Before you can defend your Industrial Control System (ICS) infrastructure, you need to understand how an adversary might attack it. The new MITRE ATT&CK™ for ICS framework helps security practitioners —
The Armis Agentless Device Security Platform is the fastest, most efficient way to identify ATT&CK techniques in ICS and OT environments. As you will see in the matrix below, the Armis Platform provides comprehensive coverage for MITRE ATT&CK for ICS techniques. The Armis Platform passively monitors network traffic to detect attacks on ICS devices as well as other devices that, similarly, cannot accommodate security agents.
Armis is able to detect and alert on abnormal traffic or communication behavior which may indicate that an adversary is attempting to compromise, or has already compromised, the Data Historian.
Armis’ policy engine can be configured to alert and take action whenever Armis observes a device accessing unauthorized or known malicious websites. Armis’ threat feeds automatically populate the list of known malicious sites, and a predefined policy can alert if a device reaches out to a site on the list.
Armis is able to alert on abnormal traffic or communication behavior which may indicate that an engineering workstation, SCADA or HMI has been compromised.
Armis is able to detect software vulnerabilities on Internet-facing applications; this helps security managers take proactive steps to update the software or otherwise mitigate the risk of exploitation. Also, Armis continuously monitors the behavior of systems hosting public-facing applications to detect if they have been compromised.
Armis passively monitors device communications including active ports, services, and protocols. Armis compares patterns of remote service usage to normal patterns in order to detect unusual remote service activity.
Armis’ passive monitoring can identify specific devices that are communicating with the internet and therefore are internet accessible, and can alert on those devices that should not be exhibiting this type of communication.
Armis monitors network traffic, so once a malicious application is active on the network, even one transferred through removable media, Armis will be able to detect the malicious activity.
If a system has been compromised through a spearphishing attachment, Armis will detect and alert on abnormal behavior caused by the malware or attacker.
Armis passively and continuously monitors the behavior of every device on our customers’ networks. Armis compares every device’s real-time activity to the established, “known-good” activity baseline for that specific device, which is stored in our Device Knowledge Base. When abnormal behavior in your network is detected, Armis updates the device’s risk score and generates a security alert. In the event of a supply chain compromise, Armis will alert when the compromised product behaves abnormally compared to other legitimate products.
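As an added illustration of the baseline-comparison approach described above (example code written for this page, not Armis code and not a description of its internals): each device carries a learned set of peer/port/operation triples, any deviation raises that device’s risk score, and state-changing PLC operations outside the baseline push the score past an alert threshold. All device names, ports, operation names and the scoring weights are constructed assumptions.

```python
"""Baseline-vs-observed risk scoring over constructed ICS flow records."""
from collections import defaultdict

# Constructed "known-good" baseline: for each device, the (peer, port,
# operation) triples it exercised during a learning period.
BASELINE = {
    "hmi-01": {("plc-01", 502, "read_holding_registers")},
    "plc-01": {("historian-01", 502, "read_holding_registers")},
}

# Operations that change controller state (assumed names); using one of
# these outside the baseline weighs far more than an unseen read.
STATE_CHANGING = {"write_multiple_registers", "program_download", "mode_change"}


def score_flow(baseline, flow):
    """Return (risk_delta, reason) for one flow; 0 means within baseline."""
    dev, fn = flow["src"], flow["function"]
    key = (flow["dst"], flow["port"], fn)
    if dev in baseline and key in baseline[dev]:
        return 0, "in baseline"
    delta, reason = 10, f"new {key} for {dev}"          # any deviation
    if dev not in baseline:                              # never profiled
        delta, reason = delta + 20, f"unprofiled device {dev}: {key}"
    if fn in STATE_CHANGING:                             # changes PLC state
        delta += 40
    return delta, reason


def evaluate(baseline, flows, alert_threshold=40):
    """Accumulate per-device risk; return (scores, alerts) for a flow batch."""
    scores, alerts = defaultdict(int), []
    for flow in flows:
        delta, reason = score_flow(baseline, flow)
        scores[flow["src"]] += delta
        if delta >= alert_threshold:
            alerts.append((flow["src"], reason))
    return dict(scores), alerts


# Constructed sample flows: one normal read, one write from a device that
# only ever read, a program download from an unprofiled workstation, and a
# PLC reaching out to an unfamiliar external peer.
FLOWS = [
    {"src": "hmi-01", "dst": "plc-01", "port": 502, "function": "read_holding_registers"},
    {"src": "hmi-01", "dst": "plc-01", "port": 502, "function": "write_multiple_registers"},
    {"src": "eng-ws-07", "dst": "plc-01", "port": 502, "function": "program_download"},
    {"src": "plc-01", "dst": "203.0.113.10", "port": 443, "function": "tls_client_hello"},
]

if __name__ == "__main__":
    scores, alerts = evaluate(BASELINE, FLOWS)
    for dev, score in scores.items():
        print(f"{dev}: risk {score}")
    for dev, reason in alerts:
        print(f"ALERT {dev}: {reason}")
```

The low-weight deviation for plc-01 is deliberately kept below the alert threshold so that it raises the risk score without paging anyone, which is the distinction the text draws between updating a score and generating an alert.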
Armis passively monitors all communications in the 2.3 and 5 GHz frequency spectrum which is used by Wi-Fi, BLE, and other peer-to-peer protocols. Through this monitoring, Armis is able to detect and alert on unauthorized devices and unexpected or malicious wireless activity.
Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to changing the program state on a device.
Armis is able to monitor remote access services such as SSH, Telnet, and RDP which are likely to be used by attackers who are attempting to access ICS environments via the command-line interface. When such remote access activity is abnormal (e.g. at an unusual time of the day, or the first such remote access ever observed), Armis can alert on the remote access service activity.
Armis can detect API calls and, through its threat detection engine, alert if the API activity, or the source of the API calls, is abnormal.
Armis’ passive monitoring of device communication patterns allows Armis to detect abnormal traffic which may indicate an adversary is remotely accessing a GUI to conduct malicious behavior.
Armis’ passive monitoring of device communications, including network traffic characteristics such as TCP options and latency, allows Armis to detect anomalies which may indicate a Man-in-the-Middle attack.
Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to changing the program on a device.
Armis is able to detect when a PLC has been reprogrammed and alert on that activity.
If a malicious script is used to attack or alter a device, causing the device to behave abnormally, Armis will detect and alert on the abnormal behavior.
If a system is compromised through user execution, then Armis will detect when the system acts abnormally.
Armis’ passive network monitoring and device profiling enables Armis to detect when a system has been compromised and is redirecting API calls across the network. If the system acts abnormally or redirects the API calls across the network, then Armis will generate an alert.
Armis detects when firmware is downloaded to PLCs. Then, if the new firmware causes the behavior of a PLC to change abnormally, Armis will detect and issue an alert.
Armis detects when programs are downloaded to PLCs. Then, if the new program causes the behavior of a PLC to change abnormally, Armis will detect the abnormality and issue an alert.
Armis is able to detect when a PLC has been reprogrammed and alert on that activity.
Armis passively monitors device communications across the network, and is able to profile every device to determine the current version of system firmware that is operating. This gives our customers the ability to monitor the firmware version across devices, understand the known threats to the firmware, and intelligently manage their firmware upgrade strategy.
Armis’ passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.
Armis identifies all known software vulnerabilities. This facilitates proactive attempts to remediate vulnerable devices, remove them from the network, or provide other forms of risk mitigations. Once a device has been exploited for evasion, Armis can detect and alert on behavioral changes.
Armis’ passive network monitoring is able to detect an adversary’s remote commands related to removing indications of their presence on a specific host.
Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior.
Armis passively monitors device communications and can alert whenever a device communicates with a rogue master device.
Armis’ passive network monitoring enables Armis to detect abnormal behavior which is indicative of a rootkit. If the adversary is targeting a PLC for the rootkit, Armis will detect when the configuration and firmware have been altered.
Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.
Armis is able to detect and alert on PLC Mode Changes.
Armis can detect abnormal network traffic which may indicate an adversarial attempt at conducting control device identification.
Armis’ passive network monitoring enables Armis to detect when an adversary attempts to conduct input/output discovery over the network.
Armis passively monitors device communications and can be configured to alert on the presence of unauthorized network scans, netstat use, or other abnormal network traffic indicative of network connection enumeration.
Armis detects and alerts on port scanning.
Armis’ passive network monitoring detects when an adversary attempts to exfiltrate information sniffed from a network.
Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with remote system discovery.
Armis’ passive network monitoring and device profiling allows Armis to detect unauthorized or abnormal network traffic associated with querying a device for its serial connections information.
Armis’ passive monitoring of network traffic, combined with device profiling, allows Armis to detect and alert on credentials transiting the network. It can also detect when one device connects to another, and is able to create alerts which may indicate that default credentials are being used.
Armis’ passive network monitoring allows Armis to detect when a device uses remote services in an abnormal manner, e.g. for lateral movement.
Armis’ passive network monitoring allows Armis to characterize the behavior of all network participants, even if they are entering the network through an external remote service. The network traffic from external remote services is monitored, and alerts can be created for abnormal or suspicious behavior.
Armis is able to detect when a PLC has been reprogrammed, and policies can be created to alert on this behavior.
Armis’ passive monitoring and device profiling can detect when a system is remotely copying files.
Armis’ passive monitoring and device profiling can detect when abnormal network connections are being made, which is indicative of an adversary using valid accounts to conduct lateral movement outside of the normal behavior for the legitimate account holder.
Armis’ passive network monitoring is able to detect and alert on new or abnormal network activity, including the use of tools and scripts which are used for automated collection.
Armis’ passive network monitoring is able to detect and alert on unauthorized or abnormal connection attempts to connect to information repositories.
Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.
Armis is able to detect and alert on a wide range of PLC-specific network traffic, including the commands related to monitoring the PLC status which would be used by an adversary to determine the current state of the PLC.
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to extract I/O images.
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to identify the device’s location.
Armis’ passive network monitoring and device profiling can detect and alert on unauthorized connections to ICS devices which could be used to detect the devices’ process state.
Armis’ passive network monitoring and device profiling can detect and alert on the network traffic associated with querying devices for their point and tag information.
Armis passively monitors device communications and can alert whenever Armis observes unauthorized file transfer such as a program upload.
Armis passively monitors device communications and can be configured to alert whenever Armis observes connections made to the network which an adversary may use to conduct reconnaissance for role identification.
Armis’ passive network monitoring allows Armis to detect when a device is attempting to exfiltrate a screen capture to the adversary, and to alert when this is detected.
Armis’ threat detection engine can detect when a commonly used port is being used to communicate in an abnormal manner.
Armis passively monitors device communications and associates active ports, services, and protocols with each device. Armis’ policy engine can be configured to alert or remediate (e.g. quarantine) whenever Armis observes the use of an unauthorized connection proxy. If the outbound traffic from the proxy is monitored by Armis, then Armis can alert on traffic that is connecting to known malicious sites.
Armis’ passive network monitoring and device profiling allows Armis to establish “known good” traffic patterns over commonly used application protocols. If an adversary attempts to establish command and control over these commonly used protocols, Armis will detect and alert on this abnormal behavior.
Armis is able to detect a wide range of PLC-specific commands, including the commands related to updating or modifying the firmware.
Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or is behaving outside of normal parameters. If so, this may indicate that an adversary is attempting to suppress that device’s alarms.
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block command messages.
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block reporting messages.
Armis’ passive network monitoring, device profiling, and deep understanding of ICS protocols allows Armis to detect when a PLC has been altered or if the device is behaving outside of normal parameters which would be required prior to an adversary being able to block a serial communications port.
Armis’ passive network monitoring and device profiling allows Armis to detect and alert on abnormal network traffic associated with data destruction commands.
Armis is able to detect intentional or unintentional denial of service events and can be configured to alert when certain network thresholds are met.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to shut down and restart a device.
Armis’ deep understanding of ICS protocols allows Armis to detect when a PLC has been altered, e.g. by an adversary attempting to manipulate the device’s I/O image.
Armis can detect abnormal PLC modification which may be used by an adversary to modify the alarm settings.
Armis can detect abnormal PLC modification which may be used by an adversary to modify the control logic.
Armis’ passive network monitoring allows Armis to detect abnormal PLC modification which may be used by an adversary to modify the existing program in the PLC.
Armis’ passive network monitoring allows Armis to detect abnormal PLC modification such as the installation of a rootkit. For any network device, Armis is able to detect abnormal behavior which may be indicative of a system with an active rootkit installed. If an adversary manages to install a rootkit on a non-PLC host, Armis can detect and alert on the abnormal behavior associated with that rootkit.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to update the firmware on a device.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the operating mode of a device.
Armis’ passive network monitoring allows Armis to detect abnormal I/O related network traffic indicative of brute force I/O.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.
Since Armis monitors the behavior of devices, not the files on the devices, Armis is not fooled by attackers’ masquerading techniques. Armis passively and continuously monitors the behavior of every device to detect and alert on abnormal behavior or unauthorized devices.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the program loaded on the device.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the configuration of the device.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the firmware of the device.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including configure commands which are used to change the programming of the device.
Armis can be configured so that any control message not generated by a legitimate master device triggers an alert.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC activities and commands including Stop commands which are used to stop the service of the device.
Armis’ passive network monitoring allows Armis to detect abnormal message traffic which may be indicative of message spoofing.
Armis can create an alert if command messages are transmitted by unauthorized controllers.
Armis detects device vulnerabilities in the ICS environment, which allows security managers to take proactive steps to mitigate risks in order to prevent a successful attack and prevent damage to property. If devices begin to act abnormally, alerts will be generated, ideally in time to prevent any damage to property.
Armis’ passive network monitoring and device profiling enables Armis to detect and alert on the PLC messages required to prevent ICS devices from communicating with their controllers. Armis can be configured with policies which generate alerts if the devices do not connect to the controller as scheduled.
Armis’ passive network monitoring detects and tracks all device communications and can provide insight into when devices have last appeared on the network.
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of availability.
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of control.
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of productivity and revenue.
Armis’ passive network monitoring, device profiling, asset discovery, and vulnerability analysis allow Armis to help the customer secure their network and ICS devices, as well as detect adversarial efforts to cause a loss of safety.
Armis can support a loss of view situation by providing customers with detailed information on each device, when it was last seen on the network, and its last risk profile. This assists customers in prioritizing restoration of the connections to the ICS devices.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.
Armis’ passive monitoring is able to detect and alert on a wide variety of PLC messages including those used to change the configuration and settings of the device.
Armis’ passive monitoring can be implemented with policies that generate alerts when unauthorized devices attempt to make connections, including connections used for the collection and exfiltration of operational data.