Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.[1]
Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information.[2]
ID | Name | Description |
---|---|---|
S0038 | Duqu | Duqu downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.[3] |
ID | Asset |
---|---|
A0007 | Control Server |
A0006 | Data Historian |
ID | Mitigation | Description |
---|---|---|
M0947 | Audit | Consider periodic reviews of accounts and privileges for critical and sensitive repositories. |
M0941 | Encrypt Sensitive Information | Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know.[4][5] |
M0926 | Privileged Account Management | Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software.[5] |
M0922 | Restrict File and Directory Permissions | Protect files with proper permissions to limit opportunities for adversaries to interact with and collect information from databases.[4][5] |
M0918 | User Account Management | Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions. |
M0917 | User Training | Develop and publish policies that define acceptable information to be stored in repositories. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Because information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User Behavior Analytics (UBA) platforms to detect and alert on user-based anomalies. |
DS0028 | Logon Session | Logon Session Creation | Monitor for newly constructed logon sessions to information repositories. Microsoft's SharePoint can be configured to report access to certain pages and documents.[6] SharePoint audit logging can also be configured to report when a user shares a resource.[7] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[8] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. |
DS0033 | Network Share | Network Share Access | In the case of detecting collection from shared network drives, monitor for unexpected and abnormal accesses to network shares. |
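The Application Log Content row above describes two concrete analytics: alerting on repository access by privileged accounts, and alerting on a single user retrieving an unusually large number of documents in a short window. The script below is an added example (not part of the original page and not from any repository product) that implements both rules over constructed key=value access-log lines. The log format, the `USER_GROUPS` directory mapping, the `PRIVILEGED_GROUPS` set, and the bulk threshold and window are all assumptions chosen for illustration; a real deployment would read these from the SharePoint/Confluence audit export and the directory service.

```python
"""Two detection rules for collection from information repositories:
1. any access by an account in a privileged directory group;
2. one user viewing >= bulk_threshold documents inside a sliding time window
   (a proxy for programmatic bulk retrieval).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line layout: "<ISO-8601 UTC ts> user=<id> action=<verb> doc=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+)$"
)

# Groups whose members should not be browsing the repository at all (assumption
# following the page's examples of Domain/Enterprise/Schema Administrators).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed directory lookup: user -> set of group names (not real accounts).
USER_GROUPS = {
    "jdoe": {"Engineering"},
    "mlee": {"Engineering"},
    "svc-backup": {"Domain Admins"},
}

# Constructed sample log: two normal views by jdoe, one view by a privileged
# account, then 12 views by mlee within 44 seconds (bulk-retrieval pattern).
SAMPLE_LOG = [
    "2024-03-04T08:00:01Z user=jdoe action=view doc=/eng/plc/line3-ladder.pdf",
    "2024-03-04T08:00:05Z user=jdoe action=view doc=/eng/rtu/site-list.xlsx",
    "2024-03-04T08:01:10Z user=svc-backup action=view doc=/eng/scada/hmi-layout.vsd",
] + [
    f"2024-03-04T08:02:{i * 4:02d}Z user=mlee action=view doc=/eng/scada/doc-{i:03d}.pdf"
    for i in range(12)
]


def parse_line(line):
    """Return a dict with ts (aware datetime), user, action, doc; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, user_groups, bulk_threshold=10, window=timedelta(seconds=60)):
    """Run both rules over an iterable of log lines and return a list of alerts."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of 'view' events in window
    bulk_flagged = set()          # alert once per user per run, not per event

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than fail the whole run

        # Rule 1: privileged accounts should not be reading repository content.
        if user_groups.get(ev["user"], set()) & PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged-access", "user": ev["user"], "doc": ev["doc"]})

        # Rule 2: sliding-window count of document views per user.
        if ev["action"] != "view":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop views that fell out of the window
        if len(q) >= bulk_threshold and ev["user"] not in bulk_flagged:
            bulk_flagged.add(ev["user"])
            alerts.append({"rule": "bulk-retrieval", "user": ev["user"], "count": len(q)})

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, USER_GROUPS):
        print(a)
```

On the sample data the run produces one `privileged-access` alert for `svc-backup` and one `bulk-retrieval` alert for `mlee` (fired at the tenth view), while `jdoe` triggers nothing. The threshold and window are the tuning knobs the page alludes to; in a large repository they should be set from a baseline of normal per-user activity, and the per-user alert suppression in `bulk_flagged` keeps a single bulk download from generating hundreds of alerts.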