SOLUTIONS

ES Portfolio covers 100% of MITRE ATT&CK® for Enterprise/Network

 
Initial Access: Exploit Public-Facing Application, Valid Accounts

Exploit Public-Facing Application

Attack Description
Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.
Attack example
Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.
Mitigation using ES portfolio
  • BNS: BNS can protect any management ports of network devices making them effectively invisible to attacks.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a device.


Valid Accounts

Attack Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.
Attack example
Dtrack used hard-coded credentials to gain access to a network share.
Mitigation using ES portfolio
  • BNS: BNS can protect any management ports of network devices making them effectively invisible to attacks.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a device.

Execution: Command and Scripting Interpreter

Attack Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.
Attack example
Donut can generate shellcode outputs that execute via Ruby.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard traffic based on ports, addresses or content.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a server.

Persistence: Modify Authentication Process, Pre-OS Boot, Server Software Component, Traffic Signaling, Valid Accounts

Modify Authentication Process

Attack Description
By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts. Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms.
Attack example
Ebury can intercept private keys using a trojanized ssh-add function.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard packets based on ports, addresses or content.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a device.


Pre-OS Boot

Attack Description
Abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system.
Attack example
Trojan.Mebromi performs BIOS modification and can download and execute a file as well as protect itself from removal.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard packets based on ports, addresses or content.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a device.


Server Software Component

Attack Description
Abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.
Attack example
OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard packets based on ports, addresses or content.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a device.


Traffic Signaling

Attack Description
Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task.
Attack example
Penquin will connect to C2 only after sniffing a “magic packet” value in TCP or UDP packets matching specific conditions.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard packets based on ports, addresses or content.
  • ZTMFW: ZTMFW would segment the network to make sure hackers or malware cannot do any lateral movement after compromising a device.


Valid Accounts

Attack Description
Covered under (Initial Access)
Attack example
Covered under (Initial Access)
Mitigation using ES portfolio
Covered under (Initial Access)
Defense Evasion: Impair Defenses, Indicator Removal, Modify Authentication Process, Modify System Image, Network Boundary Bridging, Pre-OS Boot, Traffic Signaling, Valid Accounts, Weaken Encryption

Impair Defenses

Attack Description
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
Attack example
APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard packets based on ports, addresses or content. It can also make firewalls or devices invisible to the network while allowing them to work normally.
  • ZTMFW: ZTMFW would segment the network to make sure hackers cannot do any lateral movement after compromising a device.


Indicator Removal

Attack Description
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses.
Attack example
Rising Sun can clear a memory blob in the process by overwriting it with junk bytes.
Mitigation using ES portfolio
  • BNS: BNS would block any non-standard packets based on ports, addresses or content. This would disable all malware communication.
  • ZTMFW: ZTMFW would segment the network to make sure malware cannot do lateral movement.


Modify Authentication Process

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Modify System Image

Attack Description
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.
Attack example
SYNful Knock is malware that is inserted into a network device by patching the operating system image.
Mitigation using ES portfolio
  • BNS: BNS prevents the network device from being accessed maliciously, and if a compromised device is inserted in the network, BNS would be able to detect and block anomalous activity.
  • ZTMFW: ZTMFW would segment the network to make sure malware cannot do lateral movement.


Network Boundary Bridging

Attack Description
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
Attack example
Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.
Mitigation using ES portfolio
  • BNS: Once deployed, routing information cannot be updated by insiders, including updating the system image. In addition, BNS would block any non-standard packets based on ports, addresses or content.
  • ZTMFW: Block any lateral non-standard communication.


Pre-OS Boot

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Traffic Signaling

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Valid Accounts

Attack Description
Covered under (Initial Access)
Attack example
Covered under (Initial Access)
Mitigation using ES portfolio
Covered under (Initial Access)

Weaken Encryption

Attack Description
Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as Modify System Image, Reduce Key Space, and Disable Crypto Hardware, an adversary can negatively affect and/or eliminate a device’s ability to securely encrypt network traffic.
Attack example
Adversaries may modify the key size used and other encryption parameters using specialized commands in a Network Device CLI introduced to the system through Modify System Image to change the configuration of the device.
Mitigation using ES portfolio
  • BNS: BNS prevents the network device from being accessed maliciously, and if a compromised device is inserted in the network, BNS would be able to detect and block anomalous activity.
  • ZTMFW: ZTMFW would segment the network to make sure malware cannot do lateral movement.

Credential Access: Adversary-in-the-Middle, Brute Force, Input Capture, Modify Authentication Process, Network Sniffing

Adversary-in-the-Middle

Attack Description
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
Attack example
Cleaver has used custom tools to facilitate ARP cache poisoning.
Mitigation using ES portfolio
  • BNS: Two BNS devices can establish a tunnel between them and make sure the communication cannot be monitored or altered. In addition, BNS can make sure only communication within the set rules is allowed, automatically blocking non-standard communication.
  • ZTMFW: Block any lateral non-standard communication.


Brute Force

Attack Description
Adversaries may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Attack example
North Korean Lazarus Group has performed brute force attacks against administrator accounts.
Mitigation using ES portfolio
  • BNS: BNS would automatically block any unusual communication requests, such as an abnormal number of log-in attempts.
  • ZTMFW: Log-in attempts would be allowed only when they come from the designated sources, so a compromised device would not result in any lateral movement.


Input Capture

Attack Description
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).
Attack example
Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.
Mitigation using ES portfolio
  • BNS: BNS would automatically block any unusual communication requests, such as a compromised system transmitting information to an unusual IP address.
  • ZTMFW: Log-in attempts would be allowed only when they come from the designated sources, so a compromised device would not result in any lateral movement.


Modify Authentication Process

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Network Sniffing

Attack Description
Using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Attack example
Penquin can sniff network traffic to look for packets matching specific conditions.
Mitigation using ES portfolio
  • BNS: Can create a tunnel between two devices where all the communication is encrypted with white-box cryptography and cannot be eavesdropped.
  • ZTMFW: Is built for just such use cases. ZTMFW completely blocks any communication not intended for the designated device, preventing any lateral attack.

Discovery: File and Directory Discovery, Network Service Discovery, Password Policy Discovery, Remote System Discovery, System Information Discovery, Network Sniffing, System Network Configuration Discovery, System Network Connections Discovery

File and Directory Discovery

Attack Description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Attack example
Fox Kitten has used WizTree to obtain network files and directory listings.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.


Network Service Discovery

Attack Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Attack example
OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.


Password Policy Discovery

Attack Description
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.
Attack example
Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.


Remote System Discovery

Attack Description
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Attack example
Arp can be used to display a host’s ARP cache, which may include address resolutions for remote systems.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.


System Information Discovery

Attack Description
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Attack example
Elise executes systeminfo after initial communication is made to the remote server.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.


Network Sniffing

Attack Description
Covered under (Credential Access)
Attack example
Covered under (Credential Access)
Mitigation using ES portfolio
Covered under (Credential Access)

System Network Configuration Discovery

Attack Description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).
Attack example
Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.


System Network Connections Discovery

Attack Description
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary’s goals. Cloud providers may have different ways in which their virtual networks operate. Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Attack example
APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.
Mitigation using ES portfolio
  • BNS: Blocks any unusual activities such as enumeration of network devices, directories, password policy or service requests coming from unusual sources.
  • ZTMFW: Will make sure that one device cannot access any other device on the network for directory enumeration, service enumeration or otherwise.

Collection: Adversary-in-the-Middle, Data from Configuration Repository, Data from Local System, Input Capture

Adversary-in-the-Middle

Attack Description
Covered under (Credential Access)
Attack example
Covered under (Credential Access)
Mitigation using ES portfolio
Covered under (Credential Access)

Data from Configuration Repository

Attack Description
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Attack example
Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them. This would both block access to the devices and prevent outbound data leakage.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent data leakage.


Data from Local System

Attack Description
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.
Attack example
DnsSystem can upload files from infected machines after receiving a command with uploaddd in the string.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them. This would both block access to the devices and prevent outbound data leakage.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent data leakage.


Input Capture

Attack Description
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
Attack example
XAgentOSX contains keylogging functionality that monitors for active application windows and writes them to the log. It can handle special characters, and by default it buffers 50 characters before sending them out over the C2 infrastructure.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them. This would both block access to the devices and prevent outbound data leakage.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent data leakage.

Command and Control: Non-Application Layer Protocol, Proxy, Traffic Signaling

Non-Application Layer Protocol

Attack Description
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. ICMP communication between hosts is one example.[2] Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.[3] However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
Attack example
The Regin malware platform can use ICMP to communicate between infected computers. Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them. This would both block access to the devices and prevent outbound data leakage.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent data leakage.


Proxy

Attack Description
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
Attack example
Dridex contains a backconnect module for tunneling network traffic through a victim’s computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.
Mitigation using ES portfolio
  • BNS: Can create an ultra-secure tunnel in which the two devices only accept communication that went through the BNSs, and all other communication is dropped.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent data leakage.


Traffic Signaling

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Exfiltration: Automated Exfiltration

Attack Description
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
Attack example
StrongPity can automatically exfiltrate collected documents to the C2 server. When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them. This would both block access to the devices and prevent outbound data leakage.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent data leakage.

Impact: Firmware Corruption, System Shutdown/Reboot

Firmware Corruption

Attack Description
Manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable. Depending on the device, this attack may also result in Data Destruction.
Attack example
Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them, including ransomware propagation attempts.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent ransomware propagation activity.


System Shutdown/Reboot

Attack Description
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload). Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Attack example
Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.
Mitigation using ES portfolio
  • BNS: Block any non-standard requests to network devices or from them, including ransomware propagation attempts.
  • ZTMFW: Block any lateral movement from a compromised device to access any other device, including network devices. This would also prevent ransomware propagation activity.

ES Portfolio covers 100% of MITRE ATT&CK® for ICS

 
Initial Access (ICS): Drive-by Compromise, Exploit Public-Facing Application, Exploitation of Remote Services, External Remote Services, Internet Accessible Device, Remote Services, Replication Through Removable Media, Rogue Master, Spearphishing Attachment, Supply Chain Compromise, Transient Cyber Asset, Wireless Compromise

Drive-by Compromise

Attack Description
A user’s web browser is targeted and exploited simply by visiting a compromised website.
Attack example
Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
Mitigation using ES portfolio
  • BNS/ZTMFW: Limit the protocols and targets of outbound communication from the ICS environment.
  • Diode: One-way access doesn’t allow internet browsing.


Exploit Public-Facing Application

Attack Description
Targeting public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services.
Attack example
Sandworm Team actors exploited vulnerabilities in GE’s Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet.
Mitigation using ES portfolio
  • BNS/ZTMFW/Diode: Public-facing applications would not be able to access ICS systems directly due to IT/OT segmentation.


Exploitation of Remote Services

Attack Description
Taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems.
Attack example
WannaCry, NotPetya, and BadRabbit: propagating (“wormable”) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.
Mitigation using ES portfolio
  • BNS/Diode: Limit the protocols and targets of outbound communication from the ICS environment.
  • ZTMFW: Block lateral (PLC-PLC) communication and only allow PLC access to specific servers/protocols.


External Remote Services

Attack Description
Use remote access solutions (e.g. VPN, RDP) to gain access to and execute attacks against a control system network.
Attack example
In the Ukraine 2015 Incident, Sandworm Team harvested VPN worker credentials and used them to remotely log into control system networks.
Mitigation using ES portfolio
  • BNS: The ICS operator can use an ultra-secure remote access physical appliance.
  • ZTMFW/Diode: Only outbound communication would be allowed; remote access wouldn’t be possible.


Internet Accessible Device

Attack Description
Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections.
Attack example
In Trend Micro’s manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access.
Mitigation using ES portfolio
  • BNS/Diode: Limit the protocols and targets of outbound communication from the ICS environment.
  • ZTMFW: Block lateral (PLC-PLC) communication and only allow PLC access to specific servers/protocols.


Remote Services

Attack Description
Adversaries may leverage such remote services as RDP, SMB, SSH to move between assets and network segments.
Attack example
Sandworm Team appears to use MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.
Mitigation using ES portfolio
  • BNS/Diode: Limit the protocols and targets of outbound communication from the ICS environment.
  • ZTMFW: Block lateral (PLC-PLC) communication and only allow PLC access to specific servers/protocols.


Replication Through Removable Media

Attack Description
Copying malware to removable media which is then inserted into the control systems environment. The ICS machine is infected without use of the network.
Attack example
Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility.
Mitigation using ES portfolio
  • BNS/Diode: Block any attempt by the malware to move from the less secured network to the ICS network.
  • ZTMFW: Block any attempt by the malware to replicate itself to another ICS device.


Rogue Master

Attack Description
Adversaries may set up a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways.
Attack example
In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.
Mitigation using ES portfolio
  • ZTMFW: Block lateral (PLC-to-PLC) communication and only allow PLC access to specific servers and protocols


Attack Description
Adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.
Attack example
ALLANITE utilized spear phishing to gain access into energy sector environments.
Mitigation using ES portfolio
  • BNS/ZTMFW: SMTP, POP3 and similar mail protocols would not be among the protocols allowed into the operational environment
  • Diode: One-way access does not allow receiving email in the ICS environment. An endpoint security suite (e.g. Sentinel) is still required.


Attack Description
Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer.
Attack example
Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard Windows applications.
Mitigation using ES portfolio
  • ZTMFW: Once inside the network, the device would not be able to perform lateral movement
  • BNS/Diode: An unregistered device would not have permission either to receive commands or to send information


Attack Description
Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. Once in the network, these devices can be used to launch an attack.
Attack example
In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.
Mitigation using ES portfolio
  • ZTMFW: Once inside the network, the device would not be able to perform lateral movement
  • BNS/Diode: An unregistered device would not have permission either to receive commands or to send information


Attack Description
Access to a wireless network may be gained through the compromise of a wireless device. Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.
Attack example
The adversary disrupted Maroochy Shire’s radio-controlled sewage system by driving around with stolen radio equipment and issuing commands with them.
Mitigation using ES portfolio
  • BNS/ZTMFW: Encrypt the traffic between operators and critical infrastructure so that captured or injected radio traffic cannot be used to issue commands (encryption does not prevent jamming on the same frequency, which remains an availability risk)

Execution techniques: Change Operating Mode, Command-Line Interface, Graphical User Interface, Hooking, Execution through API, Modify Controller Tasking, Native API, Scripting, User Execution

Attack Description
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller’s API.
Attack example
PLC-Blaster stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again.
Mitigation using ES portfolio
  • BNS/ZTMFW: Block all unauthorized attempts to remotely change system settings, and block all unusual traffic
  • Diode: Only allow logging traffic outward to a SCADA replica server, so that indicators of compromise are noticed quickly


Attack Description
Command-line interfaces (CLIs) can be accessed locally or exposed via services such as SSH, Telnet and RDP. Adversaries may use CLIs to install and run new software, including malicious tools installed over the course of an operation.
Attack example
Sandworm Team uses the MS-SQL server xp_cmdshell command and PowerShell to execute commands.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including API requests, RDP/VNC connections and CLI requests
  • ZTMFW: Block any lateral movement, including API requests, RDP/VNC connections and CLI requests
  • Diode: Block any attempt to access ICS devices from the IT environment, including API requests, RDP/VNC connections and CLI requests


Attack Description
Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access may be possible via protocols such as VNC (Unix) or RDP (Windows).
Attack example
In the Oldsmar water treatment attack, adversaries utilized the operator HMI interface through the graphical user interface.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including API requests, RDP/VNC connections and CLI requests
  • ZTMFW: Block any lateral movement, including API requests, RDP/VNC connections and CLI requests
  • Diode: Block any attempt to access ICS devices from the IT environment, including API requests, RDP/VNC connections and CLI requests


Attack Description
Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means.
Attack example
Stuxnet modifies the Import Address Tables of DLLs to hook specific APIs that are used to open project files.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including API requests, RDP/VNC connections and CLI requests
  • ZTMFW: Block any lateral movement, including API requests, RDP/VNC connections and CLI requests
  • Diode: Block any attempt to access ICS devices from the IT environment, including API requests, RDP/VNC connections and CLI requests


Attack Description
Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.
Attack example
Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including API requests, RDP/VNC connections and CLI requests
  • ZTMFW: Block any lateral movement, including API requests, RDP/VNC connections and CLI requests
  • Diode: Block any attempt to access ICS devices from the IT environment, including API requests, RDP/VNC connections and CLI requests


Attack Description
Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller.
Attack example
Stuxnet infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates, email access
  • ZTMFW: Block any lateral movement including malware distribution, email
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates, email access


Attack Description
Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.
Attack example
PLC-Blaster uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with the TRCV and TSEND system function blocks.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates, email access
  • ZTMFW: Block any lateral movement including malware distribution, email
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates, email access


Attack Description
Scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.
Attack example
APT33 utilized PowerShell scripts to establish command and control and install files for execution.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates, email access
  • ZTMFW: Block any lateral movement including malware distribution, email
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates, email access


Attack Description
Adversaries may embed malicious code or Visual Basic code into files such as Microsoft Word and Excel documents or software installers. Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software.
Attack example
Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates, email access
  • ZTMFW: Block any lateral movement including malware distribution, email
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates, email access

Privilege Escalation techniques: Exploitation for Privilege Escalation

Attack Description
Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system.
Attack example
Triton allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates, email access
  • ZTMFW: Block any lateral movement including malware distribution, email
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates, email access

Persistence techniques: Modify Program, Module Firmware, Project File Infection, System Firmware, Valid Accounts

Attack Description
Modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network using a Program Download in addition to other types of program modification such as online edit and program append.
Attack example
PLC-Blaster copies itself to various Program Organization Units (POUs) on the target device. The POUs include the Data Block, Function, and Function Block.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates


Attack Description
Install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware components that have their own firmware, separate from the firmware of the main control system equipment. An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM and operating system. Remediation typically requires re-imaging the device.
Attack example
Sednit (also known as APT28, Sofacy, Strontium and Fancy Bear) has been operating since at least 2004.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates


Attack Description
Export malicious code into project files with conditions to execute at specific intervals. Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.
Attack example
Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates


Attack Description
Exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.
Attack example
In the Ukraine 2015 Incident, Sandworm Team developed and used malicious firmware to render communication devices inoperable.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including malware distribution, unauthorized firmware updates
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized firmware updates


Attack Description
Steal the credentials of a specific user or service account using credential access techniques. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems.
Attack example
ALLANITE utilized credentials collected through phishing and watering hole attacks.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, use White Box Cryptography instead of account credentials
  • ZTMFW: Block any lateral movement
  • Diode: Block any attempt to access ICS devices from IT environment

Evasion techniques: Change Operating Mode, Exploitation for Evasion, Indicator Removal on Host, Masquerading, Rootkit, Spoof Reporting Message

Attack Description
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download.
Attack example
PLC-Blaster stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including ones to distribute malware, unauthorized commands
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized commands


Attack Description
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection.
Attack example
Triton disables a firmware RAM/ROM consistency check after injecting a payload (imain.bin) into the firmware memory region.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including ones to distribute malware, unauthorized commands
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized commands


Attack Description
In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.
Attack example
KillDisk deletes application, security, setup, and system event logs from Windows systems.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including ones to distribute malware, unauthorized commands
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized commands


Attack Description
Disguise a malicious application or executable as another file, to avoid operator and engineer suspicion.
Attack example
Sandworm Team transfers executable files as .txt and then renames them to .exe, likely to avoid detection through extension tracking.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including ones to distribute malware, unauthorized commands
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized commands
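The staging pattern above (an executable shipped under a harmless extension and renamed later) slips past extension-based filtering but not past a content check: the first bytes of a PE, ELF or Mach-O file identify it regardless of its name, and a rename that promotes a non-executable extension to an executable one is itself a signal. The following is an added example, not ES portfolio code; the file contents and rename events are constructed for the illustration.

```python
"""Masquerading check: does a file's content agree with its name?"""
import os

# Leading bytes that identify native executables regardless of file name.
MAGIC = {
    b"MZ": "pe",                    # Windows PE (DOS stub header)
    b"\x7fELF": "elf",              # Linux/Unix ELF
    b"\xcf\xfa\xed\xfe": "macho",   # 64-bit Mach-O, little-endian
    b"\xfe\xed\xfa\xcf": "macho",   # 64-bit Mach-O, big-endian
}
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".elf", ".so", ".bin"}


def content_kind(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name entirely."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "other"


def check_file(name: str, data: bytes):
    """Return (verdict, detail): executable content behind a non-executable extension is suspicious."""
    ext = os.path.splitext(name)[1].lower()
    shown = ext or "(none)"
    kind = content_kind(data)
    if kind != "other" and ext not in EXEC_EXT:
        return ("SUSPICIOUS", f"{name}: {kind.upper()} header behind extension {shown}")
    return ("OK", f"{name}: {kind} content, extension {shown}")


def check_rename(old: str, new: str):
    """Flag a rename that turns a non-executable extension into an executable one."""
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    if new_ext in EXEC_EXT and old_ext not in EXEC_EXT:
        return ("SUSPICIOUS", f"rename {old} -> {new}: {old_ext or '(none)'} promoted to executable")
    return ("OK", f"rename {old} -> {new}")


# Constructed samples: what a scanner would see on a staging host.
SAMPLE_FILES = {
    "update.txt":  b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",  # PE bytes, .txt name
    "notes.txt":   b"Maintenance window 02:00-04:00\n",
    "svchost.exe": b"MZ\x90\x00" + b"\x00" * 28,
    "photo.jpg":   b"\x7fELF\x02\x01\x01\x00",                                      # ELF bytes, .jpg name
}
SAMPLE_RENAMES = [
    ("update.txt", "update.exe"),   # the .txt -> .exe pattern described above
    ("report.docx", "report.pdf"),
]


def scan(files=SAMPLE_FILES, renames=SAMPLE_RENAMES):
    """Run both checks; returns (verdict, detail) pairs in input order."""
    results = [check_file(n, d) for n, d in files.items()]
    results += [check_rename(o, n) for o, n in renames]
    return results


if __name__ == "__main__":
    for verdict, detail in scan():
        print(f"{verdict:10} {detail}")
```

A two-byte "MZ" prefix alone will also match legitimate DOS-era binaries, so in production the check should follow the e_lfanew pointer at offset 0x3c and confirm the "PE\0\0" signature before alerting.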


Attack Description
Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information.
Attack example
One of Stuxnet’s rootkits is contained entirely in the fake s7otbxdx.dll.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including ones to distribute malware, unauthorized commands
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized commands


Attack Description
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control.
Attack example
In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including ones to distribute malware, unauthorized commands
  • ZTMFW: Block any lateral movement including malware distribution
  • Diode: Block any attempt to access ICS devices from IT environment including malware distribution, unauthorized commands

Discovery techniques: Network Connection Enumeration, Network Sniffing, Remote System Discovery, Remote System Information Discovery, Wireless Sniffing

Attack Description
Adversaries may perform network connection enumeration to discover information about device communication patterns with tools such as netstat, and determine the role of certain devices on the network.
Attack example
Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including unauthorized commands such as enumeration. Traffic is encrypted end-to-end, so a sniffer captures only ciphertext (endpoint addresses and traffic volume remain observable)
  • ZTMFW: Block any lateral enumeration. Each device only sees packets addressed to it.
  • Diode: Block any attempt to access ICS devices from the IT environment, including for enumeration. Only authorized traffic on specific protocols is visible in the IT environment


Attack Description
Using a network interface on a computer system to monitor or capture information regardless of whether it is the specified destination for the information.
Attack example
The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including unauthorized commands such as enumeration. Traffic is encrypted end-to-end, so a sniffer captures only ciphertext (endpoint addresses and traffic volume remain observable)
  • ZTMFW: Block any lateral enumeration. Each device only sees packets addressed to it.
  • Diode: Block any attempt to access ICS devices from the IT environment, including for enumeration. Only authorized traffic on specific protocols is visible in the IT environment


Attack Description
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques.
Attack example
The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including unauthorized commands such as enumeration. Traffic is encrypted end-to-end, so a sniffer captures only ciphertext (endpoint addresses and traffic volume remain observable)
  • ZTMFW: Block any lateral enumeration. Each device only sees packets addressed to it.
  • Diode: Block any attempt to access ICS devices from the IT environment, including for enumeration. Only authorized traffic on specific protocols is visible in the IT environment


Attack Description
An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration.
Attack example
The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts, including unauthorized commands such as enumeration. Traffic is encrypted end-to-end, so a sniffer captures only ciphertext (endpoint addresses and traffic volume remain observable)
  • ZTMFW: Block any lateral enumeration. Each device only sees packets addressed to it.
  • Diode: Block any attempt to access ICS devices from the IT environment, including for enumeration. Only authorized traffic on specific protocols is visible in the IT environment


Attack Description
Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz.
Attack example
In the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems.
Mitigation using ES portfolio
  • BNS: All communication would be encrypted, so sniffing and replaying captured messages would not result in a compromise, provided the tunnel also authenticates each message and rejects repeated counters or nonces; encryption alone does not defeat replay
  • ZTMFW: Block any unauthorized lateral communication. One compromised device would not help attackers access other devices.

Lateral Movement techniques: Default Credentials, Exploitation of Remote Services, Lateral Tool Transfer, Program Download, Remote Services, Valid Accounts

Attack Description
Adversaries may leverage manufacturer or supplier set default credentials on control system devices.
Attack example
Stuxnet uses a default password hardcoded in the WinCC software’s database server as one of the mechanisms used to propagate to nearby systems.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including unauthorized login attempts
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for login


Attack Description
Covered under (Initial Access)
Attack example
Covered under (Initial Access)
Mitigation using ES portfolio
Covered under (Initial Access)

Attack Description
In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.
Attack example
Bad Rabbit can move laterally through industrial networks by means of the SMB service.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including file transfers.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for file transfer.


Attack Description
Adversaries may perform a program download to transfer a user program to a controller.
Attack example
PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including file transfers.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for file transfer.


Attack Description
Covered under (Initial Access)
Attack example
Covered under (Initial Access)
Mitigation using ES portfolio
Covered under (Initial Access)

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)
Collection techniques: Automated Collection, Data from Information Repositories, Detect Operating Mode, I/O Image, Man in the Middle, Monitor Process State, Point & Tag Identification, Program Upload, Screen Capture, Wireless Sniffing

Attack Description
Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.
Attack example
Using OPC, a component of Backdoor.Oldrea gathers details about connected devices and sends them back to the C2 server for the attackers to analyze.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including enumeration.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for enumeration, information collection


Attack Description
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.
Attack example
ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories.
Mitigation using ES portfolio
  • BNS: Protect the IT network from unauthorized internal and external access


Attack Description
Adversaries may gather information about a PLC’s or controller’s current operating mode. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.
Attack example
Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including operating mode enumeration or I/O image access.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for information collection


Attack Description
Collect the I/O Image state of a PLC by utilizing a device’s Native API to access the memory regions directly. The collection of the PLC’s I/O state could be used to replace values or inform future stages of an attack.
Attack example
Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including operating mode enumeration or I/O image access.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for information collection


Attack Description
Intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream.
Attack example
The VPNFilter’s ssler module configures the device’s iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service.
Mitigation using ES portfolio
  • BNS: Block all communication to non-standard IP addresses. Establish end-to-end white-box cryptography tunneling
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment.


Attack Description
Gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.
Attack example
Industroyer’s OPC and IEC 61850 protocol modules include the ability to send “stVal” requests to read the status of operational variables.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including enumeration, file transfer, screen capture image transfer
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for enumeration, information collection, file transfers such as screen capture


Attack Description
Collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. Tags are the identifiers given to points for operator convenience.
Attack example
The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including enumeration, file transfer, screen capture image transfer
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for enumeration, information collection, file transfers such as screen capture


Attack Description
Upload a program from a PLC to gather information about an industrial process.
Attack example
Triton calls SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes performing a program upload.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including enumeration, file transfer, screen capture image transfer
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for enumeration, information collection, file transfers such as screen capture


Attack Description
Adversaries may attempt to perform screen capture of devices in the control system environment.
Attack example
ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including enumeration, file transfer, screen capture image transfer
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including for enumeration, information collection, file transfers such as screen capture


Attack Description
Capture radio frequency (RF) communication used for remote control and reporting in distributed environments.
Attack example
In the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems.
Mitigation using ES portfolio
  • BNS: Encrypt all network traffic using WBC (white-box cryptography) tunneling, so sniffing and replaying would not be effective.

Commonly Used Port | Standard Application Layer Protocol | Connection Proxy

Attack Description
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection.
Attack example
Dragonfly 2.0 communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138.
Mitigation using ES portfolio
  • BNS: Perform deep inspection to identify and block non-standard patterns.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including access in common ports


Attack Description
Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic.
Attack example
REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server.
Mitigation using ES portfolio
  • BNS: Perform deep inspection to identify and block non-standard patterns.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including access in common ports


Attack Description
Use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.
Attack example
Sandworm Team establishes an internal proxy prior to the installation of backdoors within the network.
Mitigation using ES portfolio
  • BNS: Block all communication to non-standard IP/MAC addresses. Establish an end-to-end WBC tunnel.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment.

Activate Firmware Update Mode | Alarm Suppression | Block Command Message | Block Reporting Message | Block Serial COM | Data Destruction | Denial of Service | Device Restart/Shutdown | Manipulate I/O Image | Modify Alarm Settings | Service Stop | Rootkit | System Firmware

Attack Description
Activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction.
Attack example
The Industroyer SPIROTEC DoS module places the victim device into “firmware update” mode.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including mode change requests, and protocol requests
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including mode change requests


Attack Description
Target protection function alarms to prevent them from notifying operators of critical conditions.
Attack example
In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts including mode change requests, and protocol requests
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including mode change requests


Attack Description
Block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.
Attack example
In the Ukraine 2015 Incident, Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable.
Mitigation using ES portfolio
  • BNS: Encrypt all communication and block DoS attempts.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including mode change requests


Attack Description
Prevent a reporting message from reaching its intended target. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.
Attack example
Industroyer uses the first COM port from the configuration file for communication, and the other two COM ports are opened to prevent other processes from accessing them. This may block processes or operators from getting reporting messages from a device.
Mitigation using ES portfolio
  • BNS: Encrypt all communication and block DoS attempts.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including mode change requests


Attack Description
A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter.
Attack example
Industroyer uses the first COM port from the configuration file for communication, and the other two COM ports are opened to prevent other processes from accessing them. This may block processes or operators from getting reporting messages from a device.
Mitigation using ES portfolio
  • BNS: Encrypt all communication and block DoS attempts.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including mode change requests


Attack Description
Standard file deletion commands are available on most operating systems and device interfaces to perform cleanup, but adversaries may use other tools as well.
Attack example
KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion.
Mitigation using ES portfolio
  • BNS: Block all non-standard communication attempts
  • ZTMFW: Block any lateral movement
  • Diode: Block any attempt to access ICS devices from IT environment


Attack Description
Exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
Attack example
The PLC-Blaster implements an endless loop triggering an error condition within the PLC, with the impact of a DoS.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes.
Attack example
In the 2015 attack on the Ukrainian power grid, the Sandworm Team scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. The image table is the PLC’s internal storage location where values of inputs/outputs for one scan are stored while it executes the user program.
Attack example
PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios.
Attack example
In the Maroochy Attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Attack example
REvil searches for all processes listed in the “prc” field within its configuration file and then terminates each process.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Covered under (Evasion)
Attack example
Covered under (Evasion)
Mitigation using ES portfolio
Covered under (Evasion)

Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Brute Force I/O | Modify Parameter | Unauthorized Command Message | Module Firmware | Spoof Reporting Message

Attack Description
Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.
Attack example
The Industroyer IEC 104 module has 3 modes available to perform its attack.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
By modifying system- and process-critical parameters, the adversary may cause impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values compared with typical operations.
Attack example
In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function.
Attack example
Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Covered under (Persistence)
Attack example
Covered under (Persistence)
Mitigation using ES portfolio
Covered under (Persistence)

Attack Description
Covered under (Evasion)
Attack example
Covered under (Evasion)
Mitigation using ES portfolio
Covered under (Evasion)
Damage to Property | Denial of Control | Denial of View | Loss of Availability | Loss of Control | Loss of Productivity and Revenue | Loss of Protection | Loss of Safety | Loss of View | Manipulation of Control | Manipulation of View | Theft of Operational Information

Attack Description
Cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack.
Attack example
Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls.
Attack example
Industroyer is able to block serial COM channels temporarily causing a denial of control.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior.
Attack example
Industroyer is able to block serial COM channels, temporarily causing a denial of view.
Mitigation using ES portfolio
  • BNS: Shield the device from any unusual requests that could also result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services.
Attack example
In the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporarily halted on May 7th and were not fully restarted until May 12th.
Mitigation using ES portfolio
  • BNS: In addition to shielding the device, BNS can enable a remote operator to securely access the device.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.
Attack example
Industroyer’s data wiper component removes the registry “image path” throughout the system and overwrites all files, rendering the system unusable.
Mitigation using ES portfolio
  • BNS: In addition to shielding the device, BNS can enable a remote operator to securely access the device.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments.
Attack example
NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines.
Mitigation using ES portfolio
  • BNS: In addition to shielding the device, BNS can enable a remote operator to securely access the device.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel.
Attack example
Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays.
Mitigation using ES portfolio
  • BNS: In addition to shielding PLC devices, SIS devices and firewalls, BNS itself is invisible and therefore cannot be attacked. Only communication from authorized IP/MAC addresses is approved.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner.
Attack example
Triton has the capability to reprogram the Safety Instrumented System (SIS) logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard.
Mitigation using ES portfolio
  • BNS: In addition to shielding PLC devices, SIS devices and firewalls, BNS itself is invisible and therefore cannot be attacked. Only communication from authorized IP/MAC addresses is approved.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations.
Attack example
Some of Norsk Hydro’s production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations.
Mitigation using ES portfolio
  • BNS: In addition to shielding PLC devices, SIS devices and firewalls, BNS itself is invisible and therefore cannot be attacked. Only communication from authorized IP/MAC addresses is approved.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes.
Attack example
Stuxnet can apply inappropriate command sequences or parameters to cause damage to property.
Mitigation using ES portfolio
  • BNS: In addition to shielding PLC devices, SIS devices and firewalls, BNS itself is invisible and therefore cannot be attacked. Only communication from authorized IP/MAC addresses is approved.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported.
Attack example
Stuxnet manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions.
Mitigation using ES portfolio
  • BNS: In addition to shielding PLC devices, SIS devices and firewalls, BNS itself is invisible and therefore cannot be attacked. Only communication from authorized IP/MAC addresses is approved.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in DoS, Service Stop, Restart, I/O image manipulation, alarm manipulation


Attack Description
Steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.
Attack example
Dragonfly 2.0 captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment.
Mitigation using ES portfolio
  • BNS: Prevent data leakage by only allowing limited communication.
  • ZTMFW: Block any lateral access. Each device will only have access to packets targeted to it.
  • Diode: Block any attempt to access ICS devices from IT environment including ones that could result in data leakage.

Embedded Solutions 3000 Portfolio Summary

Feature | BNS | Microsegmentation Firewall | Data Diode
White Box Cryptography V
Bi-directional secure communication V V
Hardware Enforced Uni-directional communication V
Deep packet inspection including bit-level filtering V V
Communication redirection V
Zero Day attack protection V
Microsegmentation (via network) V
Microsegmentation (via endpoint) V
AI-enabled anomaly prevention V V
Compliance with key standards V V V
Invisible to network (no IP, MAC) V V V
Misconfiguration protected V V V
Zero-trust approach – insider threat not possible V V V
Fast deployment (<1H) V V V

Bit Net Sentry (BNS)

Bit Net Sentry (BNS) products are invisible to attackers, include WBC (white-box cryptography) passwordless secure tunneling, and offer bi-directional SCADA communication.

Shielded Firewalls

ES Embedded Solutions 3000 is the first to offer shielded firewalls! By adding layer-2 invisible shielding, the firewall itself is safer from being hacked and from backdoors.

We offer cyber protection products with some unique features: invisibility to attackers, keyless encryption (many cyber-attacks are done once the attackers get hold of the secret passwords), two-way SCADA, in-motion filtering, a separation between various networks’ classifications, prevention of zero-day attacks, as well as protection of the firewall itself.

For organizations that already have a firewall, we suggest adding the BNS (Bit Net Sentry) appliances to guard the firewall itself as well as to enhance the overall level of cybersecurity. For more information, browse to the Bit Net Sentry products category.

In addition, we offer a bundle of best-of-breed firewalls and our very own BNS appliance. In other words, we offer you a Shielded Firewall whose main advantage is securing the firewall itself from external hacking attempts, as well as protecting it in the case where malware is already inside the LAN (Local Area Network) and from there opens a backdoor at the firewall itself, enabling the hackers to access your sensitive information and carry out blackmail and ransomware attacks.