Detection Engineering in Industrial Control Systems—Ukraine 2016 Attack: Sandworm Team and Industroyer Case Study

By Michael McFail, Jordan Hanna, Daniel Rebori-Carretero

We engineer threat-based cyber detections for Industrial Control Systems (ICS) using research into adversary techniques and purple teaming activities. We establish technical requirements that inform which analytics to implement or acquire.


We extend MITRE's TCHAMP threat hunting methodology to Industrial Control Systems (ICS), identifying and addressing challenges unique to ICS environments. We execute the defensive analytic development process leveraging the Ukraine 2016 cyber-attack as a use case from which we source requirements. We describe the use of purple teaming activities and research into technique execution to determine an appropriate level of technical depth to support the detection engineering process. Understanding how to map attacks to a target ICS environment and understanding the breadth of options available to an adversary are both critical to developing sufficiently specific detections.

The output of this process is a set of usable analytics ranging in maturity from proof-of-concept to ready-for-production deployment. Where possible we build upon existing commercial and open-source tooling, using the exemplar use case to establish technical requirements for custom-built or commercially acquired detection capabilities. We cover the analytics we developed and discuss lessons learned for future ICS detection engineering efforts.