T1601 - Modify System Image#
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
Atomic Tests:#
Currently, no tests are available for this technique.
Detection#
Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor provided operating system image file.
Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)
Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)
Shield Active Defense#
Decoy System#
Configure a computing system to serve as an attack target or experimental environment.
A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc.
Opportunity#
There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
Use Case#
A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system.
Procedures#
Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system. Setup a server which appears to be something that is commonly expected within a network, such as web server.