Property:Has technical description

From attackics

This is a property of type Text.

Showing 20 pages using this property.
When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.[[CiteRef::EAttack Connection Proxy]]
Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [[Technique/T0880|Loss of Safety]]. Operations that result in [[Technique/T0827|Loss of Control]] may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [[Technique/T0828|Loss of Productivity and Revenue]]. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report.[[CiteRef::German Steel Mill - German Federal Office for Information Security - 2014]] These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.
The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers.[[CiteRef::Maroochy - MITRE - 200808]] A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.[[CiteRef::LodzTram-LondonReconnections-2017-12]][[CiteRef::LodzTram-InHomelandSecurity-2008-02]][[CiteRef::LodzTram-Schneier-2008-01]] Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops.[[CiteRef::LodzTram-InHomelandSecurity-2008-02]] Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.[[CiteRef::LodzTram-Schneier-2008-01]]
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans,[[CiteRef::mitigation - developing IR - 200910]] including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.
Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.[[CiteRef::EAttack File Deletion]] Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.
Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.[[CiteRef::Industroyer - Dragos - 201810]] The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be "expected to have extensive connections" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.
Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.[[CiteRef::Alert - CISA TA18-074A]] Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
Adversaries may leverage manufacturer- or supplier-set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.[[CiteRef::Guidance - NIST SP800-82]] Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state.[[CiteRef::Reference - Corero]][[CiteRef::Reference - SANS - 201510]][[CiteRef::Reference - RIoT]] In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from issuing any controls. In the 2017 Dallas Siren incident, operators were unable to disable the false alarms from the Office of Emergency Management headquarters.[[CiteRef::dallas siren – decipher 2017]]
Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware.[[CiteRef::BrickerBot - ICS-CERT - Alert]] Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [[Technique/T0888|Remote System Information Discovery]].
There are examples of adversaries remotely causing a [[Technique/T0816|Device Restart/Shutdown]] by exploiting a vulnerability that induces uncontrolled resource consumption.[[CiteRef::Industroyer - ICS-CERT ADV]][[CiteRef::Industroyer - CWE-400]][[CiteRef::Industroyer - CVE-2015-5374]] In the Maroochy attack, the adversary was able to shut an investigator out of the network.[[CiteRef::Maroochy - MITRE - 200808]]
Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight of the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases.[[CiteRef::Reference - Corero]][[CiteRef::Reference - SANS - 201510]][[CiteRef::Reference - RIoT]] An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.
Adversaries may gather information about a PLC’s or controller’s current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a device’s program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC’s logic is halted, and all outputs may be forced off.[[CiteRef::reference - Forum Automation OP mode - 012020]]
* Run - Execution of the device’s program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program’s logic. [[Technique/T0845|Program Upload]] and [[Technique/T0843|Program Download]] are disabled while in this mode.[[CiteRef::reference - Omron OP mode - 012020]][[CiteRef::reference - machine info systems OP mode - 012020]][[CiteRef::reference - Forum Automation OP mode - 012020]][[CiteRef::reference - PLCguru OP mode - 012020]]
* Remote - Allows for remote changes to a PLC’s operation mode.[[CiteRef::reference - PLCguru OP mode - 012020]]
* Stop - The PLC and its program are stopped; while in this mode, outputs are forced off.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory, while cold resets will reset all I/O and data registers.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization.[[CiteRef::reference - Omron OP mode - 012020]]
Adversaries may forcibly restart or shut down a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands. Unexpected restart or shutdown of control system devices may prevent expected response functions from happening during critical states. A device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors.[[CiteRef::Alert - CISA TA18-074A]] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.
Protect sensitive data-at-rest with strong encryption.
Adversaries may compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a [[Technique/T0859|Valid Accounts]] with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example unsegregated process control, safety system, or information system networks. An [[Engineering Workstation]] is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.[[CiteRef::Maroochy - MITRE - 200808]]
Block execution of code on a system through application control, and/or script blocking.