
MITRE ATT&CK for ICS

A rich knowledgebase of real-world adversarial behavior



Understand and defend.

Before you can defend your Industrial Control System (ICS) infrastructure, you need to understand how an adversary might attack it. The new MITRE ATT&CK™ for ICS framework helps security practitioners —

  • Identify the most active threat actors targeting ICS environments.
  • Understand tactics and techniques most commonly used by threat actors.
  • Prioritize each tactic and technique based on probability and potential impact.
  • Assess current defenses, understand gaps, and plan improved defenses.

Comprehensive coverage for MITRE ATT&CK for ICS.

The Armis Agentless Device Security Platform is the fastest, most efficient way to identify ATT&CK techniques in ICS and OT environments. As the matrix below shows, the Armis Platform provides comprehensive coverage for MITRE ATT&CK for ICS techniques. The Armis Platform passively monitors network traffic to detect attacks on ICS devices as well as on other devices that similarly cannot accommodate security agents.

INITIAL ACCESS

Data Historian Compromise

Armis is able to detect and alert on abnormal traffic or communication behavior which may indicate that an adversary is attempting to compromise, or has already compromised, the Data Historian.

Drive-by Compromise

Armis’ policy engine can be configured to alert and take action whenever Armis observes a device accessing unauthorized or known malicious websites. Armis’ threat feeds automatically populate the list of known malicious sites, and a predefined policy can alert if a device reaches out to a site on the list.

Engineering Workstation Compromise

Armis is able to alert on abnormal traffic or communication behavior which may indicate that an engineering workstation, SCADA or HMI has been compromised.

Exploit Public-Facing Application

Armis is able to detect software vulnerabilities on Internet-facing applications; this helps security managers take proactive steps to update the software or otherwise mitigate the risk of exploitation. Also, Armis continuously monitors the behavior of systems hosting public-facing applications to detect if they have been compromised.

External Remote Services

Armis passively monitors device communications including active ports, services, and protocols. Armis compares patterns of remote service usage to normal patterns in order to detect unusual remote service activity.

Internet Accessible Device

Armis’ passive monitoring can identify specific devices that are communicating with the internet and therefore are internet accessible, and can alert on those devices that should not be exhibiting this type of communication.

Replication Through Removable Media

Because Armis monitors network traffic, once a malicious application becomes active on the network, even one introduced through removable media, Armis is able to detect its malicious activity.

Spearphishing Attachment

If a system has been compromised through a spearphishing attachment, Armis will detect and alert on the abnormal behavior caused by the malware or attacker.

Supply Chain Compromise

Armis passively and continuously monitors the behavior of every device on our customers’ networks. Armis compares every device’s real-time activity to the established, “known-good” activity baseline for that specific device, which is stored in our Device Knowledge Base. When abnormal behavior in your network is detected, Armis updates the risk score and generates a security alert. In the event of a supply chain compromise, Armis will alert when the compromised product behaves abnormally compared to other legitimate products.

Wireless Compromise

Armis passively monitors all communications in the 2.4 and 5 GHz frequency bands, which are used by Wi-Fi, BLE, and other peer-to-peer protocols. Through this monitoring, Armis is able to detect and alert on unauthorized devices and unexpected or malicious wireless activity.

EXECUTION

Change Program State

Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to changing the program state on a device.

Command-Line Interface

Armis is able to monitor remote access services such as SSH, Telnet, and RDP which are likely to be used by attackers who are attempting to access ICS environments via the command-line interface. When such remote access activity is abnormal (e.g. at an unusual time of the day, or the first such remote access ever observed), Armis can alert on the remote access service activity.

Execution through API

Armis can detect API calls and, through its threat detection engine, alert if the API activity, or the source of the API calls, is abnormal.

Graphical User Interface

Armis’s passive monitoring of device communications patterns allows Armis to detect abnormal traffic which may indicate an adversary is remotely accessing a GUI to conduct malicious behavior.

Man in the Middle

Armis’s passive monitoring of device communications, including network traffic characteristics such as TCP options and latency, allows Armis to detect anomalies which may indicate a Man-in-the-Middle attack.

Program Organization Units

Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to changing the program on a device.

Project File Infection

Armis is able to detect when a PLC has been reprogrammed and alert on that activity.

Scripting

If a malicious script is used to attack or alter a device, causing the device to behave abnormally, Armis will detect and alert on the abnormal behavior.

User Execution

If a system is compromised through user execution, then Armis will detect when the system acts abnormally.

PERSISTENCE

Hooking

Armis’ passive network monitoring and device profiling enable Armis to detect when a compromised system begins redirecting API calls across the network. If the system acts abnormally or redirects API calls over the network, Armis generates an alert.

Module Firmware

Armis detects when firmware is downloaded to PLCs. Then, if the new firmware causes the behavior of a PLC to change abnormally, Armis will detect and issue an alert.

Program Download

Armis detects when programs are downloaded to PLCs. Then, if the new program causes the behavior of a PLC to change abnormally, Armis will detect the anomaly and issue an alert.

Project File Infection

Armis is able to detect when a PLC has been reprogrammed and alert on that activity.

System Firmware

Armis passively monitors device communications across the network, and is able to profile every device to determine the current version of system firmware that is operating. This gives our customer the ability to monitor the firmware version across devices, understand the known threats to the firmware, and intelligently manage their firmware upgrade strategy.

Valid Accounts

Armis passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.

EVASION

Exploitation for Evasion

Armis identifies all known software vulnerabilities. This facilitates proactive attempts to remediate vulnerable devices, remove them from the network, or provide other forms of risk mitigations. Once a device has been exploited for evasion, Armis can detect and alert on behavioral changes.

Indicator Removal on Host

Armis’s passive network monitoring is able to detect an adversary’s remote commands related to removing indications of their presence on a specific host.

Masquerading

Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior.

Rogue Master Device

Armis passively monitors device communications and can alert whenever a device communicates with a rogue master device.

Rootkit

Armis’s passive network monitoring enables Armis to detect abnormal behavior which is indicative of a rootkit. If the adversary is targeting a PLC for the rootkit, Armis will detect when the configuration and firmware have been altered.

Spoof Reporting Message

Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.

Utilize/Change Operating Mode

Armis is able to detect and alert on PLC Mode Changes.

DISCOVERY

Control Device Identification

Armis can detect abnormal network traffic which may indicate an adversarial attempt at conducting control device identification.

I/O Module Discovery

Armis’ passive network monitoring enables Armis to detect when an adversary attempts to conduct input/output discovery over the network.

Network Connection Enumeration

Armis passively monitors device communications and can be configured to alert on the presence of unauthorized network scans, netstat use, or other abnormal network traffic indicative of network connection enumeration.

Network Service Scanning

Armis detects and alerts on port scanning.
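A minimal version of the kind of port-scan detection described under Network Service Scanning, written here as an added Python example (this is not Armis code; the flow records are constructed and the window and thresholds are assumed tuning values). It distinguishes a vertical scan (many ports on one host) from a horizontal sweep (one port across many hosts), which is the more common pattern when an adversary looks for Modbus or S7 listeners across a control network.

```python
from collections import defaultdict, deque

# Constructed flow records for this example (not real captures):
# (seconds since start, source IP, destination IP, destination port)
FLOWS = [
    (0.0, "10.0.0.5", "10.0.1.10", 502),   # HMI polling a PLC over Modbus/TCP
    (1.0, "10.0.0.5", "10.0.1.10", 502),
    (2.0, "10.0.0.5", "10.0.1.11", 502),
    (3.0, "10.0.0.5", "10.0.1.10", 502),
]
# Vertical scan: one source touches 12 ports on a single PLC within a second
FLOWS += [(10.0 + i * 0.05, "10.0.0.99", "10.0.1.10", port)
          for i, port in enumerate([21, 22, 23, 80, 102, 443, 502, 1911,
                                     2222, 4840, 20000, 44818])]
# Horizontal sweep: one source probes Modbus (502) on 12 different hosts
FLOWS += [(20.0 + i * 0.1, "10.0.0.77", "10.0.1.%d" % host, 502)
          for i, host in enumerate(range(10, 22))]


def detect_scans(flows, window=5.0, port_threshold=10, host_threshold=10):
    """Sliding-window scan detector over time-ordered flow records.

    Emits one alert per (source, kind[, target]) when, inside `window` seconds,
    a source has contacted >= port_threshold distinct ports on one host
    (vertical scan) or >= host_threshold distinct hosts (horizontal sweep).
    Thresholds are assumed values; tune them to the site's normal polling.
    """
    recent = defaultdict(deque)      # src -> deque of (t, dst, dport) in window
    alerted = set()                  # dedupe keys so each scan alerts once
    alerts = []
    for t, src, dst, dport in flows:
        q = recent[src]
        q.append((t, dst, dport))
        while q and t - q[0][0] > window:   # expire records older than window
            q.popleft()
        ports_per_host = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
        for d, ports in ports_per_host.items():
            key = (src, "vertical", d)
            if len(ports) >= port_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"t": t, "src": src, "kind": "vertical",
                               "target": d, "count": len(ports)})
        key = (src, "horizontal")
        if len(ports_per_host) >= host_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"t": t, "src": src, "kind": "horizontal",
                           "target": None, "count": len(ports_per_host)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```

Legitimate HMI polling never trips either rule because it touches one port on one or two hosts; in a real deployment the thresholds must be set above the largest scheduled poll fan-out on the site, otherwise a SCADA server's normal sweep of every PLC on port 502 looks exactly like a horizontal scan.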

Network Sniffing

Armis’ passive network monitoring detects when an adversary attempts to exfiltrate information sniffed from a network.

Remote System Discovery

Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with remote system discovery.

Serial Connection Enumeration

Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with querying a device for its serial connections information.

LATERAL MOVEMENT

Default Credentials

Armis’ passive monitoring of network traffic, combined with device profiling, allows Armis to detect and alert on credentials transiting the network. It can also detect when one device connects to another, and is able to create alerts which may indicate that default credentials are being used.

Exploitation of Remote Services

Armis’ passive network monitoring allows Armis to detect when a device uses remote services in an abnormal manner, e.g. for lateral movement.

External Remote Services

Armis’ passive network monitoring allows Armis to characterize the behavior of all network participants, even if they are entering the network through an external remote service. The network traffic from external remote services is monitored, and alerts can be created for abnormal or suspicious behavior.

Program Organization Units

Armis is able to detect when a PLC has been reprogrammed, and policies can be created to alert on this behavior.

Remote File Copy

Armis’ passive monitoring and device profiling can detect when a system is remotely copying files.

Valid Accounts

Armis’ passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.

COLLECTION

Automated Collection

Armis’ passive network monitoring is able to detect and alert on new or abnormal network activity to include the use of tools and scripts which are used for automated collection.

Data from Information Repositories

Armis’ passive network monitoring is able to detect and alert on unauthorized or abnormal connection attempts to connect to information repositories.

Detect Operating Mode

Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.

Detect Program State

Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.

I/O Image

Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to extract I/O images.

Location Identification

Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to identify the device’s location.

Monitor Process State

Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to detect the devices’ process state.

Point & Tag Identification

Armis’ passive network monitoring and device profiling can detect and alert on the network traffic associated with querying devices for their point and tag information.

Program Upload

Armis passively monitors device communications and can alert whenever Armis observes unauthorized file transfer such as a program upload.

Role Identification

Armis passively monitors device communications and can be configured to alert whenever Armis observes connections that an adversary may use for reconnaissance aimed at role identification.

Screen Capture

Armis’ passive network monitoring allows Armis to detect when a device is attempting to exfiltrate a screen capture to the adversary, and to cause an alert when detected.

COMMAND AND CONTROL

Commonly Used Port

Armis’ threat detection engine can detect when a commonly used port is being used to communicate in an abnormal manner.

Connection Proxy

Armis passively monitors device communications and associates active ports, services, and protocols. Armis’ policy engine can be configured to alert or remediate (e.g. quarantine) whenever Armis observes the use of an unauthorized connection proxy. If the traffic outbound of the proxy is monitored by Armis, then Armis can alert on traffic that is connecting to known malicious sites.

Standard Application Layer Protocol

Armis’ passive network monitoring and device profiling allows Armis to establish “known good” traffic patterns over commonly used application protocols. If an adversary attempts to establish command and control over these commonly used protocols, Armis will detect and alert on this abnormal behavior.
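The "known good" baseline approach described under Commonly Used Port and Standard Application Layer Protocol, as an added Python example (not Armis code; the flows, address ranges and tuning values are constructed assumptions). The point it makes that the text does not: periodic traffic is normal in OT, since HMIs poll PLCs on a fixed cycle, so a beacon check must be applied only to communication pairs that are both new relative to the baseline and headed outside the plant network.

```python
import ipaddress
import statistics

# Assumed address ranges of the plant network; anything else is "external"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def learn_baseline(flows):
    """Known-good set of (src, dst, dport) observed during a learning window."""
    return {(src, dst, dport) for _, src, dst, dport in flows}


def detect_deviations(flows, baseline, min_conns=6, max_cv=0.10):
    """Flag communication pairs absent from the baseline. Regular polling is
    normal in OT, so periodicity alone is not suspicious; a new pair to an
    external host that repeats with a near-constant interval (coefficient of
    variation <= max_cv over >= min_conns connections) is escalated as a
    possible beacon. min_conns and max_cv are assumed tuning values."""
    new_pairs = {}
    for t, src, dst, dport in sorted(flows):
        key = (src, dst, dport)
        if key not in baseline:
            new_pairs.setdefault(key, []).append(t)
    alerts = []
    for (src, dst, dport), times in new_pairs.items():
        alert = {"src": src, "dst": dst, "dport": dport,
                 "count": len(times), "reason": "new communication pair"}
        if not is_internal(dst) and len(times) >= min_conns:
            intervals = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(intervals)
            cv = statistics.pstdev(intervals) / mean if mean > 0 else 0.0
            if cv <= max_cv:
                alert["reason"] = "possible C2 beacon"
                alert["period_s"] = round(mean, 1)
        alerts.append(alert)
    return alerts


# Constructed flows (not real captures): (t_seconds, src, dst, dport)
LEARN = [(t, "10.0.0.5", "10.0.1.10", 502) for t in range(0, 3600, 5)]       # HMI polls PLC
LEARN += [(t, "10.0.0.20", "10.0.1.10", 102) for t in range(0, 3600, 600)]   # EWS -> S7 PLC
LEARN += [(t, "10.0.0.20", "10.0.0.2", 443) for t in range(0, 3600, 900)]    # EWS -> internal update server

DETECT = [(t, "10.0.0.5", "10.0.1.10", 502) for t in range(0, 600, 5)]
DETECT += [(5, "10.0.0.5", "10.0.1.11", 502)]                                 # HMI contacts a new PLC
# EWS reaches a placeholder external address (documentation range) every ~60 s
DETECT += [(100 + 60 * i + j, "10.0.0.20", "203.0.113.7", 443)
           for i, j in enumerate([0, 1, -1, 0, 1, -1, 0, 0])]

if __name__ == "__main__":
    for alert in detect_deviations(DETECT, learn_baseline(LEARN)):
        print(alert)
```

The HMI's 5-second Modbus polling in DETECT matches the baseline and produces nothing; the HMI's single contact with a PLC it never talked to before produces a "new communication pair" alert; and the engineering workstation's regular HTTPS connections to an external host are escalated because they are new, outbound and periodic. A deployment would also baseline per device type, so that a new PLC behaving like its siblings is not treated as an anomaly.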

INHIBIT RESPONSE FUNCTION

Activate Firmware Update Mode

Armis is able to detect a wide range of PLC specific commands including the commands related to updating or modifying the firmware.

Alarm Suppression

Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or is behaving outside of normal parameters. If so, this may indicate that an adversary is attempting to suppress that device’s alarms.

Block Command Message

Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block command messages.

Block Reporting Message

Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block reporting messages.

Block Serial COM

Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block a serial communications port.

Data Destruction

Armis’ passive network monitoring and device profiling allows Armis to detect and alert on abnormal network traffic associated with data destruction commands.

Denial of Service

Armis is able to detect intentional or unintentional denial of service events and can be configured to alert when certain network thresholds are met.

Device Restart/Shutdown

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to shut down and restart a device.

Manipulate I/O Image

Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered, e.g. by an adversary attempting to manipulate the device’s I/O image.

Modify Alarm Settings

Armis can detect abnormal PLC modification which may be used by an adversary to modify the alarm settings.

Modify Control Logic

Armis can detect abnormal PLC modification which may be used by an adversary to modify the control logic.

Program Download

Armis’ passive network monitoring allows Armis to detect abnormal PLC modification which may be used by an adversary to modify the existing program in the PLC.

Rootkit

Armis’ passive network monitoring allows Armis to detect abnormal PLC modification such as the installation of a rootkit. For any other network device, Armis is able to detect abnormal behavior indicative of an active rootkit: if an adversary manages to install a rootkit on a non-PLC host, Armis can detect and alert on the abnormal behavior associated with it.

System Firmware

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to update the firmware on a device.

Utilize/Change Operating Mode

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the operating mode of a device.

IMPAIR PROCESS CONTROL

Brute Force I/O

Armis’ passive network monitoring allows Armis to detect abnormal I/O related network traffic indicative of brute force I/O.

Change Program State

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.

Masquerading

Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior or unauthorized devices.

Modify Control Logic

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.

Modify Parameter

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the configuration of the device.

Module Firmware

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the firmware of the device.

Program Download

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the programming of the device.

Rogue Master Device

Armis can be configured so that any control message not originating from a legitimate master device triggers an alert.

Service Stop

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including Stop commands which are used to stop the service of the device.

Spoof Reporting Message

Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.

Unauthorized Command Message

Armis can create an alert if command messages are transmitted by unauthorized controllers.
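What the Rogue Master Device and Unauthorized Command Message entries describe, in concrete terms, is a passive protocol-aware allowlist: decode each request, classify the function code as a read or a write, and alert when a write comes from a host that is not a known master. The following is an added Python example using Modbus/TCP (not Armis code; the frames, the allowlist and the severity scheme are constructed assumptions for illustration). Modbus is chosen because its header and function codes are simple enough to parse in a few lines; other ICS protocols need their own decoder but the same decision logic.

```python
import struct

# Modbus function codes that change controller state (requests only)
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Assumed allowlist of hosts permitted to act as Modbus masters (HMI/SCADA)
LEGITIMATE_MASTERS = {"10.0.0.5"}


def build_modbus_request(tid, unit, function, payload):
    """Build a Modbus/TCP ADU (MBAP header + PDU). Used here only to construct
    sample traffic; a real deployment would take frames from a SPAN port or TAP."""
    pdu = struct.pack(">B", function) + payload
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_request(data):
    """Parse the MBAP header and function code; raise ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, function = struct.unpack(">HHHBB", data[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(data) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    frame = {"tid": tid, "unit": unit, "function": function, "address": None}
    if function in (5, 6, 15, 16, 22) and len(data) >= 10:
        frame["address"] = struct.unpack(">H", data[8:10])[0]   # start address
    return frame


def inspect_modbus(packets, allowed_masters):
    """Passive check of client->server Modbus/TCP requests.

    packets: iterable of (src_ip, dst_ip, dst_port, raw_bytes), client-to-server.
    A write from a host outside the allowlist is a high-severity alert (rogue
    master / unauthorized command); a read from an unknown host is flagged as
    reconnaissance; an unparsable frame is reported rather than silently dropped.
    """
    alerts = []
    for src, dst, dport, raw in packets:
        if dport != 502:
            continue                     # only Modbus/TCP requests
        try:
            frame = parse_modbus_request(raw)
        except ValueError as exc:
            alerts.append({"severity": "low", "src": src, "dst": dst,
                           "function": None, "address": None,
                           "reason": "malformed Modbus frame: %s" % exc})
            continue
        fc = frame["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "function": fc, "address": frame["address"],
                           "reason": "unauthorized %s from non-master host"
                                     % WRITE_FUNCTIONS[fc]})
        elif src not in allowed_masters:
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "function": fc, "address": frame["address"],
                           "reason": "unknown host polling controller"})
    return alerts


# Constructed sample traffic (not a real capture)
PACKETS = [
    # legitimate HMI reads 10 holding registers, then writes register 40
    ("10.0.0.5", "10.0.1.10", 502, build_modbus_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.0.5", "10.0.1.10", 502, build_modbus_request(2, 1, 6, struct.pack(">HH", 40, 1))),
    # unknown host first reads 100 registers (reconnaissance) ...
    ("10.0.0.99", "10.0.1.10", 502, build_modbus_request(7, 1, 3, struct.pack(">HH", 0, 100))),
    # ... then writes two registers starting at address 0
    ("10.0.0.99", "10.0.1.10", 502,
     build_modbus_request(8, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x00\x00\x00")),
    # truncated frame
    ("10.0.0.99", "10.0.1.10", 502, b"\x00\x09\x00\x00\x00\x02\x01"),
]

if __name__ == "__main__":
    for alert in inspect_modbus(PACKETS, LEGITIMATE_MASTERS):
        print(alert)
```

Two practical caveats that the allowlist alone does not cover: Modbus has no authentication, so the source IP is the only notion of "master" available and an attacker on the allowed host is invisible to this check; and the allowlist must be scoped per target device, since a host that legitimately writes to one PLC is not necessarily a legitimate master for every PLC on the segment.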

IMPACT

Damage to Property

Armis detects device vulnerabilities in the ICS environment which allows security managers to take proactive steps to mitigate risks in order to prevent a successful attack and prevent damage to property. If devices begin to act abnormally, alerts will be generated ideally in time to prevent any damage to property.

Denial of Control

Armis’ passive network monitoring and device profiling enable Armis to detect and alert on the PLC messages required to prevent ICS devices from communicating with their controllers. Armis can be configured with policies which generate alerts if the devices do not connect to the controller as scheduled.

Denial of View

Armis’ passive network monitoring detects and tracks all device communications and can provide insight into when devices have last appeared on the network.

Loss of Availability

Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of availability.

Loss of Control

Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of control.

Loss of Productivity and Revenue

Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of productivity and revenue.

Loss of Safety

Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of safety.

Loss of View

Armis can support a loss of view situation by providing customers detailed information on each device, when last seen on the network, and their last risk profile. This will assist customers to prioritize restoration of the connections to the ICS devices.

Manipulation of Control

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.

Manipulation of View

Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.

Theft of Operational Information

Armis’ passive monitoring can be implemented with policies that generate alerts when unauthorized devices attempt to make connections to include the collection and exfiltration of operational data.