Use Cases
The Defending OT with ATT&CK reference architecture, threat collection, and methodology are valuable resources for cyber professionals across the many roles and responsibilities associated with organizational cyber defense, risk management, and threat prevention. The resources provide a customized collection of adversary behaviors tailored to the attack surface and threat model of OT environments, supporting a variety of capabilities and use cases. The list below is not meant to be comprehensive; it gives examples of how the project resources can be used.
Users
The existing communities providing, securing, and maintaining OT systems and environments include many roles and responsibilities associated with cybersecurity processes and procedures. These roles and responsibilities include:
- Chief Information Security Officer (CISO)
Responsible for carrying out information security policies, procedures, and controls, and for providing the primary interface between senior managers and information system owners.
- Information System Security Officer (ISSO)
Responsibilities include ensuring the appropriate operational security posture is maintained for information systems or programs.
- Cyber Threat Intelligence (CTI) Analyst
Responsibilities include collecting data and information from across the threat landscape to identify, assess, and recommend countermeasures for cyber threats.
- Red Team (RT) Engineer
Responsibilities include conducting security exercises that emulate real-world cyber threats to assess and improve the effectiveness of defensive measures.
- Security Engineer (SE)
Responsibilities include identifying, developing, and implementing security controls and solutions to protect networks and systems from unauthorized access and attacks.
Usage
Defending OT with ATT&CK enables the following essential capabilities:
- Threat Intelligence Mapping
Users can leverage ATT&CK’s full range of OT-related technique mappings used by real-world threat actors to describe adversary activities during a security event and understand how their behaviors may impact assets across an environment.
- Red Teaming and Penetration Testing
Users can apply the project resources to conduct strategic adversarial simulations, including red teaming and penetration testing, to effectively evaluate real-world risks across the attack surface.
- Security Architecture and Operations
Users can use the mapped information to more easily identify security control gaps to protect systems and environments from threats, develop detections for adversary activity, and plan appropriate response activities across their IT/OT environment.
- Cyber Tabletop Exercises
Users can use project resources to conduct collaborative cyber tabletop exercises that evaluate adversarial risks without touching live systems, drawing on the combined knowledge and expertise of participants to assess the security technologies the organization has deployed as mitigations.
User Stories
This section describes user stories based on the roles identified above. These user stories are expressed as the who, what, and why, with a short exploration of how a user story may be achieved.
- As a CISO/ISSO, I want to understand how our current security posture addresses real-world threats that my organization is likely to encounter:
Defending OT with ATT&CK provides a customized collection of ATT&CK techniques tailored to the attack surface and threat model of OT environments. The resulting resources can be used to build threat-vector-based compromise scenarios grounded in real-world adversary behaviors targeting IT/OT environments. These scenarios give an understanding of actual threats and risks, and that knowledge can be applied to evaluate and employ appropriate security controls and mitigations.
- As a CTI analyst, I need to know that we have sufficient countermeasures for threats against my organization:
The Defending OT with ATT&CK resources can be used by CTI analysts to understand and evaluate adversary activities associated specifically with OT systems and environments. The narrative pages for the mapped ATT&CK techniques and sub-techniques provide information about detections and mitigations for each behavior, and often include links to available tools. This information can help CTI analysts recommend countermeasures for their IT/OT environments.
- As an RT engineer, I want to have a complete picture of my organization’s attack surface and how it can be abused, to improve defensive measures:
The Defending OT with ATT&CK mappings provide a framework for comprehensively describing adversary behaviors at a flexible level of abstraction across multiple platforms and technology domains. The resources give RT engineers adversarial techniques and scenarios that can be used to understand their attack surface and to identify the cyber defensive capabilities needed to mitigate threats to their systems and environments.
- As an SE, I want to understand what mitigations are necessary to prevent classes of attacker activity:
SEs can use the Defending OT with ATT&CK resources to evaluate and employ security controls and mitigations for real-world adversary behaviors associated specifically with attacks targeting the IT/OT systems used in OT environments. Most ATT&CK techniques and sub-techniques include information about relevant mitigations; examining and correlating these can suggest control improvements that mitigate entire classes of adversary activity as well as individual threats.