MITRE Seeks Contributions for ICS ATT&CK Evaluations to Enhance Emulation

Summary:
Non-profit organization MITRE announced a call for intelligence contributions for ATT&CK evaluations addressing ICS (industrial control systems) to enrich its emulation. The enhanced insight from contributors enables a more holistic emulation approach that reflects the breadth of adversary behaviors. Round 2 of ICS will focus on evaluating product capabilities against adversary behavior inspired by insider attacks within the ICS/OT domain.

“Whether malicious or negligent, insiders pose a significant threat to the operations of asset owner infrastructure,” Otis Alexander, ICS Lead for ATT&CK Evaluations at MITRE wrote in the notice. “With extensive knowledge about company operations coupled with physical and remote access, malicious insiders can pose critical impacts by executing stealthy and targeted attacks.”

Alexander noted that ICSR2 (ICS Round 2) will focus on insider threat activity as it applies to incidents in the ICS/OT domain, to see how participant solutions help address this type of threat.

He added that for this emulation, MITRE is looking for TTPs (tactics, techniques, and procedures) and other activities reported in use by malicious insiders, including: actions taken by malicious insiders in ICS/OT environments, especially to manipulate process and alarm systems; assets and technologies targeted by this activity, such as transient assets and remote access infrastructure; and any other relevant information that is novel (i.e., not widely documented publicly).

For community contributions, anyone interested in contributing to this upcoming round should email their contribution to ‘ics@mitre-engenuity.org’. Contributors who prefer a secure channel can email MITRE at the same address and will be sent a secure sharing method. The contributor's real name must be included for the information to be considered.

Contributions from company accounts may add to the credibility of the information, but contributions from independent researchers are also welcome. MITRE is seeking information about insider threat behaviors as well as the overall way the activities are carried out. Information structured using ATT&CK tactics and/or techniques is helpful but not required.

Alexander wrote that MITRE also gives contributors the choice to tell them how they would like to be credited. “You can choose to be credited with your name and/or company name or you can choose to remain anonymous. For any anonymous contributors, we will work with you to produce a short statement about the general visibility you have that led to you having access to the information.”

He also mentioned, “We will not accept any leaked, proprietary, or sensitive information that was not released with the permission of the original source. Contributions are strictly on a voluntary basis for researchers and analysts who wish to share their own information.”

In conclusion, Alexander said, “During the remainder of this year, we will be releasing more content.”

Security Officer Comments:
In June, MITRE introduced ACID (ATT&CK-based Control-system Indicator Detection for Zeek), a compilation of OT (operational technology) protocol indicators. These indicators use CISA’s ICSNPP parsers to identify specific behaviors outlined in the ATT&CK for ICS (industrial control systems) framework.

Earlier, in April, MITRE outlined that its ATT&CK 2024 goals are to improve broader usability and enhance actionable defensive measures for practitioners across every domain. This includes exploring scope adjustments and platform rebalancing, and implementing structural modifications with the introduction of ICS (industrial control system) sub-techniques by October.

Link(s):
https://industrialcyber.co/control-...r-ics-attck-evaluations-to-enhance-emulation/