Reconnaissance Techniques and Industrial Control System Tactics Knowledge Graph

T. Heverin
DOI: 10.34190/eccws.22.1.1221 (https://doi.org/10.34190/eccws.22.1.1221)
Published in: European Conference on Cyber Warfare and Security, volume 470 1
Publication date: 2023-06-19
Publication type: Journal Article
Citation count: 0

Abstract

In the initial stages of industrial control system (ICS) penetration testing, pentesters conduct reconnaissance using various tools, including Nmap, Shodan, Maltego, Google, the Google Hacking Database (GHDB), Recon-ng and more. Testers use various reconnaissance techniques (RTs) within these tools to directly access ICS devices. Many novice ICS pentesters stop their reconnaissance work upon successfully accessing an ICS device. However, continuing to conduct reconnaissance after initial access can lead pentesters to even more information: more ICS devices, more ICS networks, and ways to make ICS exploitation more effective. Our research motivation stems from finding ways to explicitly model the continued use of RTs once an ICS device is accessed. Knowledge graphs offer an approach for linking RTs together and creating chains of RTs.

MITRE ATT&CK ICS provides a matrix of ICS adversarial behaviours. The matrix consists of main exploit tactics and the techniques used to accomplish these tactics. Example techniques include ICS alarm suppression, blocking command messages, starting a device, and stopping services. ATT&CK ICS also provides the ICS data sources that defenders use to detect the adversarial techniques. Application logs, files, logon sessions, network traffic, and operational databases represent some of these ICS data sources. We reasoned that if adversaries could find the ICS data sources and discover the ability to modify them, then adversaries could cover their tracks and successfully carry out ICS tactics. For example, ICS attackers could modify log entries to hide their steps, or delete alarm notifications that showed that they had changed ICS settings.

In this work-in-progress research, we used knowledge-graph modelling techniques to link together RTs with ICS data sources, the ability to modify the data sources, the ability to then cover the tracks of ICS techniques, and the impact of techniques on accomplishing ICS tactics. We named the graph the RT-ICS Graph. With knowledge-graph queries and shortest-path algorithms run over the RT-ICS Graph, we showed how RTs can explicitly lead to impacts on adversaries carrying out ICS tactics. The accomplishment of ICS tactics can cause severe damage or harm.