Webinars
MITRE ATT&CK® for ICS – Practical Applications
Watch Now
MITRE ATT&CK for ICS
A rich knowledgebase of real-world adversarial behavior
Understand and defend.
Before you can defend your Industrial Control System (ICS) infrastructure, you need to understand how an adversary might attack it. The new MITRE ATT&CK™ for ICS framework helps security practitioners —
- Identify the most active threat actors targeting ICS environments.
- Understand tactics and techniques most commonly used by threat actors.
- Prioritize each tactic and technique based on probability and potential impact.
- Assess current defenses, understand gaps, and plan improved defenses.
Comprehensive coverage for MITRE ATT&CK for ICS.
The Armis Agentless Device Security Platform is the fastest, most efficient way to identify ATT&CK techniques in ICS and OT environments. As you will see in the matrix below, The Armis Platform provides comprehensive coverage for MITRE ATT&CK for ICS techniques. The Armis Platform passively monitors network traffic to detect attacks on ICS devices as well as other devices that, similarly, cannot accommodate security agents.
INITIAL ACCESS
Data Historian Compromise
Armis is able to detect and alert on abnormal traffic or communication behavior which may indicate that an adversary is attempting to compromise, or has already compromised, the Data Historian.
Drive-by Compromise
Armis’ policy engine can be configured to alert and take action whenever Armis observes a device accessing unauthorized or known malicious websites. Armis’ threat feeds automatically populate the list of known malicious sites, and a predefined policy can alert if a device reaches out to a site on the list.
Engineering Workstation Compromise
Armis is able to alert on abnormal traffic or communication behavior which may indicate that an engineering workstation, SCADA or HMI has been compromised.
Exploit Public-Facing Application
Armis is able to detect software vulnerabilities on Internet-facing applications; this helps security managers take proactive steps to update the software or otherwise mitigate the risk of exploitation. Also, Armis continuously monitors the behavior of systems hosting public-facing applications to detect if they have been compromised.
External Remote Services*
Armis passively monitors device communications including active ports, services, and protocols. Armis compares patterns of remote service usage to normal patterns in order to detect unusual remote service activity.
Internet Accessible Device
Armis’ passive monitoring can identify specific devices that are communicating with the internet and therefore are internet accessible, and can alert on those devices that should not be exhibiting this type of communication.
Replication Through Removable Media
Armis monitors network traffic, so once a malicious application is active on the network, even those transferred through removable media, Armis will be able to detect malicious activity.
Spearphishing Attachment
If a system has been compromised through a spearfishing attachment, Armis will detect and alert on abnormal behavior caused by the malware / attacker.
Supply Chain Compromise
Armis passively and continuously monitors the behavior of every device on our customers’ networks. Armis compares every device’s real-time activity to the established and “known-good” activity baseline for the specific device which is stored in our Device Knowledge Base. When abnormal behavior in your network is detected, Armis updates the risk score and generates a security alert. In the event of a supply chain compromise, Armis will alert when the compromised product behaves abnormal compared to other legitimate products.
Wireless Compromise
Armis passively monitors all communications in the 2.3 and 5 GHz frequency spectrum which is used by Wi-Fi, BLE, and other peer-to-peer protocols. Through this monitoring, Armis is able to detect and alert on unauthorized devices and unexpected or malicious wireless activity.
EXECUTION
Change Program State
Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to changing the program state on a device.
Command-Line Interface
Armis is able to monitor remote access services such as SSH, Telnet, and RDP which are likely to be used by attackers who are attempting to access ICS environments via the command-line interface. When such remote access activity is abnormal (e.g. at an unusual time of the day, or the first such remote access ever observed), Armis can alert on the remote access service activity.
Execution through API
Armis can detect API calls and, through its threat detection engine, alert if the API activity, or the source of the API calls, is abnormal.
Graphical User Interface
Armis’s passive monitoring of device communications patterns allows Armis to detect abnormal traffic which may indicate an adversary is remotely accessing a GUI to conduct malicious behavior.
Man in the Middle
Armis’s passive monitoring of device communications, including network traffic characteristics such things as TCP options and latency, allows Armis to detect anomalies which may indicate a Man-in-the-Middle attack.
Program Organization Units
Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to changing the program on a device.
Project File Infection
Armis is able to detect when a PLC has been reprogrammed and alert on that activity.
Scripting
If a malicious script is used to attack or alter a device, causing the device to behave abnormally, Armis will detect and alert on the abnormal behavior.
User Execution
If a system is compromised through user execution, then Armis will detect when the system acts abnormally.
PERSISTENCE
Hooking
Armis’ passive network monitoring and device profiling enables Armis to detect when a system has been compromised and is redirecting API calls across the network. If the system acts abnormally or redirects the API calls across the network, then Armis will generate an alert.
Module Firmware
Armis detects when firmware is downloaded to PLCs. Then, if the new firmware causes the behavior of a PLC to change abnormally, Armis will detect and issue an alert.
Program Download
Armis detects when programs are downloaded to PLCs. Then, if the new program causes the behavior of a PLC to change abnormally, Armis will detect the abnormally and issue an alert.
Project File Infection
Armis is able to detect when a PLC has been reprogrammed and alert on that activity.
System Firmware
Armis passively monitors device communications across the network, and is able to profile every device to determine the current version of system firmware that is operating. This gives our customer the ability to monitor the firmware version across devices, understand the known threats to the firmware, and intelligently manage their firmware upgrade strategy.
Valid Accounts
Armis passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.
EVASION
Exploitation for Evasion
Armis identifies all known software vulnerabilities. This facilitates proactive attempts to remediate vulnerable devices, remove them from the network, or provide other forms of risk mitigations. Once a device has been exploited for evasion, Armis can detect and alert on behavioral changes.
Indicator Removal on Host
Armis’s passive network monitoring is able to detect an adversary’s remote commands related to removing indications of their presence on a specific host.
Masquerading
Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior.
Rogue Master Device
Armis passively monitors device communications and can alert whenever a device communicates with a rogue master device.
Rootkit
Armis’s passive network monitoring enables Armis to detect abnormal behavior which is indicative of a rootkit. If the adversary is targeting a PLC for the rootkit, Armis will detect when the configuration and firmware have been altered.
Spoof Reporting Message
Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.
Utilize/Change Operating Mode
Armis is able to detect and alert on PLC Mode Changes.
DISCOVERY
Control Device Identification
Armis can detect abnormal network traffic which may indicate an adversarial attempt at conducting control device identification.
I/O Module Discovery
Armis’ passive network monitoring enables Armis to detect when an adversary attempts to conduct input/output discovery over the network.
Network Connection Enumeration
Armis passively monitors device communications and can be configured to alert on the presence of unauthorized network scans, netstat use, or other abnormal network traffic indicative of network connection enumeration.
Network Service Scanning
Armis detects and alerts on port scanning.
Network Sniffing
Armis’ passive network monitoring detects when an adversary attempts to exfiltrate information sniffed from a network.
Remote System Discovery
Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with remote system discovery.
Serial Connection Enumeration
Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with querying a device for its serial connections information.
LATERAL MOVEMENT
Default Credentials
Armis’ passive monitoring of the network traffic, combined with device profiling, allows Armis to detect and alert on credentials transitioning across the network. It can also detect when one device connects to another, and is able to create alerts which may indicate that default credentials are being used.
Exploitation of Remote Services
Armis’ passive network monitoring allows Armis to detect when a device uses remote services in an abnormal manner, e.g. for lateral movement.
External Remote Services
Armis’ passive network monitoring allows Armis to characterize the behavior of all network participants, even if they are entering the network through an external remote service. The network traffic from external remote services are monitored, and alerts can be created to alert on abnormal or suspicious behavior.
Program Organization Units
Armis is able to detect when a PLC has been reprogrammed, and policies can be created to alert on this behavior.
Remote File Copy
Armis’ passive monitoring and device profiling can detect when a system is remotely copying files.
Valid Accounts
Armis’ passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.
COLLECTION
Automated Collection
Armis’ passive network monitoring is able to detect and alert on new or abnormal network activity to include the use of tools and scripts which are used for automated collection.
Data from Information Repositories
Armis’ passive network monitoring is able to detect and alert on unauthorized or abnormal connection attempts to connect to information repositories.
Detect Operating Mode
Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.
Detect Program State
Armis is able to detect and alert on a wide range of PLC specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.
I/O Image
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to extract I/O images.
Location Identification
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to identify the device’s location.
Monitor Process State
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to detect the devices’ process state.
Point & Tag Identification
Armis’ passive network monitoring and device profiling can detect and alert on the network traffic associated with querying devices for their point and tag information.
Program Upload
Armis passively monitors device communications and can alert whenever Armis observes unauthorized file transfer such as a program upload.
Role Identification
Armis passively monitors device communications and can be configured to alert whenever Armis observes connections made to the network which an adversary may use to conduct reconnaissance to conduct role identification.
Screen Capture
Armis’ passive network monitoring allows Armis to detect when a device is attempting to exfiltrate a screen capture to the adversary, and to cause an alert when detected.
COMMAND AND CONTROL
Commonly Used Port
Armis’ threat detection engine can detect when a commonly used port is being used to communicate in an abnormal manner.
Connection Proxy
Armis passively monitors device communications and associates active ports, services, and protocols. Armis’ policy engine can be configured to alert or remediate (e.g. quarantine) whenever Armis observes the use of an unauthorized connection proxy. If the traffic outbound of the proxy is monitored by Armis, then Armis can alert on traffic that is connecting to known malicious sites.
Standard Application Layer Protocol
Armis’ passive network monitoring and device profiling allows Armis to establish “known good” traffic patterns over commonly used application protocols. If an adversary attempts to establish command and control over these commonly used protocols, Armis will detect and alert on this abnormal behavior.
INHIBIT RESPONSE FUNCTION
Activate Firmware Update Mode
Armis is able to detect a wide range of PLC specific commands including the commands related to updating or modifying the firmware.
Alarm Suppression
Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or is behaving outside of normal parameters. If so, this may indicate that an adversary is attempting to suppress that device’s alarms.
Block Command Message
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block command messages.
Block Reporting Message
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block reporting messages.
Block Serial COM
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block a serial communications port.
Data Destruction
Armis’ passive network monitoring and device profiling allows Armis to detect and alert on abnormal network traffic associated with data destruction commands.
Denial of Service
Armis is able to detect intentional or unintentional denial of service events and can be configured to alert when certain network thresholds are met.
Device Restart/Shutdown
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to shut down and restart a device.
Manipulate I/O Image
Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered, e.g. by an adversary is attempting to manipulate the device’s I/O image.
Modify Alarm Settings
Armis can detect abnormal PLC modification which may be used by an adversary to modify the alarm settings.
Modify Control Logic
Armis can detect abnormal PLC modification which may be used by an adversary to modify the control logic.
Program Download
Armis’ passive network monitoring allows Armis to detect abnormal PLC modification which may be used by an adversary to modify the existing program in the PLC.
Rootkit
Armis’ passive network monitoring allows Armis to detect abnormal PLC modification such as the installation of a rootkit. And for any network device, Armis is able to detect abnormal behavior which may be indicative of a system which has an active rootkit installed. If an adversary manages to install a rootkit on a non-PLC host, the Armis can detect and alert on abnormal behavior associated with the rootkit behavior.
System Firmware
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to update the firmware on a device.
Utilize/Change Operating Mode
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the operating mode of a device.
IMPAIR PROCESS CONTROL
Brute Force I/O
Armis’ passive network monitoring allows Armis to detect abnormal I/O related network traffic indicative of brute force I/O.
Change Program State
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.
Masquerading
Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior or unauthorized devices.
Modify Control Logic
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.
Modify Parameter
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the configuration of the device.
Module Firmware
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the firmware of the device.
Program Download
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the programming of the device.
Rogue Master Device
Armis’ can be configured such that all control messages not generated from a legitimate master device triggers the alert.
Service Stop
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including Stop commands which are used to stop the service of the device.
Spoof Reporting Message
Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.
Unauthorized Command Message
Armis can create an alert if command messages are transmitted by unauthorized controllers.
IMPACT
Damage to Property
Armis detects device vulnerabilities in the ICS environment which allows security managers to take proactive steps to mitigate risks in order to prevent a successful attack and prevent damage to property. If devices begin to act abnormally, alerts will be generated ideally in time to prevent any damage to property.
Denial of Control
Armis’ passive network monitoring and device profiling enables Armis to detect and alert on the PLC messages required to prevent ICS devices from attempting to communicate with its controllers. Armis can be configured with policies which generate alerts if the devices do not connect to the controller as scheduled.
Denial of View
Armis’ passive network monitoring detects and tracks all device communications and can provide insight into when devices have last appeared on the network.
Loss of Availability
Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of availability.
Loss of Control
Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of control.
Loss of Productivity and Revenue
Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of productivity and revenue.
Loss of Safety
Armis’ passive network monitoring; device profiling; asset discovery; and vulnerability analysis allows Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of safety.
Loss of View
Armis can support a loss of view situation by providing customers detailed information on each device, when last seen on the network, and their last risk profile. This will assist customers to prioritize restoration of the connections to the ICS devices.
Manipulation of Control
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.
Manipulation of View
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.
Theft of Operational Information
Armis’ passive monitoring can be implemented with policies that generate alerts when unauthorized devices attempt to make connections to include the collection and exfiltration of operational data.
