Combating TRISIS with the MITRE ATT&CK Framework


TRISIS malware was first discovered in August 2017 on an industrial control system at a petrochemical plant in Saudi Arabia. The code targeted the plant's Schneider Electric Triconex safety instrumented system (SIS) controllers; it had never been seen before, and the plant was shut down when the compromised safety system tripped. We have recently seen it again: in April 2019 a second TRISIS intrusion at another critical infrastructure facility was reported. That 18-month gap provides an opportunity to compare and contrast the tools and frameworks available then versus today.

In the webcast, “Combating TRISIS with MITRE ATT&CK Framework,” Neal Humphrey, ThreatQuotient’s Director of Threat Intelligence Engineers North America, walks through the process then and now to demonstrate the advances we’ve made in investigating, understanding and protecting against attacks.

In 2017, security teams could use ThreatQ as a threat intelligence platform to aggregate and normalize indicators and other pieces of information about the TRISIS/TRITON/HatMan malware. The Threat Library stores this external threat data, augments it with internal threat and event data for context, and prioritizes it based on relevance to your environment. However, much of the global intelligence available at the time was at the atomic indicator level (file hashes, IP addresses, file names), which says very little about the adversary, their methods or their motivations. What's more, because teams and tools were often siloed, the investigation process was time consuming and complex. It was difficult to gain a deep understanding of a threat and determine the appropriate response quickly.

Fast forward to 2019 and two significant advancements – MITRE ATT&CK™ and ThreatQ Investigations – are now available to dramatically improve and accelerate security operations. 

MITRE ATT&CK dives deep into adversaries' actions so security analysts can use that information to their advantage. It is a huge step forward in building a knowledge base of adversaries and their associated tactics, techniques and procedures (TTPs), so you can start a threat hunt at the actor level rather than at the indicator level. You can bring those adversary profiles into the ThreatQ platform and, with a few simple searches, quickly understand each attack phase (tactic), the techniques and tooling the group is known to use in that phase, and the detection and mitigation options ATT&CK lists for each technique.

ThreatQ Investigations is a cybersecurity situation room designed for collaborative threat analysis, shared understanding and coordinated response. ThreatQ Investigations allows real-time visualization of an investigation as it unfolds within a shared environment. Fusing together threat data, evidence, users and actions, it enables teams to discover lateral movement and attack patterns, as well as coordinate response. 

We know from the first TRISIS attack that signature-based antivirus alone isn't effective: the malware was custom-built for a specific safety controller and had never been seen before. ATT&CK pairs each technique with mitigations, which serve as compensating controls where the primary control fails. This allows security teams to have conversations about the response strategy across the entire company, not just with the threat intel team, security operations and incident response, but also with compliance and risk management as well as executives and the board. With recommendations from MITRE, a trusted third-party source, security analysts can explain with confidence why certain compensating controls should be put in place on a production network.
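The two paragraphs above describe bringing ATT&CK adversary profiles into a platform and searching them for attack phases, techniques and mitigations. As an added example that is not part of the original post and not ThreatQuotient's or MITRE's code, the Python below walks a STIX 2 bundle laid out the way ATT&CK publishes its data (intrusion-set --uses--> attack-pattern, course-of-action --mitigates--> attack-pattern) and produces exactly that view: techniques grouped by tactic, each with its mitigations, plus a ranking of which mitigations cover the most of the group's techniques. The bundle is constructed sample data: the technique and mitigation IDs are real ATT&CK entries, but the group name and its links to those techniques are illustrative and do not reproduce any real ATT&CK group page. It also skips objects ATT&CK flags as revoked or deprecated, which a real export contains.

```python
"""Build an adversary profile (tactic -> techniques -> mitigations) from an
ATT&CK-style STIX 2 bundle. Added example; constructed sample data below."""
from collections import defaultdict


def _technique(sid, ext_id, name, phases):
    return {"type": "attack-pattern", "id": f"attack-pattern--{sid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                                  for p in phases]}


def _mitigation(sid, ext_id, name, **extra):
    refs = [{"source_name": "mitre-attack", "external_id": ext_id}] if ext_id else []
    return {"type": "course-of-action", "id": f"course-of-action--{sid}", "name": name,
            "external_references": refs, **extra}


def _rel(rtype, src, tgt):
    return {"type": "relationship", "relationship_type": rtype,
            "source_ref": src, "target_ref": tgt}


# Constructed sample bundle: real technique/mitigation IDs, illustrative group and links.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Sample ICS Intrusion Set"},
    _technique("t1078", "T1078", "Valid Accounts", ["initial-access", "persistence"]),
    _technique("t1021-001", "T1021.001", "Remote Desktop Protocol", ["lateral-movement"]),
    _technique("t1059-006", "T1059.006", "Python", ["execution"]),
    _mitigation("m1032", "M1032", "Multi-factor Authentication"),
    _mitigation("m1030", "M1030", "Network Segmentation"),
    _mitigation("m1038", "M1038", "Execution Prevention"),
    _mitigation("m1049", "M1049", "Antivirus/Antimalware"),
    # Deprecated placeholder, as ATT&CK marks retired entries; must be ignored.
    _mitigation("old", None, "Placeholder (deprecated)", x_mitre_deprecated=True),
    _rel("uses", "intrusion-set--g1", "attack-pattern--t1078"),
    _rel("uses", "intrusion-set--g1", "attack-pattern--t1021-001"),
    _rel("uses", "intrusion-set--g1", "attack-pattern--t1059-006"),
    _rel("mitigates", "course-of-action--m1032", "attack-pattern--t1078"),
    _rel("mitigates", "course-of-action--m1032", "attack-pattern--t1021-001"),
    _rel("mitigates", "course-of-action--m1030", "attack-pattern--t1021-001"),
    _rel("mitigates", "course-of-action--m1038", "attack-pattern--t1059-006"),
    _rel("mitigates", "course-of-action--m1049", "attack-pattern--t1059-006"),
    _rel("mitigates", "course-of-action--old", "attack-pattern--t1078"),
]}


def _active(obj):
    """ATT&CK flags retired objects with revoked / x_mitre_deprecated."""
    return not obj.get("revoked") and not obj.get("x_mitre_deprecated")


def attack_id(obj):
    """Return the T/M/G identifier from the object's mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_profile(bundle, group_name):
    """Map tactic -> techniques the named group uses, each with its mitigations."""
    objs = {o["id"]: o for o in bundle["objects"]
            if o["type"] != "relationship" and _active(o)}
    group = next((o for o in objs.values()
                  if o["type"] == "intrusion-set" and o["name"] == group_name), None)
    if group is None:
        raise KeyError(f"no active intrusion-set named {group_name!r}")
    used, mitigated_by = set(), defaultdict(list)
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or not _active(rel):
            continue
        src, tgt = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if src is None or tgt is None or tgt["type"] != "attack-pattern":
            continue  # dangling, revoked or deprecated endpoint: drop the edge
        if rel["relationship_type"] == "uses" and src["id"] == group["id"]:
            used.add(tgt["id"])
        elif rel["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            mitigated_by[tgt["id"]].append((attack_id(src), src["name"]))
    profile = defaultdict(list)
    for tid in used:
        tech = objs[tid]
        entry = {"id": attack_id(tech), "name": tech["name"],
                 "mitigations": sorted(mitigated_by[tid])}
        for phase in tech.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                profile[phase["phase_name"]].append(entry)
    for techs in profile.values():
        techs.sort(key=lambda t: t["id"])
    return dict(profile)


def mitigation_coverage(profile):
    """Rank mitigations by how many distinct techniques of the group they address."""
    covered = defaultdict(set)
    for techs in profile.values():
        for tech in techs:
            for mid, mname in tech["mitigations"]:
                covered[(mid, mname)].add(tech["id"])
    return sorted(((mid, mname, len(tids)) for (mid, mname), tids in covered.items()),
                  key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    prof = build_profile(SAMPLE_BUNDLE, "Sample ICS Intrusion Set")
    for tactic, techs in prof.items():
        for t in techs:
            print(f"{tactic:18} {t['id']:10} {t['name']:24} "
                  f"{', '.join(m for m, _ in t['mitigations'])}")
    for mid, mname, n in mitigation_coverage(prof):
        print(f"{mid} {mname}: covers {n} technique(s)")
```

The coverage ranking is the piece that supports the cross-team conversation: it answers "which single control would blunt the most of this adversary's known techniques" with a traceable ATT&CK mitigation ID, rather than a vendor opinion. Against the real ATT&CK export (enterprise-attack.json) the same walk applies unchanged, except that the bundle is large enough that you would index relationships by source and target rather than scan them once per group.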

Using ThreatQ for threat hunting and as a threat intelligence platform, in combination with MITRE ATT&CK, security analysts have a way to move forward positively, not just in the face of TRISIS but when facing whatever other attack comes our way. Watch the webcast on demand to see how.  



