This presentation will describe how to map the ICS threat landscape to MITRE ICS ATT&CK. This approach correlates game theory modeling and the ICS ATT&CK framework to identify the leading security solution to win the game against the adversary.
The game theory modeling can be summarized as follows:
1) Game – the game-players are in a Simultaneous Static Game;
2) Strategy – the defender's strategy is to determine an optimal security system solution to detect the attacker's traffic, and the attacker's strategy is to find the optimal sophistication level to elude the defender's security measures;
3) Payoff – the model projects the payoff for each player's strategy based on mapping the threats to ICS ATT&CK.
The goal will then be to solve the game and find the equilibrium point, which is the best strategy for both players. This equilibrium will occur when the players do not have any profit deviation in using any other strategy.
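As an added illustration that is not part of the talk, the equilibrium test just described (no player gains by deviating unilaterally) applied to the abstract's strategy sets: the three defender solutions and the three adversary sophistication levels. The detection probabilities, impact values and costs are constructed assumptions for the example, not figures from the presentation.

```python
from fractions import Fraction as F
from itertools import product

# Strategy sets follow the abstract; every number below is a constructed
# assumption for illustration, not a figure from the talk.
DEFENDER = ["data_diode", "soc_hunting", "noisense"]
ATTACKER = ["low", "medium", "advanced"]

# Constructed: probability that a defence detects an attack of a given level.
DETECT = {
    "data_diode":  {"low": F(1), "medium": F(2, 10), "advanced": F(1, 10)},
    "soc_hunting": {"low": F(1), "medium": F(7, 10), "advanced": F(5, 10)},
    "noisense":    {"low": F(1), "medium": F(8, 10), "advanced": F(95, 100)},
}
IMPACT = {"low": F(3), "medium": F(8), "advanced": F(12)}      # loss if undetected
DEFENCE_COST = {"data_diode": F(1), "soc_hunting": F(2), "noisense": F(5)}
ATTACK_COST = {"low": F(1), "medium": F(2), "advanced": F(9)}  # attacker's effort

def payoffs(d, a):
    """Return (defender_payoff, attacker_payoff) for one strategy profile."""
    undetected = 1 - DETECT[d][a]
    defender = -undetected * IMPACT[a] - DEFENCE_COST[d]
    attacker = undetected * IMPACT[a] - ATTACK_COST[a]
    return defender, attacker

def best_response_defender(a):
    """Defender solution that maximises the defender's payoff against level a."""
    return max(DEFENDER, key=lambda d: payoffs(d, a)[0])

def best_response_attacker(d):
    """Sophistication level that maximises the attacker's payoff against d."""
    return max(ATTACKER, key=lambda a: payoffs(d, a)[1])

def pure_nash_equilibria():
    """Profiles where neither player has a profitable unilateral deviation."""
    equilibria = []
    for d, a in product(DEFENDER, ATTACKER):
        dp, ap = payoffs(d, a)
        defender_deviates = any(payoffs(d2, a)[0] > dp for d2 in DEFENDER)
        attacker_deviates = any(payoffs(d, a2)[1] > ap for a2 in ATTACKER)
        if not (defender_deviates or attacker_deviates):
            equilibria.append((d, a))
    return equilibria

if __name__ == "__main__":
    for a in ATTACKER:
        print(f"attacker level {a:8} -> defender best response: {best_response_defender(a)}")
    print("pure-strategy equilibria:", pure_nash_equilibria())
```

With these constructed numbers the defender's best response to each level is the solution the abstract pairs with it, and the only pure-strategy equilibrium is the SOC-and-hunting defence against a medium-sophistication adversary.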
In this game, mapping threats to ICS ATT&CK identifies the adversary's sophistication level, and that level guides the defender to the best strategy. When the adversary chooses a low-sophistication threat, the defender can apply ICS security measures and controls, in addition to isolating OT from IT with data diode technology. If the adversary chooses a medium-sophistication threat, the defender can use continuous monitoring solutions, i.e., a Security Operations Center (SOC) and a hunting service for non-targeted, dual-use, prolific exploits. When the adversary chooses advanced threats, the defender can apply defense-in-depth solutions such as hardware-based fingerprint detection using NoiSense techniques. This approach provides stakeholders with holistic solutions to secure the ICS environment.

Rashed Rabie, Threat Hunter and Ph.D. researcher, Deloitte & Touche LLP
© 2021 Deloitte Development LLC.