Remote System Discovery
| Remote System Discovery | |
|---|---|
| Technique | |
| ID | T0846 |
| Tactic | Discovery |
| Data Sources | Process monitoring, Process use of network, Process command-line parameters, Network protocol analysis |
| Asset | Control Server, Data Historian, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface |
Description
Remote System Discovery is the process of identifying the presence of hosts on a network1, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.
Procedure Examples
- The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.2
- The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically.3
- PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.4
- Stuxnet scanned the network to identify the Siemens PLCs that it was targeting.5
- Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.6
Mitigations
- Static Network Configuration - ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.78 Examples of automation protocols with discovery capabilities include OPC UA Device Discovery 9, BACnet 10, and Ethernet/IP.11
References
- ^ Enterprise ATT&CK. (2018, January 11). Remote System Discovery. Retrieved May 17, 2018.
- ^ Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 1, 2019.
- ^ Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- ^ Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
- ^ Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- ^ DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
- ^ D. Parsons and D. Wylie. (2019, September). Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged – Discover and Defend Your Assets. Retrieved September 25, 2020.
- ^ Colin Gray. (n.d.). How SDN Can Improve Cybersecurity in OT Networks. Retrieved September 25, 2020.
- ^ Josh Rinaldi. (2016, April). Still a Thrill: OPC UA Device Discovery. Retrieved September 25, 2020.
- ^ Aditya K Sood. (2019, July). Discovering and fingerprinting BACnet devices. Retrieved September 25, 2020.
- ^ Langner. (2018, November). Why Ethernet/IP changes the OT asset discovery game. Retrieved September 25, 2020.
