Network Connection Enumeration

From attackics
Jump to navigation Jump to search
Network Connection Enumeration
ID T840
Tactic Discovery
Data Sources Process monitoring, API monitoring
Asset Human-Machine Interface


Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network 1. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

Procedure Examples

  • Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks.2


  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.3
  • Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.3
  • Restrict communications to and from devices over the network with access controls, such as whitelists.3
  • Utilize intrusion detection system (IDS) capabilities and heuristics to detect adversarial monitoring of the environment and modules or actions that deviate from normal functionality.3