Conditions préalables
The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).
The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.
The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.
Compétences requises
Intelligence about the manufacturer's operating environment and infrastructure.
Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.
Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)
Atténuations
Verify software downloads and updates to ensure they have not been modified be adversaries
Leverage antivirus tools to detect known malware
Do not download software from untrusted sources
Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks
Références
REF-439
Supply Chain Attack Framework and Attack Patterns
John F. Miller.
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf REF-712
Guarding against supply chain attacks—Part 2: Hardware risks
Cristin Goodwin, Joram Borenstein.
https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/
Soumission
Nom |
Organisation |
Date |
Date de publication |
CAPEC Content Team |
The MITRE Corporation |
2014-06-23 +00:00 |
|
Modifications
Nom |
Organisation |
Date |
Commentaire |
CAPEC Content Team |
The MITRE Corporation |
2015-11-09 +00:00 |
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit |
CAPEC Content Team |
The MITRE Corporation |
2019-04-04 +00:00 |
Updated Related_Weaknesses |
CAPEC Content Team |
The MITRE Corporation |
2019-09-30 +00:00 |
Updated Related_Attack_Patterns |
CAPEC Content Team |
The MITRE Corporation |
2020-12-17 +00:00 |
Updated Related_Weaknesses |
CAPEC Content Team |
The MITRE Corporation |
2022-02-22 +00:00 |
Updated Description, Example_Instances, Mitigations, Prerequisites, References |
CAPEC Content Team |
The MITRE Corporation |
2022-09-29 +00:00 |
Updated Taxonomy_Mappings |