Reconnaissance Techniques and Industrial Control System Tactics Knowledge Graph
Conference proceeding (open access)


Eve Cohen, Elsa Deitz, Jordana Wilkes and Thomas Heverin
European Conference on Cyber Warfare and Security, pp 688-XVII
01 Jun 2023
URL: https://doi.org/10.34190/eccws.22.1.1221
Published, Version of Record (VoR); licence: CC BY-NC-ND 4.0

Abstract

Keywords: Building automation, Command messages, Communications traffic, Data encryption, Data sources, Graphs, Industrial electronics, Network security, Ontology, Process controls, Queries, Reconnaissance, Resource Description Framework (RDF), Shortest-path problems, Tactics, Tracks (paths), Workflow, Algorithms, Computer Security, Control Systems, Knowledge Representation, Structured Query Language (SQL)
In the initial stages of industrial control system (ICS) penetration testing, pentesters conduct reconnaissance using various tools, including Nmap, Shodan, Maltego, Google, the Google Hacking Database (GHDB), Recon-ng and more. Testers use various reconnaissance techniques (RTs) within these tools to directly access ICS devices. Many novice ICS pentesters stop their reconnaissance work upon successfully accessing an ICS device. However, continuing reconnaissance after initial access can uncover still more information that reveals additional ICS devices and ICS networks, and ways to make ICS exploitation more effective. Our research motivation stems from finding ways to explicitly model the continued use of RTs once an ICS device is accessed. Knowledge graphs offer an approach for linking RTs together into chains of RTs. MITRE ATT&CK ICS provides a matrix of ICS adversarial behaviours, consisting of the main tactics and the techniques used to accomplish those tactics. Example techniques include ICS alarm suppression, blocking command messages, starting a device, and stopping services. ATT&CK ICS also lists the ICS data sources that defenders use to detect these techniques; application logs, files, logon sessions, network traffic and operational databases are some of those data sources. We reasoned that if adversaries could find the ICS data sources and discover a way to modify them, then adversaries could cover their tracks and successfully carry out ICS tactics. For example, ICS attackers could modify log entries to hide their steps, or delete the alarm notifications that showed they had changed ICS settings.
In this work-in-progress research, we used knowledge-graph modelling techniques to link RTs with ICS data sources, the ability to modify those data sources, the resulting ability to cover the tracks of ICS techniques, and the impact of those techniques on accomplishing ICS tactics. We named the graph the RT-ICS Graph. By running knowledge-graph queries and shortest-path algorithms over the RT-ICS Graph, we showed how RTs can be explicitly traced through to adversaries carrying out ICS tactics. The accomplishment of ICS tactics can cause severe damage or harm.
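As an added illustration, not the paper's RT-ICS Graph or its data, the Python below builds a small layered knowledge graph of the kind the abstract describes (reconnaissance technique, data source, ability to modify it, ability to cover tracks, tactic), stores it as RDF-style triples, runs a breadth-first shortest-path query from RTs to tactics, and then asks the defender's question the same graph supports: which data source, if its integrity were protected, would cut the most RT-to-tactic chains. All node and predicate names are constructed for this example; the RT names only echo the tools listed above, and the tactic names echo ATT&CK ICS tactic names. The BFS stands in for the paper's graph queries and shortest-path algorithms, whose exact form the abstract does not give.

```python
"""Toy RT-ICS style knowledge graph with shortest-path queries (added example).
Node and predicate names are constructed; they are not the paper's data."""
from collections import deque

# RDF-style triples (subject, predicate, object), layered the way the abstract
# describes: reconnaissance technique -> ICS data source -> ability to modify
# it -> ability to cover tracks of an ICS technique -> ICS tactic.
TRIPLES = [
    ("rt:nmap_service_scan",        "exposes",        "ds:application_log"),
    ("rt:shodan_device_search",     "exposes",        "ds:application_log"),
    ("rt:shodan_device_search",     "exposes",        "ds:operational_db"),
    ("rt:ghdb_document_search",     "exposes",        "ds:logon_session"),
    ("ds:application_log",          "modifiableVia",  "mod:edit_log_entries"),
    ("ds:operational_db",           "modifiableVia",  "mod:edit_db_rows"),
    ("ds:logon_session",            "modifiableVia",  "mod:purge_session_records"),
    ("mod:edit_log_entries",        "coversTracksOf", "cover:alarm_suppression"),
    ("mod:edit_db_rows",            "coversTracksOf", "cover:parameter_change"),
    ("mod:purge_session_records",   "coversTracksOf", "cover:operator_impersonation"),
    ("cover:alarm_suppression",     "enables",        "tactic:inhibit_response_function"),
    ("cover:parameter_change",      "enables",        "tactic:impair_process_control"),
    ("cover:operator_impersonation","enables",        "tactic:impair_process_control"),
]


def build_graph(triples):
    """Adjacency map: node -> list of (predicate, neighbour)."""
    graph = {}
    for subj, pred, obj in triples:
        graph.setdefault(subj, []).append((pred, obj))
        graph.setdefault(obj, [])
    return graph


def shortest_path(graph, start, goal, blocked=frozenset()):
    """Breadth-first search: shortest chain by hop count from start to goal,
    never passing through a node in `blocked`. Returns a node list or None."""
    if start not in graph or start in blocked:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:          # walk parent links back to start
                path.append(node)
                node = parents[node]
            return path[::-1]
        for _pred, nxt in graph[node]:
            if nxt in blocked or nxt in parents:
                continue
            parents[nxt] = node
            queue.append(nxt)
    return None


def nodes_with_prefix(graph, prefix):
    return sorted(n for n in graph if n.startswith(prefix))


def reachable_pairs(graph, blocked=frozenset()):
    """All (RT, tactic) pairs joined by at least one chain in the graph."""
    return {
        (rt, tactic)
        for rt in nodes_with_prefix(graph, "rt:")
        for tactic in nodes_with_prefix(graph, "tactic:")
        if shortest_path(graph, rt, tactic, blocked) is not None
    }


def rank_data_sources(graph):
    """Defender's view of the same graph: for each ICS data source, count how
    many RT -> tactic chains disappear if that source can no longer be altered
    (e.g. write-once or forwarded logs), modelled here as blocking its node."""
    baseline = reachable_pairs(graph)
    ranking = []
    for ds in nodes_with_prefix(graph, "ds:"):
        remaining = reachable_pairs(graph, blocked=frozenset({ds}))
        ranking.append((ds, len(baseline) - len(remaining)))
    ranking.sort(key=lambda item: (-item[1], item[0]))
    return ranking


def describe_path(graph, path):
    """Render a path with its predicates, e.g. 'a -[exposes]-> b'."""
    parts = [path[0]]
    for a, b in zip(path, path[1:]):
        pred = next(p for p, n in graph[a] if n == b)
        parts.append(f" -[{pred}]-> {b}")
    return "".join(parts)


if __name__ == "__main__":
    g = build_graph(TRIPLES)
    for rt in nodes_with_prefix(g, "rt:"):
        for tactic in nodes_with_prefix(g, "tactic:"):
            path = shortest_path(g, rt, tactic)
            if path:
                print(describe_path(g, path))
    print("data sources ranked by chains cut when hardened:", rank_data_sources(g))
```

In the constructed graph, `ds:application_log` sits on two of the four RT-to-tactic chains, so `rank_data_sources` puts it first; the point of the defender's query is that the same chains the paper traces forward from reconnaissance can be read backwards to prioritise which data sources to make tamper-evident.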
