MITRE ATT&CK for ICS Framework: Detecting Adversary Techniques with Claroty

The MITRE ATT&CK for ICS framework was released in January 2020 to augment the MITRE Corporation’s existing, widely used ATT&CK Knowledge Base. As MITRE’s newest framework, ATT&CK for ICS serves as the most comprehensive taxonomy of attack techniques and supporting methods leveraged by adversaries targeting industrial environments. As such, the framework is a useful tool for security teams wishing to ensure they’re covering all the bases in terms of being able to detect all potential OT security threats.

As Claroty Co-Founder Galina Antova has previously discussed at-length on our blog, threat detection is crucial to securing ICS environments. The Claroty Platform—which includes Continuous Threat Detection (CTD) and Secure Remote Access (SRA)—is capable of detecting all adversary techniques that correspond with each of the 11 tactics in the MITRE ATT&CK for ICS framework.

To achieve this granular visibility into these techniques and tactics—among others—Claroty leverages five detection engines designed to overcome common challenges that often hinder efforts to identify threats within ICS environments:

  • Anomaly Detection Engine: Identifies changes in ICS communication patterns. Based on CTD’s Deep Packet Inspection (DPI), the Claroty’s Anomaly Detection Engine pinpoints unusual behavior of any kind, ranging from different code functions being used by human-machine interfaces (HMIs) to specific tag names or values.
  • Security Behaviors Engine: Identifies known, documented techniques that have been used by attackers, including OT-specific security patterns such as TAG/address scan or OT man-in-the-middle attacks, in addition to IT-specific security patterns.
  • Known Threats Engine: Powered by SNORT and YARA Rule engines, the Known Threats Engine leverages an expansive database of signatures and indicators of compromise (IoCs) from both open and internal sources. This engine equips threat hunters and incident responders with the context needed to detect and prevent targeted attacks early in the kill chain and mitigate the consequences of malware infections.
  • Operational Behaviors Engine: Identifies unusual ICS operational behaviors—including configuration download/upload, change mode, key state change and firmware upgrade—that occur in the network, over both proprietary and standard protocols.
  • Custom Rules Engine: Responsible for identifying specific, user-defined events, including out-of-range values or specific types of communications.

Leveraging the five detection engines above, The Claroty Platform can identify all of the adversary techniques that correspond with all 11 tactics covered in the MITRE ATT&CK for ICS framework. These include:

Tactic 1: Initial Access

How an adversary gains their initial foothold within a victim’s ICS environment, such as drive-by compromise, engineering workstation compromise, external remote services, and the exploitation of public-facing applications, among others. Devices with privileges spanning both IT and OT environments are particularly susceptible to this tactic, along with IT resources within OT environments and external remote services.

Tactic 2: Execution

Techniques that allow an adversary to run and control malicious code on a targeted system or device. For instance, an attacker may infect remote targets with programmed executables or leverage command-line interfaces, APIs, GUIs, or other available interfaces to issue execution commands.

Tactic 3: Persistence

How an adversary maintains their initial foothold within a compromised ICS environment despite potential disruptions such as restarts and credential changes. Specific techniques include replacing or hijacking project files and installing programs onto targeted devices.

Tactic 4: Evasion

Methods for avoiding detection by human operators and technical defenses during an attack. Evasion techniques may include removing indicators of compromise, spoofing communications and reporting, and abusing trusted devices and processes.

Tactic 5: Discovery

Methods used by adversaries to orient themselves and gather knowledge about an ICS environment’s internal network, devices, and processes in order to inform targeting and subsequent tactics. Discovery techniques include network communication enumeration, network sniffing, and control device identification.

Tactic 6: Lateral Movement

Describes how an adversary moves throughout a compromised ICS environment, possibly gaining access to additional assets and privileges. Methods include the use of default credentials, program organization units, or the remote file copy technique.

Tactic 7: Collection

How an adversary gathers data and domain knowledge to help inform their objectives within an ICS environment. This tactic is closely related to Discovery, and may include methods such as automated collection, data from information repositories, and point/tag identification.

Tactic 8: Command and Control

Describes the technique an adversary uses to communicate with and control compromised ICS systems, devices, and platforms through vectors such as ports, connection proxies, and standard application layer protocol. Oftentimes, this tactic is carried out by adversaries using commonly available resources in a manner that mimics expected network traffic in order to avoid suspicion.

Tactic 9: Inhibit Response Function

Techniques an adversary may use to prevent an organization from responding to failures, disruptions, and other anomalies within a targeted ICS environment, such as denial-of-service, alarm suppression, and the manipulation or destruction of data, programs, logic, devices, and communications.

Tactic 10: Impair Process Control

Methods of disabling, manipulating, or damaging physical control processes—such as brute force I/O, changes in program state, unauthorized command messages, and the prevention or manipulation of reporting elements and control logic.

Tactic 11: Impact

Lastly, the framework describes techniques for disrupting, manipulating, or destroying the integrity or availability of ICS systems, data, and their environment. Impact techniques—such as denial of control, loss of productivity and revenue, and theft of operational information—can greatly exacerbate short-term and long-term disruption and damage resulting from an ICS attack.


For a full breakdown of how The Claroty Platform is capable of detecting the aforementioned techniques and more, download our Claroty Support for the MITRE ATT&CK for ICS Framework report.



Read On