MITRE launches ACID to boost OT security with ATT&CK-based indicators using CISA’s ICSNPP Parsers – IndustrialCyber


MITRE has introduced ACID (ATT&CK-based Control-system Indicator Detection for Zeek), a compilation of OT (operational technology) protocol indicators. These indicators utilize CISA’s ICSNPP Parsers to identify specific behaviors outlined in the ATT&CK framework for ICS (industrial control system). These indicators enhance visibility into specific aspects of configuration management and other OT network traffic activities, which are reported through the Zeek Notice Framework. The initiative underscores the increased effectiveness of a shared defense strategy within the community.

The non-profit organization detailed in a GitHub post that ACID depends on the usage of CISA’s ICSNPP Parsers for protocol parsing. “Since ACID’s indicators are currently only defined for the S7COMM, ENIP/CIP, and BACnet protocols, only those parsers have to be downloaded and installed. Additionally, users should ensure that the ICSNPP parsers are loaded before ACID’s __load__.zeek file so that the ACID scripts can verify the parsers’ presence before running,” it added.

CISA’s ICSNPP project, explicitly compatible with Zeek, is an ongoing initiative dedicated to providing open-source tools. The effort aims to enhance the operational network and process-level visibility for asset owners, operators, and OT security teams.

MITRE, however, said that ACID is still under active development. “We are interested in collaborating and getting feedback to further improve the capabilities of the ACID framework within Zeek, our indicators, and protocol understanding. We are most interested in protocol documentation, packet captures (PCAP) of related OT behaviors or suggestions for new indicators.”

ACID’s code is organized into four major parts: Constants, Detection, Reporting, and Options. Constants are defined globally and intended for use across protocols, while each supported OT protocol has its own Detection script that watches for new events raised by that protocol’s Zeek script files.

MITRE said that Zeek will report techniques that are detected by the Detection scripts. The fields that are sent to the notice.log file are ATT&CK_Tactic, ATT&CK_Technique plus protocol-specific event information, protocol, and Zeek connection information (connection_id, src_ip, src_port, dst_ip, and dst_port).

ACID currently has defined options for enabling and disabling specific detections based on ATT&CK techniques and IP addresses. These options can be found in the ACID_ics_options.zeek file. To disable an option for an entire technique, change the T to an F. To exclude specific IP addresses from being processed by specific techniques in any Detection script, add that IP address, as a string, to the orig address set, the resp address set, or both.

The GitHub post also revealed that MITRE Defensive OT Signatures (mDOTS) are packages of signatures that are leveraged within ACID to associate OT protocol events and ATT&CK technique indicators. These signatures can be customized to fit specific protocol implementations or versions based on the visibility of the network traffic.

“ACID is using the Zeek Input Framework to handle the ingesting of protocols’ signatures. Signatures for device configuration changes can be found in the mDOTS_config_change file. This file is a Zeek Tab Separated Values (Zeek TSV) file,” MITRE wrote in the post. “The main benefit of using the Zeek Input Framework over hardcoding signatures into the ACID code itself is increased signature flexibility.” 

It added that the Zeek Input Framework can read values during runtime, meaning that signatures for already existing techniques can be added, removed, or edited without having to restart the script or bring down the Zeek instance. “To modify the signatures for a device configuration change, users would go into the mDOTS_config_change file, go to the desired existing technique and protocol combination, and add a new indicator to the already existing list.” 

Among its upcoming features, MITRE is building customizable functionality that associates related ACID events within a session based on the ATT&CK technique-to-protocol behavior reports. This will let users set a specific timeframe within which multiple indicators are aggregated and reported under a single notice event, reducing notice volume without losing the underlying detail.
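To make the notice fields, the per-technique T/F switches with orig/resp address sets, and the planned time-window aggregation concrete, here is an added illustration in Python (not ACID’s own Zeek code): it parses a constructed Zeek-TSV notice sample whose columns mirror the fields listed above, applies an options table modelled on ACID_ics_options.zeek, and folds indicators for the same connection and technique into one notice when they fall within a window. Column names, the options layout and the tactic/technique pairings in the sample are assumptions for the example.

```python
"""Parse Zeek-TSV notices, apply ACID-style options, aggregate per session."""

# Constructed sample in Zeek TSV layout (not a real ACID notice.log); the
# columns follow the notice fields the article names. Assumption: layout only.
SAMPLE_TSV = """#separator \\x09
#fields\tts\tconnection_id\tsrc_ip\tsrc_port\tdst_ip\tdst_port\tprotocol\tattack_tactic\tattack_technique\tevent_info
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring
1700000000.10\tCabc1\t10.0.0.5\t51000\t10.0.1.20\t102\ts7comm\tLateral Movement\tT0843\tdownload request
1700000001.40\tCabc1\t10.0.0.5\t51000\t10.0.1.20\t102\ts7comm\tLateral Movement\tT0843\tdownload end
1700000002.00\tCdef2\t10.0.0.9\t44818\t10.0.1.30\t44818\tenip\tDiscovery\tT0888\tidentity request
1700000030.00\tCabc1\t10.0.0.5\t51000\t10.0.1.20\t102\ts7comm\tLateral Movement\tT0843\tdownload request
"""

# Modelled on the T/F toggle plus orig/resp address sets described for
# ACID_ics_options.zeek; the dict shape is this example's assumption.
OPTIONS = {
    "T0843": {"enabled": True, "orig": set(), "resp": set()},
    "T0888": {"enabled": True, "orig": {"10.0.0.9"}, "resp": set()},
}


def parse_zeek_tsv(text):
    """Return one dict per data row, keyed by the #fields header; skip other # lines."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_enabled(row, options):
    """Technique switched on, and neither endpoint listed in its filter sets."""
    tech = options.get(row["attack_technique"])
    if tech is None or not tech["enabled"]:
        return False
    return row["src_ip"] not in tech["orig"] and row["dst_ip"] not in tech["resp"]


def aggregate(rows, options, window):
    """Fold indicators for one (connection, technique) within `window` seconds
    of the first into a single notice; a later indicator opens a new notice."""
    notices, open_notices = [], {}
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        if not is_enabled(r, options):
            continue
        key, ts = (r["connection_id"], r["attack_technique"]), float(r["ts"])
        n = open_notices.get(key)
        if n is None or ts - n["first_ts"] > window:
            n = {"connection_id": r["connection_id"], "protocol": r["protocol"],
                 "tactic": r["attack_tactic"], "technique": r["attack_technique"],
                 "first_ts": ts, "events": []}
            open_notices[key] = n
            notices.append(n)
        n["events"].append(r["event_info"])
    return notices
```

With a 10-second window the two download indicators at 0.1 s and 1.4 s become one notice and the one at 30 s a second; the ENIP row is dropped by the orig filter.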

The post said that the initial set of indicators released for ACID focuses primarily on device and configuration management behaviors. In the future “we are looking to build out signatures focused on areas such as remote access to ICS, process alarm visibility, file transfers, and other detection areas,” it added.

This post was originally published on the third-party site mentioned in the title of this post.
