Configure hosts and devices to use static network configurations where possible. Protocols that rely on dynamic discovery or addressing (e.g., ARP, DHCP, DNS) can be abused to manipulate how network messages are forwarded and thereby enable various adversary-in-the-middle (AiTM) attacks. This mitigation may not always be feasible because of limited device features or the operational challenges introduced by changing an existing network configuration.
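The ARP case is the one most often exploited in practice, so the following added example (not part of this page) shows what "static network configuration" looks like on a Linux host: it parses neighbour-table output in the format of `ip -4 neigh show`, flags entries for managed automation hosts that are still dynamic or whose cached MAC no longer matches a baseline, and emits the `ip neigh replace ... nud permanent` commands that pin them. The hosts, MAC addresses and sample table are constructed for illustration (RFC 5737 documentation addresses).

```python
"""Audit a Linux neighbour (ARP) table for entries an ARP-spoofing adversary
could overwrite, and emit the commands that pin them as static.

Added example, not part of the ATT&CK page. SAMPLE_NEIGH mimics `ip -4 neigh show`
output; the hosts, MACs and baseline are constructed (RFC 5737 addresses).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the MAC each statically managed automation host should have.
BASELINE = {
    "192.0.2.1": "00:0c:29:11:22:33",   # gateway
    "192.0.2.10": "00:1d:9c:aa:bb:01",  # PLC
    "192.0.2.20": "00:1d:9c:aa:bb:02",  # HMI
}

# Constructed neighbour table: the PLC is pinned, the HMI was learned dynamically,
# and the gateway entry carries a MAC that differs from the baseline, which is what
# a spoofed ARP reply leaves behind in a dynamic table.
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:1d:9c:aa:bb:01 PERMANENT
192.0.2.20 dev eth0 lladdr 00:1d:9c:aa:bb:02 REACHABLE
192.0.2.1 dev eth0 lladdr 00:0c:29:de:ad:01 STALE
192.0.2.99 dev eth0 FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))? (?P<state>\S+)$"
)


@dataclass(frozen=True)
class Neigh:
    ip: str
    dev: str
    mac: Optional[str]  # None for INCOMPLETE/FAILED entries
    state: str


def parse_neigh(text: str) -> list:
    """Parse `ip -4 neigh show` lines; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Neigh(m["ip"], m["dev"], m["mac"], m["state"]))
    return entries


def audit(entries, baseline) -> list:
    """Return (ip, finding, detail) tuples for managed hosts.

    mac_mismatch: the cached MAC is not the baseline MAC (possible ARP spoofing).
    dynamic_entry: state is not PERMANENT, so a gratuitous ARP reply can replace it.
    missing: no entry at all, so the next lookup will be resolved dynamically.
    """
    findings = []
    seen = set()
    for e in entries:
        if e.ip not in baseline:
            continue  # not a host we manage statically
        seen.add(e.ip)
        if e.mac and e.mac.lower() != baseline[e.ip].lower():
            findings.append((e.ip, "mac_mismatch",
                             f"expected {baseline[e.ip]}, table has {e.mac}"))
        if e.state != "PERMANENT":
            findings.append((e.ip, "dynamic_entry",
                             f"state {e.state} can be overwritten by a spoofed reply"))
    for ip in sorted(set(baseline) - seen):
        findings.append((ip, "missing", "no neighbour entry; resolved dynamically"))
    return findings


def pin_commands(baseline, dev="eth0") -> list:
    """`ip neigh replace ... nud permanent` creates or overwrites a static entry."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in sorted(baseline.items())]


if __name__ == "__main__":
    for ip, kind, detail in audit(parse_neigh(SAMPLE_NEIGH), BASELINE):
        print(f"{ip:12} {kind:14} {detail}")
    print("\nremediation:")
    print("\n".join(pin_commands(BASELINE)))
```

A PERMANENT entry is never updated by received ARP traffic, which is why the audit treats any other state as a finding even when the MAC currently matches. Run the audit from a known-good baseline captured during commissioning; a mismatch that appears later is either a legitimate hardware swap or an AiTM attempt, and the static entry has to be updated deliberately in both cases.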
Domain | ID | Name | Use
---|---|---|---
ICS | T0830 | Adversary-in-the-Middle | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables.
ICS | T0878 | Alarm Suppression | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
ICS | T0803 | Block Command Message | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
ICS | T0804 | Block Reporting Message | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
ICS | T0842 | Network Sniffing | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables.
ICS | T0846 | Remote System Discovery | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and EtherNet/IP. [5]
ICS | T0888 | Remote System Information Discovery | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and EtherNet/IP. [5]