Initial Access
Techniques
| ID | Name | Description |
|---|---|---|
| EST000001 | Drive-By Compromise | A Cyber Embedded Technique in which an adversary gains access to a system by using a maintenance or debug port or protocol on the system to inject malware. This differs from the traditional Drive-by Compromise in that, for embedded systems, it requires an active event by the actor and only a passive event by the unwitting user. Typical drive-by compromise process: the adversary preloads malware through a debug interface of the target sub-system, such as: • 1394B (via FireWire) • UART (via RS-232) • PCMCIA slot (via external PCI interface) • ARINC 615 (via ARINC 429) • ARINC 615A (via Ethernet). These unauthenticated protocols accept the malware by default because the system is trusted (no authentication or software signing), allowing the adversary to gain persistence inside the sub-system. Once the malware is loaded, the adversary removes any physical connection and the system appears physically unaltered. |
| EST000002 | Hardware Additions | A Cyber Embedded Technique in which an adversary introduces computer accessories, computers, or networking hardware into a sub-system or serial network that can be used as a vector to gain access. Such products offer capabilities such as passive network tapping, man-in-the-middle encryption breaking, keystroke injection, data injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others. Examples of serial networks include ARINC 429, CAN, J1939, AS5643 and SpaceWire. |
| EST000003 | Access via Removable Media | A Cyber Embedded Technique in which an adversary moves onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of embedded features that execute when the media is inserted into a system. This technique aligns with ICS ATT&CK T0847, Replication Through Removable Media. |
| EST000004 | Supply Chain Compromise | A Cyber Embedded Technique in which an adversary compromises the supply chain by manipulating products or product delivery mechanisms prior to receipt by the final consumer, for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain, including: • Manipulation of development tools • Manipulation of a development environment • Manipulation of source code repositories (public or private) • Manipulation of source code in open-source dependencies • Manipulation of software update/distribution mechanisms • Compromised/infected system images (multiple cases of removable media infected at the factory) • Replacement of legitimate software with modified versions • Sales of modified/counterfeit products to legitimate distributors • Shipment interdiction. While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set, or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open-source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of. |
| EST000005 | Trusted Relationship | A Cyber Embedded Technique in which an adversary breaches or otherwise leverages organizations that have access through trusted relationships. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second- or third-party external providers so that they can manage internal systems as well as cloud-based environments. Examples of these relationships include original equipment engineers or depot maintenance contractors. The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used. |
| EST000006 | Access via Valid Accounts | A Cyber Embedded Technique in which an adversary obtains and abuses the credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In practice, embedded systems are more closely aligned with Local Accounts as described by MITRE ATT&CK sub-technique T1079.003, but may also include devices such as embedded laptops. |
| EST000007 | Exploit via Radio Interfaces | A Cyber Embedded Technique in which an adversary attacks the platform via external RF sources, with the overall goal of influencing the subsystems on the platform that manage RF energy in some way. • Analog Communication: Compromise through analog voice at the subsystem stage on a platform, from an external or internal source. Processing of the signal acts as a peripheral to the host system MCU / processor. This may be used as the pivot point to other subsystems. • Digital Communication: Compromise through digital voice communications media at the subsystem stage on a platform, from an external or internal source. Processing of the signal acts as a peripheral to the host system MCU / processor. This may be used as the pivot point to other subsystems. • Data Link: Compromise through a remote service the platform uses for legitimate purposes (IFF, data links, etc.). Processing of the signal acts as a peripheral to the host system MCU / processor. This may be used as the pivot point to other subsystems. • Non-Data Link: Exploiting a non-communications RF path (radar, for example) to gain initial access to the platform. Processing of the signal acts as a peripheral to the host system MCU / processor. This may be used as the pivot point to other subsystems. • Standardized Open Frequencies (i.e. 2.4 GHz, 5 GHz, 60 GHz): Compromise of wireless communications typically used for packetized data transfer to gain access to the platform via a specific subsystem. Processing of the signal acts as a peripheral to the host system MCU / processor. This may be used as the pivot point to other subsystems. |
| EST000008 | Install Insecure or Malicious Configuration | A Cyber Embedded Technique in which an adversary inserts a malicious configuration, either through the Supply Chain or some other DevOps cycle, in order to download malware. An example is inserting a callout function on a data link that causes the system to use malicious data by controlling the location it draws from. |
| EST000009 | Maintenance or Debug Ports | A Cyber Embedded Technique in which an adversary gains access through maintenance or debug ports. These ports, typically used for maintenance actions, raise the capability of an attacker and can serve as the initial access point. They typically allow OEMs or field-level maintenance technicians to perform the operations required to preserve the mission capability of the platform. Use of these ports also advances technical knowledge of the system, enabling reverse-engineering efforts. |
| EST000010 | Authenticated Menu Bypass | A Cyber Embedded Technique in which an adversary gains an initial access vector and performs DMA attacks/manipulation directly from the multi-function display/MCDU to bypass authentication mechanisms. This may further reverse-engineering efforts or simply allow an adversary to perform an impact action immediately. |
| EST000011 | Masquerade as Legitimate Application | A Cyber Embedded Technique in which an adversary exploits lacking or primitive legacy sub-system security to masquerade as a legitimate application. Computationally, some legacy avionics LRUs could only perform simple cyclic redundancy checks (CRCs). Defeating these checks today can be accomplished by a standard desktop PC extremely quickly. |
| EST000012 | Engineering Workstation Compromise | A Cyber Embedded Technique in which an adversary compromises ground support equipment used at the depot maintenance location, so that they can affect the system baseline, or affect platforms as they are cycled through the depot. This provides multiple routes of entry into the platform; refer to Enterprise ATT&CK for routes to compromise. This may affect the whole platform or only specific LRUs, and would also then affect devices in the maintenance lifecycle. |
| EST000013 | Internet Accessible Device | A Cyber Embedded Technique in which an adversary exploits an internet-accessible device, for example one holding planning documents for operational use that have been maliciously modified. |
| EST000014 | Access via Direct Connect System | A Cyber Embedded Technique in which an adversary exploits a Direct Connect System (DCS) to deploy and execute malware on the connected device, to gain a persistent foothold or to pivot to other subsystems and have a specific effect on a system. Emulating a specific type of DCS is also possible, enabling execution; in-circuit emulation (ICE) is an example. ICE is the use of a hardware device (an in-circuit emulator) to debug the software of an embedded system. It operates by using a processor with the additional ability to support debugging operations, as well as to carry out the main function of the system. Particularly for older systems with limited processors, this usually involved temporarily replacing the processor with a hardware emulator: a more expensive, more powerful version. Historically this took the form of a bond-out processor with many internal signals exposed for the purpose of debugging; these signals provide information about the state of the processor. |
| EST000015 | Downgrade to Insecure Protocols | A Cyber Embedded Technique in which an adversary undermines a secure protocol, through means such as intercepting a secure handshake or jamming the secure protocol, so that the operator is forced to revert to an insecure protocol. This exposes the insecure protocol and changes the security posture of the system, opening further attack vectors. |