MITRE Att&ck, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a knowledge base of adversary tactics and techniques that helps inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS). ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the routine automation of key processes that everyone relies on, and any compromise of their operation could impact the health and safety of humans.
According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.
To begin this blog series, we will first dive into External Remote Services. The aim is to help you understand the MITRE Att&ck walk-through and its mitigation techniques, as well as to offer our own insight.
How It’s Done:
Adversaries sometimes opt to use external remote services to gain initial entry into a network. Common external remote services include VPNs, Remote Desktop connections, and Active Directory, among others. External remote services are used by administrators to gain access to control systems. Vendors or third parties often use them to gain access but must traverse the corporate network first. These actions sometimes require Internet access. When adversaries obtain valid accounts for these services, they can gain access to the internal network. If the remote access system is compromised, an adversary could use this opportunity to launch an attack against the entire control system network.
A prime example of adversaries using external remote services to launch attacks on networks was when Xenotime used remote desktop jump boxes to move into the ICS environment in 2017. They targeted Remote Desktop Protocol and remote authentication and management portals.
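The detection side of this technique is worth making concrete. The script below is an added example written for this post; it is not code from Dispel or from MITRE. It assumes a hypothetical remote-access log format ("timestamp service user source_ip result"), a constructed set of log lines, and an assumed policy that third-party vendor accounts may only connect during a maintenance window and, for VPN logins, only from address ranges the vendor has registered. It flags the patterns a defender would want surfaced for the External Remote Services technique: a success following a burst of failures, vendor logins outside the agreed window, and vendor VPN logins from unregistered sources.

```python
"""Added example: flag risky use of external remote services (VPN / RDP jump
host) into an ICS network. Log format, account names, addresses and the policy
constants are all constructed for illustration, not taken from any vendor."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log lines in the hypothetical format:
# "<ISO timestamp> <service> <user> <src_ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2017-03-04T09:15:02 vpn admin.ops 203.0.113.10 SUCCESS
2017-03-04T23:41:10 vpn vendor.acme 198.51.100.77 FAIL
2017-03-04T23:41:15 vpn vendor.acme 198.51.100.77 FAIL
2017-03-04T23:41:21 vpn vendor.acme 198.51.100.77 FAIL
2017-03-04T23:41:26 vpn vendor.acme 198.51.100.77 SUCCESS
2017-03-04T23:45:00 rdp vendor.acme 10.10.5.23 SUCCESS
2017-03-05T10:02:00 rdp vendor.acme 10.10.5.23 SUCCESS
2017-03-05T11:00:00 vpn vendor.acme 192.0.2.5 SUCCESS
"""

# Assumed policy: vendor accounts connect only inside the maintenance window,
# and their VPN sessions originate only from registered address ranges.
VENDOR_ACCOUNTS = {"vendor.acme"}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))          # local time, assumed
ALLOWED_VENDOR_SOURCES = [ip_network("198.51.100.0/24")]  # constructed
FAIL_BURST_THRESHOLD = 3  # failures before a success that warrant an alert


@dataclass
class Event:
    ts: datetime
    service: str
    user: str
    src: str
    ok: bool


def parse(log: str) -> list[Event]:
    """Parse the hypothetical log format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, service, user, src, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), service, user, src,
                            result == "SUCCESS"))
    return events


def detect(events: list[Event]) -> list[str]:
    """Return one alert string per policy violation, in log order."""
    alerts: list[str] = []
    failures: dict[tuple[str, str], int] = {}  # (user, src) -> consecutive fails
    for e in events:
        key = (e.user, e.src)
        if not e.ok:
            failures[key] = failures.get(key, 0) + 1
            continue
        # A success right after repeated failures suggests a guessed or
        # stolen credential on the remote service.
        if failures.get(key, 0) >= FAIL_BURST_THRESHOLD:
            alerts.append(f"{e.ts.isoformat()} {e.user}@{e.src}: success after "
                          f"{failures[key]} failures on {e.service}")
        failures[key] = 0
        if e.user not in VENDOR_ACCOUNTS:
            continue
        start, end = MAINTENANCE_WINDOW
        if not (start <= e.ts.time() <= end):
            alerts.append(f"{e.ts.isoformat()} {e.user}@{e.src}: vendor login "
                          f"outside maintenance window on {e.service}")
        # Source check applies to the perimeter service; RDP hops inside the
        # network come from internal jump-host addresses.
        if e.service == "vpn" and not any(ip_address(e.src) in net
                                          for net in ALLOWED_VENDOR_SOURCES):
            alerts.append(f"{e.ts.isoformat()} {e.user}@{e.src}: vendor VPN "
                          f"login from unregistered source")
    return alerts


def run_sample() -> list[str]:
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this raises four alerts: the vendor VPN success after three failures, that same late-night login as an out-of-window event, the following RDP hop to the jump host at 23:45, and the next day's VPN login from an unregistered address; the administrator's daytime login and the vendor's in-window RDP session pass. In a real deployment the window, allowed sources and account list would come from the remote-access policy rather than constants in the script.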
Recommended Mitigation Techniques:
Your time matters, and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.
Ask us questions or get your demo at https://dispel.io