JUST RELEASED: ATT&CK for Industrial Control Systems

TECHNIQUES

Priority Definition Planning

Assess current holdings, needs, and wants

Assess KITs/KIQs benefits

Assess leadership areas of interest

Assign KITs/KIQs into categories

Conduct cost/benefit analysis

Create implementation plan

Create strategic plan

Derive intelligence requirements

Develop KITs/KIQs

Generate analyst intelligence requirements

Identify analyst level gaps

Identify gap areas

Receive operator KITs/KIQs tasking

Priority Definition Direction

Assign KITs, KIQs, and/or intelligence requirements

Receive KITs/KIQs and determine requirements

Submit KITs, KIQs, and intelligence requirements

Task requirements

Target Selection

Determine approach/attack vector

Determine highest level tactical element

Determine operational element

Determine secondary level tactical element

Determine strategic target

Technical Information Gathering

Acquire OSINT data sets and information

Conduct active scanning

Conduct passive scanning

Conduct social engineering

Determine 3rd party infrastructure services

Determine domain and IP address space

Determine external network trust dependencies

Determine firmware version

Discover target logon/email address format

Enumerate client configurations

Enumerate externally facing software applications technologies, languages, and dependencies

Identify job postings and needs/gaps

Identify security defensive capabilities

Identify supply chains

Identify technology usage patterns

Identify web defensive services

Map network topology

Mine technical blogs/forums

Obtain domain/IP registration information

Spearphishing for Information

People Information Gathering

Acquire OSINT data sets and information

Aggregate individual's digital footprint

Conduct social engineering

Identify business relationships

Identify groups/roles

Identify job postings and needs/gaps

Identify people of interest

Identify personnel with an authority/privilege

Identify sensitive personnel information

Identify supply chains

Mine social media

Organizational Information Gathering

Acquire OSINT data sets and information

Conduct social engineering

Determine 3rd party infrastructure services

Determine centralization of IT management

Determine physical locations

Identify business processes/tempo

Identify business relationships

Identify job postings and needs/gaps

Identify supply chains

Obtain templates/branding materials

Technical Weakness Identification

Analyze application security posture

Analyze architecture and configuration posture

Analyze data collected

Analyze hardware/software security defensive capabilities

Analyze organizational skillsets and deficiencies

Identify vulnerabilities in third-party software libraries

Research relevant vulnerabilities/CVEs

Research visibility gap of security vendors

Test signature detection

People Weakness Identification

Analyze organizational skillsets and deficiencies

Analyze social and business relationships, interests, and affiliations

Assess targeting options

Organizational Weakness Identification

Analyze business processes

Analyze organizational skillsets and deficiencies

Analyze presence of outsourced capabilities

Assess opportunities created by business deals

Assess security posture of physical locations

Assess vulnerability of 3rd party vendors

Adversary OPSEC

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Anonymity services

Common, high volume protocols and software

Compromise 3rd party infrastructure to support delivery

Domain Generation Algorithms (DGA)

Host-based hiding techniques

Misattributable credentials

Network-based hiding techniques

Non-traditional or less attributable payment options

Obfuscate infrastructure

Obfuscate operational infrastructure

Obfuscate or encrypt code

Obfuscation or cryptography

OS-vendor provided communication channels

Private whois services

Proxy/protocol relays

Secure and protect infrastructure

Establish & Maintain Infrastructure

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Buy domain name

Compromise 3rd party infrastructure to support delivery

Create backup infrastructure

Domain registration hijacking

Install and configure hardware, network, and systems

Obfuscate infrastructure

Obtain booter/stressor subscription

Procure required equipment and software

SSL certificate acquisition for domain

SSL certificate acquisition for trust breaking

Use multiple DNS infrastructures

Persona Development

Build social network persona

Choose pre-compromised mobile app developer account credentials or signing keys

Choose pre-compromised persona and affiliated accounts

Develop social network persona digital footprint

Friend/Follow/Connect to targets of interest

Obtain Apple iOS enterprise distribution key pair and certificate

Build Capabilities

Build and configure delivery systems

Build or acquire exploits

C2 protocol development

Compromise 3rd party or closed-source vulnerability/exploit information

Create custom payloads

Create infected removable media

Discover new exploits and monitor exploit-provider forums

Identify resources required to build capabilities

Obtain/re-use payloads

Post compromise tool development

Remote access tool development

Test Capabilities

Review logs and residual traces

Test ability to evade automated mobile application security analysis performed by app stores

Test callback functionality

Test malware in various execution environments

Test malware to evade detection

Test physical access

Test signature detection for file upload/email filters

Stage Capabilities

Disseminate removable media

Distribute malicious software development tools

Friend/Follow/Connect to targets of interest

Hardware or software supply chain implant

Port redirector

Upload, install, and configure software/tools

Buy domain name

Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. ^[1]

ID: T1328

Tactic: Establish & Maintain Infrastructure

Version: 1.0

Created: 14 December 2017

Last Modified: 17 October 2018

Procedure Examples

Name	Description
APT28	APT28 registered domains imitating NATO and OSCE security websites and Caucasus information resources.^[2]

Detection

Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka "domain typosquatting" or homoglyphs).

References

Tom Lancaster and Michael Yip. (2014, December 05). APT28: Sofacy? So-funny.. Retrieved March 6, 2017.

FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.