How Claroty Supports the MITRE ATT&CK for ICS Framework

Today, MITRE Engenuity released the initial round of ATT&CK® Evaluations for industrial control systems (ICS), in which Claroty participated. Originally released in January 2020 and updated in April 2021, the MITRE ATT&CK for ICS Framework is the most comprehensive taxonomy of attack techniques and supporting methods leveraged by adversaries targeting operational technology (OT) environments. As such, the framework is a useful tool for security teams who wish to ensure coverage across a broad array of industrial cybersecurity threats.

The MITRE ICS ATT&CK Evaluation ran through a series of network-based and host-based detection techniques. We're proud to report that in the MITRE ICS ATT&CK evaluation, Claroty achieved 90% visibility against the network-based evaluation criteria. When complemented with a market leading Endpoint, Detection and Response (EDR) solution like CrowdStrike, enterprises can gain the most comprehensive detection for both known and unknown attacks. Based on these results, our customers should feel confident that they are leveraging a platform that provides market-leading asset inventory and vulnerability management, in addition to threat visibility.

MITRE's recent evaluation demonstrates that visibility at both the network and host level is the most effective way to expose the full scope of a threat attacker's activity. In an industrial environment, network visibility is essential as over 95% of the assets connected to the network cannot be monitored with an agent. The Claroty Platform is capable of detecting all adversary techniques that correspond with the 12 tactics in the ATT&CK for ICS Framework.

Claroty achieves this by leveraging our five distinct detection engines: Anomaly Detection, Security Behaviors, Known Threats, Operational Behaviors, and Custom Rules. As The Claroty Platform is purpose-built for the unique needs and characteristics of OT environments, network-based detection is core to our expertise and focus. This approach enables us to deliver deeper, more-detailed visibility into indicators of potential threats affecting a broader range of ICS devices.

To gain deep visibility into threat actors' actions on a system like a Windows HMI, host visibility is a natural complement to the network visibility. A basic approach to monitoring hosts collects and analyzes logs – though much of an attacker's activity won't be presented in the logs – leaving a lot of gaps and providing a false sense of security. A more comprehensive approach is to monitor the endpoint with a purpose-built EDR agent that monitors the actual system calls and processes – and not just what is logged. While many EDRs provide this capability, Claroty has partnered with CrowdStrike, which offers best-in-class threat detection at the endpoint level. Crowdstrike has delivered exemplary results in the prior MITRE endpoint protection evaluations, as you'll see here.

Here is an overview of how Claroty's five detection engines correlate to each adversary technique across all 12 tactics in the MITRE ATT&CK for ICS Framework:

Stay tuned for our upcoming white paper, How Claroty Supports the MITRE ATT&CK for ICS Framework, which will deliver a deeper dive into how The Claroty Platform can help security teams identify the use of various tactics and techniques as described in the framework, as well as how it helps reduce the attack surface available to adversaries.