What Will Your Attack Look Like?

Adversary campaigns often use similar and

1 System Variables
recognizable techniques. As an ICS defender, your
defensive actions (or lack of actions) will determine
what your next attack will look like.
Your cyber environment includes many elements specific Altering any element affects the overall security
to your implementation, engineering, and operational of the system, with each element dependent upon
needs. Those elements combine to create a unique other elements in the overall system.
System Variables environment to defend and protect.
The various cyber, physical, and support
1 components found in an environment
TECHNOLOGY
Adopt and utilize technology
APPLICATIONS SYSTEM MANAGEMENT to improve security
Cyber Maturity SYSTEM VENDOR
In many cases, Third-party • Patching
Variables vendor-specific design applications required • Change control
2 O rganization culture, investment, and
criteria will determine
system requirements
for operational
function • Monitoring
• Alerting
management programs that shape
• Malware protection
cybersecurity capability • Account management

3 Adversary
Capabilities INFRASTRUCTURE
• Physical system
NETWORK
ARCHITECTURE
• Design decisions • Segmentation approaches
• Operating procedures • Perimeter defense

4 • Control philosophy • IDS

Adversary • Operating system • Managed network switches
Intent • Virtualization
• Directory services
•
•
Data diodes
Site-to-site encryption
• Centralized logging system WO R K A N C E
5 FO R C VER N
E GO
External
Drivers WO R K E FOUNDATION FOUNDATION
FO R C V E R NANC Invest in people Develop sound policies
E G O and procedures

2 Cyber Maturity Variables

Your actions as the system owner will affect the
attacker’s strategy and possibly the outcome. INITIAL STAGE
WORKFORCE Organizations at this What an attack at this maturity will look like:
40 60
Staffing investments

Take Action!
and training 20 80 maturity level may be • Information exfiltrated
ICS defenders must consider unaware of an ongoing • M ultiple access points obtained

Perspectives
0 100
prolonged enterprise-
opportunities to disrupt targeted attack with
• P rivileged accounts obtained
INVENTORY • E xternal party or adversary may identify
adversarial actions with
Effect of Attack

potential elements of
Know your assets: the attack
an ICS-focused attack.
HW, SW, and the goal of minimizing the

of a
configuration
ACCESS
CONTROL
impact of the attack on
SYSTEM DEFINED STAGE
Electronic and the process or operation.

Cyber Attack
physical HARDENING
EVENT AND Organizations at this What an attack at this maturity will look like:
Asset configuration
limited to required INCIDENT
maturity level may have • M ovement throughout the environment using
RESPONSE
elements
Logging, monitoring, The adversary tactics, already undergone an in-place tools and software
enterprise-targeted Stage-1 • C2 channel hidden in trusted
and responding to
events of interest
MALWARE techniques, and procedures attack or an ICS-focused communications
DEFENSE
Protection and ACCOUNT RECOVERY (TTP) used in your attack will Stage-2 attack and are • Targeted organization or external party may
MANAGEMENT CAPABILITIES
Defender Actions prevention
Individual, shared, Operational be influenced by the maturity
working on mitigation. identify the attack

P O S T E R Focused on Minimizing
and default functions, and
individual assets of your cybersecurity program,
OPTIMIZED STAGE
the Effect of the Attack the effectiveness of your
Organizations at this What an attack at this maturity will look like:
processes, and the capabilities maturity level are proactively • R elatively silent
of your defenders. monitoring and responding • R elies on external communications paths

ics.sans.org
to potential attacks with with trusted parties
Active Defense techniques to • May utilize zero-day elements
defend the enterprise and • Targeted organization will likely identify
ICS environments. the attack
JOIN THE ICS COMMUNITY Disruption Activities
https://ics-community.sans.org/signup
ICS-PSTR-ATTACK-0117-v1
 Adversary campaigns often 3 Adversary Capabilities
use similar and recognizable
System techniques. As an ICS defender, Seven Habits of an Effective APT
1 Variables your defensive actions (or lack of “Adversaries have managers Start with the Why
actions) will determine what your and PowerPoint too” Define the goal of the campaign and what success looks like:
-Robert M. Lee
next attack will look like. data sets, project files, operational data, and capability demonstration.

2 Cyber Maturity
Variables Execute
Perform final-stage attacks systematically, create Flexibility
collateral impacts to confound and confuse recovery efforts, Target environments change –
Adversary Capabilities and follow up on ICS defender’s defensive actions. maintain a variety of accessible tools
3 As an ICS defender, you can’t control whether your and capabilities to adapt to changes.
organization becomes the target of a capable adversary. Lead
Stay several steps ahead of the ICS defender.
Anticipate defensive responses upon discovery Understanding Human Behavior
4 Adversary Methods to ensure continuation of attack. Targeted employees generally have a desire to do a
ICS defenders do not control the intent, objectives, good job and help others, but they typically do not
or scope of the campaign. assess technical risks very well and may have a limited
Test to Win
5 Validating the exploits will achieve
understanding of the interconnectedness of cyber systems.
External Drivers desired outcomes in target environment.
Adversary objectives and scope can be fluid and may change Limit damage to non-target environments.
with external drivers such as geopolitical or economic events. Avoid Discovery by Appearing Normal
Eliminate reliance on initial attack footholds and blend in to behave
like a trusted user utilizing existing communication paths and tools.

4 Adversary Methods 5 External Drivers

Stage 1: Stage 2:
Cyber Intrusion Preparation and Execution
Building a bridge from ICS Attack Development and Execution
Stage 1 to Stage 2 SUCCESSES
• Information sharing following Ukraine electric system attack
• Information sharing following German steelmaker attack
PLANNING RECONNAISSANCE ATTACK DEVELOPMENT DEVELOP
& TUNING • Emerging and improving standards and certifications
REMOTE ACCESS SYSTEM MGMT SYSTEM USE
WEAPONIZATION
PREPARATION • Vendors • Patching • Data historians VALIDATION TEST
TARGETING • Support personnel • Monitoring • Environmental reporting
• Alternate sites • Alerting • Process performance
• Dial-up • Backups • Billing
• Waterholing • Configuration • Metering
• Social engineering • Change management
DELIVERY
ATTEMPT
CYBER INTRUSION
SUCCESS
EXPLOIT DELIVER Cyber
INSTALL/MODIFY ICS ATTACK INSTALL/MODIFY
MANAGEMENT & ENABLEMENT C2
Scale
PLAN A PLAN B PLAN C
EXECUTE ICS ATTACK FAILURES
SUSTAINMENT, ENTRENCHMENT ACT Utilize existing Install tools, escalate Utilize physical access • N ot patching assets
DEVELOPMENT & EXECUTION connections, privileges, and approaches to deliver • N o inventory of ICS components
credentials, and tools manipulate the autonomous attacks or
• Lack of segmentation
environment “phone home” when
connectivity allows • Internet-facing devices
• Auto run and unapproved removable
media use
DISCOVERY MOVEMENT INSTALL/EXECUTE LAUNCH ENABLING ATTACK INITIATING ATTACK SUPPORTING ATTACK
• N o antvirus or malicious code detection
TRIGGER MODIFY HIDE OUT OF • N o logging
CAPTURE COLLECT EXFILTRATE CLEAN/DEFEND DELIVER INJECT AMPLIFY BALANCE • N o monitoring
• Important opportunities to share,
learn, and improve
Stage 1 is based on the Cyber Kill Chain® model from Lockheed Martin