Operationalizing MITRE Engage: Deception Opportunities with APT Cyber Tools Targeting ICS/SCADA Devices

On April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. (Note, the Resources section of this CSA references additional reporting from Mandiant and Dragos)

The CSA details the technical capabilities of the tools, as well as a series of mitigations defenders can implement to protect vulnerable systems. These denial activities are essential to ensure critical system security. However, for defenders looking to implement adversary engagement strategies, such denial activities are only part of the picture. As shown in the figure below, adversary engagement is supported by two pillars: denial AND deception.

Denial and deception, coupled with strategic planning and analysis, are the pillars of adversary engagement.

This short post is intended to complement the reported denial activities by outlining possible deception activities.

Deception Opportunities

The APT actors’ tools enable them to scan for, compromise, and control Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. Denial and deception activities can be used to manipulate and disrupt these capabilities in ways that are advantageous to the defender.

Within the Production Network

Firstly, defenders have several opportunities to introduce silent tripwires to alert on possible malicious activity. Some examples of using deception for tripwires includes:

• Defenders can include relevant decoy devices to identify scanning attempts or other malicious activities. Defenders may stand up actual devices as high-interaction honeypots or deploy simulated low-interaction honeypots. Some open-source simulated options are available in the section below entitled Open-Source ICS/SCADA Honeypots. The decision to use a high-interaction honeypot, a low-interaction honeypot, or some combination of both should consider the defender’s goals, the length of the operation, the specifics of a given piece of malware, etc. For example, a low-interaction honeypot may be more than sufficient to identify reconnaissance activity but fail to provide a realistic enough environment for prolonged threat intelligence collection.
• Defenders can setup decoy accounts with commonly used passwords to alert on brute-force attempts. Defenders should monitor for the use of these decoy credentials elsewhere in the network.
• Defenders can intentionally introduce vulnerable systems or weaken security controls on decoy systems to lure adversaries towards tripwires. By examining the mitigations listed in the CSA, as well as the reports by Mandiant and Dragos, defenders can begin to identify various knobs that can be used to encourage (i.e. more permission security controls) or discourage (i.e. less permissive security controls) malicious behavior. Defenders should be selective as they adjust these security controls and introduce vulnerabilities as a network that is overly permissive or vulnerable can be a red flag for adversaries.

In addition to providing valuable high-fidelity alerts for the defender, decoy assets can be used to drive up the costs while driving down the value of the adversary’s operations. If the adversary is unaware of the deployed deception assets, they can waste time targeting fake assets. If the adversary is aware of the deception assets, they may still experience increased operating costs, as they are now required to spend time determining whether a given asset is real or fake. While the adversary may discover the deception on their own, in some instances the defender may choose to intentionally reveal the deception. Organizations should think carefully about the risk/reward balance before publicizing their use of deception. For a deeper discussion on Operations Security (OPSEC), check out the MITRE Engage Practical Guide to Adversary Engagement.

While decoys waste the adversary’s time, information manipulation can provide the adversary with false or misleading data. This false data may include fake design documents, schedules, rotational data, or similar artifacts that provide insight on operations. When creating fake data, it is important to plan your engagement narrative carefully. Planning will ensure that you are telling a consistent, coherent, and believable story that protects your most valuable data.

Within an Isolated Engagement Network

It may be possible to move adversaries into an isolated engagement environment to observe activities and gather valuable Cyber Threat Intelligence (CTI). Such an environment should be realistic enough to reassure the adversary of the environment’s legitimacy, and interesting enough to motivate the adversary to reveal additional Tactics, Techniques, and Procedures (TTPs). If an infected device is discovered, it can be moved to this engagement environment for continued analysis. In an isolated environment, defenders can include many of the same deceptive assets and configurations as described above. However, now, there should be no valuable production data or assets. On one hand this lowers the risk to production assets (there are no production assets!). On the other hand, the defender must create fake assets both as Lures and Pocket Litter to maintain believability. As mentioned above, defenders should be selective of which vulnerable assets and configurations are used. A network that is overly permissive or vulnerable can be a red flag for adversaries.

Open-Source ICS/SCADA Honeypots

HoneyPLC

https://github.com/sefcom/honeyplc

HoneyPLC is a high interaction PLC honeypot designed to simulate multiple PLC models from different vendors. It can log S7comm interactions and can store Ladder Logic programs injected by an attacker. It can also log SNMP get requests and HTTP login attempts. It is brought to you by the cybersecurity lab SEFCOM at Arizona State University and Efrén López. For more information, see the paper published by the HoneyPLC team: https://dl.acm.org/doi/10.1145/3372297.3423356

ConPot

http://conpot.org/

ConPot emulates a number of operational technology control systems. These include protocols like MODBUS, DNP3 and BACNET. It comes with a web server that can emulate a SCADA HMI as well.

GasPot

https://github.com/sjhilt/GasPot

GasPot emulates a Veeder Root Guardian AST that is commonly used for monitoring in the oil and gas industry.

©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited PR_21–01759–32