US DoD ACI TTP

The Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP) for Department of Defense (DoD) Industrial Control Systems (ICS) is designed to provide procedures that enable IT and ICS managers to detect nation-state-level cyber attacks, mitigate the effects of those attacks, and recover their networks following attacks.

The scope of the ACI TTP includes all DoD ICS. DoD ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted programmable logic controllers (PLC), are typical configurations found throughout the DoD. ICS are used in the DoD to manage sectors of critical infrastructure such as electricity, water, wastewater, oil and natural gas, and transportation.

The ACI TTP is divided into four sections:

  • ACI TTP Concepts (chapters 2 through 4)
  • Threat-Response Procedures (Detection, Mitigation, Recovery) (enclosures A, B,
    and C)
  • Routine Monitoring of the Network and Baselining the Network (enclosures D and E)
  • Reference Materials (enclosures F through I and appendices A through E)

Baselining and Routine Monitoring of the Network

Before the ACI TTP is adopted, ICS and IT managers should establish what a fully mission capable (FMC) network is for their specific installations and missions. The ACI TTP defines FMC as a functional recovery point for both the ICS and the SCADA. Once this is defined, ICS and IT managers should capture the FMC condition of their network entry points (e.g., firewalls, routers, remote access terminals, wireless access points), network topology, network data flow, and machine/device configurations, and store these in a secure location. This information should be kept under configuration management and updated every time the network changes. It forms the FMC baseline, which is used to distinguish normal operational conditions from anomalous conditions in the ICS.

Argus and the FMC Baseline

The ACI TTP is a well constructed set of tactical procedures that works for both ICS and IT networks.  When Argus is deployed in a network, the comprehensive network audit flow records it generates can be used to establish the network-flow part of the FMC baseline.  The FMC baseline is not a single data set; it is a large collection of statistical descriptions of the behavior of every entity in the network.  Its purpose is to record what is normal in the network so that, by comparison, abnormal behavior can be recognized.

The Argus client library includes fundamental programs designed to generate network data baselines that can be used as part of the FMC baseline.  The principal program we use is racluster.1, which is flexible enough to generate flow baselines for any aspect of network behavior.  When its output is stored with a program such as rasqlinsert.1, a system can be built that maintains basic network baselines spanning 12 months.

Examples of Argus Flow Data Support for the ACI TTP

A.2.10 Unusually High Network Traffic

One of the first integrated behavioral detections implemented in Argus was monitoring IP fragments for overlapping reassembly.  Overlapping fragments are a direct indication of packet protocol manipulation, since a legitimate IP stack has no reason to emit them, and they remain today a serious (nation-state-level) indicator of intrusion.
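The following is an added example (not code from the Argus project) showing how racluster output becomes the statistical FMC baseline described above, and how that baseline then drives the checks this page maps to the ACI TTP: unusually high traffic (A.2.10), a server/workstation pair never seen before (A.3.2.4, A.3.2.8), and a flow whose record carries the fragment-overlap condition just described.  It assumes the records were written by racluster -r argus.out -u -c , -m saddr daddr proto dport -s stime saddr daddr proto dport flgs pkts bytes (documented ra/racluster options: -u for epoch times, -c for the field separator, -m for the aggregation key, -s for the field list) and that the letter V in the flgs field is ra's fragment-overlap flag; check that letter against the ra.1 shipped with your version.  The ten baseline lines and four window lines are constructed, not captured data, and the 3-sigma threshold, the 10% floor and the min_days cutoff are design choices of this example, not anything the ACI TTP prescribes.  On a real deployment the daily totals would be stored with rasqlinsert rather than held in memory.

```python
"""Flow baseline and window check over Argus flow records (added example).

Input is constructed to look like comma-separated racluster output for
  racluster -r argus.out -u -c , -m saddr daddr proto dport \
            -s stime saddr daddr proto dport flgs pkts bytes
The letter 'V' in flgs is assumed to be ra(1)'s fragment-overlap flag.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

FIELDS = ["stime", "saddr", "daddr", "proto", "dport", "flgs", "pkts", "bytes"]

# Constructed five-day baseline: one engineering workstation talking Modbus/TCP
# (502) to a PLC and EtherNet/IP (44818) to a second controller every day.
BASELINE_CSV = """\
1700000000,10.1.1.20,10.1.2.5,tcp,502,e s,40,1000
1700000000,10.1.1.20,10.1.2.6,tcp,44818,e,120,5000
1700086400,10.1.1.20,10.1.2.5,tcp,502,e,44,1100
1700086400,10.1.1.20,10.1.2.6,tcp,44818,e,125,5200
1700172800,10.1.1.20,10.1.2.5,tcp,502,e,36,900
1700172800,10.1.1.20,10.1.2.6,tcp,44818,e,115,4800
1700259200,10.1.1.20,10.1.2.5,tcp,502,e,42,1050
1700259200,10.1.1.20,10.1.2.6,tcp,44818,e,120,5000
1700345600,10.1.1.20,10.1.2.5,tcp,502,e,38,950
1700345600,10.1.1.20,10.1.2.6,tcp,44818,e,120,5000
"""

# Constructed current window: the Modbus flow is 20x its daily norm, a host
# never seen before talks to the PLC, and one of its flows carries F and V.
WINDOW_CSV = """\
1700432000,10.1.1.20,10.1.2.5,tcp,502,e s,800,20000
1700432000,10.1.1.20,10.1.2.6,tcp,44818,e,122,5100
1700432000,10.1.1.99,10.1.2.5,tcp,502,e,12,300
1700432000,10.1.1.99,10.1.2.5,udp,20000,e FV,60,4000
"""


def parse_flows(text):
    """Turn racluster CSV lines into records keyed by (saddr, daddr, proto, dport)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        day = datetime.fromtimestamp(float(row["stime"]), tz=timezone.utc).date()
        rows.append({
            "day": day,
            "key": (row["saddr"], row["daddr"], row["proto"], row["dport"]),
            "flgs": row["flgs"].strip(),
            "bytes": int(row["bytes"]),
        })
    return rows


def build_baseline(rows):
    """Per flow key: days seen and mean/stdev of daily byte totals.

    This is the statistical part of the FMC baseline: what each pair of
    entities normally moves per day, per protocol and port.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for r in rows:
        daily[r["key"]][r["day"]] += r["bytes"]
    baseline = {}
    for key, per_day in daily.items():
        totals = list(per_day.values())
        baseline[key] = {
            "days": len(totals),
            "mean": statistics.fmean(totals),
            "stdev": statistics.pstdev(totals) if len(totals) > 1 else 0.0,
        }
    return baseline


def check_window(rows, baseline, sigma=3.0, min_days=3):
    """Compare one window of flows with the baseline; return sorted findings.

    high-traffic:      bytes above mean + sigma * stdev (A.2.10).  The stdev
                       is floored at 10% of the mean so a flow with a flat
                       history does not fire on the smallest change.
    new-communication: a pair/protocol/port absent from the baseline
                       (A.3.2.4 / A.3.2.8).
    fragment-overlap:  the record itself carries the overlap flag.
    Keys seen on fewer than min_days baseline days are too thin to threshold
    and are skipped for the high-traffic test.
    """
    findings = set()
    totals = defaultdict(int)
    for r in rows:
        totals[r["key"]] += r["bytes"]
        if "V" in r["flgs"]:
            findings.add(("fragment-overlap", r["key"]))
    for key, total in totals.items():
        b = baseline.get(key)
        if b is None:
            findings.add(("new-communication", key))
        elif b["days"] >= min_days:
            spread = max(b["stdev"], 0.1 * b["mean"])
            if total > b["mean"] + sigma * spread:
                findings.add(("high-traffic", key))
    return sorted(findings)


def run_example():
    """Build the baseline from the constructed data and check the window."""
    baseline = build_baseline(parse_flows(BASELINE_CSV))
    return check_window(parse_flows(WINDOW_CSV), baseline)


if __name__ == "__main__":
    for kind, key in run_example():
        print(f"{kind:18} {key[0]:>10} -> {key[1]:<10} {key[2]}/{key[3]}")
```

Run as a script it prints one line per finding: the Modbus flow as high-traffic, the unknown host twice as new-communication, and its UDP flow as fragment-overlap.  Tuning sigma and min_days to the site, and deciding which flow keys (address pairs, ports, VLANs, protocols) the baseline is cut on, is part of defining the FMC baseline for a given installation.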

A.2.11 Network Flow - Unusual Traffic

Server / Workstation Communication

A.3.2.4 Server/Workstation Communications Check

Validate Data Flow

A.3.2.8 Validate Data Flow

Potential Flow Data Use

Argus network audit flow data can be used to support many of the specific areas covered in the US DoD ACI TTP.