T0819 Exploit Public-Facing Application
Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.
An adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.
| Item | Value |
|---|---|
| ID | T0819 |
| Sub-techniques | |
| Tactics | TA0108 |
| Platforms | Human-Machine Interface |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0034 | Sandworm Team | Sandworm Team actors exploited vulnerabilities in GE’s Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. 5 4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0948 | Application Isolation and Sandboxing | Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux. |
| M0950 | Exploit Protection | Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. 1 |
| M0930 | Network Segmentation | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| M0926 | Privileged Account Management | Use least privilege for service accounts. 2 3 |
| M0951 | Update Software | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure. |
| M0916 | Vulnerability Scanning | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Content |
References
-
Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ↩
-
Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ↩
-
National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ↩
-
ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ↩
-
ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ↩