MITRE’s open source Caldera adversary emulation platform allows red and purple teams—as well as network security teams—to run automated exercises that expose weak spots based on a threat actor’s known tactics, techniques, and procedures.
In September, a new extension tailored to threats against operational technology (OT) was made publicly available. Caldera for OT features plugins for DNP3, Modbus, and BACnet, three widely used OT protocols that appear in many commercial products regardless of industry.
The plugins let red teams, as well as asset owners and operators, run exercises against their own environments, so that defenders can understand the soft spots in each protocol that attackers could leverage to disrupt processes or manipulate information as it flows from Level 1 and Level 2 devices.
In this episode of the Nexus podcast, Caldera for OT squad leads Misha Belisle and Blaine Jeffries of MITRE join to discuss the development of the extensions, the problems they solve, how they can be used, and by whom.
“It's very much protocol focused, and at the end of the day what we're really doing with these Caldera for OT plugins is exposing the native protocol functionality,” Jeffries said, clarifying that Caldera for OT does not contain exploits, for example, but rather mimics the abilities and procedures of a known attacker who would live-off-the-land in an OT environment.
“Abilities are the actual TTP down to the procedural level that's going to be run on the enterprise side. The most simple ability could be a simple one line command like a whoami,” he said.
The BACnet plugin, for example, exposes the BACnet Who-Is discovery capability, which is built into the protocol: when broadcast on the network, it elicits a response from every BACnet device on the subnet.
“We see that adversaries are going to use that built-in functionality because that’s all you really need to have these severe impacts in these environments,” Jeffries said.
Caldera for OT has value not only for red teams, but also for network defenders looking for gaps in order to apply mitigations or have a complete understanding of what’s happening in an OT environment.
“For example, we might look at testing and developing cyber defenses: What might anomalous behavior look like in my environment; can I understand what that will look like before an attack actually comes through?” Belisle said. “I think that's a critical point to think about especially with respect to what the day-to-day operations look like. So if we expect to see some anomalous native protocol functionality, can we recognize that and can we pick it out?”
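The Who-Is discovery described above is exactly the kind of native protocol behaviour Belisle asks defenders to recognise. The following added example (not code from MITRE, Caldera, or this podcast) parses constructed BACnet/IP frames, identifies Who-Is requests and the optional device-instance range they carry, and flags hosts that issue repeated Who-Is broadcasts; the sample frames, addresses and threshold are all constructed for illustration.

```python
from collections import Counter
from typing import Optional

BVLC_BACNET_IP, BVLC_ORIGINAL_BROADCAST = 0x81, 0x0B
APDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS = 0x1, 0x08


def _ctx_uint(apdu: bytes, pos: int, tag: int):
    """Decode a context-tagged unsigned integer (ASHRAE 135 tag encoding)."""
    head = apdu[pos]
    if head >> 4 != tag or not head & 0x08:
        raise ValueError(f"expected context tag {tag} at offset {pos}")
    length = head & 0x07
    return int.from_bytes(apdu[pos + 1:pos + 1 + length], "big"), pos + 1 + length


def parse_bacnet_ip(src: str, payload: bytes) -> Optional[dict]:
    """Return {src, function, service, low, high} for a BACnet/IP frame, else None."""
    if len(payload) < 6 or payload[0] != BVLC_BACNET_IP:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None  # BVLC length must match the datagram
    npdu = payload[4:]
    if npdu[0] != 0x01:  # NPDU protocol version
        return None
    control, pos = npdu[1], 2
    if control & 0x20:  # DNET(2) DLEN(1) DADR(DLEN) present
        pos += 3 + npdu[pos + 2]
    if control & 0x08:  # SNET(2) SLEN(1) SADR(SLEN) present
        pos += 3 + npdu[pos + 2]
    if control & 0x20:
        pos += 1  # hop count follows the address fields
    frame = {"src": src, "function": payload[1], "service": None, "low": None, "high": None}
    apdu = npdu[pos:]
    if control & 0x80 or len(apdu) < 2 or apdu[0] >> 4 != APDU_UNCONFIRMED_REQUEST:
        return frame  # network-layer message or not an unconfirmed request
    frame["service"] = apdu[1]
    if apdu[1] == SERVICE_WHO_IS and len(apdu) > 2:  # optional instance range
        frame["low"], nxt = _ctx_uint(apdu, 2, 0)
        frame["high"], _ = _ctx_uint(apdu, nxt, 1)
    return frame


def who_is_broadcasters(frames, threshold: int = 3) -> dict:
    """Hosts that broadcast Who-Is at least `threshold` times (constructed threshold)."""
    hits = Counter(f["src"] for f in frames if f and f["service"] == SERVICE_WHO_IS
                   and f["function"] == BVLC_ORIGINAL_BROADCAST)
    return {src: n for src, n in hits.items() if n >= threshold}


SAMPLE = [  # constructed (source IP, UDP payload) pairs, not captured traffic
    ("10.0.0.5", bytes.fromhex("810b000c0120ffff00ff1008")),    # global Who-Is
    ("10.0.0.5", bytes.fromhex("810b000801001008")),            # local Who-Is
    ("10.0.0.5", bytes.fromhex("810b000d01001008090a1a03e7")),  # Who-Is 10..999
    ("10.0.0.9", bytes.fromhex("810a000801001008")),            # unicast Who-Is
    ("10.0.0.20", bytes.fromhex("810b0014010010 00c40200001422 01e0910021 0f".replace(" ", ""))),  # I-Am
]
FRAMES = [parse_bacnet_ip(src, data) for src, data in SAMPLE]
```

A single Who-Is is normal during commissioning; the useful signal is a host, not an expected BMS server, sweeping the subnet repeatedly, which is what `who_is_broadcasters` surfaces.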
The core Caldera platform and Caldera for OT were developed by the Homeland Security Systems Engineering and Development Institute, a federally funded R&D center managed by MITRE and CISA. MITRE ATT&CK for ICS also fuels Caldera for OT and the development of these plugins, Belisle and Jeffries said. They added that Caldera for OT also supports Factory and Site Acceptance Testing (FAT/SAT) and can serve as a training aid for engineers and asset managers.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.