Fortinet black logo

Administration Guide

Home FortiDeceptor 4.3.0 Administration Guide

MITRE ICS

4.3.0
5.3.0
5.2.0
5.1.0
5.0.0
4.3.0
4.2.0
4.1.1
4.1.0
4.0.2
4.0.1
4.0.0
3.3.3
3.3.2
3.3.1
3.3.0
3.2.2
3.2.1
3.2.0
3.1.1
3.1.0
3.0.2
3.0.1
3.0.0
2.1.0
2.0.0
1.1.0
1.0.1
Copy Link
Copy Doc ID 94250e1c-2251-11ed-9eba-fa163e15d75b:963683
Download PDF

MITRE ICS

The MITRE ICS matrix provides an overview of the tactics and techniques in the ATT&CK for the ICS Knowledge Base. ATT&CK for ICS is a Knowledge Base used to describe an adversary's actions during an attack. The MITRE ICS page visually aligns individual techniques under the tactics where they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

MITRE ICS is relevant to IoT/OT networks. To identify the network, you will need to tag each FortiDeceptor appliance.

To tag MITRE ICS a FortiDeceptor client with the CLI:

set tag ICS

To remove a tag from a FortiDeceptor client with the CLI:

unset tag

Viewing the MITRE ICS matrix

After the FortiDeceptor appliance is tagged, go to Incident > MITRE ICS to view the matrix. The matrix displays the Tactics as columns and the Techniques as tiles. Management devices display a blue banner at the top of the matrix that shows the tagged appliances in the network. Standalone devices do not display the banner. When an incident meets the Tactic criteria, the Technique tile displays a red dot with the number of incidents.

To view the MITRE ICS incidents, click a Technique tile in the Tactics column.

After you click a technique, you are redirected to the Incidents > Analysis page. The Analysis page displays the incidents that meet conditions for the technique you selected.

Note

The MITRE ICS page is only available in the FortiDeceptor appliances tagged with set tag ICS.

In the image below, the Analysis page displays the incidents that match MITRE ICS Technique: T0867.

Click an attack to view its details. Scroll down to the MITRE ICS Techniques field to view the techniques linked to the attack. Click a TXXX link to view a description of technique in the ATT&CK for the ICS Knowledge Base.

Previous
Next

MITRE ICS

The MITRE ICS matrix provides an overview of the tactics and techniques in the ATT&CK for the ICS Knowledge Base. ATT&CK for ICS is a Knowledge Base used to describe an adversary's actions during an attack. The MITRE ICS page visually aligns individual techniques under the tactics where they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

MITRE ICS is relevant to IoT/OT networks. To identify the network, you will need to tag each FortiDeceptor appliance.

To tag MITRE ICS a FortiDeceptor client with the CLI:

set tag ICS

To remove a tag from a FortiDeceptor client with the CLI:

unset tag

Viewing the MITRE ICS matrix

After the FortiDeceptor appliance is tagged, go to Incident > MITRE ICS to view the matrix. The matrix displays the Tactics as columns and the Techniques as tiles. Management devices display a blue banner at the top of the matrix that shows the tagged appliances in the network. Standalone devices do not display the banner. When an incident meets the Tactic criteria, the Technique tile displays a red dot with the number of incidents.

To view the MITRE ICS incidents, click a Technique tile in the Tactics column.

After you click a technique, you are redirected to the Incidents > Analysis page. The Analysis page displays the incidents that meet conditions for the technique you selected.

Note

The MITRE ICS page is only available in the FortiDeceptor appliances tagged with set tag ICS.

In the image below, the Analysis page displays the incidents that match MITRE ICS Technique: T0867.

Click an attack to view its details. Scroll down to the MITRE ICS Techniques field to view the techniques linked to the attack. Click a TXXX link to view a description of technique in the ATT&CK for the ICS Knowledge Base.

Previous
Next