Understanding MITRE ATT&CK ICS and Securing ICS with Zero Trust Segmentation
Many businesses choose to run their disparate systems on a single network to include IP cameras, human-machine interface systems, applications, and controllers to smart assets and IT critical infrastructure assets in the same segment. Lateral moving ransomware propagates freely across these types of networks.
Understanding the Triton malware attack
An attack like Triton can be dissected into concrete actions that reveal how the attacker executes his plan. One example of an evasive tactic is using a specific file name, “trilogy.” This file is designed to fool engineers into believing that they are viewing a legitimate log analysis tool. Once the engineer opens the file, he is tricked into executing a malicious payload. This demonstrates the attackers’ strategy and approaches to achieving their goal. By applying these techniques, we can improve our defenses against similar attacks.
Traditional OT networks use LAN solutions, such as VLANs on switches, to protect their networks from malware. However, these LAN solutions are not sufficient to prevent malware from spreading throughout an organization’s entire IT infrastructure.
The Triton virus spreads through the IT network by exploiting vulnerabilities in unpatched software on vulnerable computers. Once the virus has infected these machines, it then begins searching for additional hosts to infect.
MITRE frameworks simulate the actions of the TRISIS (aka Triton) cyberattack toolkit. It has been used to compromise critical infrastructure systems around the world, from oil refiners to water purification plants
SecOps teams continue to enable MITRE ATT&CK framework, Lockheed kills and attacks chain steps, IEC 62443, and Zero Trust. Without these tools, threat hunting and incident response functions take longer to complete.
Cybersecurity governance approach to attacks
Although VLANs are essential to any ICS/IT convergence strategy, they do not provide adequate protection against advanced threats. VLANs allow devices to freely exchange data across a single subnet’s boundaries. However, if a device is compromised, it may be able to send malicious traffic to other devices on the same subnet. In addition, VLANs cannot inspect the communication within the same subnet. A compromised device could communicate with other devices on the same VLAN without detection.
Understanding MITRE ATT&CK ICS framework and threat modeling
(Image Source: https://www.mitre.org/)
If we look at the discovery and lateral movement phase of the attack as per MITRE:
The adversary technique is locating information to assess and identify their targets in your environment.
Discovery is a process whereby one identifies potential targets within a given environment. Once identified, the target is assessed for vulnerabilities. Once identified, the intruder moves laterally across the system to attack additional targets.
The adversary is trying to move through your ICS environment.
The threat landscape today includes lateral movement and masquerading techniques, which can be performed by any means, including social engineering, phishing, malware, credentials theft, and brute force attack. Once inside the target system, an attacker can steal data, install malicious software, modify configuration settings, or delete files.
So both phases of attack require much attention. Organizations are now adopting the zero trust model to ensure the best possible security measures for them.
How Agentless Segmentation or Micro-segmentation can Eliminate Threat Movement
Zero-trusting architectures follow the principle “Never Trusted, Always Verify”. They enforce security by blocking inappropriate actions based on context (such as the user’s identity, device, and the requested resource).
Microsegmentation allows you to create more fine-grained controls over network connections within your infrastructure. You can use them to ensure that specific devices (such as PLCs) can’t talk to one another without explicit permission from IT administrators.
A PLC is an industrial computer that is ruggedized and designed for controlling production processes, such as assembly line robots, machines, etc.
To ensure that our systems are best protected from the discovery and lateral movement phase of the attack, MITRE has also guided a remediation plan.
We need to make sure that:
Define the network: To implement a zero-trust policy, first define the attack surface by identifying which critical apps, systems, data, and services need protection.
Map traffic: Traffic mapping helps organizations understand how different parts of their networks communicate. Organizations can better control access to sensitive data and applications by understanding these interactions.
Architect the network: A zero trust architecture should be tailored to a company’s specific needs. A next-generation firewall (NGFW) provides a segmented gateway for companies to add additional layers of security and inspection internally.
Create a policy: A zero trust policy allows an organization to create a whitelist of devices (and people) with specific permissions to use certain resources.
Monitor and maintain: Finally, the strategy should be monitored regularly to gain insights into network activity and be updated when necessary.
Benefits of Airgap Networks
Many organizations have already invested in hardware and software-defined network segmentation strategies. Many of these strategies in time became unmanageable and never produced a true security value to the clients. The cost of software-defined networking (SDN) deployment along with the investment in human capital makes this strategy decision challenging, with no real-time value recognition.
The complexity of today’s hybrid, multi-cloud and on-premises environments make it difficult for organizations to get micro-segmentation up and running. Airgap takes the agentless approach and solves a year-long problem by providing an efficient and forklift-free way to deploy granular and zero-trust security policies without disrupting your current IT network investments.
Aligning the MITRE ATT&CK framework gives threat hunters and incident response team guidance to determine where in the organization the attacks are impacting most.
Network segmentation reduces the impact of attacks. When segmenting a network, NetSecOps teams divide the network into smaller domains for better security control and restriction of protocol and port per segment. Segmented networks can improve network performance by restricting specific traffic only to the portions of the network that need access.