FireEye Proposes Converged Enterprise and ICS ATT&CK Matrix

FireEye's Mandiant Threat Intelligence and MITRE have collaborated on a new visualization that merges the two separate Enterprise ATT&CK and ICS ATT&CK threat knowledge bases into a single holistic view of both IT and OT attack behaviors.


In developing its ICS ATT&CK matrix, MITRE stressed that it is necessary to understand both Enterprise ATT&CK and ICS ATT&CK to accurately track threat actor behaviors across OT incidents. But just as the historical divide between IT and OT can lead to loss of visibility between the two, so too can the separation of ATT&CK into Enterprise and ICS lead to a loss of visibility on attacker behaviors.


The problem centers on what FireEye describes as 'intermediary systems'. These may structurally be part of OT, yet they run on standard enterprise operating systems. Because they are used to control the ICS equipment, they also run non-enterprise software. Enterprise ATT&CK can map attacker behavior up to the intermediary systems, but loses visibility in the handover to ICS. This gap matters for a complete view of attack behavior because most of a sophisticated attack's activity takes place on the intermediary systems.


"Over the past 5 to 10 years," Nathan Brubaker, senior manager at Mandiant Threat Intelligence told SecurityWeek, "every sophisticated ICS attack instance we have observed has passed through these intermediary systems on their way to impacting ICS. This includes malware like Stuxnet, Triton and most others. Ninety to ninety-five percent of threat actor activity occurs on these intermediary systems." So that's the most likely place you're going to find ICS attackers, and the best opportunity to stop them. Once they get beyond the i ..