The eagerly awaited 2021 MITRE Engenuity ATT&CK® Evaluations for ICS results are in! One major benefit of the ATT&CK Evals is that the testing data is open and available to the public. In an effort to be transparent with our results, in this post we will only discuss the numbers and metrics published by MITRE related to Armis. As such, below you will find a data-driven approach to understanding our exemplary performance in the evaluations. In short, Armis has:
- 100% visibility of all assets (OT/ICS and IT)
- 100% coverage of all ATT&CK for ICS tactics
- 100% real-time detection
- 100% detection of all initial access and lateral movement from IT to OT
- Real-time detection of PLC behavior critical changes
Read on to understand how the above metrics are critical to your ICS security posture.
100% Visibility Across ICS & IT
The foundation of a comprehensive ICS security solution is the ability to see every device across the entire infrastructure and beyond, while missing nothing in the process. With the increased frequency and sophistication of today’s attacks, depth and breadth of visibility are fundamental capabilities that an ICS security solution must deliver. Most breaches, such as the recent Colonial Pipeline cyber-attack, begin in the IT environment and then move laterally to the OT environment. Thus, visibility into both the IT and OT/ICS sides of the house is paramount. Zero gaps means zero blind spots, limiting an attacker’s ability to operate undetected. As the ATT&CK Evaluations results show, Armis had zero misses and provided 100% visibility of all IT and OT/ICS devices.
Comprehensive Coverage Across All ATT&CK for ICS Tactics and Techniques
Analytic detection coverage, as opposed to raw detection counts, should always be a factor when evaluating an ICS security solution. Having a higher number of general, tactic or technique detections leads to higher-quality detections, as this ensures that fewer attacks are missed. High-fidelity, high-quality detections give ICS security teams more time to investigate events, rather than sifting through a sea of data that could contain a high number of false positives.
In the ATT&CK Evaluations, “Tactics” and “Techniques” are the key measures of data precision.
- Tactic – The next level down the hierarchy, representing categories of techniques that tell us the actor’s steps in achieving their ultimate goals (persistence, data egress, evasion, etc.). In short, the “what” and the “why”.
- Technique – The epitome of relevant and actionable data – fully contextualized data points that tell a story, indicating what happened, why it happened, and crucially, how it happened.
These two detection classifications are the core of the MITRE ATT&CK for ICS framework and are of the highest value when creating context. Armis achieved 100% coverage of all MITRE Engenuity ATT&CK Evaluations for ICS tactics and a nearly 90% detection rate of all steps performed by adversaries during the evaluation.
100% Real-time Detection
Time is a critical factor when detecting an attack. A delayed detection, according to MITRE, is one that is not immediately available to the analyst; it may come minutes or hours after the adversary has performed malicious activity.
A delayed detection during the evaluation often means that the ICS security solution required a human analyst to manually confirm suspicious activity, because the solution was unable to do so on its own. The solution typically needs to send data to the analyst team or other third-party services for analysis and then alerts the customer, if required. Many critical parts of this process are performed manually, which creates a window of opportunity for the adversary to do real damage. In addition to real-time detection, we also give our customers the ability to explore and investigate the context of a threat directly from our console, and even to forward the alert to a third-party SIEM.
Adversaries operating at a high rate of speed need to be countered with a lightning-strike reaction and not one that requires human intervention. As the ATT&CK Evaluations results show, Armis had zero delayed detections.
100% Detection of All Initial Access and Lateral Movement from IT to OT
As mentioned above, protecting both IT and OT/ICS environments is paramount for any ICS security solution. Using passive monitoring technology and device profiling, Armis can detect and alert on devices entering the network (initial access) and communicating across the network (lateral movement). Armis also detects when a device uses remote services in an abnormal manner and alerts on suspicious or potentially malicious behavior. In the ATT&CK Evaluations, Armis detected 100% of these activities.
Real-time Detection of PLC Critical Changes
In addition to real-time detection of devices and events, real-time and continuous threat detection for programmable logic controllers (PLCs) is of utmost importance. Adversaries can change or update the operational mode of a PLC to gain access to supervisory functions, which can have a detrimental impact on OT operations.
Armis can identify the state of a PLC and detect changes to it in real time, such as changes to Program, Mode, State, Firmware, and many others. Real-time detection of these critical changes ensures that only known-good behavior is exhibited by every PLC and that only approved changes are implemented, keeping your OT environment safe and secure.
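How such a real-time check can be structured, as an added example in Python that is not Armis code: a monitor keeps the last known state of each PLC, compares every new passive observation against it, and flags any change to program, mode, state or firmware, marking only changes that match an approved-change record as expected. The PLC identifiers, program hashes and firmware versions are constructed; `plc_id` and the approved-change tuple layout are assumptions for the example.

```python
from collections import namedtuple

# One passive observation of a PLC. The fields are the critical attributes
# named on the page (program, mode, state, firmware); plc_id is hypothetical.
PlcSnapshot = namedtuple("PlcSnapshot", "plc_id program_hash mode state firmware")
CRITICAL_FIELDS = ("program_hash", "mode", "state", "firmware")
Finding = namedtuple("Finding", "plc_id field old new approved")


class PlcChangeMonitor:
    """Compares each new observation against the last known state of that PLC."""

    def __init__(self, baseline, approved_changes):
        self._last = {s.plc_id: s for s in baseline}
        # Approved changes are (plc_id, field, expected_new_value) tuples,
        # e.g. taken from a change-management ticket.
        self._approved = set(approved_changes)

    def observe(self, snap):
        findings = []
        prev = self._last.get(snap.plc_id)
        if prev is None:  # a PLC never seen before is itself worth an alert
            findings.append(Finding(snap.plc_id, "presence", "unknown", "observed", False))
        else:
            for field in CRITICAL_FIELDS:
                old, new = getattr(prev, field), getattr(snap, field)
                if old != new:
                    approved = (snap.plc_id, field, new) in self._approved
                    findings.append(Finding(snap.plc_id, field, old, new, approved))
        self._last[snap.plc_id] = snap  # report each change once, then track the new state
        return findings


def run_demo():
    """Constructed baseline and observation stream; returns only unapproved findings."""
    baseline = [PlcSnapshot("plc-01", "a1b2", "RUN", "running", "1.4.0")]
    approved = {("plc-01", "firmware", "1.5.0")}
    monitor = PlcChangeMonitor(baseline, approved)
    stream = [
        PlcSnapshot("plc-01", "a1b2", "RUN", "running", "1.5.0"),     # approved firmware update
        PlcSnapshot("plc-01", "a1b2", "PROGRAM", "halted", "1.5.0"),  # unapproved mode and state change
        PlcSnapshot("plc-01", "ffee", "PROGRAM", "halted", "1.5.0"),  # control program replaced
        PlcSnapshot("plc-02", "c3d4", "RUN", "running", "2.0.1"),     # PLC not in the baseline
    ]
    all_findings = [f for snap in stream for f in monitor.observe(snap)]
    return [f for f in all_findings if not f.approved]


if __name__ == "__main__":
    for f in run_demo():
        print(f"ALERT {f.plc_id}: {f.field} changed {f.old} -> {f.new}")
```

In a deployment the snapshots would be produced by the passive monitor and the approved-change set fed from the change-management process, so that an approved firmware rollout stays quiet while an unplanned RUN-to-PROGRAM transition alerts immediately.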
What the Results Mean to You:
The Armis platform’s exceptional performance in the 2021 MITRE Engenuity ATT&CK Evaluations for ICS proves that purpose-built, forward-thinking solutions such as Armis deliver the broadest, most in-depth visibility across IT and OT/ICS, together with the automation, that modern OT/ICS environments need to combat adversaries. As evidenced by the results of the evaluation, the Armis platform excels at visibility and detection and, even more importantly, at the autonomous mapping of data into fully indexed and correlated stories that allow users to completely and immediately understand the “what, why and how” when an adversary makes a move. Combined with Armis’ world-class threat research team, who have discovered critical vulnerabilities impacting millions of OT, IoT, and IoMT devices, including most recently ModiPwn, which affects Schneider Electric Modicon PLCs, security teams have the tools they need to keep their systems operational.
With Armis, customers can gain:
- 100% visibility of all assets (OT/ICS and IT)
- 100% coverage of all MITRE ATT&CK for ICS tactics
- 100% real-time detection
- 100% detection of all initial access and lateral movement from IT to OT
- Real-time detection of PLC critical changes
To learn more about the Armis platform’s coverage for the MITRE ATT&CK for ICS framework, click here.
For the full results and more information about MITRE Engenuity’s ATT&CK Evaluations, visit attackevals.mitre-engenuity.org.