A Threat Hunting Framework for Industrial Control Systems

Bibliographic details
Published in: IEEE access 2021, Vol.9, p.164118-164130
Main authors: Jadidi, Zahra, Lu, Yi
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 164130
container_issue
container_start_page 164118
container_title IEEE access
container_volume 9
creator Jadidi, Zahra
Lu, Yi
description An Industrial Control System (ICS) adversary often takes different actions to exploit vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks, and launch a targeted attack against OT networks. Detecting these threat actions in early phases before the final stage of the attacks can be executed against industrial endpoints can help prevent adversaries from achieving their goals. Threat hunting in IT networks has been previously studied, and several hunting methods have been proposed. However, these methods are not sufficient for ICSs, as the integration of industrial legacy systems with advanced IT networks has introduced new types of vulnerabilities and changed the behaviour of attacks. The lack of a unified hunting solution for integrated IT and OT networks is the gap that is considered in our paper. The contribution of this paper is an ICS Threat Hunting Framework (ICS-THF) which focuses on detecting cyber threats against ICS devices in the earliest phases of the attack lifecycle. ICS-THF consists of three stages: threat hunting triggers, threat hunting, and cyber threat intelligence. The threat hunting trigger stage identifies events or external resources that can trigger the hunting stage. The hunting stage uses a combination of the MITRE ATT&CK Matrix and a Diamond model of intrusion analysis to generate a hunting hypothesis and to predict the future behaviour of the adversary. This hypothesis will be validated by analysing Diamond models of threat actions. Finally, the cyber threat intelligence stage is responsible for generating Indicators of Compromise (IoCs) to be used for future threat hunting. The Black Energy 3 malware, PLC-Blaster malware, and SWaT dataset are used in this paper to evaluate the efficiency of the proposed framework.
doi_str_mv 10.1109/ACCESS.2021.3133260
format Article
sourceid proquest_ieee_
ieee_id 9638634
doaj_id oai_doaj_org_article_354f0b38165a48bea1f530caf9b4b810
pqid 2610984460
publisher Piscataway: IEEE
coden IAECCG
eissn 2169-3536
tpages 13
rights Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2021
toplevel peer_reviewed
oa free_for_read
orcidid https://orcid.org/0000-0002-6694-7753
https://orcid.org/0000-0001-6097-100X
linktohtml https://ieeexplore.ieee.org/document/9638634
fulltext fulltext
identifier ISSN: 2169-3536
ispartof IEEE access, 2021, Vol.9, p.164118-164130
issn 2169-3536
2169-3536
language eng
recordid cdi_ieee_primary_9638634
source IEEE Open Access Journals; DOAJ Directory of Open Access Journals; Elektronische Zeitschriftenbibliothek - Frei zugängliche E-Journals
subjects Analytical models
Control systems
cyber threat intelligence
Cybersecurity
Diamond
Diamond model
Hunting
Hypotheses
Industrial control
industrial control systems
Industrial electronics
Information technology
Integrated circuits
Intelligence gathering
Internet
Malware
MITRE ATT&CK
Networks
Product life cycle
Programmable logic controllers
Ransomware
Security
Threat evaluation
Threat hunting
title A Threat Hunting Framework for Industrial Control Systems
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-01T01%3A39%3A43IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_ieee_&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20Threat%20Hunting%20Framework%20for%20Industrial%20Control%20Systems&rft.jtitle=IEEE%20access&rft.au=Jadidi,%20Zahra&rft.date=2021&rft.volume=9&rft.spage=164118&rft.epage=164130&rft.pages=164118-164130&rft.issn=2169-3536&rft.eissn=2169-3536&rft.coden=IAECCG&rft_id=info:doi/10.1109/ACCESS.2021.3133260&rft_dat=%3Cproquest_ieee_%3E2610984460%3C/proquest_ieee_%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2610984460&rft_id=info:pmid/&rft_ieee_id=9638634&rft_doaj_id=oai_doaj_org_article_354f0b38165a48bea1f530caf9b4b810&rfr_iscdi=true