ATT&CK-based Control-system Indicator Detection for Zeek (ACID) is a collection of Operational Techonology (OT) protocol indicators developed to alert on specific ATT&CK for ICS behaviors. The goal of these indicators is to provide visibility into a subset of configuration management and other OT network traffic activity which is reported via the Zeek Notice Framework.
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK tracks information about the TTPs adversaries have leveraged across multiple technology domains (Enterprise, Mobile, Cloud, and ICS). This specific project is focused on the behaviors used by adversaries within Industrial Control Systems environments.
Important
Please ensure relevant ICSNPP parsers are installed prior running ACID within your Zeek instance. The detection scripts will not load otherwise.
ACID depends on the usage of CISA's ICSNPP Parsers for protocol parsing. Since ACID's indicators are currently only defined for the S7COMM, ENIP/CIP, and BACnet protocols, only those parsers have to be downloaded and installed. Additionally, users should ensure that the ICSNPP parsers are loaded before ACID's __load__.zeek file so that the ACID scripts can verify the parsers' presence before running.
Our scripts were loaded and tested in the Zeek $PREFIX/share/zeek/site/local.zeek folder. Please see relevant Zeek documentation for more information.
Below are two methods of installing ACID. The first is through the Zeek package manager and the second is through a manual install.
ACID is available in the zkg package format and can be installed with the commands below :
inclusion into Zeek package source in progress
mkdir ACID && cd $_
git clone https://github.com/cisagov/ACID.git .
zkg install .
Verifying that the zkg package has been installed can be done by running zeek -N. If the package has been installed successfully, users will see MITRE::ACID displayed under installed packages.
Please follow the following steps to add the package to your site's local.zeek configuration file or follow the manual installation command line examples to test.
To install ACID directly to your ZeekControl Instance using the source code, please follow the steps below:
- Navigate to your Zeek installation's site directory ($ZEEKPREFIX/share/zeek/site).
- Clone or extract the ACID codebase in new folder named ACID (see code snippet below).
- Add the new line
@load ACID/__load__.zeekto the site's local.zeek file and save. - Verify that the ICSNPP parsers are installed on this site and/or Zeek instance.
- Reload the local policy script to have modifications take effect. This can be done by installing the policies through ZeekControl (
zeekctl) and redeploying the zeekctl instance. To do this, in your current instance or new instance of zeekctl, first runinstall, and then either thestartordeploycommand.
Step 2 Code Snippet:
mkdir $ZEEKPREFIX/share/zeek/site/ACID && cd $_
git clone https://github.com/cisagov/ACID.git .
- Clone or extract ACID codebase into new directory name ACID.
- Install ICSNPP parsers relevant to your PCAP or network.
Offline PCAP files:
zeek -r ./File.pcap icsnpp/bacnet icsnpp/enip icsnpp/s7comm ./ACID/__load__.zeek
Network interface via command line:
sudo zeek -i eth0 icsnpp/bacnet icsnpp/enip icsnpp/s7comm ./ACID/__load__.zeek
ACID was developed leveraging specific device and protocol versions; See below for more detail.
These indicators were derived from real over-the-wire traffic that was captured in controlled testing environments. The indicators were derived by isolating device behavior, inspecting the network traffic, determining which packets were responsible for provoking device responses, and cross-referencing those indicators with publicly available resources.
Devices included a Siemens S7-300 with CPU version 315-2 PN/DP communicating via TIA Portal, a Rockwell Allen-Bradley 1756-L71 ControlLogix 5571 running firmware version 20.54 communicating via RSLogix 5000 V20.05.00 (CPR 9 SR 10), and a Honeywell JACE WEB-8000 Controller communicating via Niagara Version 4.7.109.20.1.
Any technique with a X in indicates that the technique can be detected in that protocol by a unique indicator. Any technique that has an o in indicates that the technique can be detected in the protocol, but the indicator isn't unique to that behavior for that protocol (ex. Run Mode and Stop Mode both use the same indicator in BACnet). Any blank fields indicate that the technique cannot currently be detected or does not exist.
| ATT&CK Behavior | ENIP/CIP | S7Comm | BACnet |
|---|---|---|---|
| Program Download | X | X | X |
| Change Operating Mode | X | X | X |
| Run Mode | X | X | o |
| Stop Mode | X | X | o |
| Modify Parameter | X | X | X |
| Handshake | X | X | X |
| Remote System Discovery | X | ||
| Program Upload | X | X | |
| Force Tag | X | X | |
| Enable Forces | X | X | X |
| Disable Forces | X | X | X |
| Remote System Info Discovery | X | ||
| Manipulate I/O Image | X | ||
| Denial of Service | X |
| Legend | |
|---|---|
| Technique can be detected uniquely | X |
| Technique can be detected, may not be unique or includes overlaps | o |
| Technique is not detected | blank |
| Connection Information | Notice Type | Message | Sub-Message | Action |
|---|---|---|---|---|
| UID, Source IP & Port, Destination IP & Port, Protocol | ATT&CK Tactic Name | Technique ID, ATT&CK Technique Name, Metadata | Protocol / Parser | |
| CsH10L3oC8YHINF2sd, 192.168.1.1, 65123, 192.168.1.2, 44818, tcp | ATTACKICS::Privilege_Escalation | Device handshake (Class:0x8e - Service:0x5c) | enip/cip | Notice::ACTION_LOG |
ACID's code structure is organized into four major parts: Constants, Detection, Reporting, and Options.
Constants consists of code that is defined globally and intended to be used across all of the protocols. Some examples of constants can be seen below.
MITRE Defensive OT Signatures (mDOTS) Sets:
For more on mDOTS, see mDOTS
type Idx: record {
technique: string;
protocol: string;
};
type Val: record {
ind: set[string];
};
# Initialization of indicator table
global mDOTS_config_table: table[string, string] of Val = table();
ATT&CK Information
Techniques that are detected by ACID can be referenced by their ATT&CK Technique ID.
const attack_info : table[string] of string =
{
["t0836"] = "T0836 Modify Parameter",
["t0843"] = "T0843 Program Download",
["t0845"] = "T0845 Program Upload",
["t0858"] = "T0858 Change Operating Mode",
["t0878"] = "T0878 Alarm Suppression",
["t0801"] = "T0801 Monitor Process State",
...
} &redef;
For each OT protocol there is a defined detection script which watches for new events within their protocol-respective Zeek script files. As events get parsed by Zeek, ACID will use the following protocol fields to determine if that event falls under a given ATT&CK technique(s):
| Protocol | Field(s) |
|---|---|
| ENIP / CIP | class_id, service |
| S7comm | function_code, subfunction_code* |
| BACnet | pdu_service |
* indicates that this field is not always present
It should be noted that the format of the detection scripts follows from the event generation code found in the protocol respective CISA ICSNPP parsers. For example, BACnet ACID event indicators will have the format Function: *bacnet_pdu_function_name* where *bacnet_pdu_function_name* is the field bacnet_rec$pdu_service that is generated by code found in the CISA ICSNPP BACnet parser.
Zeek will report techniques that are detected by the Detection scripts. The fields that are sent to the notice.log file are: ATT&CK_Tactic, ATT&CK_Technique + protocol specific event information, protocol, and Zeek connection information (connection_id, src_ip, src_port, dst_ip, and dst_port). Below is the ACID code showing the same structure.
# T0835 Modify Program
function ics_t0835_log( uid : string, id : conn_id, evnt : string, protocol : string ) : bool
{
NOTICE([$note=ATTACKICS::Inhibit_Response,
$msg=cat("Indicator: ", ACID::attack_info["t0835"], " ", "(",evnt,")" ),
$sub=protocol,
$uid=uid,
$id=id]
);
return T;
}
ACID currently has defined options for enabling and disabling specific detections based on ATT&CK techniques and IP address. These options can be found in the ACID_ics_options.zeek file. To disable an option for an entire technique, change the T to an F. To filter specific IP addresses from being processed by specific techniques in any Detection script, add that IP address, in a string format, to either/both the orig or resp address sets. This should be done in quotation marks with no leading 0s. Ex: option cip_silence_orig_addrs : set[addr] = {"123.456.78.9"};
export {
# Option to control how input file indicators are loaded:
# True: enables dynamic loading for post-deployment changes.
# False: loads indicators at initialization and will not update with changes.
option DynamicIndicators = F;
option s7comm_detect = T;
option s7comm_silence_orig_addrs : set[addr] = {};
option s7comm_silence_resp_addrs : set[addr] = {};
option cip_detect = T;
option cip_silence_orig_addrs : set[addr] = {};
option cip_silence_resp_addrs : set[addr] = {};
option bacnet_detect = T;
option bacnet_silence_orig_addrs : set[addr] = {};
option bacnet_silence_resp_addrs : set[addr] = {};
#T0836 Modify Parameter
option s7comm_t0836_detect = T;
option cip_t0836_detect = T;
option bacnet_t0836_detect = T;
#T0843 Program Download
option s7comm_t0843_detect = T;
option cip_t0843_detect = T;
option bacnet_t0843_detect = T;
...
}
If a technique is disabled through the options file, the check within the protocol detection code for that technique will be short-circuited.
Example (ACID::t0836_detect is used to check the options parameter):
# T0836 Modify Parameter
if (ACID::cip_t0836_detect && cip_evnt in ACID::mDOTS_config_table["t0836", "cip"]$ind) {
ACID::ics_t0836_log(cip_rec$uid, cip_rec$id, cip_evnt, "enip/cip");
};
If an IP address is filtered from the detection script, the entire script will end right after the packet header is parsed.
Example:
# Enables option control via the ACID_ics_options configurations.
# This is used to enable / disable all ACID S7Comm notice events.
if ((!ACID::s7comm_detect) || (c$id$orig_h in ACID::s7comm_silence_orig_addrs) || (c$id$resp_h in ACID::s7comm_silence_resp_addrs)) {
return;
}
MITRE Defensive OT Signatures (mDOTS) are packages of signatures that are leveraged within ACID to associate OT protocol events and ATT&CK technique indicators. These signatures can be customized to fit specific protocol implementations or versions based on the visibility of the network traffic.
ACID is using the Zeek Input Framework to handle the ingesting of protocols' signatures. Signatures for device configuration changes can be found in the mDOTS_config_change file. This file is a Zeek Tab Separated Values (Zeek TSV) file with the following organization:
The line #fields technique protocol ind represents headers for the technique, protocol, and ind (indicator) columns that reside below them.
- The
techniquecolumn contains MITRE ATT&CK techniques, some of which are duplicated across multiple protocols (but never duplicated within the same protocol). - The
protocolcolumn contains network protocol names that are relevant to that technique and the following indicators. - The
indcolumn contains a list of indicators that are relevant to that technique and protocol.
A subset of the table would therefore look like:
#fields technique protocol ind
t0801 bacnet Function: subscribe_cov
t0845 bacnet Function: atomic_read_file
t0843 cip Class:0xac - Service:0x08
t0858 cip Class:0x8e - Service:0x06,Class:0x8e - Service:0x07
t0843 s7comm Function Code: 0x1a - Request Download
t0845 s7comm Function Code: 0x1d - Start Upload
The main benefit of using the Zeek Input Framework over hardcoding signatures into the ACID code itself is increased signature flexibility. The Zeek Input Framework can read values during runtime, meaning that signatures for already existing techniques can be added, removed, or edited without having to restart the script or bring down the Zeek instance.
To modify the signatures for a device configuration change, users would go into the mDOTS_config_change file, go to the desired existing technique and protocol combination, and add a new indicator to the already existing list. The following rules and suggestions apply to new indicators:
- The special characters ":" and "-" are known to work, however other special characters may cause issues.
- Tabs within indicators will cause issues and should be avoided. Tabs are used to denote new columns in Zeek input files.
- New indicators must be added with no spaces between the end of the prior indicator and start of the new one, however they may be used within a given indicator. For example,
indicator1: one,indicator2: two.
Building on top of the ATT&CK technique-to-protocol behavior reports defined above, we have built customizable features to associate related ACID events within sessions. This capability will allow you to set a timeframe to aggregate and report multiple indicators under a single notice event.
Incident Summary Report:
NOTICE([$note=ACID::Incident_Summary,
$msg=cat("Incident Summary: ", report ),
$sub=ACID::tr[c$uid]$proto,
$id=ACID::tr[c$uid]$c_id]
);
The initial set of indicators released for ACID focuses primarily on device and configuration management behaviors. In the future we are looking to build out signatures focused on areas such as remote access to ICS, process alarm visibility, file transfers, and other detection areas.
ACID is still under active development. We are interested in collaborating and getting feedback to further improve the capabilities of the ACID framework within Zeek, our indicators, and protocol understanding. We are most interested in protocol documentation, packet captures (PCAP) of related OT behaviors, or suggestions for new indicators.
© 2024 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 23-3874.
(See LICENSE.md)
