T0842 Network Sniffing
Network sniffing is the practice of using a network interface on a computer system to monitor or capture information, regardless of whether that system is the specified destination for the information.[1]
An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis.
In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
| Item | Value |
|---|---|
| ID | T0842 |
| Sub-techniques | |
| Tactics | TA0102 |
| Platforms | Field Controller/RTU/PLC/IED |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1045 | INCONTROLLER | INCONTROLLER can deploy Tcpdump to sniff network traffic and collect PCAP files.[4] |
| S0603 | Stuxnet | DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus, a standard industrial network bus used for distributed I/O. The original block is copied to FC1869 and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it calls the original DP_RECV in FC1869 and then performs postprocessing on the packet data. The replaced DP_RECV block (later referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules.[7] |
| S1010 | VPNFilter | The VPNFilter packet sniffer looks for basic authentication and also monitors ICS traffic; it is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502 are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a Modbus-enabled HMI.[6][5] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0808 | Encrypt Network Traffic | Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.[2] |
| M0932 | Multi-factor Authentication | Use multi-factor authentication wherever possible. |
| M0930 | Network Segmentation | Segment networks and systems appropriately to reduce access to critical system and services communications. |
| M0926 | Privileged Account Management | Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools.[3] |
| M0814 | Static Network Configuration | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
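As an added illustration of the two detection data components above (not MITRE's own content or tooling), the script below scans process-creation records for packet-capture tools such as the tcpdump used by INCONTROLLER, and Linux kernel messages for interfaces entering promiscuous mode; the event schema, the tool watchlist and all sample telemetry are constructed for this example.

```python
import re
from typing import Optional

# Constructed watchlist of common packet-capture tools; tcpdump is the one this page names.
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "windump"}
WRITES_PCAP = re.compile(r"(?:^|\s)-w\s+\S+")          # -w <file>: capture written to disk
PROMISC_LINE = re.compile(r"device (\S+) entered promiscuous mode")  # Linux kernel message

def check_process_creation(event: dict) -> Optional[str]:
    """DS0009 Process Creation: flag a record whose image is a capture tool.
    Constructed event schema: {'image': path, 'cmdline': str, 'user': str}."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    if image not in CAPTURE_TOOLS:
        return None
    # Writing a PCAP file (as INCONTROLLER does) is rated higher than a live view.
    severity = "high" if WRITES_PCAP.search(event["cmdline"]) else "medium"
    return f"{severity}: {image} run by {event['user']}: {event['cmdline']}"

def check_kernel_log(line: str) -> Optional[str]:
    """DS0017 Command Execution side effect: an interface switched to promiscuous mode."""
    m = PROMISC_LINE.search(line)
    return f"medium: interface {m.group(1)} entered promiscuous mode" if m else None

# Constructed sample telemetry
SAMPLE_EVENTS = [
    {"image": "/usr/sbin/tcpdump", "cmdline": "tcpdump -i eth0 -w /tmp/ics.pcap", "user": "root"},
    {"image": "/usr/bin/ssh", "cmdline": "ssh operator@hmi01", "user": "operator"},
    {"image": "C:\\Program Files\\Wireshark\\tshark.exe", "cmdline": "tshark -i 2", "user": "eng"},
]
SAMPLE_KLOG = [
    "Mar 09 10:14:02 plc-gw kernel: device eth0 entered promiscuous mode",
    "Mar 09 10:14:05 plc-gw kernel: eth0: link up",
]

def run() -> list:
    """Return every alert raised over the constructed sample telemetry."""
    alerts = [a for e in SAMPLE_EVENTS if (a := check_process_creation(e))]
    alerts += [a for line in SAMPLE_KLOG if (a := check_kernel_log(line))]
    return alerts

if __name__ == "__main__":
    for alert in run():
        print(alert)
```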
References
1. Enterprise ATT&CK. (2018, January 11). Network Sniffing. Retrieved 2018/05/17.
2. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
3. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.
4. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
5. Carl Hurd. (2019, March 26). VPNFilter Deep Dive. Retrieved 2019/03/28.
6. William Largent. (2018, June 06). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved 2019/03/28.
7. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved 2017/09/22.