{"description": "ICS techniques mitigated by Audit, ATT&CK mitigation M0947 (v1.1)", "name": "Audit (M0947)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [
{"techniqueID": "T0830", "comment": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0811", "comment": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0874", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0821", "comment": "Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1693", "comment": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1693.001", "comment": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1693.002", "comment": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T0836", "comment": "Provide the ability to verify the integrity and authenticity of changes to parameter values.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0889", "comment": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0843", "comment": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T0843.001", "comment": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T0843.002", "comment": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T0843.003", "comment": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T0873", "comment": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", "score": 1, "showSubtechniques": true},
{"techniqueID": "T0873.001", "comment": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T0851", "comment": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0862", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0864", "comment": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T0859", "comment": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Audit", "color": "#66b1ff"}]}