MITRE's Call for Contributions to ICS ATT&CK Evaluations
The non-profit organization MITRE is seeking contributions for its ICS ATT&CK evaluations. This initiative aims to enrich its adversary emulation by integrating insights into adversary behaviors. The focus is on Round 2, which will evaluate product capabilities against insider threats in industrial control systems (ICS) and operational technology (OT) domains.
Understanding Insider Threats
According to Otis Alexander, ICS Lead for ATT&CK Evaluations at MITRE, insiders—whether malicious or negligent—pose a significant threat to asset owner infrastructure. With comprehensive knowledge of company operations and both physical and remote access, malicious insiders can execute stealthy, targeted attacks with critical impacts.
Focus on Insider Threat Activity
ICS Round 2 will home in on insider threat activities in ICS/OT environments. MITRE seeks contributions detailing TTPs (tactics, techniques, and procedures) and activities reported in use by malicious insiders. This includes actions taken to manipulate process and alarm systems, the targeting of transient assets and remote infrastructure, and other novel information.
How to Contribute
Those interested in contributing should email MITRE with their information, including their real name. Contributions from company accounts enhance credibility, though independent researchers are also welcome. Information structured using ATT&CK tactics and techniques is beneficial but not mandatory.
Contributor Anonymity Options
MITRE offers contributors the option to be credited by name or company, or remain anonymous. For anonymous contributors, MITRE will work to produce a general visibility statement.
Contribution Guidelines
Contributors must share only information they own, ensuring that no leaked, proprietary, or sensitive data is included without the original source's permission. Contributions are voluntary and aimed at sharing personal insights.
Recent Developments and Future Goals
Earlier this year, MITRE released ACID (ATT&CK-based Control-system Indicator Detection for Zeek), incorporating OT protocol indicators using CISA’s ICSNPP Parsers to identify behaviors in the ATT&CK framework for ICS. Additionally, MITRE announced its ATT&CK 2024 goals to enhance usability and defensive measures, with plans for ICS sub-techniques by October.
By seeking contributions, MITRE aims to create a comprehensive evaluation system that reflects diverse adversary behaviors, enhancing security measures for industrial control systems.