In 2011, Difenda was asked by a customer to run attack scenarios against their OT environment to determine potential risk and to help demonstrate the benefits of a Microsoft Defender for IoT implementation. Because of the sensitivity of the OT environment, Difenda worked with one of our OT/ICS partners, IdeaWorks, to build a simulated lab environment designed to replicate a small subset of the customer's environment.
The attack scenario developed by Difenda's Cyber Research & Response team was based on the Industrial Control System (ICS) attacks Havex and Triton, and the attack strategy considered the following tactics: Reconnaissance, Persistence, Credential Access, and Lateral Movement.
During the exercise, the attack team leveraged "living off the land" techniques to gather information about the OT network. As the attack progressed, the information gathered allowed the attacker to connect directly to the engineering workstation and access core configuration files for a PLC. Difenda's defensive team then developed, implemented, and tested new detection rules within Microsoft Defender for IoT. The newly developed rule was enabled, and the attack was replayed. As the attacker moved to update the file on the PLC, Difenda's defensive team was able to detect the threat.