Imagine a chart that maps out a range of cyber threats and attacks. One example that comes to mind is probably the MITRE ATT&CK framework. Now, picture a version tailored just for automotive security. This particular matrix was set in motion by a dedicated team at the Auto-ISAC at the start of 2020. In this blog post, we will be discussing what you can find inside the matrix (pun intended) and its applicability.
Overview of the Automotive Threat Matrix
According to the Auto-ISAC webpage, the “Automotive Threat Matrix (ATM) enumerates automotive adversary tactics and supporting techniques based on real-world observations such as validated automotive attacks and peer-reviewed and reproducible automotive exploit research.” It’s important to note here that it is a living document that’s updated regularly to include new types of cyber threats as they come to light each year. Entirely new attack paths and methods can be observed each year, and they need to be considered and applied to the Auto Threat Matrix. If you have taken the time to look up the ATM, you may have noticed that it seems familiar. If this is the case, you are correct – it is inspired by the well-known MITRE ATT&CK framework. It consists of 13 adversarial tactics and around 80 techniques.
You’ll also find the ATM on the ASRG’s website, where you’re welcome to suggest any updates or new ideas. In this article, however, we will reference the version from the Auto-ISAC page.
Understanding how it works
To start we have a list of various tactics, such as:
- Manipulate environment
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Collection
- Command and control
- Exfiltration
- Affect vehicle function
Each of these tactics is distinct and has a number of techniques attributed to it. For example, selecting “Discovery” lists the techniques grouped under that tactic.
These are just a few examples. We can dive even deeper and select one of them, for example “Network service scanning.”
This will provide additional details, including a description, examples, and an ID. In this case the ID for Network service scanning is ATM-T0044, which helps us identify exactly what we are talking about.
Applicability of the Automotive Threat Matrix
First, I’d like to extend my thanks to Karl Leboeuf for his presentation on the ATM at the 1st Annual European Cybersecurity Summit, and to Josh Poster, whose presentation I attended at this year’s event.
Below is some key information from their presentations.
The ATM can be used for a variety of purposes, including:
- TARA and ISO/SAE 21434
With the ATM completed, its techniques and tactics defined, and threat intelligence starting to flow into it, we can think further about how it can be used for TARA modeling to support R155 type approval.
There are good opportunities to use the ATM to fulfill the threat and risk assessment activities defined in clause 15 of ISO/SAE 21434.
Quick overview of clause 15:
- Identify assets and their specific cybersecurity properties you care about
- Identify damage scenarios and assign impact ratings
- Identify threat scenarios, i.e., the immediate cause of a damage scenario
- Identify attack paths that lead to each threat scenario
- Rate the feasibility of every attack path
ISO/SAE 21434 does not specify how to identify threats or attack paths, nor does it list any specific threats that need to be considered.
- Clause 15.4.2 in ISO/SAE 21434 suggests that threats can be identified using EVITA, TVRA, PASTA, STRIDE, or ‘group discussion’
- STRIDE is more prescriptive than the others but not specific enough to prompt consideration for any specific adversarial tactic or technique in any given situation.
- Security Engineers
ATM can be used to systematically elicit attack paths
- Since ATM includes techniques that are observed to have been used, it helps make sure we don’t leave out something important.
The attack paths can be composed of ATM techniques, and as the ATM matures, most of these will have corresponding mitigations.
- Future work could include developing a ‘MITRE D3FEND’ equivalent for automotive.
The ATM should help security engineers (and especially less experienced security people) consider a broader set of threats than they otherwise would have.
As the ATM matures, threat intelligence can feed directly into it, updating techniques, tactics, heatmaps, etc., as they become available. This would allow it to serve as an accurate and up-to-date reflection of the threats we need to address.
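As an added example (not Auto-ISAC or ASRG code) of the clause 15 steps and the attack-path composition described above: a small Python model that builds a TARA attack path from ATM technique IDs, flags techniques the matrix excerpt does not know or has no mitigation for, and rates feasibility with the attack-potential parameters ISO/SAE 21434 Annex G uses. Only ATM-T0044 comes from the post; the ATM-T9xxx IDs, the mitigation list, and the point values and thresholds are assumptions of this example.

```python
"""Added example, not Auto-ISAC code: compose a TARA attack path from ATM
technique IDs and rate its feasibility with an attack-potential sum."""

# Constructed excerpt of the matrix: tactic -> {technique id: name}.
# ATM-T0044 is the real ID quoted in the post; ATM-T9xxx IDs are placeholders.
ATM = {
    "Initial access": {"ATM-T9001": "Placeholder: exposed diagnostic interface"},
    "Discovery": {"ATM-T0044": "Network service scanning"},
    "Lateral movement": {"ATM-T9002": "Placeholder: gateway traversal"},
    "Affect vehicle function": {"ATM-T9003": "Placeholder: spoofed control message"},
}
TECHNIQUE_TO_TACTIC = {tid: tac for tac, techs in ATM.items() for tid in techs}

# Mitigations known per technique (constructed); techniques missing here are gaps.
MITIGATIONS = {"ATM-T9001": ["authenticated diagnostics"],
               "ATM-T0044": ["network segmentation"]}

# Attack-potential parameters as in ISO/SAE 21434 Annex G; point values assumed here.
POINTS = {
    "elapsed_time": {"<=1d": 0, "<=1w": 1, "<=1m": 4, "<=6m": 17, ">6m": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple_experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly_confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple_bespoke": 9},
}

def feasibility(rating: dict) -> str:
    """Map the attack-potential sum to a feasibility level (thresholds assumed from Annex G)."""
    total = sum(POINTS[k][v] for k, v in rating.items())
    if total <= 13:
        return "High"
    if total <= 19:
        return "Medium"
    if total <= 24:
        return "Low"
    return "Very low"

def check_path(path: list) -> dict:
    """Validate an ordered list of technique IDs against the matrix excerpt.
    Returns the tactic sequence, IDs the matrix lacks, and steps with no mitigation."""
    known = [t for t in path if t in TECHNIQUE_TO_TACTIC]
    return {
        "tactics": [TECHNIQUE_TO_TACTIC[t] for t in known],
        "unknown": [t for t in path if t not in TECHNIQUE_TO_TACTIC],
        "unmitigated": [t for t in known if t not in MITIGATIONS],
    }

if __name__ == "__main__":
    print(check_path(["ATM-T9001", "ATM-T0044", "ATM-T9002", "ATM-T9003"]))
    print(feasibility({"elapsed_time": "<=1w", "expertise": "proficient", "knowledge": "restricted",
                       "window": "moderate", "equipment": "specialized"}))
```

Unknown IDs point to techniques the matrix should gain (a submission to the working group), while unmitigated steps are where the D3FEND-style counterpart would be needed.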
- Intelligence sharing
The following bullet points outline how intelligence sharing is interconnected with the automotive threat matrix:
- Identify known tactics and techniques used in the new attack
- Identify new tactics and techniques not previously observed
- Understand why and how the adversary may be performing the identified actions
- Common definitions ensure we all know what we are all talking about
- Expedite report development by leveraging the ATM dataset, references, and resources
ATM Data governance and update management
Submissions and monthly review: The expectation is to receive public submissions and have them reviewed monthly by the ATM Working Group.
A person can contribute by selecting a specific technique and providing their insights on it.
Quarterly ATM Review and Approval: The ATM Working Group provides recommendations for approval. Next, the ATM Review panel, consisting of subject matter experts, reviews recommendations and approves them quarterly.
Quarterly Community Report: The ATM working group publishes additions and website notes/newsletters. The next steps are to distribute to the community mailing list and release notes on the website.
Conclusion
The Automotive Threat Matrix serves as a valuable tool for advancing automotive cybersecurity. By mapping real-world adversary tactics and techniques, it enhances our ability to perform threat and risk assessments, analyze attack trends, and respond to incidents. The collaborative nature of the ATM ensures that it remains a relevant and dynamic resource for various specialists. As the automotive landscape continues to evolve, the Automotive Threat Matrix will play a crucial role in helping professionals stay ahead of emerging threats, making it a critical asset in safeguarding vehicles against cyberattacks.