Interview News

Understanding Attack Path Analysis in Industrial Control Systems

Dick Bussiere

In India, ransomware has emerged as the most significant threat, with a 53% increase in ransomware attacks reported by CERT-in since 2022

Security teams can identify weaknesses attackers could leverage, and put the organisations’ defences to the test against realistic cyber threats

Dick Bussiere, Technical Director, Tenable

Why is MITRE ATT&CK for ICS crucial to proactive security and evaluating an organisation’s security posture? 

The MITRE framework takes a strikingly different approach from other existing cybersecurity frameworks. Instead of viewing security as a reactive measure, the MITRE ATT&CK framework flips this perspective and provides valuable insights into the phases and techniques attackers are likely to use. 

It offers security practitioners a fresh perspective on their defensive position and what gaps they can be filled to improve their security posture. The framework is invaluable in understanding both the different phases of an attack and the unique techniques an attacker leverages, enabling security teams to view their defence posture through the lens of an attacker. This ensures effective countermeasures can be put in place to improve security.  

Why does ICS need its own MITRE ATT&CK framework? 

Although the fundamental concept of the framework remains unchanged, which involves breaking down actions into tactics and ultimately understanding the attacker’s goal, the MITRE ATT&CK framework goes further by providing insight into the “how” behind the attacker’s achievement of those goals. Operational technology (OT) environments encompass both OT and IT assets, even though the boundaries between them have become blurred. The communication dynamics and device types in IT environments significantly differ from those in OT environments. In OT environments, interference with systems and communications has serious consequences since the physical world is being manipulated. These differences necessitated the development of an ICS-specific framework. 

The initial step towards addressing the ICS ATT&CK framework is implementing preventive measures to address OT threats. While the MITRE ATT&CK framework for ICS plays a crucial role in assessing security readiness, it represents just one component of the larger picture. Achieving significant risk reduction requires continuous vulnerability management and threat monitoring processes based on thorough research and comprehensive visibility into the entire attack surface. This approach decreases the overall likelihood of lateral movement by promptly addressing risk exposure across IT, OT, and IoT systems. 

How can attack path analysis help reduce cyber risk in OT organisations? 

In any attack, the first step is gaining initial access to the network. Bad actors do this either by phishing or exploiting a known vulnerability – almost always on the IT network. Then comes lateral movement where the threat actor maintains access to the environment, elevates their privileges and laterally moves between network devices. Finally, attackers perform the attack, which may involve malicious cyberphysical activity, and possibly the deployment of ransomware against highly vulnerable systems within the OT environment.  Depending on the state of any network, attackers use multiple techniques to perpetuate an attack and accomplish their objectives. Attack path analysis allows defenders to understand the likely ways that lateral movement may be accomplished, highlighting vulnerable systems along the way. The ATT&CK framework illustrates the methods that an adversary will use to do this.  [Text Wrapping Break] 

Solutions that automate attack path analysis are crucial as they combine organisational data with advanced graph analytics and the MITRE ATT&CK framework. Security teams can identify weaknesses attackers could leverage, and put the organisations’ defences to the test against realistic cyber threats. It also helps identify gaps in security so they are addressed proactively, before an attack even occurs. 

Is attack path analysis enough to maintain a good security posture? What else must the ICS community focus on?  

Attack path analysis is an invaluable strategy in any defender’s arsenal but only if it is implemented correctly. Cybersecurity teams can use the MITRE ATT&CK framework along with exposure management to gain a deeper understanding of what their critical assets are, what adversaries would likely target and why. Attack path analysis is an important part of exposure management, but must be augmented with vulnerability management, configuration management, and continuous network monitoring to have a full view of the security posture. In essence, practise the old security practitioners’ rule of “assume compromise” and act accordingly. 

What kind of challenges do organisations face with regard to skill shortage?  

One of the things that keeps security practitioners up at night is the lack of visibility into their infrastructure. And operational technology (OT) environments encompass vast attack surfaces with multiple potential attack vectors. Without visibility, it is not a matter of whether an attack will occur but when it will happen. Adding to this problem is that new cybersecurity threats arise as technology evolves and the cyber skills shortage only compounds the difficulty of acquiring expertise in emerging areas like cloud security, artificial intelligence, Internet of Things (IoT), and blockchain, creating gaps in knowledge and defence. 

What kind of cyber-attacks are common in India and what are the primary motives?  

In India, ransomware has emerged as the most significant threat, with a 53% increase in ransomware attacks reported by CERT-in since 2022. Ransomware groups have adopted innovative approaches to enhance the chances of successful attacks.  

Ransomware-as-a-Service (RaaS) actors now prioritize speed and performance to achieve their goals. Rather than encrypting entire files, they are opting to encrypt only a portion of the files to save time. They also leverage multithreading techniques to expedite the encryption and decryption processes. 

[Text Wrapping Break]To breach networks effectively, threat actors are utilising Living Off the Land Binaries (LOLBINS) and legitimate tools accessible on open-source libraries such as Github. By doing so, they can evade detection by security solutions and disable anti-malware applications, facilitating the deployment of malware. Additionally, these actors are storing exfiltrated data in the cloud to bypass firewall detection. It is evident that threat actors constantly seek ways to refine their tactics, and organizations seeking to protect their infrastructure require proactive security solutions to establish deterrence against such attacks, rather than relying on reactive measures. 

The motives for attacks are manifold. Most of the time it is motivated by money, where the bad actor attempts to extort money from the victim in exchange for the restoration of data. In some situations the motives are more insidious, including supply chain disruption, interference with critical infrastructure and more. Regardless of the motive, all attacks against OT will have serious financial and reputational repercussions for the victim.  

What is your growth strategy for 2023 in India?  

With the evolution and interconnectedness of the attack surface, the potential attack vectors multiply significantly. Depending solely on conventional monitoring and detection methods creates significant gaps in visibility, allowing attackers to operate covertly and cause more extensive and long-lasting harm. This risk is further heightened by predictable and inadequate response efforts. Our primary focus is to provide our customers with the essential tools to achieve comprehensive visibility throughout the modern attack surface. By anticipating threats, prioritising preventive measures, and effectively communicating cyber risk, organisations can make informed decisions. The implementation of Exposure Management enables this level of protection and risk management to be within reach. 

Related posts

Canon India with JIM enhances its Training Program Under Skill India Initiative


IFS to acquire Copperleaf


Navigating the Deepfakes Challenge with Proactive measures