Property:Has technical description

From attackics

This is a property of type Text.

Showing 50 pages using this property.
A
Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication.[[CiteRef::mitigation - NIST 1800-2 IDAM - 201807]] These technologies typically utilize an in-line network device or gateway system to prevent access by unauthenticated users, while also integrating with an authentication service to first verify user credentials.[[CiteRef::Guidance - DHS Cert remote access - 201011]]
Configure features related to account use like login attempt lockouts, specific login times, etc.
Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.
Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.
Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer.[[CiteRef::Maroochy - MITRE - 200808]] A Secura presentation on targeting OT notes a twofold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to.[[CiteRef::References - Secura - 2019]] The method of suppression may greatly depend on the type of alarm in question:
* An alarm raised by a protocol message
* An alarm signaled with I/O
* An alarm bit set in a flag (and read)
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.[[CiteRef::References - Secura - 2019]] Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code.
Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems.[[CiteRef::Report - NCCIC AV update - 201808]]
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.
The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector,[[CiteRef::standard - IEC 62351 - 202007]] while IEEE 1686 defines standard permissions for users of IEDs.[[CiteRef::standard - IEEE 1686-2013 - 201401]]
Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.
B
Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.[[CiteRef::Research - Research - Taxonomy Cyber Attacks on SCADA]][[CiteRef::Ukraine15 - EISAC - 201603]]
Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.[[CiteRef::Research - Research - Taxonomy Cyber Attacks on SCADA]][[CiteRef::Ukraine15 - EISAC - 201603]]
Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available (1, 2 and 3), the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at <code>10.0.0.1</code> via Telnet on serial port 1 with the following command: <code>telnet 10.0.0.1 20001</code>.
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.
C
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controller’s API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller’s API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a device’s program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC’s logic is halted, and all outputs may be forced off.[[CiteRef::reference - Forum Automation OP mode - 012020]]
* Run - Execution of the device’s program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program’s logic. [[Technique/T0845|Program Upload]] and [[Technique/T0843|Program Download]] are disabled while in this mode.[[CiteRef::reference - Omron OP mode - 012020]][[CiteRef::reference - machine info systems OP mode - 012020]][[CiteRef::reference - Forum Automation OP mode - 012020]][[CiteRef::reference - PLCguru OP mode - 012020]]
* Remote - Allows for remote changes to a PLC’s operation mode.[[CiteRef::reference - PLCguru OP mode - 012020]]
* Stop - The PLC and program are stopped; while in this mode, outputs are forced off.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization.[[CiteRef::reference - Omron OP mode - 012020]]
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments.[[CiteRef::EAttack Command-Line Interface]] Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.
* TCP:80 (HTTP)
* TCP:443 (HTTPS)
* TCP/UDP:53 (DNS)
* TCP:1024-4999 (OPC on XP/Win2k3)
* TCP:49152-65535 (OPC on Vista and later)
* TCP:23 (TELNET)
* UDP:161 (SNMP)
* TCP:502 (MODBUS)
* TCP:102 (S7comm/ISO-TSAP)
* TCP:20000 (DNP3)
* TCP:44818 (Ethernet/IP)
When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.[[CiteRef::EAttack Connection Proxy]]
D
Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [[Technique/T0880|Loss of Safety]]. Operations that result in [[Technique/T0827|Loss of Control]] may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [[Technique/T0828|Loss of Productivity and Revenue]]. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in a section on incidents affecting business in its 2014 IT Security Report.[[CiteRef::German Steel Mill - German Federal Office for Information Security - 2014]] These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers.[[CiteRef::Maroochy - MITRE - 200808]] A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.[[CiteRef::LodzTram-LondonReconnections-2017-12]][[CiteRef::LodzTram-InHomelandSecurity-2008-02]][[CiteRef::LodzTram-Schneier-2008-01]] Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops.[[CiteRef::LodzTram-InHomelandSecurity-2008-02]] Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.[[CiteRef::LodzTram-Schneier-2008-01]]
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans,[[CiteRef::mitigation - developing IR - 200910]] including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.
Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.[[CiteRef::EAttack File Deletion]] Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.
Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.[[CiteRef::Industroyer - Dragos - 201810]] The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be "expected to have extensive connections" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.
Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.[[CiteRef::Alert - CISA TA18-074A]] Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.[[CiteRef::Guidance - NIST SP800-82]] Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state.[[CiteRef::Reference - Corero]][[CiteRef::Reference - SANS - 201510]][[CiteRef::Reference - RIoT]] In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from issuing any controls. In the 2017 Dallas Siren incident, operators were unable to disable the false alarms from the Office of Emergency Management headquarters.[[CiteRef::dallas siren – decipher 2017]]
Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware.[[CiteRef::BrickerBot - ICS-CERT - Alert]] Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [[Technique/T0888|Remote System Information Discovery]]. There are examples of adversaries remotely causing a [[Technique/T0816|Device Restart/Shutdown]] by exploiting a vulnerability that induces uncontrolled resource consumption.[[CiteRef::Industroyer - ICS-CERT ADV]][[CiteRef::Industroyer - CWE-400]][[CiteRef::Industroyer - CVE-2015-5374]] In the Maroochy attack, the adversary was able to shut an investigator out of the network.[[CiteRef::Maroochy - MITRE - 200808]]
Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases.[[CiteRef::Reference - Corero]][[CiteRef::Reference - SANS - 201510]][[CiteRef::Reference - RIoT]] An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.
Adversaries may gather information about a PLC’s or controller’s current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a device’s program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC’s logic is halted, and all outputs may be forced off.[[CiteRef::reference - Forum Automation OP mode - 012020]]
* Run - Execution of the device’s program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program’s logic. [[Technique/T0845|Program Upload]] and [[Technique/T0843|Program Download]] are disabled while in this mode.[[CiteRef::reference - Omron OP mode - 012020]][[CiteRef::reference - machine info systems OP mode - 012020]][[CiteRef::reference - Forum Automation OP mode - 012020]][[CiteRef::reference - PLCguru OP mode - 012020]]
* Remote - Allows for remote changes to a PLC’s operation mode.[[CiteRef::reference - PLCguru OP mode - 012020]]
* Stop - The PLC and program are stopped; while in this mode, outputs are forced off.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization.[[CiteRef::reference - Omron OP mode - 012020]]
Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands. Unexpected restart or shutdown of control system devices may prevent expected response functions from happening during critical states. A device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors.[[CiteRef::Alert - CISA TA18-074A]] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
E
Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.
Protect sensitive data-at-rest with strong encryption.
Adversaries may compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a [[Technique/T0859|Valid Accounts]] with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example unsegregated process control, safety system, or information system networks. An [[Engineering Workstation]] is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.[[CiteRef::Maroochy - MITRE - 200808]]
Block execution of code on a system through application control, and/or script blocking.
Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an asset's operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility. An adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest to adversaries.
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through [[Technique/T0888|Remote System Information Discovery]] about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [[Technique/T0857|System Firmware]].
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.[[CiteRef::Eattack - Exploitation for Priv Escalation]] When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.[[CiteRef::Eattack - Exploitation for Priv Escalation]]
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems.[[CiteRef::EAttack Exploitation of Remote Services]] ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating ("wormable") malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.[[CiteRef::Reference - Dragos - 201910]]
Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.[[CiteRef::EAttack External Remote Services]] External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled.[[CiteRef::Ukraine15 - EISAC - 201603]] In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio.
F
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or automation/SCADA protocol-aware firewalls that block specific protocol messages.[[CiteRef::Guidance - CPNI FW deployment - 200502]]
G
Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.
H
Adversaries may hook into application programming interface (API) functions used by processes to redirect calls as a means of execution and privilege escalation. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.[[CiteRef::EAttack Hooking]] One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process's IAT, where pointers to imported API functions are stored.[[CiteRef::Stuxnet - Symantec - 201102]]