Article

Mar 10, 2020

MITRE Att&ck for IT ICS: Remote System Discovery

0 min read

About MITRE Att&ck for IT Industrial Control Systems (ICS)

About MITRE 

MITRE Att&ck, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques that help inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS).

IT ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise on their operation could impact the health and safety of humans.

According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:

  • Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage equipment, create environmental impacts, and/or endanger human life.

  • Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have broad negative effects.

  • ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.

  • Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.

  • Interference with the operation of safety systems, which could endanger human life.


Remote System Discovery (T846):

Remote System Discovery identifies the presence of hosts on a network, collecting details such as their IP address, and hostname, along with other identifying information to move laterally within the system. Remote system discovery allows adversaries to map out hosts on the network and TCP/IP ports that are open closed or filtered for future-attack targets.

An example of this is the Backdoor, Oldrea ICS malware plugin. This plugin works to discover all servers reachable by a compromised machine over the network, including OPC Servers, by using Windows (WNet).

Recommended Mitigation Techniques:

  • Use VLANs: Segment the network with VLANs to allow switches to enforce security policies and segregate traffic at the Ethernet layer.

    • Your network can be segmented to any configuration using the Wicket-Enclave system. Wickets provide whitelisting capabilities, and Enclaves provide segmented access channels to the subnets.

  • Restrict authorization: Secure and limit authorization to the control room and the physical environment, and confine ICS devices to designated areas.

    • Dispel ensures that authorization is limited to a specific system, to which only certain admins have access after strong authentication.

  • Employ VPNs: Utilize VPNs to further restrict access in and out of control system computers and controllers.

    • More secure than traditional VPNs, all of Dispel’s networks are moving target defense SD-WANs which facilitate traffic and access in and out of control system computers and controllers.

  • Keep tabs on the network: Monitor the network and enforce access control practices; e.g. whitelisting.

    • Dispel Wickets provide real-time whitelisting out of the box.

  • Develop a detection plan: Implement heuristics to detect monitoring and invasive probing activity on the network, and ensure devices and patches are current.

    • Although this is mostly left as an exercise to management, Dispel provides full traffic logs which can be pushed to a storage server or integrated with a pre-existing intrusion detection system.

Remote access has become a necessity for organizations operating IT ICS. Your time matters and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.

About MITRE Att&ck for IT Industrial Control Systems (ICS)

About MITRE 

MITRE Att&ck, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques that help inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS).

IT ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise on their operation could impact the health and safety of humans.

According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:

  • Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage equipment, create environmental impacts, and/or endanger human life.

  • Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have broad negative effects.

  • ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.

  • Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.

  • Interference with the operation of safety systems, which could endanger human life.


Remote System Discovery (T846):

Remote System Discovery identifies the presence of hosts on a network, collecting details such as their IP address, and hostname, along with other identifying information to move laterally within the system. Remote system discovery allows adversaries to map out hosts on the network and TCP/IP ports that are open closed or filtered for future-attack targets.

An example of this is the Backdoor, Oldrea ICS malware plugin. This plugin works to discover all servers reachable by a compromised machine over the network, including OPC Servers, by using Windows (WNet).

Recommended Mitigation Techniques:

  • Use VLANs: Segment the network with VLANs to allow switches to enforce security policies and segregate traffic at the Ethernet layer.

    • Your network can be segmented to any configuration using the Wicket-Enclave system. Wickets provide whitelisting capabilities, and Enclaves provide segmented access channels to the subnets.

  • Restrict authorization: Secure and limit authorization to the control room and the physical environment, and confine ICS devices to designated areas.

    • Dispel ensures that authorization is limited to a specific system, to which only certain admins have access after strong authentication.

  • Employ VPNs: Utilize VPNs to further restrict access in and out of control system computers and controllers.

    • More secure than traditional VPNs, all of Dispel’s networks are moving target defense SD-WANs which facilitate traffic and access in and out of control system computers and controllers.

  • Keep tabs on the network: Monitor the network and enforce access control practices; e.g. whitelisting.

    • Dispel Wickets provide real-time whitelisting out of the box.

  • Develop a detection plan: Implement heuristics to detect monitoring and invasive probing activity on the network, and ensure devices and patches are current.

    • Although this is mostly left as an exercise to management, Dispel provides full traffic logs which can be pushed to a storage server or integrated with a pre-existing intrusion detection system.

Remote access has become a necessity for organizations operating IT ICS. Your time matters and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.

About MITRE Att&ck for IT Industrial Control Systems (ICS)

About MITRE 

MITRE Att&ck, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques that help inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS).

IT ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise on their operation could impact the health and safety of humans.

According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:

  • Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage equipment, create environmental impacts, and/or endanger human life.

  • Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have broad negative effects.

  • ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.

  • Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.

  • Interference with the operation of safety systems, which could endanger human life.


Remote System Discovery (T846):

Remote System Discovery identifies the presence of hosts on a network, collecting details such as their IP address, and hostname, along with other identifying information to move laterally within the system. Remote system discovery allows adversaries to map out hosts on the network and TCP/IP ports that are open closed or filtered for future-attack targets.

An example of this is the Backdoor, Oldrea ICS malware plugin. This plugin works to discover all servers reachable by a compromised machine over the network, including OPC Servers, by using Windows (WNet).

Recommended Mitigation Techniques:

  • Use VLANs: Segment the network with VLANs to allow switches to enforce security policies and segregate traffic at the Ethernet layer.

    • Your network can be segmented to any configuration using the Wicket-Enclave system. Wickets provide whitelisting capabilities, and Enclaves provide segmented access channels to the subnets.

  • Restrict authorization: Secure and limit authorization to the control room and the physical environment, and confine ICS devices to designated areas.

    • Dispel ensures that authorization is limited to a specific system, to which only certain admins have access after strong authentication.

  • Employ VPNs: Utilize VPNs to further restrict access in and out of control system computers and controllers.

    • More secure than traditional VPNs, all of Dispel’s networks are moving target defense SD-WANs which facilitate traffic and access in and out of control system computers and controllers.

  • Keep tabs on the network: Monitor the network and enforce access control practices; e.g. whitelisting.

    • Dispel Wickets provide real-time whitelisting out of the box.

  • Develop a detection plan: Implement heuristics to detect monitoring and invasive probing activity on the network, and ensure devices and patches are current.

    • Although this is mostly left as an exercise to management, Dispel provides full traffic logs which can be pushed to a storage server or integrated with a pre-existing intrusion detection system.

Remote access has become a necessity for organizations operating IT ICS. Your time matters and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.

About MITRE Att&ck for IT Industrial Control Systems (ICS)

About MITRE 

MITRE Att&ck, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques that help inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS).

IT ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise on their operation could impact the health and safety of humans.

According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:

  • Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage equipment, create environmental impacts, and/or endanger human life.

  • Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have broad negative effects.

  • ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.

  • Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.

  • Interference with the operation of safety systems, which could endanger human life.


Remote System Discovery (T846):

Remote System Discovery identifies the presence of hosts on a network, collecting details such as their IP address, and hostname, along with other identifying information to move laterally within the system. Remote system discovery allows adversaries to map out hosts on the network and TCP/IP ports that are open closed or filtered for future-attack targets.

An example of this is the Backdoor, Oldrea ICS malware plugin. This plugin works to discover all servers reachable by a compromised machine over the network, including OPC Servers, by using Windows (WNet).

Recommended Mitigation Techniques:

  • Use VLANs: Segment the network with VLANs to allow switches to enforce security policies and segregate traffic at the Ethernet layer.

    • Your network can be segmented to any configuration using the Wicket-Enclave system. Wickets provide whitelisting capabilities, and Enclaves provide segmented access channels to the subnets.

  • Restrict authorization: Secure and limit authorization to the control room and the physical environment, and confine ICS devices to designated areas.

    • Dispel ensures that authorization is limited to a specific system, to which only certain admins have access after strong authentication.

  • Employ VPNs: Utilize VPNs to further restrict access in and out of control system computers and controllers.

    • More secure than traditional VPNs, all of Dispel’s networks are moving target defense SD-WANs which facilitate traffic and access in and out of control system computers and controllers.

  • Keep tabs on the network: Monitor the network and enforce access control practices; e.g. whitelisting.

    • Dispel Wickets provide real-time whitelisting out of the box.

  • Develop a detection plan: Implement heuristics to detect monitoring and invasive probing activity on the network, and ensure devices and patches are current.

    • Although this is mostly left as an exercise to management, Dispel provides full traffic logs which can be pushed to a storage server or integrated with a pre-existing intrusion detection system.

Remote access has become a necessity for organizations operating IT ICS. Your time matters and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.

From the Editor

We're raising the standard for factory optimization

See what makes Dispel better

Access Windows

Create Access Window

Access Windows (8)

Archived On

Requested on

Stephen Maturin

Approved

7/19/14

6/19/14

Jack Aubrey

Approved

7/19/14

6/19/14

2798

Savannah Nguyen

Approved

7/19/14

6/19/14

2798

Jacob Jones

Approved

7/19/14

6/19/14

2798

Kathryn Murphy

Rejected

7/19/14

6/19/14

2798

Albert Flores

Approved

7/19/14

6/19/14

2798

Jane Cooper

Approved

7/19/14

6/19/14

We're raising the standard for factory optimization

Discover the power of Dispel with a personalized demo and a free 30-day trial

Access Windows

Create Access Window

Access Windows (8)

Stephen Maturin

Approved

6/19/14

Jack Aubrey

Approved

6/19/14

2798

Savannah Nguyen

Approved

7/19/14

6/19/14

2798

Jacob Jones

Approved

7/19/14

6/19/14

2798

Kathryn Murphy

Rejected

7/19/14

6/19/14

2798

Albert Flores

Approved

7/19/14

6/19/14

2798

Jane Cooper

Approved

7/19/14

6/19/14

We're raising the standard for factory optimization

Discover the power of Dispel with a personalized demo and a free 30-day trial

Access Windows

Create Access Window

Access Windows (8)

Archived On

Requested on

Stephen Maturin

Approved

7/19/14

6/19/14

Jack Aubrey

Approved

7/19/14

6/19/14

Savannah Nguyen

Approved

7/19/14

6/19/14

2798

Jacob Jones

Approved

7/19/14

6/19/14

2798

Kathryn Murphy

Rejected

7/19/14

6/19/14

2798

Albert Flores

Approved

7/19/14

6/19/14

2798

Jane Cooper

Approved

7/19/14

6/19/14

61 Greenpoint Ave, Brooklyn, NY 11222

© 2015 - 2024 Dispel, LLC & Dispel Global, Inc | Dispel and logos are Reg. U.S. Pat. & Tm. Off