What is MITRE ATT&CK for ICS and how do you implement it?

In January 2020, MITRE followed up its MITRE ATT&CK Framework from 2013 with the MITRE ATT&CK Framework for ICS, addressing the threats to human life and the physical environment that come with our ICS networks. It is a framework that deftly maps the techniques adversaries use to affect industrial control systems and helps inform the defenses against them. Made up of tactics and techniques (TTPs), the framework aims to help mitigate the catastrophic failures that affect property or human life.

Sounds ominous, but when we think of energy transmission and distribution plants, oil refineries, wastewater treatment facilities, transportation systems, and more, and of the impacts of attacks on them, which range from disruption of operational productivity to serious harm to human life and the surrounding environment, we can understand what is at stake.

None of the techniques themselves is groundbreaking; what is new is the taxonomy in which the tactics and techniques are presented.

How to use the MITRE ATT&CK framework

Made up of 11 tactics and over 80 different techniques used within those tactics, the MITRE ATT&CK for ICS Framework looks to normalize the discussion and allow concerted efforts to protect our ICS networks.

Visit our dedicated post about MITRE ATT&CK techniques for ICS to look closer at the actual tactics, techniques, and procedures (TTPs).

There you will see a detailed listing of the various vectors and methods used to infiltrate our ICS networks. What is of particular interest within the MITRE ATT&CK for ICS framework is the breadth of the techniques. Spanning from supply chain attacks outside the ICS enterprise, to man-in-the-middle attacks, to control parameter changes in PLCs, the framework is a comprehensive approach that should be top of mind when speaking with ICS stakeholders.

So how do we implement such a framework? 

Outside of asking security platform vendors whether they have incorporated the MITRE ATT&CK for ICS Framework into their solution, there are actions that your team can take within your ICS organization to ensure the most detrimental of threats are accounted for.

These include some of the following activities:

• Adversary Emulation

• Behavioral Analytics

• Cyber Threat Intelligence Enrichment

• Defensive Gap Assessment

• Red Teaming

• SOC Maturity Assessment

• Failure Scenario Development

• Cross-Domain Adversary Tracking

• Educational Resource

Who should be involved? 

Such a framework is best addressed by cross-functional teams from IT, OT, Security, and Network, as securing ICS is not a job to be done in a silo. Identifying scenarios and their potential outcomes, ranked by severity, is a great place to start. A gap analysis that identifies all the ‘what-ifs’ based on worst-case scenarios will certainly be eye-opening, but that is the intent of the framework: to begin a conversation with cross-functional stakeholders, with the common goal of protecting the crown jewels of the organization.
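The Defensive Gap Assessment activity listed above, and the worst-case gap analysis this paragraph describes, boil down to one table: which ICS techniques you care about, which of them have a detection or a mitigation behind them, and which unmitigated ones carry the highest severity. The script below is an added illustration of that roll-up, not code from the original post or from MITRE; the three technique IDs are the ATT&CK for ICS identifiers for the techniques the post names, while the tactic assignments, severity scores and coverage records are constructed sample data that a real assessment would replace with its own inventory.

```python
"""Defensive gap assessment over a small ATT&CK for ICS inventory.

Added example. T0862/T0830/T0836 are the real ATT&CK for ICS IDs for the
techniques the post mentions; tactic labels, severity scores (1-5, worst case)
and the coverage records are CONSTRUCTED sample data, not a real assessment.
"""
from collections import defaultdict

# Constructed inventory: technique id -> (name, tactic, worst-case severity)
TECHNIQUES = {
    "T0862": ("Supply Chain Compromise", "Initial Access", 4),
    "T0830": ("Adversary-in-the-Middle", "Collection", 3),
    "T0836": ("Modify Parameter", "Impair Process Control", 5),
}

# Constructed coverage records: which controls map to which technique.
COVERAGE = [
    {"technique": "T0862", "kind": "mitigation", "control": "firmware signature check"},
    {"technique": "T0830", "kind": "detection", "control": "ARP spoof alert on OT VLAN"},
]

def assess(techniques=TECHNIQUES, coverage=COVERAGE):
    """Return per-tactic coverage counts and a severity-ordered list of gaps."""
    covered = defaultdict(set)  # technique id -> {"detection", "mitigation"}
    for rec in coverage:
        if rec["technique"] not in techniques:
            raise ValueError(f"coverage record for unknown technique {rec['technique']}")
        covered[rec["technique"]].add(rec["kind"])
    by_tactic = defaultdict(lambda: {"total": 0, "detected": 0, "mitigated": 0})
    gaps = []
    for tid, (name, tactic, severity) in techniques.items():
        counts = by_tactic[tactic]
        counts["total"] += 1
        counts["detected"] += int("detection" in covered[tid])
        counts["mitigated"] += int("mitigation" in covered[tid])
        missing = {"detection", "mitigation"} - covered[tid]
        if missing:  # anything not both detected and mitigated is a gap
            gaps.append((severity, tid, name, sorted(missing)))
    gaps.sort(key=lambda g: (-g[0], g[1]))  # highest worst-case severity first
    return dict(by_tactic), gaps

if __name__ == "__main__":
    tactics, gaps = assess()
    for tactic, c in tactics.items():
        print(f"{tactic}: {c['detected']}/{c['total']} detected, "
              f"{c['mitigated']}/{c['total']} mitigated")
    for severity, tid, name, missing in gaps:
        print(f"severity {severity}  {tid} {name}: missing {', '.join(missing)}")
```

Fed a real inventory, the ordered gap list is the agenda for the cross-functional conversation the post calls for: the highest-severity technique with neither a detection nor a mitigation is discussed first.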