Detection Engineering in Industrial Control Systems—Ukraine 2016 Attack: Sandworm Team and Industroyer Case Study

April 2022
Topics: Cybersecurity, Computer Security, Critical Infrastructure Protection
Michael L. McFail, The MITRE Corporation
Jordan Hanna, The MITRE Corporation
Daniel Rebori-Carretero, The MITRE Corporation

We extend MITRE's TCHAMP threat hunting methodology to Industrial Control Systems (ICS), identifying and addressing challenges unique to ICS environments. We walk through the defensive analytic development process using the Ukraine 2016 cyber-attack as the use case from which we source requirements. We describe the use of purple teaming activities and research into technique execution to determine the level of technical depth needed to support the detection engineering process. Understanding how to map attacks to a target ICS environment, and understanding the breadth of options available to an adversary, are both critical to developing sufficiently specific detections.

The output of this process is a set of usable analytics ranging in maturity from proof-of-concept to ready-for-production deployment. Where possible we build upon existing commercial and open-source tooling, using the exemplar use case to establish technical requirements for custom-built or commercially acquired detection capabilities. We cover the analytics we developed and discuss lessons learned for future ICS detection engineering efforts.
