MITRE Engenuity analyses five cybersecurity products for ability to handle Triton malware

MITRE Engenuity has announced results from its initial round of independent ATT&CK evaluations, which examined how cybersecurity products from five industrial control systems (ICS) vendors detected the threat of Russian-linked Triton malware. Products from Armis, Claroty, Dragos, the Institute for Information Industry and Microsoft were assessed as part of the evaluation, which was paid for by the participating vendors.

The MITRE ATT&CK for ICS Framework, originally released in January 2020 and updated in April 2021, provides a comprehensive taxonomy of attack techniques and supporting methods leveraged by adversaries targeting operational technology (OT) environments. 

The focal point of the MITRE Engenuity evaluation was on articulating how detections occur, rather than assigning scores to vendor capabilities.

For the evaluation, the lab categorized each detection and captured notes about how those detections occur. It organized the detections according to each technique. Techniques may have more than one detection if the capability detects the technique in different ways, and detections it observes are included in the results. “While we make every effort to capture different detections, vendor capabilities may be able to detect procedures in ways that we did not capture,” MITRE said as part of its evaluation. 

“To determine the appropriate category for a detection, we review the screenshot(s) provided, notes taken during the evaluation, results of follow-up questions to the vendor, and vendor feedback on draft results. We also independently test procedures in a separate lab environment and review open-source tool detections and forensic artifacts. This testing informs what is considered to be a detection for each technique,” MITRE added.

After performing detection categorizations, MITRE Engenuity calibrated the categories across all vendors to look for discrepancies and ensure categories are applied consistently. 

“We chose to emulate the Triton malware because it targets safety systems, which prevent some of the worst consequences from happening when something goes wrong in an industrial control setting,” Otis Alexander, who led the ATT&CK Evaluations for ICS, said in a press statement. “The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs.”

The evaluation was performed in a MITRE Engenuity lab against an environment functioning as a burner management system. Control system components such as PLCs, Windows host running ICS applications, and network infrastructure were physically implemented, while the industrial equipment and physical processes were simulated. The burner management solution was designed and programmed by an integration company focused on the energy sector.

Vendors shipped a physical appliance with their detection solution installed on it. All the vendor appliances simultaneously received network traffic which was distributed by a network aggregator connected to the SPAN port of the environment’s switch, according to details released by MITRE Engenuity. Windows event logs were centrally collected and then forwarded via syslog to each solution capable of collecting events in this fashion.

In addition, the opportunity to actively poll the PLCs for configuration changes (program and task modifications) was provided to vendors that offer this as a current feature of their solution. This was done outside of the execution phase as not to taint the network traffic collected by the other appliances. VPN access enabled the vendors to connect remotely to their appliances for management and monitoring purposes throughout the various phases of the evaluation, MITRE Engenuity added.

The MITRE Engenuity ATT&CK evaluations intend to help vendors and end-users better understand a product’s capabilities in relation to MITRE’s publicly accessible ATT&CK for ICS framework, which is a curated knowledge base of adversary tactics, techniques, and procedures based on known threats to industrial control systems.

TRITON malware targets safety systems, preventing operators from responding to failures, hazards and other unsafe conditions, potentially causing physical destruction that can lead to fatal consequences. The TRITON incident is the initial publicly reported incident demonstrating a targeted attack with a known effect to an operational Safety Instrumented Systems (SIS). Information describing initial access and the subsequent pivot to the safety system assets remains largely unknown. The group’s ultimate goals still remain uncovered.

The TRITON malware showcased its capability to affect or otherwise compromise the safety monitoring functions present within the target facility. The threat group behind TRITON has shown specific motivations for targeting the oil and gas sector. With certainty, the threat group exhibited a deep understanding of the target system and environment, MITRE Engenuity said. 

Notable ATT&CK tactics displayed in the TRITON scenario include execution, inhibition of response function, and impact. Specifically leveraging APIs and scripting for execution, the threat group was able to modify program state and control logic to achieve an impact of loss of safety. The threat group has also demonstrated prominent evasion capabilities in order to effectively masquerade its malicious behaviors.

TRITON was allegedly developed by Russia’s Central Scientific Research Institute of Chemistry and Mechanics, and used in an attack that shut down a Saudi refinery, leading the U.S. Department of Treasury to impose sanctions against the institute. The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. 

The Dragos Platform scored high in the visibility category with 93 percent, and scored highest amongst participants in the analytics category with 63 percent. 

“The Dragos Platform had 63% analytics coverage, which is the proportion of sub-steps that contained a detection that provides additional context in the form of MITRE ATT&CK techniques,” Austin Scott and Ben Miller, Dragos executives, wrote in a company blog post. “This context gives analysts a significant advantage by providing ICS and threat-relevant information that allows them to move faster, be more efficient, and make well-informed decisions. These results validate the effectiveness of Dragos’s intel-driven approach.” 

The performance of the Armis platform in the 2021 MITRE Engenuity ATT&CK Evaluations for ICS proves that purpose-built, forward-thinking solutions deliver broad, in-depth visibility across IT and OT/ICS, and automation that modern OT/ICS environments need to combat adversaries. 

“As evidenced by the results of the evaluation, the Armis platform excels at visibility and detection, and even more importantly, the autonomous mapping of data into fully indexed and correlated stories that allow users to completely and immediately understand the ‘what, why and how’ when an adversary makes a move,” Matt Hubbard, Armis’ senior technical product marketing manager, wrote in a company blog post. 

“As such, the framework is a useful tool for security teams who wish to ensure coverage across a broad array of industrial cybersecurity threats. The MITRE ICS ATT&CK Evaluation ran through a series of network-based and host-based detection techniques. We’re proud to report that in the MITRE ICS ATT&CK evaluation, Claroty achieved 90% visibility against the network-based evaluation criteria,” according to a Claroty blog post. 

“When complemented with a market leading Endpoint, Detection and Response (EDR) solution like CrowdStrike, enterprises can gain the most comprehensive detection for both known and unknown attacks. Based on these results, our customers should feel confident that they are leveraging a platform that provides market-leading asset inventory and vulnerability management, in addition to threat visibility,” it added.

Apart from the ATT&CK Evaluations for ICS, MITRE Engenuity also evaluates security products for enterprise networks. Most recently, MITRE Engenuity examined 29 products against the threat from cybercrime groups FIN7 and Carbanak, which have demonstrated the ability to compromise financial service and hospitality organizations, respectively, using malware and tradecraft.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT. Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT. Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT. Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with around 14 years of experience in the areas of security, data storage, virtualization and IoT.