Threat Prevention with the MITRE ATT&CK Matrix

At Securicon, we take an OT-centered approach to serving asset owners. With the aid of the MITRE ATT&CK Framework (ATT&CK), we design tailor-made scenarios to test OT defenses and detection. By outlining the methods adversaries use to infiltrate a network, maintain persistence and exfiltrate data, ATT&CK is a tool that can assist asset owners in building a cybersecurity program for industrial control systems (ICS).

Why Should Asset Owners Care?

Today, asset owners have begun to monitor information technology (IT) and operational technology (OT) events with a single security operations center (SOC). This allows them to receive security alerts from the enterprise level of the Purdue Model down to the process control layer from one location. With so much information flowing into one place, the ATT&CK Matrix helps us identify what asset owners should be watching for in their environments.

Our Approach

Overview

At Securicon, we approach the ATT&CK framework as a punch list of events that asset owners should monitor carefully. We utilize these methods in our ICS threat simulation (Threat Prevention Team) to test the asset owner’s defensive analysts (Blue Team). Through these methods, we are able to identify the respective strengths and weaknesses of their security program. In the following sections, we will outline the steps of a typical adversarial simulation.
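As an added example (not Securicon’s own tooling), the "punch list" idea from the two paragraphs above can be made concrete: a single IT/OT SOC lists the ATT&CK for ICS techniques it has agreed to watch, the Purdue levels where each is expected to surface, and the detection rules it actually has, then reports where coverage is missing. The technique IDs are assumed to match the published ATT&CK for ICS matrix and should be verified against it; the Purdue levels, rule names and detection inventory are constructed for illustration.

```python
"""Detection coverage punch list: which agreed ATT&CK for ICS techniques the
SOC can actually see, broken down by Purdue level (4 enterprise ... 1 control)."""
from collections import defaultdict

# Punch list agreed with the asset owner. IDs assumed to be ATT&CK for ICS
# technique identifiers (verify against the matrix); the set holds the Purdue
# levels at which each technique is expected to show up (constructed values).
PUNCH_LIST = {
    "T0865": ("Spearphishing Attachment", {4, 5}),
    "T0859": ("Valid Accounts", {2, 3, 4}),
    "T0886": ("Remote Services", {2, 3}),
    "T0846": ("Remote System Discovery", {2, 3}),
    "T0843": ("Program Download", {1, 2}),
    "T0855": ("Unauthorized Command Message", {1, 2}),
}

# Constructed SOC detection inventory: each rule names the technique it covers
# and the Purdue level where its sensor sits.
DETECTIONS = [
    {"rule": "mail-gw-attachment", "technique": "T0865", "level": 4},
    {"rule": "ad-anomalous-logon", "technique": "T0859", "level": 4},
    {"rule": "jump-host-rdp-new-src", "technique": "T0886", "level": 3},
    {"rule": "ot-netflow-scan", "technique": "T0846", "level": 2},
]


def coverage_report(punch_list, detections):
    """Return {technique_id: {"covered": set(levels), "missing": set(levels)}}."""
    seen = defaultdict(set)
    for d in detections:
        seen[d["technique"]].add(d["level"])
    report = {}
    for tid, (_name, expected_levels) in punch_list.items():
        covered = expected_levels & seen[tid]
        report[tid] = {"covered": covered, "missing": expected_levels - covered}
    return report


def uncovered_techniques(report):
    """Technique IDs on the punch list with no detection at any expected level."""
    return sorted(tid for tid, r in report.items() if not r["covered"])


if __name__ == "__main__":
    rep = coverage_report(PUNCH_LIST, DETECTIONS)
    for tid, r in rep.items():
        print(f"{tid} {PUNCH_LIST[tid][0]}: covered at L{sorted(r['covered'])}, "
              f"missing at L{sorted(r['missing'])}")
    print("no coverage at all:", uncovered_techniques(rep))
```

The blind spots this surfaces (here, no visibility of program downloads or unauthorized command messages at the control levels) are exactly the events a simulation should be scoped to exercise.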

Scoping & Initial Engagement

Securicon and trusted individuals working for the asset owner monitor the Threat Prevention Team’s activities to determine mission success. We start by developing scenarios of initial access for the asset owner to approve; a common arrangement includes a combination of vulnerability exploitation and social engineering used to gain unauthorized network access.

During the scoping process, asset owners are given the opportunity to select events from the ATT&CK framework for Securicon’s Threat Prevention Team to simulate. Otherwise, the Threat Prevention Team acts on its own discretion and expertise to accomplish the simulation’s objective.

During the Engagement

After scoping and initial contact are concluded, the Blue Team receives regular updates allowing them to observe simulation progress. Securicon uses numerous methods to move laterally through the asset owner’s network until we reach the OT layer. Using internal reconnaissance, exploitation and post-exploitation techniques, the Threat Prevention Team will continue until its mission is completed.

Post-Engagement

After the mission is complete, the Threat Prevention Team compiles their findings into a report for the asset owner’s trusted individuals. Additionally, asset owners will often request a presentation for their executive team. Using the ATT&CK Framework for reference, the Threat Prevention Team will explain their progression through the asset owner’s network with maps and other visual aids.

As OT malware like Triton/Trisis, Industroyer, BlackEnergy, and Stuxnet continue to propagate, asset owners need to be prepared for threat events. Asset owners in the process of building an ICS Security Program should utilize adversarial threat simulation services to discover security gaps.

While malware rarely conforms to the MITRE ATT&CK Framework point-by-point, Securicon’s senior consultants are prepared for any eventuality. We combine individual research and experience to assess defenses rigorously, leaving no stone unturned. Real-life scenarios like Triton/Trisis can be perfectly simulated using custom-built ICS modules that imitate valid communication within the OT network.


Harry Thomas is a senior-level cybersecurity consultant who works with industries that require security in high-availability networks, such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, which are trusted by critical infrastructure companies across the U.S. and by other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!