A document that cybersecurity professionals consult in analyzing hacking groups will soon expand to include attack techniques used against industrial control systems, a recognition of the growing number of adversaries that target critical infrastructure.
The goal is to help organizations understand and defend against disruptive cyberattacks like the one that cut power for some 225,000 people in Ukraine in 2015. That means filling in gaps in the cybersecurity community’s knowledge base of the hacking methods that are unique to industrial environments as well as those that also apply to IT networks.
The document, known as the “ATT&CK” framework, should account for the “full gamut of adversary behavior,” said Otis Alexander, one of the lead cybersecurity engineers who helps maintain it at MITRE Corp., a federally funded not-for-profit organization.
The updated framework could be available to network defenders as soon as December. It will cover attacks against ICS protocols and ways in which hackers might hinder incident response, Alexander said at MITRE’s ATT&CKcon conference on Wednesday. The framework seeks to answer key questions such as at what point a given strain of ransomware becomes a relevant threat to ICS asset owners.
Where the cybersecurity industry sometimes creates confusion — the same grouping of Russian state-backed hackers can have five different names, depending on the company publishing the research — the ATT&CK framework cuts through to focus on hackers’ methods. The original framework, which MITRE began developing in 2013, categorizes the way different hacking groups exfiltrate data, move within a compromised network, and retain access to that network.
Bryson Bort, founder of cybersecurity companies SCYTHE and GRIMM, said the forthcoming framework would provide a common language for ICS asset owners looking to share threat information.
“It could be like the Periodic Table of Elements for ICS,” he told CyberScoop.
This update has been a couple years in the making and was inspired, at least in part, by the cyberattacks in Ukraine in 2015 and 2016, Alexander told CyberScoop. Those hacking operations, carried out by Russian government-linked hackers, drew much greater attention to the way that malware can be tailored to disrupt industrial environments.
The “Industroyer” malware used in the 2016 attack on a power substation in Ukraine, for example, ran on Windows machines but also sent commands to specialized hardware interacting with the substations, explained Robert Lipovsky, senior malware researcher at cybersecurity company ESET. Distinguishing between the IT and OT (operational technology)-related functionality of that attack can help organizations defend against it.
“The ICS version of ATT&CK will be helpful for describing those OT types of functionalities and talking about the impacts in a better way,” Lipovsky told CyberScoop.