Modify System Image: Downgrade System Image

ID          Name
T1601.001   Patch System Image
T1601.002   Downgrade System Image

Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer and less frequently updated defensive features. [1]

On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on the next system restart. The adversary could then restart the device to implement the change immediately, or they could wait until the next time the system restarts.

Downgrading the system image to an older version may allow an adversary to evade defenses by enabling behaviors such as Weaken Encryption. Downgrading a system image can be done on its own, or it can be used in conjunction with Patch System Image.

ID: T1601.002
Sub-technique of: T1601
Tactic: Defense Evasion
Platforms: Network
Permissions Required: Administrator
Version: 1.0
Created: 19 October 2020
Last Modified: 22 October 2020

Mitigations

ID Mitigation Description
M1046 Boot Integrity

Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. [2]

M1045 Code Signing

Many vendors provide digitally signed operating system images to validate the integrity of the software used on their platform. Make use of this feature where possible in order to prevent and/or detect attempts by adversaries to compromise the system image. [3]

M1043 Credential Access Protection

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [4]

M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor-prescribed best practices for hardening access control. [5]

M1027 Password Policies

Refer to NIST guidelines when creating password policies. [6]

M1026 Privileged Account Management

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

Detection

ID       Data Source   Data Component      Detects
DS0022   File          File Modification

Monitor for changes made to the operating system of a network device. Since image downgrade may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor-provided operating system image file.
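One way to turn this detection guidance into a repeatable check, as an added example that is not part of the ATT&CK page and not any vendor's tooling: take a device inventory (running image, image staged for the next boot, and the staged file's hash), compare each image version against a per-device baseline to catch a downgrade (T1601.002), flag a staged image that differs from the running one as a pending change, and verify the staged file's hash against the vendor-published known-good hashes to catch a patched image (T1601.001). The device names, image file names, versions, hashes and the convention that the version is embedded in the image file name are all constructed assumptions for the example.

```python
"""
Added example (not ATT&CK content): check a network-device inventory for
system-image downgrades and tampered boot images.
All device names, image names, versions and hashes are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for vendor-provided image files. In practice the
# known-good hashes come from the vendor's published manifest, not from
# hashing files found on the device.
IMAGE_CONTENTS = {
    "nos-16.9.4.bin": b"constructed image bytes for 16.9.4",
    "nos-15.2.1.bin": b"constructed image bytes for 15.2.1",
}
KNOWN_GOOD_HASHES = {
    name: hashlib.sha256(data).hexdigest() for name, data in IMAGE_CONTENTS.items()
}

# Constructed baseline: the minimum version each device is expected to run.
BASELINE_VERSION = {"core-rtr-01": "16.9.4", "edge-sw-07": "16.9.4"}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(image_name):
    """Extract a dotted version from an image file name as a tuple of ints.
    Assumes the vendor encodes the version in the file name."""
    match = VERSION_RE.search(image_name)
    if not match:
        raise ValueError(f"no version in image name: {image_name}")
    return tuple(int(part) for part in match.group(1).split("."))


@dataclass
class DeviceState:
    device: str
    running_image: str      # image the device booted from
    boot_image: str         # image configured for the next restart
    boot_image_sha256: str  # hash of the staged boot image in flash


def check_device(state):
    """Return a list of findings for one device; an empty list means nothing suspicious."""
    findings = []
    baseline_text = BASELINE_VERSION[state.device]
    baseline = parse_version(baseline_text)

    # Downgrade check on both the running image and the one staged for next boot.
    for label, image in (("running", state.running_image), ("boot", state.boot_image)):
        if parse_version(image) < baseline:
            findings.append(
                f"{label} image {image} is older than baseline {baseline_text} "
                f"(possible T1601.002)"
            )

    # A staged image that differs from the running one is a change that takes
    # effect at the next restart, which is exactly how the technique is applied.
    if state.boot_image != state.running_image:
        findings.append(
            f"boot image {state.boot_image} differs from running image "
            f"{state.running_image} (change pending at next restart)"
        )

    # Integrity check against the vendor manifest: an unknown or mismatching
    # image may be a patched image (T1601.001) rather than a plain downgrade.
    expected = KNOWN_GOOD_HASHES.get(state.boot_image)
    if expected is None:
        findings.append(f"boot image {state.boot_image} is not in the known-good manifest")
    elif expected != state.boot_image_sha256:
        findings.append(
            f"boot image {state.boot_image} hash mismatch against vendor manifest "
            f"(possible T1601.001)"
        )
    return findings


def check_inventory(states):
    """Map each device name to its findings."""
    return {state.device: check_device(state) for state in states}


# Constructed inventory: one healthy device and one with an older image staged for next boot.
SAMPLE_INVENTORY = [
    DeviceState("core-rtr-01", "nos-16.9.4.bin", "nos-16.9.4.bin",
                KNOWN_GOOD_HASHES["nos-16.9.4.bin"]),
    DeviceState("edge-sw-07", "nos-16.9.4.bin", "nos-15.2.1.bin",
                KNOWN_GOOD_HASHES["nos-15.2.1.bin"]),
]

if __name__ == "__main__":
    for device, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(device, findings or ["ok"])
```

The hash comparison is deliberately kept separate from the version comparison: a downgrade to a genuine older vendor image passes the hash check but fails the version check, while a patched image of the current version passes the version check but fails the hash check, so the two findings point at the two sub-techniques independently.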

References