This new content combines the MITRE ATT&CK ICS matrix with ArcSight ESM's ICS MITRE ATT&CK Monitoring detection content to support users working in Windows, AWS Security Hub, Linux, AirMagnet Enterprise, Tenable Nessus, Snort and Microsoft Office 365 ICS environments.
Release 1.1 includes four new dashboards that allow you to visualize events and potential threats in real time in your ICS environment using logs from Windows, AWS Security Hub, Linux, Tenable Nessus, Snort, or Microsoft Office 365.
Release 1.0 introduces ArcSight ESM's industrial control systems (ICS) MITRE ATT&CK Monitoring package. It supports the following ICS MITRE ATT&CK tactics and techniques; where a technique has package rules associated with it, the rule names are listed beneath it:
Collection: Data from Information Repositories T0811
Collection: Detect Operating Mode T0868
Collection: I/O Image T0877
Collection: Man in the Middle T0830
Collection: Program Upload T0845
Collection: Screen Capture T0852
Command and Control: Commonly Used Ports T0885
Command and Control: Connection Proxy T0884
    ICS-Sandworm Exploit Detected
    ICS-Suspicious Communication through Proxy
Command and Control: Standard Application Layer Protocol T0869
Discovery: Network Connection Enumeration T0840
    ICS-IEC 61850 Device Connection Enumeration Attempt
    ICS-Network Connection Enumeration
Discovery: Network Sniffing T0842
Discovery: Remote System Discovery T0846
    ICS-Possible Atvise SCADA Enumeration Attempt
    ICS-Remote System Discovery
Discovery: Remote System Information Discovery T0888
Evasion: Indicator Removal on Host T0872
    ICS-File or Log Deleted on Host
    ICS-Registry Deleted by Reg.exe or PowerShell
Evasion: Masquerading T0849
Execution: Change Operating Mode T0858
Execution: Command Line Interface T0807
Execution: Graphical User Interface T0823
    ICS-Suspicious Remote Desktop Protocol
    ICS-VNC Exploit Execution
Execution: Hooking T0874
Execution: Modify Controller Tasking T0821
Execution: Scripting T0853
Execution: User Execution T0863
    ICS-Exploit of Client Application
Impact: Damage to Property T0879
Impact: Loss of View T0829
Impact: Theft of Operational Information T0882
Impair Process Control: Modify Parameter T0836
Impair Process Control: Unauthorized Command Message T0855
Inhibit Response Function: Data Destruction T0809
Inhibit Response Function: Denial of Service T0814
Inhibit Response Function: Device Restart/Shutdown T0816
Inhibit Response Function: Manipulate I/O Image T0835
Inhibit Response Function: Rootkit T0851
Inhibit Response Function: Service Stop T0881
Inhibit Response Function: System Firmware T0857
Initial Access: Drive-by Compromise T0817
Initial Access: Exploit Public-Facing Application T0819
Initial Access: External Remote Services T0822
Initial Access: Replication Through Removable Media T0847
    ICS-Replication Through Removable Media
    ICS-USB Rubber Ducky Detected
Initial Access: Spearphishing Attachment T0865
Initial Access: Transient Cyber Asset T0864
Initial Access: Wireless Compromise T0860
    ICS-Rogue Device Detected
    ICS-Wireless Malicious Traffic Detected
    ICS-Wireless Vulnerability Detected
Lateral Movement: Default Credentials T0812
Lateral Movement: Exploitation of Remote Services T0866
    ICS-Exploit Detected on ICS Environment
    ICS-SMBv1 MS17-010 Exploit Detected
Lateral Movement: Lateral Tool Transfer T0867
Lateral Movement: Remote Services T0886
Lateral Movement: Valid Accounts T0859
Persistence: Modify Program T0889
Persistence: Project File Infection T0873
Privilege Escalation: Exploitation for Privilege Escalation T0890
The ICS Asset filter by default limits event processing to events whose source or destination asset, or the zone that asset belongs to, is categorized as /All Asset Categories/Industrial Control Systems/. Events that touch no ICS asset or zone are ignored by the package rules, so the categorization below is what puts an event in scope. You can customize the filter to suit your ICS environment. For example, you could configure it to use the following conditions:
The device machine is categorized as /All Asset Categories/Industrial Control Systems/.
The device machine's zone is categorized as /All Asset Categories/Industrial Control Systems/.
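The scoping logic described above, as an added illustration that is not ArcSight code: an event is in scope when either endpoint carries an ICS category directly on the asset or inherits one from its zone, and sub-categories beneath the ICS category path still match. The endpoint and event records below are constructed for this example, as are the helper names.

```python
"""Illustration (not ArcSight code) of how the ICS Asset filter scopes events.

An event is in scope when its source OR destination is an ICS endpoint, and an
endpoint is ICS when the asset itself, or the zone it sits in, is categorized
at or below /All Asset Categories/Industrial Control Systems/. All records
below are constructed sample data; the names are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import List

ICS_CATEGORY = "/All Asset Categories/Industrial Control Systems/"


@dataclass
class Endpoint:
    address: str
    asset_categories: List[str] = field(default_factory=list)  # on the asset
    zone_categories: List[str] = field(default_factory=list)   # on its zone


@dataclass
class Event:
    name: str
    source: Endpoint
    destination: Endpoint


def in_category(categories: List[str], prefix: str = ICS_CATEGORY) -> bool:
    """True if any category equals the ICS path or lies beneath it.

    Category paths are hierarchical, so a child such as
    /All Asset Categories/Industrial Control Systems/PLC also matches.
    """
    bare = prefix.rstrip("/")
    return any(c == bare or c.startswith(prefix) for c in categories)


def endpoint_is_ics(ep: Endpoint) -> bool:
    # Either the asset's own categories or its zone's categories qualify it.
    return in_category(ep.asset_categories) or in_category(ep.zone_categories)


def ics_asset_filter(event: Event) -> bool:
    """Mirror of the default filter: source OR destination is an ICS asset/zone."""
    return endpoint_is_ics(event.source) or endpoint_is_ics(event.destination)


def scope_events(events: List[Event]) -> List[str]:
    """Return the names of the events the package rules would process."""
    return [e.name for e in events if ics_asset_filter(e)]


# Constructed sample endpoints (addresses and categories are made up).
PLC = Endpoint("10.1.5.20", asset_categories=[ICS_CATEGORY + "PLC"])
HMI = Endpoint("10.1.5.30", zone_categories=[ICS_CATEGORY])   # inherits via zone
CORP_HOST = Endpoint("192.168.10.5")                           # no ICS category
INTERNET = Endpoint("203.0.113.9")

SAMPLE_EVENTS = [
    Event("PLC program upload", HMI, PLC),             # both sides ICS
    Event("RDP from corporate to HMI", CORP_HOST, HMI),  # destination ICS via zone
    Event("Corporate web browsing", CORP_HOST, INTERNET),  # neither side ICS
    Event("PLC beaconing outbound", PLC, INTERNET),     # source ICS
]

if __name__ == "__main__":
    for name in scope_events(SAMPLE_EVENTS):
        print("in scope:", name)
```

The point the example makes explicit is that an uncategorized corporate host is still in scope when it talks to an ICS asset or zone, while ICS-to-ICS traffic that sits in an uncategorized zone with uncategorized assets is silently excluded; check both the asset and the zone categories when a rule you expect to fire never does.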
To Categorize Assets
1. Choose the asset you want to categorize, for example a Private Address Space Zone.
2. Go to the Categories tab and click Add.
3. Select /All Asset Categories/Industrial Control Systems/.
Requires ESM Default Content package 3.6 or later.
The .zip file contains three files, including:
package .arb file
signature .arb file
To install and deploy the package:
1. Go to the ArcSight Console.
2. Click Packages.
3. Click Import.
4. Select the package .arb from the .zip file.
5. Follow the prompts to import and install this package.
6. Categorize your ICS assets according to "Limit ICS Asset Filter".
7. Deploy the ICS rules.
To uninstall, right-click the package in the ArcSight Console and select Uninstall Package.
Verifying the Downloaded Installation Software
Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party.
Visit the following site for information and instructions:
Sample Replay Events
This zip file contains two files: the replay events and a readme.
To trigger and test rules in the ICS MITRE ATT&CK package, you need to:
1. Enable the rules you want to test.
2. Define ICS zones: edit All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 and add All Asset Categories/Industrial Control Systems to the zone's Categories, so that the replayed events (which use addresses in that range) pass the ICS Asset filter.
Requires ArcSight 7.2 or later.
Requires ESM Default Content package 3.6 or later.