Exploring ICS ATT&CK

Query ATT&CK

Import TAXII Libraries

ATT&CK users can use the initial Server class to instantiate a server object pointing to the framework’s public TAXII server URL https://cti-taxii.mitre.org/taxii/

from taxii2client.v20 import Server

import logging
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)
server = Server("https://cti-taxii.mitre.org/taxii/")

Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the “root” URL of that particular instance of the TAXII API:

server.api_roots
[<taxii2client.v20.ApiRoot at 0x20994e51670>]
api_root = server.api_roots[0]

Explore ATT&CK TAXII Collections

The collections attribute can then be used and get more information about them via their respective available properties:

api_root.collections
[<taxii2client.v20.Collection at 0x20994e54190>,
 <taxii2client.v20.Collection at 0x20994e62430>,
 <taxii2client.v20.Collection at 0x20994e62ca0>,
 <taxii2client.v20.Collection at 0x20994e62100>]
for collection in api_root.collections:
    print(collection.title, "->", collection.description)
Enterprise ATT&CK -> This data collection holds STIX objects from Enterprise ATT&CK
PRE-ATT&CK -> This data collection holds STIX objects from PRE-ATT&CK
Mobile ATT&CK -> This data collection holds STIX objects from Mobile ATT&CK
ICS ATT&CK -> This data collection holds STIX objects from ICS ATT&CK
api_root.collections[3].title
'ICS ATT&CK'
api_root.collections[3].id
'02c3ef24-9cd4-48f3-a99f-b74ce24f1d34'

Set ICS ATT&CK TAXII Collection ID Variable

ICS_ATTACK = "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"

Initialize TAXII Collection Sources

According to STIX2 docs, the TAXIICollectionSource API provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. In our case, we are pointing to our ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/)

from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
ATTACK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)

Retrieve all ICS Techniques

Now that we can query the ICS ATT&CK TAXIICollection. We can use the query method and a set of filter to retrieve STIX objects of type “attack-pattern” -> “Techniques”

ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter("type", "=", "attack-pattern"))
ICS_TECHNIQUES[0]
AttackPattern(type='attack-pattern', id='attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T15:25:32.143Z', modified='2021-10-14T15:25:32.143Z', name='Transient Cyber Asset', description='Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: NERC June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.\n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.\n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.\n\nIn the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. (Citation: Maroochy - MITRE - 200808)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')], revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Technique/T0864', external_id='T0864'), ExternalReference(source_name='NERC June 2021', description=' North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. Retrieved October 11, 2021.', url='https://www.nerc.com/files/glossary_of_terms.pdf'), ExternalReference(source_name='Maroochy - MITRE - 200808', description='Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.', url='https://www.mitre.org/sites/default/files/pdf/08%201145.pdf'), ExternalReference(source_name='NIST Apr 2013', description='National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.', url='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'), ExternalReference(source_name='NAFT Dec 2019', description='North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.', url='https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf'), ExternalReference(source_name='Emerson Exchange', description='Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.', url='https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot'), ExternalReference(source_name='National Security Agency Feb 2016', description='National Security Agency. (2016, February). Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. Retrieved September 25, 2020.', url='https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory'], x_mitre_platforms=['Engineering Workstation'])
for TECHNIQUE in ICS_TECHNIQUES:
    print(TECHNIQUE['external_references'][0]['external_id'], "--", TECHNIQUE['name'])
T0864 -- Transient Cyber Asset
T0888 -- Remote System Information Discovery
T0834 -- Native API
T0890 -- Exploitation for Privilege Escalation
T0889 -- Modify Program
T0821 -- Modify Controller Tasking
T0886 -- Remote Services
T0837 -- Loss of Protection
T0878 -- Alarm Suppression
T0806 -- Brute Force I/O
T0885 -- Commonly Used Port
T0810 -- Data Historian Compromise
T0815 -- Denial of View
T0818 -- Engineering Workstation Compromise
T0866 -- Exploitation of Remote Services
T0824 -- I/O Module Discovery
T0826 -- Loss of Availability
T0829 -- Loss of View
T0849 -- Masquerading
T0836 -- Modify Parameter
T0840 -- Network Connection Enumeration
T0844 -- Program Organization Units
T0850 -- Role Identification
T0851 -- Rootkit
T0865 -- Spearphishing Attachment
T0882 -- Theft of Operational Information
T0860 -- Wireless Compromise
T0802 -- Automated Collection
T0875 -- Change Program State
T0884 -- Connection Proxy
T0811 -- Data from Information Repositories
T0868 -- Detect Operating Mode
T0871 -- Execution through API
T0822 -- External Remote Services
T0872 -- Indicator Removal on Host
T0827 -- Loss of Control
T0830 -- Man in the Middle
T0841 -- Network Service Scanning
T0845 -- Program Upload
T0846 -- Remote System Discovery
T0852 -- Screen Capture
T0856 -- Spoof Reporting Message
T0855 -- Unauthorized Command Message
T0887 -- Wireless Sniffing
T0800 -- Activate Firmware Update Mode
T0805 -- Block Serial COM
T0809 -- Data Destruction
T0814 -- Denial of Service
T0817 -- Drive-by Compromise
T0877 -- I/O Image
T0867 -- Lateral Tool Transfer
T0880 -- Loss of Safety
T0832 -- Manipulation of View
T0833 -- Modify Control Logic
T0843 -- Program Download
T0848 -- Rogue Master
T0881 -- Service Stop
T0857 -- System Firmware
T0859 -- Valid Accounts
T0803 -- Block Command Message
T0858 -- Change Operating Mode
T0808 -- Control Device Identification
T0812 -- Default Credentials
T0870 -- Detect Program State
T0819 -- Exploit Public-Facing Application
T0823 -- Graphical User Interface
T0883 -- Internet Accessible Device
T0828 -- Loss of Productivity and Revenue
T0835 -- Manipulate I/O Image
T0838 -- Modify Alarm Settings
T0839 -- Module Firmware
T0842 -- Network Sniffing
T0873 -- Project File Infection
T0853 -- Scripting
T0869 -- Standard Application Layer Protocol
T0804 -- Block Reporting Message
T0807 -- Command-Line Interface
T0879 -- Damage to Property
T0813 -- Denial of Control
T0816 -- Device Restart/Shutdown
T0820 -- Exploitation for Evasion
T0874 -- Hooking
T0825 -- Location Identification
T0831 -- Manipulation of Control
T0801 -- Monitor Process State
T0861 -- Point & Tag Identification
T0847 -- Replication Through Removable Media
T0854 -- Serial Connection Enumeration
T0862 -- Supply Chain Compromise
T0863 -- User Execution

ICS ATT&CK Available since attackcti 0.3.4.3

Reference: https://pypi.org/project/attackcti/

from attackcti import attack_client
lift = attack_client()

ICS_TECHNIQUES = lift.get_ics_techniques()
print("Techniques Count:",len(ICS_TECHNIQUES))
Techniques Count: 78
ICS_TECHNIQUES[0]
AttackPattern(type='attack-pattern', id='attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T15:25:32.143Z', modified='2021-10-14T15:25:32.143Z', name='Transient Cyber Asset', description='Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: NERC June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.\n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.\n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.\n\nIn the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. (Citation: Maroochy - MITRE - 200808)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')], revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Technique/T0864', external_id='T0864'), ExternalReference(source_name='NERC June 2021', description=' North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. Retrieved October 11, 2021.', url='https://www.nerc.com/files/glossary_of_terms.pdf'), ExternalReference(source_name='Maroochy - MITRE - 200808', description='Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.', url='https://www.mitre.org/sites/default/files/pdf/08%201145.pdf'), ExternalReference(source_name='NIST Apr 2013', description='National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.', url='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'), ExternalReference(source_name='NAFT Dec 2019', description='North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.', url='https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf'), ExternalReference(source_name='Emerson Exchange', description='Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.', url='https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot'), ExternalReference(source_name='National Security Agency Feb 2016', description='National Security Agency. (2016, February). Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. Retrieved September 25, 2020.', url='https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory'], x_mitre_platforms=['Engineering Workstation'])

Get All Data Sources Mapped to ICS ATT&CK Techniques

ICS_DATA_SOURCES = []
for TECHNIQUE in ICS_TECHNIQUES:
    if 'x_mitre_data_sources' in TECHNIQUE.keys():
        for DS in TECHNIQUE['x_mitre_data_sources']:
            if DS not in ICS_DATA_SOURCES:
                ICS_DATA_SOURCES.append(DS)
ICS_DATA_SOURCES
['Network Traffic: Network Flows',
 'Network Traffic: Network Connections',
 'Assets: Asset Inventory',
 'Network Traffic: Network Traffic Content',
 'Application Log: Application Log Content',
 'Process: OS API Execution',
 'File: File Modification',
 'Asset: Software/Firmware',
 'Command: Command Execution',
 'Logon Session: Logon Session Creation',
 'Network Share: Network Share Access',
 'Network Traffic: Network Connection Creation',
 'Network Traffic: Network Traffic Flow',
 'Process: Process Creation',
 'Operational Databases: Process History/Live Data',
 'Operational Databases: Process/Event Alarm',
 'File: File Metadata',
 'Scheduled Job: Scheduled Job Metadata',
 'Scheduled Job: Scheduled Job Modification',
 'Service: Service Creation',
 'Service: Service Metadata',
 'Operational Databases: Device Alarm',
 'Asset: Device Configuration/Parameters',
 'Drive: Drive Modification',
 'Firmware: Firmware Modification',
 'Module: Module Load',
 'File: File Access',
 'Script: Script Execution',
 'Logon Session: Logon Session Metadata',
 'File: File Deletion',
 'User Account: User Account Authentication',
 'Windows Registry: Windows Registry Key Deletion',
 'Windows Registry: Windows Registry Key Modification',
 'Process: Process Termination',
 'File: File Creation',
 'Drive: Drive Creation']

Get All Groups from ICS ATT&CK

ICS_GROUPS = lift.get_ics_groups()
for GROUP in ICS_GROUPS:
    print(GROUP['name'])
TEMP.Veles
Dragonfly 2.0
HEXANE
APT33
OilRig
Dragonfly
Sandworm Team
Lazarus Group
ALLANITE

Get All Malware from ICS ATT&CK

ICS_MALWARE = lift.get_ics_malware()
for MALWARE in ICS_MALWARE:
    print(MALWARE['name'])
Conficker
EKANS
Bad Rabbit
KillDisk
Industroyer
Stuxnet
REvil
Ryuk
LockerGoga
Triton
VPNFilter
PLC-Blaster
NotPetya
WannaCry
Flame
Backdoor.Oldrea
ACAD/Medre.A
BlackEnergy
Duqu