
Institute for Information Industry Configuration


Product Versions

  • ICTD Forenser v2021032
  • ICTD Threat Monitor (TM) v1.0.1
  • ICTD Windows Behavior Monitor v1.1

Description

ICTD Forenser, developed by III, is a multi-level Intrusion Detection System for Industrial Control Systems. It combines behavior-based anomaly detection in Operational Technology networks with pattern matching for early identification of malicious activity.

The distinctive feature of ICTD Forenser is that it sniffs and extracts packets from the network, uses machine learning to learn the regular, normal process-to-process behaviors, generates detection rules from them, and detects deviations as attacks. The connection is non-invasive, the behavior learning is immune-style, and every step is automatic. Furthermore, earlier this year ICTD Forenser added a new detection module for analyzing unknown industrial control protocols. With this module, ICTD Forenser can build a whitelist for any unencrypted industrial control protocol, so it can detect unknown malicious attacks in different ICS network environments even when it encounters industrial control protocols it has never seen before.

ICTD Threat Monitor (TM) is a non-invasive continuous threat monitoring system for the industrial control field. Its major detection features are blacklist intrusion detection and AI-based anomaly behavior detection. ICTD TM supports the detection of both known and unknown suspicious behavior incidents (attacks), strengthening the ability to detect previously unknown incidents in the field.

ICTD Windows Behavior Monitor is an anomaly detection tool for Sysmon (System Monitor) logs. With it, the ICS administrator can easily identify abnormal host behavior executed on the HMI.

Analysis

ICTD Forenser combines IT networking and OT physical operational behaviors and automatically generates 3-level intrusion detection rules. ICTD Forenser can detect advanced cyber-attack techniques such as OT network penetration and scanning, man-in-the-middle attacks, PLC command injection, and HMI false responses, and it can also detect mis-operation by a human. To validate the performance of the ICTD product, we established a physical SCADA HMI/PLC water cycle operational system and verified it using more than 35 different OT attack methods, which cover almost 95% of ICS attacks; on these we reached 100% abnormal event detection.

ICTD TM has two major types of detection: blacklist intrusion detection and AI-based anomaly behavior detection. Blacklist intrusion detection covers IT and OT network intrusion behavior such as reconnaissance, DoS attacks, OT malware network behavior, and CVE exploits, with over 20 detection types in total. AI-based anomaly behavior detection can detect unknown or unpredicted network behavior. The AI model is customized to the normal network behavior of the ICS field and detects abnormal behavior through behavioral outliers, such as traffic from a newly added device IP or port behavior that has never occurred before. It can assist in verifying incidents that blacklist intrusion detection cannot detect.
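The whitelist learning described for ICTD Forenser (learn the normal host-to-host behavior from observed traffic, then alert on anything outside it) and the outlier cases listed for ICTD TM (a newly added device IP, a port that has never been used toward a known device) are two views of the same baseline-and-deviation approach. The following Python is an added illustration of that approach, not code from III or from any ICTD product; the flow records and IP addresses are constructed, and the function names are my own. It learns a whitelist from a learning window and classifies each new flow as whitelisted, a new device, a new service on a known device, or a new pairing of known hosts and services.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records (not captured from any real network). One tuple per
# observed connection: (src_ip, dst_ip, protocol, dst_port). Addresses are hypothetical.
BASELINE_FLOWS = [
    ("10.0.0.10", "10.0.0.20", "tcp", 502),   # HMI -> PLC A, Modbus/TCP
    ("10.0.0.10", "10.0.0.21", "tcp", 502),   # HMI -> PLC B
    ("10.0.0.11", "10.0.0.20", "tcp", 502),   # engineering workstation -> PLC A
    ("10.0.0.10", "10.0.0.30", "tcp", 1433),  # HMI -> historian database
    ("10.0.0.20", "10.0.0.10", "udp", 514),   # PLC A -> HMI, syslog
] * 3  # repeated to mimic a learning window in which normal traffic recurs

LIVE_FLOWS = [
    ("10.0.0.10", "10.0.0.20", "tcp", 502),    # whitelisted
    ("10.0.0.99", "10.0.0.20", "tcp", 502),    # unknown device talking to PLC A
    ("10.0.0.11", "10.0.0.20", "tcp", 44818),  # known host, port never seen on PLC A
    ("10.0.0.11", "10.0.0.30", "tcp", 1433),   # known host and known service, never paired
]


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)                               # every IP seen as src or dst
    services: dict = field(default_factory=lambda: defaultdict(set))      # dst_ip -> {(proto, port)}
    pairs: set = field(default_factory=set)                               # whitelisted 4-tuples


def learn_baseline(flows):
    """Build the whitelist from a learning window assumed to contain only normal traffic."""
    b = Baseline()
    for src, dst, proto, port in flows:
        b.hosts.update((src, dst))
        b.services[dst].add((proto, port))
        b.pairs.add((src, dst, proto, port))
    return b


def classify(baseline, flow):
    """Return the reasons a flow deviates from the baseline; an empty list means whitelisted."""
    src, dst, proto, port = flow
    if flow in baseline.pairs:
        return []
    reasons = []
    # Outlier type 1: traffic involving an IP that never appeared in the learning window.
    for ip in (src, dst):
        if ip not in baseline.hosts:
            reasons.append(f"new_device:{ip}")
    # Outlier type 2: a known destination contacted on a protocol/port it never served before.
    if dst in baseline.hosts and (proto, port) not in baseline.services[dst]:
        reasons.append(f"new_service:{dst}:{proto}/{port}")
    # Otherwise both hosts and the service are known, but this pairing is not in the whitelist.
    if not reasons:
        reasons.append(f"new_pair:{src}->{dst}:{proto}/{port}")
    return reasons


def detect(baseline, flows):
    """Run every flow through classify() and return (flow, reasons) for the non-whitelisted ones."""
    return [(f, r) for f in flows if (r := classify(baseline, f))]


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for flow, reasons in detect(baseline, LIVE_FLOWS):
        print(flow, "->", ", ".join(reasons))
```

The value of the scheme rests entirely on the learning window being clean: anything present while the baseline is learned becomes part of the whitelist, which is why a deployment re-learns under controlled conditions and why a blacklist is still run alongside it, as the product descriptions above do, to catch known-bad traffic that the baseline would otherwise legitimize.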

ICTD Windows Behavior Monitor has three major panels: 1) Alert panel, 2) Suspicious and Processed Log Count, and 3) All Processed Logs. In the “Alert panel”, alert events are listed by computer and process, each with its corresponding attack-technique label. In “Suspicious and Processed Log Count”, the number of suspicious events and the number of processed events are shown. All processed event logs, normal and suspicious alike, are listed in “All Processed Logs”.

Primary Features

ICTD Forenser provides anomaly detection rules that are learned and deployed automatically, rather than relying on time-consuming and labor-intensive manually written detection rules.

ICTD Forenser establishes a whitelist of normal behavior and performs anomaly detection against it, improving on protection that relies on a blacklist alone.

By using machine learning to generate normal behavior patterns from correlated operational data, ICTD Forenser addresses the gap in detecting industrial network packet attacks launched from otherwise legitimate hosts and devices.

ICTD TM customizes the field network behavior model and automatically updates the model to track the current production line behavior, so that unknown attacks can be detected.

ICTD TM supports blacklist intrusion detection for well-known suspicious (attack) behavior and provides the detailed information needed to confirm it.

All processed logs can be viewed in ICTD Windows Behavior Monitor, which also provides additional telemetry for process-based anomaly detection.


Product Configuration

ICTD Forenser

  • Collection Features: All Enabled
Configuration Used During Detection Evaluation:
  • Signatures: On - Detect
  • Stand Technology: On - Detect
  • Protocol Free: On - Detect

ICTD TM

  • Collection Features: All Enabled
Configuration Used During Detection Evaluation:
  • Signatures: On - Detect
  • AI abnormal detection: Off

ICTD Windows Behavior Monitor

  • Collection Features: All Enabled
  • Anomaly: On - Detect