T0822 External Remote Services
Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. [1]
External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups use external remote services to reach control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access eases maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement.
As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third-party networks or through remote support employee connections where split tunneling is enabled. [2]
Item | Value |
---|---|
ID | T0822 |
Sub-techniques | |
Tactics | TA0108 |
Platforms | Control Server, Input/Output Server |
Version | 1.1 |
Created | 21 May 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary gained remote computer access to the system over radio. [8] |
G0034 | Sandworm Team | In the Ukraine 2015 Incident, Sandworm Team harvested VPN worker credentials and used them to remotely log into control system networks. [2][5][6][7] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0936 | Account Use Policies | Configure account-use features such as login attempt lockouts, permitted login times, and password strength requirements. Consider these features as they relate to assets which may impact safety and availability. [3] |
M0942 | Disable or Remove Feature or Program | Consider removing remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access points (e.g., jump boxes, VPN concentrators) are configured with least functionality, especially the removal of unnecessary services. [4] |
M0935 | Limit Access to Resource Over Network | Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. |
M0932 | Multi-factor Authentication | Use strong multi-factor authentication for remote service accounts to mitigate an adversary’s ability to leverage stolen credentials. Be aware of multi-factor authentication interception techniques for some implementations. |
M0930 | Network Segmentation | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. [3] |
M0927 | Password Policies | Set and enforce secure password policies for accounts. |
M0918 | User Account Management | Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0028 | Logon Session | Logon Session Metadata |
DS0029 | Network Traffic | Network Traffic Flow |
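As an added example (not part of the ATT&CK page), the following script correlates constructed Logon Session Metadata from a VPN concentrator with Network Traffic Flow records to surface the pattern described above: a remote-access session reaching the control-system network outside its permitted login times, or from an account not approved for control-network access. The control subnet, maintenance window, account list and record fields are assumptions for illustration.

```python
import ipaddress
from datetime import datetime

# Assumed environment values for this example (not from the ATT&CK page).
CONTROL_NET = ipaddress.ip_network("10.50.0.0/16")   # control-system network
MAINTENANCE_HOURS = range(8, 18)                      # 08:00-17:59, per M0936 login times
APPROVED_CONTROL_ACCOUNTS = {"vendor-pump-svc"}       # accounts allowed into CONTROL_NET

# Constructed Logon Session Metadata (DS0028), one record per VPN logon.
VPN_LOGONS = [
    {"user": "vendor-pump-svc", "session": "s1", "assigned_ip": "10.200.0.11", "time": "2023-03-30T09:15:00"},
    {"user": "j.doe",           "session": "s2", "assigned_ip": "10.200.0.12", "time": "2023-03-30T02:40:00"},
    {"user": "vendor-pump-svc", "session": "s3", "assigned_ip": "10.200.0.13", "time": "2023-03-30T23:05:00"},
]

# Constructed Network Traffic Flow records (DS0029) from VPN-assigned addresses.
FLOWS = [
    {"src": "10.200.0.11", "dst": "10.50.1.20", "dport": 502},   # approved account, in hours
    {"src": "10.200.0.12", "dst": "10.50.1.21", "dport": 3389},  # unapproved account, at night
    {"src": "10.200.0.12", "dst": "10.1.5.5",   "dport": 443},   # corporate host, not control net
    {"src": "10.200.0.13", "dst": "10.50.1.20", "dport": 502},   # approved account, out of hours
]

def find_suspicious_sessions(logons, flows):
    """Return [(session_id, [reasons])] for VPN sessions whose traffic reached
    CONTROL_NET while violating the login-time or account-approval policy."""
    control_flows_by_src = {}
    for f in flows:
        if ipaddress.ip_address(f["dst"]) in CONTROL_NET:
            control_flows_by_src.setdefault(f["src"], []).append(f)

    findings = []
    for logon in logons:
        if logon["assigned_ip"] not in control_flows_by_src:
            continue  # session never touched the control network
        reasons = []
        if datetime.fromisoformat(logon["time"]).hour not in MAINTENANCE_HOURS:
            reasons.append("outside maintenance window")
        if logon["user"] not in APPROVED_CONTROL_ACCOUNTS:
            reasons.append("account not approved for control network")
        if reasons:
            findings.append((logon["session"], reasons))
    return findings

if __name__ == "__main__":
    for session, reasons in find_suspicious_sessions(VPN_LOGONS, FLOWS):
        print(session, "->", "; ".join(reasons))
```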
References
1. Daniel Oakley, Travis Smith, Tripwire. Retrieved 2018/05/30.
2. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. 2016, March 18. Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved 2018/03/27.
3. Keith Stouffer. 2015, May. Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
4. Department of Homeland Security. 2016, September. Retrieved 2020/09/25.
5. ICS-CERT. 2016, February 25. Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved 2019/03/08.
6. John Hultquist. 2016, January 07. Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved 2019/03/08.
7. Zetter, Kim. 2016, March 03. Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid. Retrieved 2019/03/08.
8. Marshall Abrams. 2008, July 23. Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia. Retrieved 2018/03/27.