M0814 Static Network Configuration
Configure hosts and devices to use static network configurations when possible. Protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.
Item | Value |
---|---|
ID | M0814 |
Version | 1.1 |
Created | 06 June 2019 |
Last Modified | 05 April 2023 |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
ics | T0830 | Adversary-in-the-Middle | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts’ dynamic ARP tables. |
ics | T0878 | Alarm Suppression | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
ics | T0803 | Block Command Message | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
ics | T0804 | Block Reporting Message | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
ics | T0842 | Network Sniffing | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts’ dynamic ARP tables. |
ics | T0846 | Remote System Discovery | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and Ethernet/IP. [5] |
ics | T0888 | Remote System Information Discovery | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and Ethernet/IP. [5] |
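
One way to check that the statically defined ARP entries described for T0830 and T0842 are actually in place on a Linux host, as an added example that is not part of the ATT&CK page: it parses `ip neigh show` output and compares it with an asset inventory. The addresses, MACs, sample output and function names are constructed for illustration.

```python
import re

# Constructed inventory (assumption): IP -> MAC that should be pinned statically.
EXPECTED = {
    "192.0.2.1": "02:00:00:aa:00:01",   # gateway
    "192.0.2.10": "02:00:00:aa:00:10",  # PLC
    "192.0.2.20": "02:00:00:aa:00:20",  # HMI
}

# Constructed sample of `ip neigh show` output (Linux iproute2 format).
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 02:00:00:aa:00:01 PERMANENT
192.0.2.10 dev eth0 lladdr 02:00:00:aa:00:10 REACHABLE
192.0.2.20 dev eth0 lladdr 02:00:00:ff:00:01 STALE
192.0.2.77 dev eth0 lladdr 02:00:00:ff:00:02 REACHABLE
192.0.2.99 dev eth0 FAILED
"""

LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>\S+))?(?: router)? (?P<state>[A-Z_]+)$"
)

def parse_neigh(text):
    """Yield (ip, mac, state) for each resolved neighbour; unresolved lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m["mac"]:
            yield m["ip"], m["mac"].lower(), m["state"]

def audit(text, expected):
    """Return sorted (ip, finding) pairs where the table deviates from the inventory."""
    findings, seen = [], set()
    for ip, mac, state in parse_neigh(text):
        seen.add(ip)
        want = expected.get(ip)
        if want is None:
            findings.append((ip, "unexpected-host"))   # neighbour not in inventory
        elif mac != want.lower():
            findings.append((ip, "mac-mismatch"))      # possible spoofed ARP reply
        elif state != "PERMANENT":
            findings.append((ip, "not-static"))        # learned dynamically, can be overwritten
    findings += [(ip, "missing-entry") for ip in expected if ip not in seen]
    return sorted(findings)

if __name__ == "__main__":
    for ip, finding in audit(SAMPLE, EXPECTED):
        print(f"{ip}\t{finding}")
```
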
References
1. D. Parsons and D. Wylie. (2019, September). Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets. Retrieved 2020/09/25.
2. Colin Gray. How SDN Can Improve Cybersecurity in OT Networks. Retrieved 2020/09/25.
3. Josh Rinaldi. (2016, April). Still a Thrill: OPC UA Device Discovery. Retrieved 2020/09/25.
4. Aditya K Sood. (2019, July). Discovering and fingerprinting BACnet devices. Retrieved 2020/09/25.
5. Langner. (2018, November). Why Ethernet/IP changes the OT asset discovery game. Retrieved 2020/09/25.