● PERFORMANCE-BASED QUESTION

Activity: Threat Intelligence
Water Treatment ICS Incident

You're a cybersecurity intelligence analyst investigating an intrusion at a water treatment plant. Read the scenario, then use the dropdown selectors to analyze the incident across the MITRE ATT&CK kill chain, conduct threat hunting, and harden the network against future attacks.

Instructions

Based on the scenario, use the dropdown selectors to select the best option to analyze the threat incident, conduct threat hunting, and harden the network against threat vectors.

STAGE 01

Initial Access

Initial access could have been prevented by . Management should also .

STAGE 02

Execution

can prevent execution through API. based IAM, requiring multifactor authentication, and strong before executing code are also recommended by MITRE ATT&CK as mitigations in the execution phase.

STAGE 03

Privilege Escalation

In the scenario, escalation to system-level access privileges was accomplished by directly accessing hardware modules through API hooking. First, any must be . If the servers are Windows-based, must be .

STAGE 04

Evasion

Mitigations such as or may have prevented unknown code from executing or masquerading as good code.

STAGE 05

Command and Control (C2)

Command and control was achieved by obtaining access through commonly used ports, which could be prevented by .

STAGE 06

Persistence and Lateral Movement

Mitigations for preventing persistent access and lateral movement through abusing valid accounts include or a change to the . Secure verification of may have protected the module firmware.

STAGE 07

Impair Process Controls and Inhibit Response Function

Inhibiting security response via alarm suppression could have been mitigated by setting up a(n) . The intruders attempted to impair process control with report spoofing. Module firmware replacement may have been detected with the use of .

0/14

📋 BRIEFINGScenario

You are a cybersecurity intelligence analyst working for a cybersecurity contractor. You are assigned to investigate an intrusion incident that occurred in a water treatment plant. The incident involves a threat actor gaining access to hardware modules that serve as components of the plant's industrial control systems (ICS).

1. Initial Access

The threat actor obtained access through an engineering workstation via a spearphishing attachment. After gaining access, the attacker used known software exploits (unpatched, but patchable) to access valid account credentials. The attacker then used malware disguised as a legitimate application executable to redirect application programming interface (API) calls using import address table (IAT) hooking, thereby gaining direct access to the hardware automation and sensor modules.

2. Persistence and Lateral Movement

The attacker utilized this access to install altered firmware onto the cloud-enabled Supervisory Control and Data Acquisition (SCADA) control modules that monitor the treatment and distribution of the water, achieving command and control over them using standard UDP connections over a standard SNMP port 161. The devices use the default, as well as accessing Modbus communications. The attacker replaced report messages with spoofed reports, and disabled alarms alerting staff of issues with the equipment.

3. Impact

The spoofed reports could lead to oversights in hardware failures. These oversights could, in turn, endanger the health of the populace and the operation of essential utility services. Analysis of the altered module firmware suggests malware was embedded to trigger based on a timer. At this point, it would render the module useless while continuing to send spoofed reports.

Your Task

Your job is to analyze the incident in the context of threat frameworks, utilize intelligence collection methods to assist threat hunting, and harden the network against these attack vectors.