This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Difference between revisions of "Technique/T0883"

From attackics
m (Text replacement - "Logon Session:" to "[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/logon_session.yml Logon Session]:")
m (Text replacement - "Network Traffic:" to "[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]:")
Line 2:

|Name=Internet Accessible Device

|Category=Initial Access
|Data Sources=Network Traffic: Network Traffic Flow, Network Traffic: Network Traffic Content, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/logon_session.yml Logon Session]: Logon Session Metadata
+
|Data Sources=[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]: Network Traffic Flow, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]: Network Traffic Content, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/logon_session.yml Logon Session]: Logon Session Metadata
 
|Technical Description=Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through {{LinkByID|T0822}}. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the {{LinkByID|T0819}} technique.
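Review bot: in the replaced Data Sources line, the network_traffic.yml link is repeated for both Network Traffic components (Network Traffic Flow and Network Traffic Content), which matches the existing "Source: Component" entry format already used for the Logon Session link, so the repetition looks intentional; worth confirming that the template renders the linked source name identically for both entries rather than listing them as two separate data sources.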
 
Latest revision as of 17:35, 20 October 2021

This technique's new page is at https://attack.mitre.org/techniques/T0883; please update your links.

Internet Accessible Device
Technique
ID: T0883
Tactic: Initial Access
Data Sources: Network Traffic: Network Traffic Flow, Network Traffic: Network Traffic Content, Logon Session: Logon Session Metadata
Asset: Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server, Safety Instrumented System/Protection Relay

Description

Adversaries may gain access to industrial environments through systems exposed directly to the internet for remote access rather than through External Remote Services. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow adversaries to move directly into the control system network. Access to these devices is accomplished without the use of exploits; access that relies on exploits would be represented within the Exploit Public-Facing Application technique.

Adversaries may leverage built-in functions for remote access which may not be protected, or which use minimal legacy protections that may be targeted.[1] These services may be discoverable through the use of online scanning tools.

In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing.[1][2][3]

In Trend Micro's manufacturing deception operations, adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access.[4]

Mitigations

  • Network Segmentation - Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Periodically inventory internet-accessible devices to determine whether the exposure differs from what is expected.
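As an added example (not code from the ATT&CK page or from MITRE), the following Python applies the inventory step above to Network Traffic Flow records: it flags inbound flows from outside the plant's address space to hosts on the protocols named in the description (Siemens S7, Omron FINS, EtherNet/IP, VNC) or on any other port, and subtracts the documented, expected exposure. The flow records, port-to-protocol mapping, internal ranges, and expected-exposure allowlist are all constructed assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample flow records (NetFlow-style): source IP, destination IP,
# destination port, protocol. External sources use documentation (TEST-NET)
# addresses so nothing here points at a real host.
Flow = namedtuple("Flow", "src dst dport proto")
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.20.1.15", 102, "tcp"),    # S7comm from outside
    Flow("198.51.100.9", "10.20.1.22", 5900, "tcp"),  # VNC from outside
    Flow("10.20.0.5", "10.20.1.15", 102, "tcp"),      # S7comm from inside: expected
    Flow("203.0.113.7", "10.20.1.30", 44818, "tcp"),  # EtherNet/IP from outside
    Flow("198.51.100.9", "10.20.1.40", 8080, "tcp"),  # unknown service from outside
    Flow("192.0.2.4", "10.20.9.9", 443, "tcp"),       # HTTPS to the approved gateway
]

# Assumed standard ports for the protocols the page names, plus VNC.
ICS_PORTS = {102: "Siemens S7", 9600: "Omron FINS", 44818: "EtherNet/IP", 5900: "VNC"}

# Assumed internal address space: RFC 1918 ranges. Anything else is treated as
# an internet source (deliberately not ipaddress.is_global, which classifies
# the TEST-NET documentation ranges above as non-global).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed expected exposure: the only (host, port) pairs that should ever accept
# connections from the internet, e.g. a hardened remote-access gateway.
EXPECTED_EXPOSURE = {("10.20.9.9", 443)}


def is_external_source(ip: str) -> bool:
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_unexpected_exposure(flows, expected=EXPECTED_EXPOSURE, ics_ports=ICS_PORTS):
    """Return sorted (dst, port, label) triples for internet-sourced inbound
    flows that are absent from the expected-exposure inventory. Ports in
    ics_ports get the protocol name; every other port is labelled 'unlisted'."""
    findings = set()
    for f in flows:
        if not is_external_source(f.src) or (f.dst, f.dport) in expected:
            continue
        findings.add((f.dst, f.dport, ics_ports.get(f.dport, "unlisted")))
    return sorted(findings)


if __name__ == "__main__":
    for dst, port, label in find_unexpected_exposure(SAMPLE_FLOWS):
        print(f"unexpected internet exposure: {dst}:{port} ({label})")
```

Running the same function over a flow export from the perimeter firewall, with the real allowlist in EXPECTED_EXPOSURE, turns the periodic inventory into a repeatable diff against what is expected.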