Difference between revisions of "Evasion"

From attackics
Line 2: Line 2:
 
|ShortSummary=Evasion
 
|ShortSummary=Evasion
 
|Summary=The adversary is trying to avoid being detected.
 
|Summary=The adversary is trying to avoid being detected.
|Description= Evasion consists of techniques that adversaries use to avoid detection by both human and technical defenses throughout their compromise. Techniques used for evasion include uninstalling/disabling security software, blocking and modifying communications and reporting, and impersonating controller devices. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
+
|Description= Evasion consists of techniques that adversaries use to avoid detection by both human operator and technical defenses throughout their compromise. Techniques used for evasion include uninstalling/disabling security software and blocking and modifying communications and reporting. Adversaries also leverage and abuse trusted devices and processes to hide and masquerade as master controllers and native software. The particular techniques used may depend on whether the target of evasion is human or technological. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting operators and defenses.
 
|Date=2019/09/26
 
|Date=2019/09/26
 
}}
 
}}
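Review bot: in the replacement Description, "avoid detection by both human operator and technical defenses" pairs a singular noun with a plural; suggest "by both human operators and technical defenses". The new sentence "masquerade as master controllers and native software" is consistent with the Masquerading and Spoof Reporting Message entries further down the page, so no change is needed there.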

Revision as of 10:09, 17 October 2019

Description

The adversary is trying to avoid being detected.

Evasion consists of techniques that adversaries use to avoid detection by both human operator and technical defenses throughout their compromise. Techniques used for evasion include uninstalling/disabling security software and blocking and modifying communications and reporting. Adversaries also leverage and abuse trusted devices and processes to hide and masquerade as master controllers and native software. The particular techniques used may depend on whether the target of evasion is human or technological. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting operators and defenses.

Techniques in this Tactics Category

Below is a list of all the Evasion techniques in ATT&CK for ICS:

Name / Tactics / Technical Description

Change Operating Mode (Tactics: Execution, Evasion)
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download.

Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controller’s API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller’s API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:

  • Program - This mode must be enabled before changes can be made to a device’s program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC’s logic is halted, and all outputs may be forced off.[1]
  • Run - Execution of the device’s program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program’s logic. Program Upload and Program Download are disabled while in this mode.[2][3][1][4]
  • Remote - Allows for remote changes to a PLC’s operation mode.[4]
  • Stop - The PLC and program are stopped; while in this mode, outputs are forced off.[3]
  • Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory, while cold resets will reset all I/O and data registers.[3]
  • Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization.[2]

Exploitation for Evasion (Tactics: Evasion)
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Remote System Information Discovery about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware.

Indicator Removal on Host (Tactics: Evasion)
Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

Masquerading (Tactics: Evasion)
Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.

Rootkit (Tactics: Evasion, Inhibit Response Function)
Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.[5] Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact.

Spoof Reporting Message (Tactics: Evasion, Impair Process Control)
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.

If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.[6]

In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.[7]
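Defender-side example for the Change Operating Mode entry above, added here and not part of ATT&CK for ICS or any vendor tool: a small checker that walks controller mode-change events and flags transitions into Program, Stop or Reset mode that were selected over the controller's API rather than by the key switch, or that fall outside a maintenance window. The event fields (source, maintenance flag) and the sample values are assumptions; real controllers expose this information in vendor-specific logs or protocol traffic.

```python
from dataclasses import dataclass

# Operating modes named on the page (Test stands for Test / Monitor).
MODES = {"Program", "Run", "Remote", "Stop", "Reset", "Test"}
PROGRAM_ALTERABLE = {"Program"}   # Program Upload/Download possible
HALTED = {"Stop", "Reset"}        # user program not executing

@dataclass
class ModeEvent:
    ts: int            # constructed timestamp (seconds)
    plc: str           # controller identifier
    mode: str          # new operating mode
    source: str        # "keyswitch" (physical) or "api" (network call); assumed field
    maintenance: bool  # maintenance window open at ts; assumed field

def classify(prev, ev):
    """Return alert labels for one transition from mode `prev` to `ev.mode`."""
    alerts = []
    if ev.mode not in MODES:
        return ["unknown-mode"]
    if ev.mode in PROGRAM_ALTERABLE and not ev.maintenance:
        # Program mode is the precondition for Program Download.
        alerts.append("program-mode-outside-maintenance")
    if ev.source == "api" and ev.mode in PROGRAM_ALTERABLE | HALTED:
        # Selected over the API rather than by a key turn at the cabinet.
        alerts.append("remote-mode-change-to-" + ev.mode.lower())
    if prev == "Run" and ev.mode in HALTED and not ev.maintenance:
        # Running logic halted (outputs forced off) with no planned work.
        alerts.append("run-halted-outside-maintenance")
    return alerts

def scan(events):
    """Walk events in time order per controller; returns {plc: [(ts, alert), ...]}."""
    last, findings = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        for a in classify(last.get(ev.plc), ev):
            findings.setdefault(ev.plc, []).append((ev.ts, a))
        last[ev.plc] = ev.mode
    return findings

# Constructed sample: a planned key-switch change on plc-01, and an
# API-driven halt followed by Program mode on plc-02 with no maintenance.
SAMPLE = [
    ModeEvent(100, "plc-01", "Program", "keyswitch", True),
    ModeEvent(160, "plc-01", "Run", "keyswitch", True),
    ModeEvent(900, "plc-02", "Stop", "api", False),
    ModeEvent(905, "plc-02", "Program", "api", False),
]
```

Running `scan(SAMPLE)` yields nothing for plc-01 and three findings for plc-02, which a SOC would correlate with any Program Download seen on the same controller shortly afterwards.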