We recently announced that RAM², our OT-IoT digital and cyber risk management platform, integrates the MITRE ATT&CK for ICS framework in its “analyst-in-a-box” capability. In this post we take a quick look at what MITRE ATT&CK is and why we felt it was important enough to tie so closely to our solution.
What are MITRE, MITRE ATT&CK and MITRE ATT&CK for ICS?
What is ATT&CK for ICS Used for?
Industrial cybersecurity stakeholders can use ATT&CK for ICS to develop asset failure scenarios, test defenses through red teaming or adversary emulation, assess detection gaps, enrich threat intelligence and improve defenses. It also serves as a shared vocabulary that narrows the knowledge gap between operations and cybersecurity teams.
The problem is that, as helpful as the matrix is, applying ATT&CK for ICS is still largely a manual endeavor. For example, you can use Malware Archaeology’s ATT&CK Logging Cheat Sheet to map individual event-log entries to ATT&CK techniques. But it is a highly time-consuming operation, and it can only identify techniques that already produced a log-generating security event, so any technique your sensors never record is invisible to the mapping.
Some traditional security products, such as antivirus and IDS, already tag their detections with MITRE ATT&CK techniques. While this is a good start in improving an organization’s detection capability, it does not provide full visibility of network and system security gaps, because each product only sees the data sources it collects. For example, using MITRE’s mapping of techniques to the data sources that can observe them, we calculated that an IDS solution can at best cover 47% of the ATT&CK for ICS matrix and an antivirus solution only up to 26%, leaving a significant portion of potential adversary activity out of the detection loop altogether. These figures are upper bounds: having the right data source is necessary for detecting a technique, not sufficient.
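The two steps described above, mapping individual sensor events to ATT&CK for ICS techniques the way a logging cheat sheet does, and estimating how much of the matrix a given class of sensor can observe at all, are illustrated by the following Python example. It is added here and is not RAM² code or MITRE tooling. The technique IDs are real ATT&CK for ICS identifiers, but the data-source assignments are a simplified subset (verify them against the current matrix before relying on them), and the sensor classes, event signatures and sample events are constructed for the example.

```python
"""Map sensor events to ATT&CK for ICS techniques and estimate matrix coverage.

Added illustration, not RAM² or MITRE code. Technique IDs are real ATT&CK for
ICS identifiers; the data-source sets, sensor classes, signatures and sample
events are simplified/constructed assumptions for this example.
"""
from collections import defaultdict

# Illustrative subset of the ATT&CK for ICS matrix: technique ID -> (name, data
# sources that can observe it). Data sources are simplified labels (assumption).
TECHNIQUES = {
    "T0883": ("Internet Accessible Device", {"network_traffic", "logon_session"}),
    "T0886": ("Remote Services", {"network_traffic", "logon_session"}),
    "T0812": ("Default Credentials", {"logon_session"}),
    "T0859": ("Valid Accounts", {"logon_session"}),
    "T0846": ("Remote System Discovery", {"network_traffic"}),
    "T0840": ("Network Connection Enumeration", {"process", "command"}),
    "T0869": ("Standard Application Layer Protocol", {"network_traffic"}),
    "T0855": ("Unauthorized Command Message", {"network_traffic", "controller_log"}),
    "T0836": ("Modify Parameter", {"network_traffic", "controller_log"}),
    "T0843": ("Program Download", {"network_traffic", "controller_log"}),
    "T0866": ("Exploitation of Remote Services", {"network_traffic", "application_log"}),
    "T0814": ("Denial of Service", {"network_traffic", "application_log", "device_alarm"}),
    "T0831": ("Manipulation of Control", {"controller_log", "device_alarm"}),
    "T0853": ("Scripting", {"process", "command", "file"}),
    "T0807": ("Command-Line Interface", {"process", "command"}),
}

# Which data sources each sensor class actually collects (assumption).
SENSORS = {
    "ids": {"network_traffic"},
    "antivirus": {"file", "process"},
    "edr": {"process", "command", "file", "logon_session"},
    "controller_logs": {"controller_log", "device_alarm"},
}

# The "cheat sheet": (sensor class, alert signature) -> technique ID. Signatures
# are constructed names, not those of any real product.
SIGNATURE_TO_TECHNIQUE = {
    ("ids", "ICS_PROTOCOL_SWEEP"): "T0846",
    ("ids", "MODBUS_WRITE_REGISTER"): "T0836",
    ("ids", "S7COMM_DOWNLOAD_BLOCK"): "T0843",
    ("edr", "LOGON_RDP_SUCCESS"): "T0886",
    ("edr", "POWERSHELL_ENCODED_COMMAND"): "T0853",
}

# Constructed sample events as a SOC might receive them.
SAMPLE_EVENTS = [
    {"sensor": "ids", "signature": "ICS_PROTOCOL_SWEEP", "src": "10.0.5.23", "dst": "10.0.5.0/24"},
    {"sensor": "edr", "signature": "LOGON_RDP_SUCCESS", "host": "eng-ws-01", "user": "svc_hmi"},
    {"sensor": "edr", "signature": "POWERSHELL_ENCODED_COMMAND", "host": "eng-ws-01"},
    {"sensor": "ids", "signature": "S7COMM_DOWNLOAD_BLOCK", "src": "10.0.5.23", "dst": "10.0.5.101"},
    {"sensor": "ids", "signature": "MODBUS_WRITE_REGISTER", "src": "10.0.5.23", "dst": "10.0.5.102"},
    {"sensor": "antivirus", "signature": "HEURISTIC_QUARANTINE", "host": "eng-ws-01"},
]


def map_event(event):
    """Return the technique ID for one event, or None if the cheat sheet has no entry."""
    return SIGNATURE_TO_TECHNIQUE.get((event["sensor"], event["signature"]))


def map_events(events):
    """Group events by technique; events with no cheat-sheet entry are returned separately
    because they still need a human analyst (the manual effort the text describes)."""
    mapped, unmapped = defaultdict(list), []
    for ev in events:
        tid = map_event(ev)
        (mapped[tid] if tid else unmapped).append(ev)
    return dict(mapped), unmapped


def observable_techniques(sensor_names):
    """Techniques for which at least one required data source is collected by the sensors."""
    sources = set().union(*(SENSORS[s] for s in sensor_names))
    return {tid for tid, (_, needs) in TECHNIQUES.items() if needs & sources}


def coverage(sensor_names):
    """Fraction of the (illustrative) matrix the sensors could observe: an upper bound,
    since collecting a data source does not guarantee a detection rule exists."""
    return len(observable_techniques(sensor_names)) / len(TECHNIQUES)


def blind_spots(sensor_names):
    """Techniques none of the given sensors can observe, sorted by ID."""
    return sorted(set(TECHNIQUES) - observable_techniques(sensor_names))


if __name__ == "__main__":
    mapped, unmapped = map_events(SAMPLE_EVENTS)
    for tid, evs in sorted(mapped.items()):
        print(f"{tid} {TECHNIQUES[tid][0]}: {len(evs)} event(s)")
    print(f"unmapped events needing analyst review: {len(unmapped)}")
    for combo in (["ids"], ["antivirus"], ["ids", "edr"], ["ids", "edr", "controller_logs"]):
        print(f"{'+'.join(combo):>24}: {coverage(combo):.0%} coverage, blind spots {blind_spots(combo)}")
```

On this toy matrix an IDS alone can observe 60% of techniques and antivirus 20%; adding EDR raises the IDS figure to 93% but still leaves T0831 (Manipulation of Control) unobservable until controller logs are collected. The exact percentages depend on the data-source table used, which is why the numbers in the text above should be read as upper bounds rather than detection rates.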
This is why we integrated MITRE ATT&CK for ICS into RAM², our OT-IoT digital and cyber risk management platform.
Snapshot: ATT&CK for ICS and RAM²
RAM² integrates the MITRE ATT&CK for ICS framework in its “analyst-in-a-box” algorithm: it maps alerts from its own built-in sensor and from data sources such as EDRs, intrusion detection systems and firewalls to ATT&CK for ICS techniques, enriching each event with technique and tactic context. The result is 83% coverage of the MITRE ATT&CK for ICS matrix.
RAM² then correlates the mapped events into insights about adversary intent and offers clear mitigation instructions written with the constraints of industrial environments in mind.
The Bottom Line
The MITRE ATT&CK for ICS framework is a valuable addition to the security analyst toolbox. Yet like any knowledge base, it is only as powerful in the real world as it is applicable.
For the first time, RAM² turns the ATT&CK for ICS framework into actionable insights. This makes analysts’ jobs easier and more efficient by providing automatic, research-based correlations and letting users see security events in the context of adversary intent, making full use of the potential of MITRE ATT&CK for ICS.
Get the full report to learn more.