Merge pull request #1 from center-for-threat-informed-defense/tiffb-u…

…pdate Project website documentation
center-for-threat-informed-defense · Jul 9, 2024 · c81e675 · c81e675
2 parents 97e4dce + 627001a
commit c81e675
Show file tree

Hide file tree

Showing 18 changed files with 156,873 additions and 26 deletions.
diff --git a/docs/_static/assets.png b/docs/_static/assets.png
diff --git a/docs/_static/caddywiper.png b/docs/_static/caddywiper.png
diff --git a/docs/_static/campaign.png b/docs/_static/campaign.png
diff --git a/docs/_static/enterprise_ics.png b/docs/_static/enterprise_ics.png
diff --git a/docs/_static/exercise.png b/docs/_static/exercise.png
diff --git a/docs/_static/hybrid_visual.png b/docs/_static/hybrid_visual.png
diff --git a/docs/_static/ref_arch.png b/docs/_static/ref_arch.png
diff --git a/docs/architecture.rst b/docs/architecture.rst
diff --git a/docs/collection.rst b/docs/collection.rst
@@ -0,0 +1,90 @@
+Threat Collection
+=================
+
+The Defending OT with ATT&CK threat collection is a customized collection of MITRE ATT&CK® 
+techniques tailored to the attack surface and threat model for OT environments. Historical attacks 
+against OT and adversarial tactics, techniques, and procedures (TTPs) as contained in 
+ATT&CK for Enterprise, ATT&CK for ICS, and other relevant ATT&CK datasets such as Cloud 
+and Containers were analyzed to identify and define a reference architecture and technology 
+domains of interest specific to OT. The resultant collection can be used by organizations 
+that use OT to evaluate, plan, and employ security controls based on known, real-world 
+adversary behaviors targeting those environments.
+
+Defending OT with ATT&CK provides a defined threat collection to assist defenders in 
+understanding which techniques adversaries could use within an IT/OT hybrid architecture. 
+This includes:
+
+* techniques that occur on enterprise systems used to manage OT,
+
+* techniques on Industrial Control Systems (ICS), and
+
+* techniques on OT assets that run similar operating systems, protocols, and applications as enterprise IT assets.
+
+ .. <<!-- TO DO --!>>
+   tagged techniques for OT environments
+   Total ATT&CK (sub-)techniques -> Mapped to each asset and count (i.e., 510 techniques mapped to each assets).
+   plus image
+   downloads:
+   - STIX bundle
+   - multi-domain ATT&CK matrix for Navigator
+
+Download the Threat Collection
+------------------------------
+
+.. raw:: html
+
+    <p>
+        <a class="btn btn-primary" target="_blank" href="..\modified_work_bench_file.json" download="modified_work_bench_file.json">
+        <i class="fa fa-download"></i> Download ATT&CK Workbench Collection (6.2mb)</a>
+
+        <a class="btn btn-primary" target="_blank" href="..\hybrid_att&ck_matrix.xlsx" download="hybrid_att&ck_matrix.xlsx">
+        <i class="fa fa-download"></i> Download Hybrid ATT&CK Matrix - EXCEL (32kb)</a>
+
+        <a class="btn btn-primary" target="_blank" href="..\defending-ot-with-att&ck-0.3.json" download="defending-ot-with-att&ck-0.3.json">
+        <i class="fa fa-download"></i> Download JSON Threat Collection (8.875mb)</a>
+    </p>
+
+Building the Threat Collection
+------------------------------
+
+Defending OT with ATT&CK builds upon prior work developed by the Center, including 
+`Defending IaaS with ATT&CK <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/>`_ and `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_.
+
+**Defending IaaS with ATT&CK**
+
+Defending OT with ATT&CK uses the methodology and tooling created as part of the Center's 
+`Defending IaaS with ATT&CK project <https://center-for-threat-informed-defense.github.io/defending-iaas-with-attack/>`_ as a basis. The Defending IaaS project methodology provides
+steps to identify and select techniques across multiple ATT&CK matrices that align to a defined 
+attack surface, proving to be a solid foundation for developing Defending OT project resources.
+
+The Center developed Defending IaaS With ATT&CK project to provide the community with a 
+collection of MITRE ATT&CK® techniques tailored to the unique attack surface and threat model 
+for Infrastructure-as-a-Service (IaaS). This collection can be used to plan and evaluate security 
+controls for organizations that use IaaS based on the known adversary behaviors described by ATT&CK.
+
+**ATT&CK Workbench**
+
+The Defending OT with ATT&CK project team used `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_ to explore and map adversarial 
+techniques, target assets, and campaigns. The team employed ATT&CK Workbench's search and 
+filter features for ATT&CK for Enterprise and ATT&CK for ICS domains, determined mapping of 
+assets to multi-domains from ATT&CK for Enterprise and ATT&CK for ICS techniques, and added 
+rationale in Workbench's note sections, to generate the shared mapping file.
+
+The Center created ATT&CK Workbench to enable users to explore, create, annotate, and share 
+extensions of MITRE ATT&CK®. ATT&CK Workbench allows users to manage and extend their own 
+local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base. ATT&CK Workrbench 
+is an open source tool publicly available on `GitHub <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend>`_.
+
+ATT&CK Workbench enables a number of important use cases within the ATT&CK community, such as:
+
+* **Cyber Threat Intelligence:** Take notes on techniques, groups, and other objects to collaborate within a threat intelligence team.
+
+* **Red Teaming:** Track and manage coverage of Red Team engagements the same way you track your ATT&CK coverage.
+
+* **Defensive Planning:** Stay up to date with the evolving threat landscape by downloading new releases of ATT&CK automatically.
+
+* **Collaboration with ATT&CK and the community:** Share your custom datasets with the ATT&CK community and download datasets created by others.
+
+
+
+
diff --git a/docs/exercise.rst b/docs/exercise.rst
@@ -0,0 +1,80 @@
+Cyber Tabletop Exercise
+=======================
+
+Organizations need to proactively understand how to defend against advanced 
+persistent threat techniques that can be used to impact their operational 
+technology (OT) environment, regardless of whether these cyber-attacks affect 
+assets within different technology domains. To demonstrate how this project's 
+resources can be used to meet that need, a cyber tabletop exercise was conducted 
+by project participants. Exercise goals included assessing and improving 
+information technology (IT) and OT defensive strategies for advanced nation state 
+threat actor groups that use adversarial techniques overlapping Enterprise and 
+Industrial Control Systems (ICS) domains.
+
+The ATT&CK-based tabletop exercise scenario was based upon the 
+`2022 Ukraine Electric Power Attack <https://attack.mitre.org/campaigns/C0034/>`_ campaign. This real-world campaign by the 
+Russian threat actor group known as Sandworm Team used a combination of malware 
+and 15 ATT&CK techniques overlapping ATT&CK for Enterprise and ICS domains to gain 
+access to a Ukranian electric utility and send unauthorized commands to substation 
+devices, disrupting power across Ukraine. The attackers targeted IT environment 
+systems and used those system to conduct attacks against OT capabilities.
+
+During the exercise, project participants reviewed 20 ATT&CK techniques observed 
+during this adversarial campaign and the associated technical risks. This involved a 
+detailed review of each adversarial behavior, assets impacted in architecture, and 
+mitigating cyber defense guidance to minimize the risk. This information was used to 
+score potential adversarial risk, along with the protective and detective security 
+mechanisms captured. Upon conclusion of the exercise, participants held a brief hot wash, 
+identified areas of improvement for defense-in-depth, and developed recommendations 
+for security across multiple domains of the IT/OT environment.
+
+Conducting the Exercise
+-----------------------
+
+The exercise was conducted using the Defending OT with ATT&CK `reference architecture <./architecture.rst>`_. 
+This reference architecture is depicted in the image below. Exercise participants 
+assumed the role of cybersecurity experts for an organization with a technical environment 
+similar to the hacked power plant infrastructure. Red boxes are used to indicate 
+assets impacted during the campaign.
+
+.. image:: ./_static/exercise.png
+
+The ATT&CK techniques investigated during the exercise are provided in the table below, 
+organized under tactics - the reasons an advesary performs the action. A mix of techniques 
+in the ATT&CK for Enterprise and ICS domains were used to infiltrate the electric utility 
+and then send unauthorized commands from their SCADA (supervisory control and data acquisition)
+control system architecture. 
+
+.. image:: ./_static/campaign.png
+
+The following depicts an example of the presentation of adversarial threats for participant 
+discussion and evaluation, including consideration of potential mitigations, detection methods, 
+and risk scenarios:
+
+.. image:: ./_static/caddywiper.png
+
+Defensive Takeaways
+-------------------
+
+* Emphasize a threat-informed approach when evaluating the defense-in-depth of organizational security controls, particularly when securing and hardening enterprise assets. This was highlighted in the assessment of how threat actors exploit internet-facing assets during the initial stages of the cyber kill chain. 
+
+  * Without a threat-informed approach, security controls may not effectively address specific vulnerabilities exploited by threat actors, increasing the risk of successful cyber attacks.
+
+* Stress the importance of baselining and maintaining situational awareness in your operational environment through continuous monitoring of sensor health and status. This is crucial for identifying threat actor behaviors, including the use of living off the land (LoTL) techniques that blend with normal operational activities.
+
+  * Inadequate baselining and monitoring may lead to delayed detection of stealthy threat actor activities, potentially resulting in prolonged compromise and data exfiltration.
+
+* Prioritize privileged account management for shared administrator accounts and validate network segmentation across various zones, from enterprise (level 5) to operational and control (level 3), to mitigate lateral movement by threat actors or ingress of malicious artifacts.
+
+  * Poor privileged account management and inadequate network segmentation increase the risk of unauthorized access and lateral movement within the network, potentially leading to widespread compromise and data breach. 
+
+Offensive Takeaways
+-------------------
+
+* Consider repeating this exercise based on other cyber-attacks on Ukrainian Electric Plants in 2016 and 2020, and reviewing techniques associated with the Russian threat actor Sandworm.
+
+  * Ignoring historical attack patterns and specific threat actor techniques may result in overlooking critical vulnerabilities and attack vectors, leaving the organization vulnerable to similar cyber attacks.
+
+* Plan the next steps with a hands-on purple team exercise, where selected adversarial techniques are executed by a red team or programmatically using tools like Caldera and Caldera for OT. Evaluate the effectiveness of security controls and have the results assessed by a blue team of cyber-defenders.
+
+  * Without conducting a hands-on purple team exercise, the effectiveness of current security controls may not be accurately assessed, leading to gaps in defensive capabilities and increased exposure to cyber threats.