Discovery
Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with remote system discovery.
Valid Accounts
Armis’ passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.
Location Identification
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to identify the device’s location.
Data Destruction
Armis’ passive network monitoring and device profiling allow Armis to detect and alert on abnormal network traffic associated with data destruction commands.
Module Firmware*
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the firmware of the device.
Loss of Productivity and Revenue
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of productivity and revenue.
Replication Through Removable Media
Armis monitors network traffic, so once a malicious application is active on the network, even one transferred through removable media, Armis will be able to detect malicious activity.
Project File Infection*
Armis is able to detect when a PLC has been reprogrammed and alert on that activity.
Utilize/Change Operating Mode*
Armis is able to detect and alert on PLC Mode Changes.
Serial Connection Enumeration
Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with querying a device for its serial connections information.
Monitor Process State
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to detect the devices’ process state.
Denial of Service
Armis is able to detect intentional or unintentional denial of service events and can be configured to alert when certain network thresholds are met.
Program Download**
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the programming of the device.
Loss of Safety
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of safety.
Spearphishing Attachment
If a system has been compromised through a spearphishing attachment, Armis will detect and alert on abnormal behavior caused by the malware or attacker.
Scripting
If a malicious script is used to attack or alter a device, causing the device to behave abnormally, Armis will detect and alert on the abnormal behavior.
Point & Tag Identification
Armis’ passive network monitoring and device profiling can detect and alert on the network traffic associated with querying devices for their point and tag information.
Device Restart/Shutdown
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to shut down and restart a device.
Rogue Master Device*
Armis can be configured such that any control message not generated by a legitimate master device triggers an alert.
Loss of View
Armis can support a loss of view situation by providing customers detailed information on each device, when last seen on the network, and their last risk profile. This will assist customers to prioritize restoration of the connections to the ICS devices.
Supply Chain Compromise
Armis passively and continuously monitors the behavior of every device on our customers’ networks. Armis compares every device’s real-time activity to the established and “known-good” activity baseline for the specific device which is stored in our Device Knowledge Base. When abnormal behavior in your network is detected, Armis updates the risk score and generates a security alert. In the event of a supply chain compromise, Armis will alert when the compromised product behaves abnormally compared to other legitimate products.
User Execution
If a system is compromised through user execution, then Armis will detect when the system acts abnormally.
Program Upload
Armis passively monitors device communications and can alert whenever Armis observes unauthorized file transfer such as a program upload.
Manipulate I/O Image
Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered, e.g. by an adversary attempting to manipulate the device’s I/O image.
Service Stop
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including Stop commands which are used to stop the service of the device.
Manipulation of Control
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.
Wireless Compromise
Armis passively monitors all communications in the 2.3 and 5 GHz frequency spectrum which is used by Wi-Fi, Bluetooth, BLE, Zigbee, and other peer-to-peer protocols. Through this monitoring, Armis is able to detect and alert on unauthorized devices and unexpected or malicious wireless activity.
Role Identification
Armis passively monitors device communications and can be configured to alert whenever Armis observes connections made to the network which an adversary may use to conduct reconnaissance for role identification.
Modify Alarm Settings
Armis can detect abnormal PLC modification which may be used by an adversary to modify the alarm settings.
Spoof Reporting Message*
Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.
Manipulation of View
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.
Screen Capture
Armis’ passive network monitoring allows Armis to detect when a device is attempting to exfiltrate a screen capture to the adversary, and to cause an alert when detected.
Modify Control Logic*
Armis can detect abnormal PLC modification which may be used by an adversary to modify the control logic.
Unauthorized Command Message
Armis can create an alert if command messages are transmitted by unauthorized controllers.
Theft of Operational Information
Armis’ passive monitoring can be implemented with policies that generate alerts when unauthorized devices attempt to make connections, including for the collection and exfiltration of operational data.
Program Download**
Armis’ passive network monitoring allows Armis to detect abnormal PLC modification which may be used by an adversary to modify the existing program in the PLC.
Rootkit*
Armis’ passive network monitoring allows Armis to detect abnormal PLC modification such as the installation of a rootkit. For any network device, Armis is also able to detect abnormal behavior which may indicate that a system has an active rootkit installed. If an adversary manages to install a rootkit on a non-PLC host, Armis can detect and alert on the abnormal behavior associated with the rootkit.
System Firmware*
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to update the firmware on a device.
Utilize/Change Operating Mode*
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the operating mode of a device.
* - technique is used in two different tactics
** - technique is used in three different tactics