ATT&CK Evaluations Expands to Industrial Control Systems

Otis Alexander
MITRE-Engenuity
Published May 5, 2020

Two years ago, we launched ATT&CK Evaluations to drive the enhancement of endpoint detection solutions. Although the ATT&CK knowledge base provided a common language to map adversary tactics and communicate the capabilities of different solutions, it was impossible to make authoritative claims about where solutions provide detection coverage without a common, independent assessment. ATT&CK Evaluations were designed to fill this information gap and add transparency to the effectiveness of these solutions in detecting known adversary behavior. The evaluations gave users reliable information about tool performance, and gave endpoint detection vendors objective information on how to improve their products.

ATT&CK Evaluations have grown rapidly since their launch. The first round of ATT&CK Evaluations, emulating APT3, started with seven vendors in late 2018, with five additional rolling admission entries released by October 2019. The second round, emulating APT29, extended to 21 vendors, with the results released this past April. We recently announced the latest round, emulating the threat groups identified as Carbanak and FIN7.

This third round marked the move of ATT&CK Evaluations to MITRE Engenuity, MITRE’s tech foundation that collaborates with the private sector on challenges that require public interest solutions. Moving to MITRE Engenuity gives us more flexibility to expand the scope of ATT&CK Evaluations, providing a platform from which to make the same impact on other areas of cybersecurity that we have had on endpoint detection. We have a lot of ideas in the works, but for now, we wanted to share our first major expansion:

Introducing ATT&CK Evaluations for ICS

Today, we’re announcing ATT&CK Evaluations for Industrial Control Systems (ICS), that is, the systems and networks used to manage critical infrastructure and industrial processes. In January 2020, MITRE released ATT&CK for ICS, an ATT&CK knowledge base of the tactics and techniques that cyber adversaries use when attacking industrial control systems. It highlights the unique aspects of the specialized applications and protocols that ICS operators typically use, and adversaries take advantage of, to interface with physical equipment.

The ICS network detection landscape has changed rapidly in recent years, with the development of new solutions, consolidation of vendors, and improving technological approaches. These changes have made it difficult for consumers to understand the capabilities of various solutions, even as these solutions have become more widely adopted. Based on our early conversations with vendors, we recognized that ATT&CK Evaluations could help bring clarity to the market for both users and vendors, and the newly developed ATT&CK for ICS knowledge base gives us the tool to build such an evaluation. Just as we did with the endpoint detection market, the new ATT&CK Evaluations for ICS will help to improve the practice of ICS network detection by empowering users to make more informed decisions about ICS network detection and by driving solutions to address known adversary behavior. ATT&CK for ICS provides the common language, and adversary emulation will allow us to test “in the style of” a specific adversary, allowing us to scope the evaluation and ensure our evaluations are informed by known threats. The ICS evaluations will focus on ICS detection platforms that use anomaly, configuration, and/or behavior detection methodologies.

As with our enterprise ATT&CK Evaluations, these evaluations are not a competitive analysis. We will not rank or rate the products, nor will we declare a “winner.” Instead, we will openly publish how each vendor detects and contextualizes the threat’s use of specific techniques and tactics within the context of the ATT&CK for ICS knowledge base so that the general public may benefit from our findings and conclusions.

TRITON Malware (TEMP.VELES/XENOTIME) Adversary Emulation

For the first round of the ATT&CK Evaluations for ICS, we will extract and emulate the behaviors of TRITON, a malware framework designed to manipulate industrial safety systems, most notably used in an attack against a petrochemical and refinery complex in Saudi Arabia in 2017. TRITON has been attributed to a Russia-based threat group that has targeted critical infrastructure[1], identified by FireEye as TEMP.Veles[2] and by Dragos as XENOTIME[3].

TRITON has been used to target and compromise industrial systems, specifically systems that are designed to provide safety and protective functions. TRITON has been used against the oil & gas and electrical sectors in the Middle East, Europe, and North America, and has also been reported to have targeted ICS vendors, manufacturers, and organizations in the Middle East. This malware is one of the few in the ICS space with reported destructive capabilities.

The TRITON malware is most famously known for inhibiting response functions in an ICS network.[4] Specifically, TRITON is known for trying to prevent safety systems from responding to a failure, hazard, or unsafe state. In addition, TRITON shows the capability to simultaneously impair process control to disrupt control logic and cause detrimental effects to processes being controlled in the target environment. The combination of these two goals has resulted in TRITON being dubbed the “world’s most murderous malware.”[5]

One of the most striking differences between our new ATT&CK Evaluations for ICS and our ATT&CK Evaluations for enterprise is the testbed on which they operate. While ATT&CK Evaluations for enterprise use a cloud-based test environment, the ICS evaluations will leverage a testbed environment that represents elements of the burner management function of the Saudi petrochemical facility that was targeted by the TRITON malware in 2017.

Community Contributions

As we did with our recent rounds of ATT&CK Evaluations, we welcome your contributions on the TRITON (also known as TRISIS) malware and TEMP.VELES/XENOTIME adversary to help inform our emulation plans. In order to make this adversary emulation open call as effective as possible, we ask that you focus your contributions on the following questions:

* Do you have clear information about how TEMP.VELES/XENOTIME operates in ICS environments outside of the use of TRITON/TRISIS?

* Are there behaviors regarding ATT&CK for ICS techniques used in the TRITON/TRISIS malware or otherwise used by TEMP.VELES/XENOTIME that are not currently captured in the Technique Scope (see the synopsis posted at https://mitre-engenuity.org/attackevaluations/)?

* Is there any other relevant information that should be considered for an emulation of the TRITON/TRISIS malware and TEMP.VELES/XENOTIME that you believe is novel (i.e. not well documented publicly) yet supported by credible and shareable evidence?

Contributions are due June 1, 2020, to ensure we have time to review your inputs and integrate them into our emulation plans. The process for sharing is the same as always:

* Email us your contribution (if you’d prefer secure means, email us and we’ll get back to you with a secure sharing method). Your real name must be included for your information to be considered. Contributions from company accounts may add to the credibility of the information, but we are always happy to accept contributions from independent researchers.

* We are looking for information about the group’s behaviors as well as the overall way they perform intrusions. Information structured using ATT&CK for ICS tactics and/or techniques is helpful, but not required.

* Tell us how you would like to be credited. You can choose to be credited with your name and/or company name, or alternatively, you can choose to remain anonymous. For any anonymous contributors, we will work with you to produce a short statement about the general visibility you have that led to you having access to the information.

We will not accept any leaked, proprietary, or sensitive information that was not released with the permission of the original source. Contributions are strictly on a voluntary basis for researchers and analysts who wish to share their own information.

Join ATT&CK Evaluations for ICS!

We have had the opportunity to collaborate with great companies and amazing people from across the industry during our previous ATT&CK Evaluations. We have been able to see how products in the endpoint detection space are evolving to address emerging threats. We’re excited to be tackling the new challenge of working in the ICS space, and are looking forward to engaging with a whole new set of innovative vendors. If you’re interested in participating in the TRITON ICS ATT&CK Evaluation or are looking for more information, including a detailed synopsis containing more information on the scope and environment, please contact us.

[1] https://www.cyberscoop.com/trisis-russia-fireeye/

[2] https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

[3] https://dragos.com/resource/xenotime/

[4] https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

[5] https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

© 2020 MITRE Engenuity. Approved for public release. Document number AT0002
