Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1601 | Modify System Image |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
References
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement provides protection from Modify System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch system images.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as vendor provided digitally signed operating system images to validate the integrity of the software used on their platform.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1601 | Modify System Image | |
| attribute.integrity.variety.Software installation | Software installation or code modification | related-to | T1601 | Modify System Image |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| binary_authorization | Binary Authorization | technique_scores | T1601 | Modify System Image |
Comments
Each image has a signer digitally sign using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1601.001 | Patch System Image | 35 |
| T1601.002 | Downgrade System Image | 35 |