Skip to content

Hide Navigation Hide TOC

Edit

Techniques

DISARM is a framework designed for describing and understanding disinformation incidents.

Authors
Authors and/or Contributors
DISARM Project

Facilitate State Propaganda

Organise citizens around pro-state messaging. Coordinate paid or volunteer groups to push state propaganda.

Internal MISP references

UUID 782afafa-e997-571a-9b25-d04bb322480c which can be used as unique global reference for Facilitate State Propaganda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0002
kill_chain ['tactics:Plan Objectives']
Related clusters

To see the related clusters, click here.

Leverage Existing Narratives

Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consitent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplifiction practices.

Internal MISP references

UUID 689e65f1-d834-581a-adf2-4e8a96d32464 which can be used as unique global reference for Leverage Existing Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0003
kill_chain ['tactics:Develop Narratives']
Related clusters

To see the related clusters, click here.

Develop Competing Narratives

Advance competing narratives connected to same issue ie: on one hand deny incident while at same time expresses dismiss. Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centred on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on. These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.

Internal MISP references

UUID 73bfaf89-d10a-5515-83fb-bc5ba11f5a2a which can be used as unique global reference for Develop Competing Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0004
kill_chain ['tactics:Develop Narratives']
Related clusters

To see the related clusters, click here.

Create Inauthentic Social Media Pages and Groups

Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets. Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are.

Internal MISP references

UUID e3cbbc7a-da73-50fb-9893-4ce88edb211f which can be used as unique global reference for Create Inauthentic Social Media Pages and Groups in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0007
kill_chain ['tactics:Establish Assets']
Related clusters

To see the related clusters, click here.

Create Fake Experts

Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself.

Internal MISP references

UUID 29768133-b941-5974-ab10-c15bbb86e387 which can be used as unique global reference for Create Fake Experts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0009
kill_chain ['tactics:Establish Legitimacy']
Related clusters

To see the related clusters, click here.

Utilise Academic/Pseudoscientific Justifications

Utilise Academic/Pseudoscientific Justifications

Internal MISP references

UUID 4c721f5a-101e-5b5e-b260-7b08b92eac83 which can be used as unique global reference for Utilise Academic/Pseudoscientific Justifications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0009.001
kill_chain ['tactics:Establish Legitimacy']

Cultivate Ignorant Agents

Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also know as "useful idiots" or "unwitting agents".

Internal MISP references

UUID 39baec3d-f2ce-5fee-ba7d-3db7d6469946 which can be used as unique global reference for Cultivate Ignorant Agents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0010
kill_chain ['tactics:Establish Assets']
Related clusters

To see the related clusters, click here.

Create Inauthentic Websites

Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations.

Internal MISP references

UUID 534951bc-8d1e-58be-b051-c9243eac96fb which can be used as unique global reference for Create Inauthentic Websites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0013
kill_chain ['tactics:Establish Assets']
Related clusters

To see the related clusters, click here.

Prepare Fundraising Campaigns

Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see: Develop Information Pathways) to promote operation messaging while raising money to support its activities.

Internal MISP references

UUID f0bb5056-fedb-5507-8554-c958ec8d9fdc which can be used as unique global reference for Prepare Fundraising Campaigns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0014
kill_chain ['tactics:Establish Assets']
Related clusters

To see the related clusters, click here.

Raise Funds from Malign Actors

Raising funds from malign actors may include contributions from foreign agents, cutouts or proxies, shell companies, dark money groups, etc.

Internal MISP references

UUID d23f9cc0-058e-5354-b2c6-90e7b6737922 which can be used as unique global reference for Raise Funds from Malign Actors in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0014.001
kill_chain ['tactics:Establish Assets']

Raise Funds from Ignorant Agents

Raising funds from ignorant agents may include scams, donations intended for one stated purpose but then used for another, etc.

Internal MISP references

UUID dc89eee0-bf5e-51f0-957d-0e9e8a2cceff which can be used as unique global reference for Raise Funds from Ignorant Agents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0014.002
kill_chain ['tactics:Establish Assets']

Create Hashtags and Search Artefacts

Create one or more hashtags and/or hashtag groups. Many incident-based campaigns will create hashtags to promote their fabricated event. Creating a hashtag for an incident can have two important effects: 1. Create a perception of reality around an event. Certainly only "real" events would be discussed in a hashtag. After all, the event has a name!, and 2. Publicise the story more widely through trending lists and search behaviour. Asset needed to direct/control/manage "conversation" connected to launching new incident/campaign with new hashtag for applicable social media sites).

Internal MISP references

UUID 6d3c1c71-746e-5e9d-9960-4845d712c899 which can be used as unique global reference for Create Hashtags and Search Artefacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0015
kill_chain ['tactics:Develop Content']
Related clusters

To see the related clusters, click here.

Create Clickbait

Create attention grabbing headlines (outrage, doubt, humour) required to drive traffic & engagement. This is a key asset.

Internal MISP references

UUID 9570ebf8-f69b-5064-a627-a19cb429d0f5 which can be used as unique global reference for Create Clickbait in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0016
kill_chain ['tactics:Microtarget']
Related clusters

To see the related clusters, click here.

Conduct Fundraising

Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services166 on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns to promote operation messaging while raising money to support its activities.

Internal MISP references

UUID 7f21fe4b-d314-5511-a9b1-0b9fcfee8b5e which can be used as unique global reference for Conduct Fundraising in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0017
kill_chain ['tactics:Drive Offline Activity']
Related clusters

To see the related clusters, click here.

Conduct Crowdfunding Campaigns

An influence operation may Conduct Crowdfunding Campaigns on platforms such as GoFundMe, GiveSendGo, Tipeee, Patreon, etc.

Internal MISP references

UUID 999145bb-914b-5f7e-b47e-8756af2f5484 which can be used as unique global reference for Conduct Crowdfunding Campaigns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0017.001
kill_chain ['tactics:Drive Offline Activity']

Purchase Targeted Advertisements

Create or fund advertisements targeted at specific populations

Internal MISP references

UUID 87208979-6982-53d5-ad0f-49cef659555c which can be used as unique global reference for Purchase Targeted Advertisements in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0018
kill_chain ['tactics:Microtarget']
Related clusters

To see the related clusters, click here.

Trial Content

Iteratively test incident performance (messages, content etc), e.g. A/B test headline/content enagagement metrics; website and/or funding campaign conversion rates

Internal MISP references

UUID 635f5592-0e2a-5f06-b164-c5af2ec9ef5e which can be used as unique global reference for Trial Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0020
kill_chain ['tactics:Conduct Pump Priming']
Related clusters

To see the related clusters, click here.

Leverage Conspiracy Theory Narratives

"Conspiracy narratives" appeal to the human desire for explanatory order, by invoking the participation of poweful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalised or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the "firehose of falsehoods" model.

Internal MISP references

UUID f1d52ce1-f431-5732-a071-215cb3306f3e which can be used as unique global reference for Leverage Conspiracy Theory Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0022
kill_chain ['tactics:Develop Narratives']
Related clusters

To see the related clusters, click here.

Amplify Existing Conspiracy Theory Narratives

An influence operation may amplify an existing conspiracy theory narrative that aligns with its incident or campaign goals. By amplifying existing conspiracy theory narratives, operators can leverage the power of the existing communities that support and propagate those theories without needing to expend resources creating new narratives or building momentum and buy in around new narratives.

Internal MISP references

UUID f3c7a9c8-9196-5b2f-8d10-46ca31380987 which can be used as unique global reference for Amplify Existing Conspiracy Theory Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0022.001
kill_chain ['tactics:Develop Narratives']

Develop Original Conspiracy Theory Narratives

While this requires more resources than amplifying existing conspiracy theory narratives, an influence operation may develop original conspiracy theory narratives in order to achieve greater control and alignment over the narrative and their campaign goals. Prominent examples include the USSR's Operation INFEKTION disinformation campaign run by the KGB in the 1980s to plant the idea that the United States had invented HIV/AIDS as part of a biological weapons research project at Fort Detrick, Maryland. More recently, Fort Detrick featured prominently in a new conspiracy theory narratives around the origins of the COVID-19 outbreak and pandemic.

Internal MISP references

UUID b90838cb-7124-5f07-9fa6-94f0b5b21343 which can be used as unique global reference for Develop Original Conspiracy Theory Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0022.002
kill_chain ['tactics:Develop Narratives']

Distort Facts

Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper content

Internal MISP references

UUID 1993a35d-d276-569b-ba66-66623f982dc4 which can be used as unique global reference for Distort Facts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0023
kill_chain ['tactics:Develop Content']

Reframe Context

Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions.

Internal MISP references

UUID c887503d-e5f5-5f06-a92a-9e50ec908eb6 which can be used as unique global reference for Reframe Context in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0023.001
kill_chain ['tactics:Develop Content']

Edit Open-Source Content

An influence operation may edit open-source content, such as collaborative blogs or encyclopaedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets.

Internal MISP references

UUID b4984f13-619b-54a7-bf2c-acc5cdc01437 which can be used as unique global reference for Edit Open-Source Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0023.002
kill_chain ['tactics:Develop Content']

Online Polls

Create fake online polls, or manipulate existing online polls. Data gathering tactic to target those who engage, and potentially their networks of friends/followers as well

Internal MISP references

UUID 1a8c4e8c-3543-5ab1-b4d0-939de9e7875f which can be used as unique global reference for Online Polls in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0029
kill_chain ['tactics:Select Channels and Affordances']
Related clusters

To see the related clusters, click here.

Bait Influencer

Influencers are people on social media platforms who have large audiences. 

Threat Actors can try to trick Influencers such as celebrities, journalists, or local leaders who aren’t associated with their campaign into amplifying campaign content. This gives them access to the Influencer’s audience without having to go through the effort of building it themselves, and it helps legitimise their message by associating it with the Influencer, benefitting from their audience’s trust in them.

Internal MISP references

UUID 53e8c51b-c178-5429-8cee-022c6741cc91 which can be used as unique global reference for Bait Influencer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0039
kill_chain ['tactics:Maximise Exposure']
Related clusters

To see the related clusters, click here.

Demand Insurmountable Proof

Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the "firehose of misinformation". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of "questions" while the truth teller is burdened with higher and higher standards of proof.

Internal MISP references

UUID 70218fb2-3d85-5714-b990-2d18e345e184 which can be used as unique global reference for Demand Insurmountable Proof in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0040
kill_chain ['tactics:Develop Narratives']
Related clusters

To see the related clusters, click here.

Seed Kernel of Truth

Wrap lies or altered context/facts around truths. Influence campaigns pursue a variety of objectives with respect to target audiences, prominent among them: 1. undermine a narrative commonly referenced in the target audience; or 2. promote a narrative less common in the target audience, but preferred by the attacker. In both cases, the attacker is presented with a heavy lift. They must change the relative importance of various narratives in the interpretation of events, despite contrary tendencies. When messaging makes use of factual reporting to promote these adjustments in the narrative space, they are less likely to be dismissed out of hand; when messaging can juxtapose a (factual) truth about current affairs with the (abstract) truth explicated in these narratives, propagandists can undermine or promote them selectively. Context matters.

Internal MISP references

UUID ab4b4b44-5f15-5c92-934b-30cc73f67afc which can be used as unique global reference for Seed Kernel of Truth in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0042
kill_chain ['tactics:Conduct Pump Priming']

Chat Apps

Direct messaging via chat app is an increasing method of delivery. These messages are often automated and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety.

Internal MISP references

UUID ebd0aab4-013c-52fa-bae5-8fb3bd7704b8 which can be used as unique global reference for Chat Apps in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0043
kill_chain ['tactics:Select Channels and Affordances']
Related clusters

To see the related clusters, click here.

Use Encrypted Chat Apps

Examples include Signal, WhatsApp, Discord, Wire, etc.

Internal MISP references

UUID 7308289b-5875-5015-bead-adf63a552c28 which can be used as unique global reference for Use Encrypted Chat Apps in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0043.001
kill_chain ['tactics:Select Channels and Affordances']

Use Unencrypted Chats Apps

Examples include SMS, etc.

Internal MISP references

UUID 211e93c2-463a-5271-9384-61a6b8ca4af6 which can be used as unique global reference for Use Unencrypted Chats Apps in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0043.002
kill_chain ['tactics:Select Channels and Affordances']

Seed Distortions

Try a wide variety of messages in the early hours surrounding an incident or event, to give a misleading account or impression.

Internal MISP references

UUID 0fd25b71-ea11-51a3-bb18-545d5e818583 which can be used as unique global reference for Seed Distortions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0044
kill_chain ['tactics:Conduct Pump Priming']
Related clusters

To see the related clusters, click here.

Use Fake Experts

Use the fake experts that were set up during Establish Legitimacy. Pseudo-experts are disposable assets that often appear once and then disappear. Give "credility" to misinformation. Take advantage of credential bias

Internal MISP references

UUID edc041f8-06ac-513a-a9f9-1353e38f3bcf which can be used as unique global reference for Use Fake Experts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0045
kill_chain ['tactics:Conduct Pump Priming']
Related clusters

To see the related clusters, click here.

Use Search Engine Optimisation

Manipulate content engagement metrics (ie: Reddit & Twitter) to influence/impact news search results (e.g. Google), also elevates RT & Sputnik headline into Google news alert emails. aka "Black-hat SEO"

Internal MISP references

UUID 68c3a917-fed7-539e-9cf6-091153658ef2 which can be used as unique global reference for Use Search Engine Optimisation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0046
kill_chain ['tactics:Conduct Pump Priming']
Related clusters

To see the related clusters, click here.

Censor Social Media as a Political Force

Use political influence or the power of state to stop critical social media comments. Government requested/driven content take downs (see Google Transperancy reports).

Internal MISP references

UUID deb56d12-fd4d-515a-9051-89a372d5d4bb which can be used as unique global reference for Censor Social Media as a Political Force in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0047
kill_chain ['tactics:Drive Online Harms']
Related clusters

To see the related clusters, click here.

Harass

Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content.

Internal MISP references

UUID cb33d6fe-0327-58c1-93ad-10684fe9e099 which can be used as unique global reference for Harass in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0048
kill_chain ['tactics:Drive Online Harms']

Boycott/"Cancel" Opponents

Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organisation, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasising an adversary’s problematic or disputed behaviour and presenting its own content as an alternative.

Internal MISP references

UUID 65c98713-cae5-5ae4-ae17-5902d7d1cfc4 which can be used as unique global reference for Boycott/"Cancel" Opponents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0048.001
kill_chain ['tactics:Drive Online Harms']

Harass People Based on Identities

Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.

Internal MISP references

UUID a40e4177-42f2-5be2-89cf-1dd4eadaad13 which can be used as unique global reference for Harass People Based on Identities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0048.002
kill_chain ['tactics:Drive Online Harms']

Threaten to Dox

Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.

Internal MISP references

UUID c1df0074-7e66-5b71-85cb-784b1be15c48 which can be used as unique global reference for Threaten to Dox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0048.003
kill_chain ['tactics:Drive Online Harms']

Dox

Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.

Internal MISP references

UUID 18e83c9c-8e16-55e2-a013-63e583e79e8e which can be used as unique global reference for Dox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0048.004
kill_chain ['tactics:Drive Online Harms']

Flood Information Space

Flooding sources of information (e.g. Social Media feeds) with a high volume of inauthentic content.

This can be done to control/shape online conversations, drown out opposing points of view, or make it harder to find legitimate information. 

Bots and/or patriotic trolls are effective tools to achieve this effect.

This Technique previously used the name Flooding the Information Space.

Internal MISP references

UUID ee7bc41a-9eb0-5732-924a-3885e1c3bee9 which can be used as unique global reference for Flood Information Space in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049
kill_chain ['tactics:Maximise Exposure']
Related clusters

To see the related clusters, click here.

Trolls Amplify and Manipulate

Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized).

Internal MISP references

UUID b126047b-eafa-50aa-891a-31250d13f50e which can be used as unique global reference for Trolls Amplify and Manipulate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.001
kill_chain ['tactics:Maximise Exposure']

Flood Existing Hashtag

Hashtags can be used by communities to collate information they post about particular topics (such as their interests, or current events) and users can find communities to join by exploring hashtags they’re interested in. 

Threat actors can flood an existing hashtag to try to ruin hashtag functionality, posting content unrelated to the hashtag alongside it, making it a less reliable source of relevant information. They may also try to flood existing hashtags with campaign content, with the intent of maximising exposure to users.

This Technique covers cases where threat actors flood existing hashtags with campaign content.

This Technique covers behaviours previously documented by T0019.002: Hijack Hashtags, which has since been deprecated. This Technique was previously called Hijack Existing Hashtag.

Internal MISP references

UUID 885e8687-3598-5378-b0bf-f09b67c1696e which can be used as unique global reference for Flood Existing Hashtag in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.002
kill_chain ['tactics:Maximise Exposure']

Bots Amplify via Automated Forwarding and Reposting

Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more "popular" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.

Internal MISP references

UUID 78bd9a95-4aa4-5595-90de-839c65ff6542 which can be used as unique global reference for Bots Amplify via Automated Forwarding and Reposting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.003
kill_chain ['tactics:Maximise Exposure']

Utilise Spamoflauge

Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, "you've w0n our jackp0t!". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging.

Internal MISP references

UUID 36635199-0794-5cba-b494-5b54ebd0ca73 which can be used as unique global reference for Utilise Spamoflauge in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.004
kill_chain ['tactics:Maximise Exposure']

Conduct Swarming

Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centres exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach.

Internal MISP references

UUID b25835fd-4936-580f-9e40-03728f38badf which can be used as unique global reference for Conduct Swarming in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.005
kill_chain ['tactics:Maximise Exposure']

Conduct Keyword Squatting

Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimized term to overwhelm the search results of that term. An influence may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and manipulate the narrative around the term.

Internal MISP references

UUID 864a3b1d-6a1f-50b0-adef-e46cc4a88933 which can be used as unique global reference for Conduct Keyword Squatting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.006
kill_chain ['tactics:Maximise Exposure']

Inauthentic Sites Amplify News and Narratives

Inauthentic sites circulate cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.

Internal MISP references

UUID d8a87575-9e25-5e93-8bf6-8489fe70b864 which can be used as unique global reference for Inauthentic Sites Amplify News and Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.007
kill_chain ['tactics:Maximise Exposure']

Generate Information Pollution

Information Pollution occurs when threat actors attempt to ruin a source of information by flooding it with lots of inauthentic or unreliable content, intending to make it harder for legitimate users to find the information they’re looking for. 

This subtechnique's objective is to reduce exposure to target information, rather than promoting exposure to campaign content, for which the parent technique T0049 can be used. 

Analysts will need to infer what the motive for flooding an information space was when deciding whether to use T0049 or T0049.008 to tag a case when an information space is flooded. If such inference is not possible, default to T0049.

This Technique previously used the ID T0019.

Internal MISP references

UUID 0bf3d2c3-db36-5175-99b0-6c82ad078937 which can be used as unique global reference for Generate Information Pollution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0049.008
kill_chain ['tactics:Maximise Exposure']

Organise Events

Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.

Internal MISP references

UUID 26c314bb-ed05-5dbe-b672-c16c2f0fff52 which can be used as unique global reference for Organise Events in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0057
kill_chain ['tactics:Drive Offline Activity']
Related clusters

To see the related clusters, click here.

Pay for Physical Action

Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest.

Internal MISP references

UUID c4f3903c-0a5f-5764-ab76-a7d3a4ee0afb which can be used as unique global reference for Pay for Physical Action in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0057.001
kill_chain ['tactics:Drive Offline Activity']

Conduct Symbolic Action

Symbolic action refers to activities specifically intended to advance an operation’s narrative by signalling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space.

Internal MISP references

UUID 055b66cb-0745-5f85-83c9-d9fb8e1684a2 which can be used as unique global reference for Conduct Symbolic Action in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0057.002
kill_chain ['tactics:Drive Offline Activity']

Play the Long Game

Play the long game refers to two phenomena: 1. To plan messaging and allow it to grow organically without conducting your own amplification. This is methodical and slow and requires years for the message to take hold 2. To develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative.

Internal MISP references

UUID 2a8e8fa2-6ac4-5e0b-b1fb-818362987687 which can be used as unique global reference for Play the Long Game in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0059
kill_chain ['tactics:Persist in the Information Environment']

Continue to Amplify

continue narrative or message amplification after the main incident work has finished

Internal MISP references

UUID 6eb04152-8342-563a-9b9c-1e73aae2cc24 which can be used as unique global reference for Continue to Amplify in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0060
kill_chain ['tactics:Persist in the Information Environment']
Related clusters

To see the related clusters, click here.

Sell Merchandise

Sell mechandise refers to getting the message or narrative into physical space in the offline world while making money

Internal MISP references

UUID e9208787-0c74-5517-bdd5-add8476beb6a which can be used as unique global reference for Sell Merchandise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0061
kill_chain ['tactics:Drive Offline Activity']

Prepare Physical Broadcast Capabilities

Create or coopt broadcast capabilities (e.g. TV, radio etc).

Internal MISP references

UUID 8c763ea9-83ee-5ea6-91bb-5ab0dd981006 which can be used as unique global reference for Prepare Physical Broadcast Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0065
kill_chain ['tactics:Establish Assets']

Degrade Adversary

Plan to degrade an adversary’s image or ability to act. This could include preparation and use of harmful information about the adversary’s actions or reputation.

Internal MISP references

UUID 30e32d3b-ece9-545b-b74f-82861e22c133 which can be used as unique global reference for Degrade Adversary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0066
kill_chain ['tactics:Plan Objectives']

Respond to Breaking News Event or Active Crisis

Media attention on a story or event is heightened during a breaking news event, where unclear facts and incomplete information increase speculation, rumours, and conspiracy theories, which are all vulnerable to manipulation.

Internal MISP references

UUID df8d3fc5-efd3-54bf-baef-eaa6ec375f0f which can be used as unique global reference for Respond to Breaking News Event or Active Crisis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0068
kill_chain ['tactics:Develop Narratives']

Segment Audiences

Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics.

Internal MISP references

UUID d9bbfde8-dda3-5f20-a9ed-fbf021ecd8c1 which can be used as unique global reference for Segment Audiences in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0072
kill_chain ['tactics:Target Audience Analysis']

Geographic Segmentation

An influence operation may target populations in a specific geographic location, such as a region, state, or city. An influence operation may use geographic segmentation to Create Localised Content (see: Establish Legitimacy).

Internal MISP references

UUID 3c3edffe-de30-5b0c-8005-8916dd92eb1e which can be used as unique global reference for Geographic Segmentation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0072.001
kill_chain ['tactics:Target Audience Analysis']

Demographic Segmentation

An influence operation may target populations based on demographic segmentation, including age, gender, and income. Demographic segmentation may be useful for influence operations aiming to change state policies that affect a specific population sector. For example, an influence operation attempting to influence Medicare funding in the United States would likely target U.S. voters over 65 years of age.

Internal MISP references

UUID d19a9243-0fa0-5140-81c9-57442e8f7e25 which can be used as unique global reference for Demographic Segmentation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0072.002
kill_chain ['tactics:Target Audience Analysis']

Economic Segmentation

An influence operation may target populations based on their income bracket, wealth, or other financial or economic division.

Internal MISP references

UUID 163b9226-7923-527f-802f-8865450db2f5 which can be used as unique global reference for Economic Segmentation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0072.003
kill_chain ['tactics:Target Audience Analysis']

Psychographic Segmentation

An influence operation may target populations based on psychographic segmentation, which uses audience values and decision-making processes. An operation may individually gather psychographic data with its own surveys or collection tools or externally purchase data from social media companies or online surveys, such as personality quizzes.

Internal MISP references

UUID 474e292b-e866-5871-9ab6-395cc5aaa097 which can be used as unique global reference for Psychographic Segmentation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0072.004
kill_chain ['tactics:Target Audience Analysis']

Political Segmentation

An influence operation may target populations based on their political affiliations, especially when aiming to manipulate voting or change policy.

Internal MISP references

UUID 77ab671a-d532-50b7-ac02-2008d331164f which can be used as unique global reference for Political Segmentation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0072.005
kill_chain ['tactics:Target Audience Analysis']

Determine Target Audiences

Determining the target audiences (segments of the population) who will receive campaign narratives and artefacts intended to achieve the strategic ends.

Internal MISP references

UUID 872a110b-66ad-5854-aae5-a9725d227a5c which can be used as unique global reference for Determine Target Audiences in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0073
kill_chain ['tactics:Plan Strategy']

Determine Strategic Ends

These are the long-term end-states the campaign aims to bring about. They typically involve an advantageous position vis-a-vis competitors in terms of power or influence. The strategic goal may be to improve or simply to hold one’s position. Competition occurs in the public sphere in the domains of war, diplomacy, politics, economics, and ideology, and can play out between armed groups, nation-states, political parties, corporations, interest groups, or individuals.

Internal MISP references

UUID d88805d4-273a-50fb-a24a-63df92592e20 which can be used as unique global reference for Determine Strategic Ends in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0074
kill_chain ['tactics:Plan Strategy']

Geopolitical Advantage

Favourable position on the international stage in terms of great power politics or regional rivalry. Geopolitics plays out in the realms of foreign policy, national security, diplomacy, and intelligence. It involves nation-state governments, heads of state, foreign ministers, intergovernmental organisations, and regional security alliances.

Internal MISP references

UUID 3c362b89-6b61-5ea9-ba32-4873594ee92d which can be used as unique global reference for Geopolitical Advantage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0074.001
kill_chain ['tactics:Plan Strategy']

Domestic Political Advantage

Favourable position vis-à-vis national or sub-national political opponents such as political parties, interest groups, politicians, candidates.

Internal MISP references

UUID a3ba0d23-3e22-5fb3-a4fd-074ab5bdc05a which can be used as unique global reference for Domestic Political Advantage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0074.002
kill_chain ['tactics:Plan Strategy']

Economic Advantage

Favourable position domestically or internationally in the realms of commerce, trade, finance, industry. Economics involves nation-states, corporations, banks, trade blocs, industry associations, cartels.

Internal MISP references

UUID 9fc9578f-db6c-5505-ac66-dbdb6e887c6f which can be used as unique global reference for Economic Advantage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0074.003
kill_chain ['tactics:Plan Strategy']

Ideological Advantage

Favourable position domestically or internationally in the market for ideas, beliefs, and world views. Competition plays out among faith systems, political systems, and value systems. It can involve sub-national, national or supra-national movements.

Internal MISP references

UUID c3156aaf-caf1-5188-836c-d5742cfc89fa which can be used as unique global reference for Ideological Advantage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0074.004
kill_chain ['tactics:Plan Strategy']

Dismiss

Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than with other actors or themselves; or arguing that their criticism is biassed.

Internal MISP references

UUID 3c33a91e-af4c-545d-bf54-a15fab753a11 which can be used as unique global reference for Dismiss in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0075
kill_chain ['tactics:Plan Objectives']

Discredit Credible Sources

Plan to delegitimize the media landscape and degrade public trust in reporting, by discrediting credible sources. This makes it easier to promote influence operation content.

Internal MISP references

UUID be2a0989-a95f-5961-ba7d-0597078dca96 which can be used as unique global reference for Discredit Credible Sources in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0075.001
kill_chain ['tactics:Plan Objectives']

Distort

Twist the narrative. Take information, or artefacts like images, and change the framing around them.

Internal MISP references

UUID bd75892f-b84d-5b36-b2d9-34832832296b which can be used as unique global reference for Distort in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0076
kill_chain ['tactics:Plan Objectives']

Distract

Shift attention to a different narrative or actor, for instance by accusing critics of the same activity that they’ve accused you of (e.g. police brutality).

Internal MISP references

UUID 8c807754-1267-5662-99f4-02461410cb3d which can be used as unique global reference for Distract in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0077
kill_chain ['tactics:Plan Objectives']

Dismay

Threaten the critic or narrator of events. For instance, threaten journalists or news outlets reporting on a story.

Internal MISP references

UUID 28400a1a-58f1-51ee-9e96-2c763279b990 which can be used as unique global reference for Dismay in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0078
kill_chain ['tactics:Plan Objectives']

Divide

Create conflict between subgroups, to widen divisions in a community

Internal MISP references

UUID 45926a30-7c89-5c14-bf7b-86f8c9597d15 which can be used as unique global reference for Divide in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0079
kill_chain ['tactics:Plan Objectives']

Map Target Audience Information Environment

Mapping the target audience information environment analyses the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience. Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.

Internal MISP references

UUID 649af4be-031b-55db-ab45-d82b3cec27c2 which can be used as unique global reference for Map Target Audience Information Environment in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0080
kill_chain ['tactics:Target Audience Analysis']

Monitor Social Media Analytics

An influence operation may use social media analytics to determine which factors will increase the operation content’s exposure to its target audience on social media platforms, including views, interactions, and sentiment relating to topics and content types. The social media platform itself or a third-party tool may collect the metrics.

Internal MISP references

UUID a20c76bd-0b45-53f6-8cc5-6bc8a17289cf which can be used as unique global reference for Monitor Social Media Analytics in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0080.001
kill_chain ['tactics:Target Audience Analysis']

Evaluate Media Surveys

An influence operation may evaluate its own or third-party media surveys to determine what type of content appeals to its target audience. Media surveys may provide insight into an audience’s political views, social class, general interests, or other indicators used to tailor operation messaging to its target audience.

Internal MISP references

UUID af0acad2-7020-56cb-9775-56f03bad5bcf which can be used as unique global reference for Evaluate Media Surveys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0080.002
kill_chain ['tactics:Target Audience Analysis']

An influence operation may identify trending hashtags on social media platforms for later use in boosting operation content. A hashtag40 refers to a word or phrase preceded by the hash symbol (#) on social media used to identify messages and posts relating to a specific topic. All public posts that use the same hashtag are aggregated onto a centralised page dedicated to the word or phrase and sorted either chronologically or by popularity.

Internal MISP references

UUID 269f9f9a-c8a4-5b68-8bf7-f09dd1dbd393 which can be used as unique global reference for Identify Trending Topics/Hashtags in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0080.003
kill_chain ['tactics:Target Audience Analysis']

Conduct Web Traffic Analysis

An influence operation may conduct web traffic analysis to determine which search engines, keywords, websites, and advertisements gain the most traction with its target audience.

Internal MISP references

UUID 8be163d6-9e22-5749-a11c-e1184ec64d33 which can be used as unique global reference for Conduct Web Traffic Analysis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0080.004
kill_chain ['tactics:Target Audience Analysis']

Assess Degree/Type of Media Access

An influence operation may survey a target audience’s Internet availability and degree of media freedom to determine which target audience members will have access to operation content and on which platforms. An operation may face more difficulty targeting an information environment with heavy restrictions and media control than an environment with independent media, freedom of speech and of the press, and individual liberties.

Internal MISP references

UUID e5b33222-ed53-5da5-9d12-778741c209e2 which can be used as unique global reference for Assess Degree/Type of Media Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0080.005
kill_chain ['tactics:Target Audience Analysis']

Identify Social and Technical Vulnerabilities

Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment. Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives.

Internal MISP references

UUID 6870e08f-8a82-592a-91be-71f732281a29 which can be used as unique global reference for Identify Social and Technical Vulnerabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081
kill_chain ['tactics:Target Audience Analysis']

Find Echo Chambers

Find or plan to create areas (social media groups, search term groups, hashtag groups etc) where individuals only engage with people they agree with.

Internal MISP references

UUID b6698222-4827-5b48-b0f4-b6d160cca97a which can be used as unique global reference for Find Echo Chambers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.001
kill_chain ['tactics:Target Audience Analysis']

Identify Data Voids

A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.

Internal MISP references

UUID ab5b0e25-01fa-5a41-9ad8-7445034cf952 which can be used as unique global reference for Identify Data Voids in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.002
kill_chain ['tactics:Target Audience Analysis']

Identify Existing Prejudices

An influence operation may exploit existing racial, religious, demographic, or social prejudices to further polarise its target audience from the rest of the public.

Internal MISP references

UUID 0eefce18-09c4-513b-85a7-4441aa5df105 which can be used as unique global reference for Identify Existing Prejudices in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.003
kill_chain ['tactics:Target Audience Analysis']

Identify Existing Fissures

An influence operation may identify existing fissures to pit target populations against one another or facilitate a “divide-and-conquer" approach to tailor operation narratives along the divides.

Internal MISP references

UUID b3e586f5-98e3-556c-8d00-2d5be1482438 which can be used as unique global reference for Identify Existing Fissures in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.004
kill_chain ['tactics:Target Audience Analysis']

Identify Existing Conspiracy Narratives/Suspicions

An influence operation may assess preexisting conspiracy theories or suspicions in a population to identify existing narratives that support operational objectives.

Internal MISP references

UUID eb4cc97e-5620-5bf9-9b8b-1d6f5e00f81d which can be used as unique global reference for Identify Existing Conspiracy Narratives/Suspicions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.005
kill_chain ['tactics:Target Audience Analysis']

Identify Wedge Issues

A wedge issue is a divisive political issue, usually concerning a social phenomenon, that divides individuals along a defined line. An influence operation may exploit wedge issues by intentionally polarising the public along the wedge issue line and encouraging opposition between factions.

Internal MISP references

UUID ac3f406b-c1dc-561a-ad27-c65c22a3a321 which can be used as unique global reference for Identify Wedge Issues in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.006
kill_chain ['tactics:Target Audience Analysis']

Identify Target Audience Adversaries

An influence operation may identify or create a real or imaginary adversary to centre operation narratives against. A real adversary may include certain politicians or political parties while imaginary adversaries may include falsified “deep state”62 actors that, according to conspiracies, run the state behind public view.

Internal MISP references

UUID 302d5e0a-375a-5fc6-a1da-0b33c9268af6 which can be used as unique global reference for Identify Target Audience Adversaries in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.007
kill_chain ['tactics:Target Audience Analysis']

Identify Media System Vulnerabilities

An influence operation may exploit existing weaknesses in a target’s media system. These weaknesses may include existing biases among media agencies, vulnerability to false news agencies on social media, or existing distrust of traditional media sources. An existing distrust among the public in the media system’s credibility holds high potential for exploitation by an influence operation when establishing alternative news agencies to spread operation content.

Internal MISP references

UUID 662f0d37-b90a-559f-8685-fa06a69be1cb which can be used as unique global reference for Identify Media System Vulnerabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0081.008
kill_chain ['tactics:Target Audience Analysis']

Develop New Narratives

Actors may develop new narratives to further strategic or tactical goals, especially when existing narratives adequately align with the campaign goals. New narratives provide more control in terms of crafting the message to achieve specific goals. However, new narratives may require more effort to disseminate than adapting or adopting existing narratives.

Internal MISP references

UUID 4896a448-be51-5423-89cd-efb6444b1c75 which can be used as unique global reference for Develop New Narratives in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0082
kill_chain ['tactics:Develop Narratives']

Integrate Target Audience Vulnerabilities into Narrative

An influence operation may seek to exploit the preexisting weaknesses, fears, and enemies of the target audience for integration into the operation’s narratives and overall strategy. Integrating existing vulnerabilities into the operational approach conserves resources by exploiting already weak areas of the target information environment instead of forcing the operation to create new vulnerabilities in the environment.

Internal MISP references

UUID f78a066b-d01b-5f14-8327-4e2856a187d2 which can be used as unique global reference for Integrate Target Audience Vulnerabilities into Narrative in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0083
kill_chain ['tactics:Develop Narratives']

Reuse Existing Content

When an operation recycles content from its own previous operations or plagiarises from external operations. An operation may launder information to conserve resources that would have otherwise been utilised to develop new content.

Internal MISP references

UUID 7828596a-f1b5-563c-bd40-4a876b5cec58 which can be used as unique global reference for Reuse Existing Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0084
kill_chain ['tactics:Develop Content']

Use Copypasta

Copypasta refers to a piece of text that has been copied and pasted multiple times across various online platforms. A copypasta’s final form may differ from its original source text as users add, delete, or otherwise edit the content as they repost the text.

Internal MISP references

UUID dba75e23-c7f8-504d-83a7-5771148e5951 which can be used as unique global reference for Use Copypasta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0084.001
kill_chain ['tactics:Develop Content']

Plagiarise Content

An influence operation may take content from other sources without proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources.

Internal MISP references

UUID 33787c2e-55c8-54a4-9d2d-541a35b5932e which can be used as unique global reference for Plagiarise Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0084.002
kill_chain ['tactics:Develop Content']

Deceptively Labelled or Translated

An influence operation may take authentic content from other sources and add deceptive labels or deceptively translate the content into other langauges.

Internal MISP references

UUID a1f69093-a97c-561e-80ec-da8c93004205 which can be used as unique global reference for Deceptively Labelled or Translated in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0084.003
kill_chain ['tactics:Develop Content']

Appropriate Content

An influence operation may take content from other sources with proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources. Examples include the appropriation of content from one inauthentic news site to another inauthentic news site or network in ways that align with the originators licencing or terms of service.

Internal MISP references

UUID f941e002-c556-5621-a80e-c52a38c54bc9 which can be used as unique global reference for Appropriate Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0084.004
kill_chain ['tactics:Develop Content']

Develop Text-Based Content

Creating and editing false or misleading text-based artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign.

Internal MISP references

UUID bff9c590-c655-5c15-ae4d-13d353a0d9a4 which can be used as unique global reference for Develop Text-Based Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085
kill_chain ['tactics:Develop Content']

Develop AI-Generated Text

AI-generated texts refers to synthetic text composed by computers using text-generating AI technology. Autonomous generation refers to content created by a bot without human input, also known as bot-created content generation. Autonomous generation represents the next step in automation after language generation and may lead to automated journalism. An influence operation may use read fakes or autonomous generation to quickly develop and distribute content to the target audience.

Internal MISP references

UUID ed3754e6-bc15-5cf0-8a4b-8737b3814225 which can be used as unique global reference for Develop AI-Generated Text in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085.001
kill_chain ['tactics:Develop Content']

Develop Inauthentic News Articles

An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives.

Internal MISP references

UUID 7bbdfe14-8294-54f7-9842-449f2db17a90 which can be used as unique global reference for Develop Inauthentic News Articles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085.003
kill_chain ['tactics:Develop Content']

Develop Document

Produce text in the form of a document.

Internal MISP references

UUID 5f8303e9-4956-589a-a4c6-6b929143f460 which can be used as unique global reference for Develop Document in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085.004
kill_chain ['tactics:Develop Content']

Develop Book

Produce text content in the form of a book. 

This technique covers both e-books and physical books, however, the former is more easily deployed by threat actors given the lower cost to develop.

Internal MISP references

UUID c363e714-6b46-5f44-8446-ab88fa5974e9 which can be used as unique global reference for Develop Book in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085.005
kill_chain ['tactics:Develop Content']

Develop Opinion Article

Opinion articles (aka “Op-Eds” or “Editorials”) are articles or regular columns flagged as “opinion” posted to news sources, and can be contributed by people outside the organisation. 

Flagging articles as opinions allow news organisations to distinguish them from the typical expectations of objective news reporting while distancing the presented opinion from the organisation or its employees.

The use of this technique is not by itself an indication of malicious or inauthentic content; Op-eds are a common format in media. However, threat actors exploit op-eds to, for example, submit opinion articles to local media to promote their narratives.

Examples from the perspective of a news site involve publishing op-eds from perceived prestigious voices to give legitimacy to an inauthentic publication, or supporting causes by hosting op-eds from actors aligned with the organisation’s goals.

Internal MISP references

UUID a3c5ef63-020b-5dd9-b8b1-303d6e0d2201 which can be used as unique global reference for Develop Opinion Article in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085.006
kill_chain ['tactics:Develop Content']

Create Fake Research

Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx.

This Technique previously used the ID T0019.001

Internal MISP references

UUID 130f70c4-5c39-5284-b604-b4711c6c41b8 which can be used as unique global reference for Create Fake Research in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0085.007
kill_chain ['tactics:Develop Content']

Develop Image-Based Content

Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies.

Internal MISP references

UUID 9039269a-4975-52f8-92a8-f142978ffcef which can be used as unique global reference for Develop Image-Based Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0086
kill_chain ['tactics:Develop Content']

Develop Memes

Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

Internal MISP references

UUID 8c65e301-7dc0-5727-879b-288a643a992b which can be used as unique global reference for Develop Memes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0086.001
kill_chain ['tactics:Develop Content']

Develop AI-Generated Images (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

Internal MISP references

UUID 0fa4f572-63c0-5a60-9e5e-2234e94f0ee6 which can be used as unique global reference for Develop AI-Generated Images (Deepfakes) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0086.002
kill_chain ['tactics:Develop Content']

Deceptively Edit Images (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.

Internal MISP references

UUID 69161c7b-a90f-5d96-a429-24a0d40d9973 which can be used as unique global reference for Deceptively Edit Images (Cheap Fakes) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0086.003
kill_chain ['tactics:Develop Content']

Aggregate Information into Evidence Collages

Image files that aggregate positive evidence (Joan Donovan)

Internal MISP references

UUID b8a00aa5-9527-5128-a447-210d43bf11e2 which can be used as unique global reference for Aggregate Information into Evidence Collages in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0086.004
kill_chain ['tactics:Develop Content']

Develop Video-Based Content

Creating and editing false or misleading video artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include staging videos of purportedly real situations, repurposing existing video artefacts, or using AI-generated video creation and editing technologies (including deepfakes).

Internal MISP references

UUID 97ef881f-9056-5390-8968-2b3d34d2cff8 which can be used as unique global reference for Develop Video-Based Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0087
kill_chain ['tactics:Develop Content']

Develop AI-Generated Videos (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

Internal MISP references

UUID 7a3328b8-0998-5bcd-9646-1e0f593802eb which can be used as unique global reference for Develop AI-Generated Videos (Deepfakes) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0087.001
kill_chain ['tactics:Develop Content']

Deceptively Edit Video (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.

Internal MISP references

UUID 044465ed-375a-59b8-aece-347c73974cfb which can be used as unique global reference for Deceptively Edit Video (Cheap Fakes) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0087.002
kill_chain ['tactics:Develop Content']

Develop Audio-Based Content

Creating and editing false or misleading audio artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include creating completely new audio content, repurposing existing audio artefacts (including cheap fakes), or using AI-generated audio creation and editing technologies (including deepfakes).

Internal MISP references

UUID 32f31f65-b210-57f8-a4e6-396d6f9676f0 which can be used as unique global reference for Develop Audio-Based Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0088
kill_chain ['tactics:Develop Content']

Develop AI-Generated Audio (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

Internal MISP references

UUID 96c96c0a-1e24-5b80-a7c2-2f31767c5fc3 which can be used as unique global reference for Develop AI-Generated Audio (Deepfakes) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0088.001
kill_chain ['tactics:Develop Content']

Deceptively Edit Audio (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.

Internal MISP references

UUID 482af0a0-50e3-57d6-99af-b8de290d1d00 which can be used as unique global reference for Deceptively Edit Audio (Cheap Fakes) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0088.002
kill_chain ['tactics:Develop Content']

Obtain Private Documents

Procuring documents that are not publicly available, by whatever means -- whether legal or illegal, highly-resourced or less so. These documents can include authentic non-public documents, authentic non-public documents have been altered, or inauthentic documents intended to appear as if they are authentic non-public documents. All of these types of documents can be "leaked" during later stages in the operation.

Internal MISP references

UUID 31254ebe-90c8-5dc6-8ee2-2f27ceb732c3 which can be used as unique global reference for Obtain Private Documents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0089
kill_chain ['tactics:Develop Content']

Obtain Authentic Documents

Procure authentic documents that are not publicly available, by whatever means -- whether legal or illegal, highly-resourced or less so. These documents can be "leaked" during later stages in the operation.

Internal MISP references

UUID 0ac164e0-f9ea-55a6-ab2b-8d8710f30b1c which can be used as unique global reference for Obtain Authentic Documents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0089.001
kill_chain ['tactics:Develop Content']

Alter Authentic Documents

Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be "leaked" during later stages in the operation.

Internal MISP references

UUID 8214610e-69c5-509d-9b04-a393cdc586ec which can be used as unique global reference for Alter Authentic Documents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0089.003
kill_chain ['tactics:Develop Content']

Create Inauthentic Accounts

Inauthentic accounts include bot accounts, cyborg accounts, sockpuppet accounts, and anonymous accounts.

Internal MISP references

UUID fef2cb67-00a3-5141-88df-c3e6a2ae6d56 which can be used as unique global reference for Create Inauthentic Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0090
kill_chain ['tactics:Establish Assets']

Create Anonymous Accounts

Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation.

Internal MISP references

UUID f3927312-d6d3-5124-b831-5446c1fb5e6e which can be used as unique global reference for Create Anonymous Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0090.001
kill_chain ['tactics:Establish Assets']

Create Cyborg Accounts

Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behaviour with human interaction.

Internal MISP references

UUID 8fa7973f-e10d-5367-af06-76f9e0fc7fc7 which can be used as unique global reference for Create Cyborg Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0090.002
kill_chain ['tactics:Establish Assets']

Create Bot Accounts

Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behaviour. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may programme a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources. Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as a Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots102 pose as real people by mimicking human behaviour, complicating their detection.

Internal MISP references

UUID 16b41179-d9f3-50ea-aedb-ed9e667d6249 which can be used as unique global reference for Create Bot Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0090.003
kill_chain ['tactics:Establish Assets']

Create Sockpuppet Accounts

Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account.67 Sockpuppet accounts help legitimise operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation.

Internal MISP references

UUID 0e5ca353-ba01-5dec-95a4-19ca45cb7717 which can be used as unique global reference for Create Sockpuppet Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0090.004
kill_chain ['tactics:Establish Assets']

Recruit Malign Actors

Operators recruit bad actors paying recruiting, or exerting control over individuals includes trolls, partisans, and contractors.

Internal MISP references

UUID 981baf1f-f9ae-523b-a135-06b2b940e1ea which can be used as unique global reference for Recruit Malign Actors in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0091
kill_chain ['tactics:Establish Assets']

Recruit Contractors

Operators recruit paid contractor to support the campaign.

Internal MISP references

UUID 8278b8d9-e056-5d6d-827d-4752bb2d7833 which can be used as unique global reference for Recruit Contractors in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0091.001
kill_chain ['tactics:Establish Assets']

Recruit Partisans

Operators recruit partisans (ideologically-aligned individuals) to support the campaign.

Internal MISP references

UUID 6c3ac844-a6fc-545d-9957-a1513949f639 which can be used as unique global reference for Recruit Partisans in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0091.002
kill_chain ['tactics:Establish Assets']

Enlist Troll Accounts

An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate. Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organisation, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalised or less organised and work for a single individual.

Internal MISP references

UUID 0ac30e0e-434d-510a-a2f8-1b330338134d which can be used as unique global reference for Enlist Troll Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0091.003
kill_chain ['tactics:Establish Assets']

Build Network

Operators build their own network, creating links between accounts -- whether authentic or inauthentic -- in order amplify and promote narratives and artefacts, and encourage further growth of ther network, as well as the ongoing sharing and engagement with operational content.

Internal MISP references

UUID ef0c7e64-7702-5624-8318-d6f2d592433b which can be used as unique global reference for Build Network in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0092
kill_chain ['tactics:Establish Assets']

Create Organisations

Influence operations may establish organisations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.

Internal MISP references

UUID bc78ce0a-1a9a-56b2-9e2d-77df7d14cf82 which can be used as unique global reference for Create Organisations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0092.001
kill_chain ['tactics:Establish Assets']

Use Follow Trains

A follow train is a group of people who follow each other on a social media platform, often as a way for an individual or campaign to grow its social media following. Follow trains may be a violation of platform Terms of Service. They are also known as follow-for-follow groups.

Internal MISP references

UUID 3d9be546-6fd4-5171-b418-f7dc7557f347 which can be used as unique global reference for Use Follow Trains in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0092.002
kill_chain ['tactics:Establish Assets']

Create Community or Sub-Group

When there is not an existing community or sub-group that meets a campaign's goals, an influence operation may seek to create a community or sub-group.

Internal MISP references

UUID 0462781b-c754-5d6a-8742-91cb02d81034 which can be used as unique global reference for Create Community or Sub-Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0092.003
kill_chain ['tactics:Establish Assets']

Acquire/Recruit Network

Operators acquire an existing network by paying, recruiting, or exerting control over the leaders of the existing network.

Internal MISP references

UUID c1512f4a-9f4a-5b67-9f20-dbc40942d136 which can be used as unique global reference for Acquire/Recruit Network in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0093
kill_chain ['tactics:Establish Assets']

Fund Proxies

An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including: - Diversifying operation locations to complicate attribution - Reducing the workload for direct operation assets

Internal MISP references

UUID fb44dd38-07ef-5274-b3c9-c5e59afa1750 which can be used as unique global reference for Fund Proxies in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0093.001
kill_chain ['tactics:Establish Assets']

Acquire Botnets

A botnet is a group of bots that can function in coordination with each other.

Internal MISP references

UUID 750ed343-1ad9-5eb3-bbb4-08d680d47f53 which can be used as unique global reference for Acquire Botnets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0093.002
kill_chain ['tactics:Establish Assets']

Infiltrate Existing Networks

Operators deceptively insert social assets into existing networks as group members in order to influence the members of the network and the wider information environment that the network impacts.

Internal MISP references

UUID bb12e908-0783-53cb-9b29-de4bc8786604 which can be used as unique global reference for Infiltrate Existing Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0094
kill_chain ['tactics:Establish Assets']

Identify Susceptible Targets in Networks

When seeking to infiltrate an existing network, an influence operation may identify individuals and groups that might be susceptible to being co-opted or influenced.

Internal MISP references

UUID 16aa2680-49bf-531c-a654-2e06dd852ac8 which can be used as unique global reference for Identify Susceptible Targets in Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0094.001
kill_chain ['tactics:Establish Assets']

Utilise Butterfly Attacks

Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organisations, and media campaigns.

Internal MISP references

UUID 9748df5d-c55d-5f30-80c9-670bdf312ecd which can be used as unique global reference for Utilise Butterfly Attacks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0094.002
kill_chain ['tactics:Establish Assets']

Develop Owned Media Assets

An owned media asset refers to an agency or organisation through which an influence operation may create, develop, and host content and narratives. Owned media assets include websites, blogs, social media pages, forums, and other platforms that facilitate the creation and organisation of content.

Internal MISP references

UUID 9aff2d75-3898-56bc-b5ae-2d3566ab8de2 which can be used as unique global reference for Develop Owned Media Assets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0095
kill_chain ['tactics:Establish Assets']

Leverage Content Farms

Using the services of large-scale content providers for creating and amplifying campaign artefacts at scale.

Internal MISP references

UUID 845f886a-80e7-587a-a8c2-1473488d290e which can be used as unique global reference for Leverage Content Farms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0096
kill_chain ['tactics:Establish Assets']

Create Content Farms

An influence operation may create an organisation for creating and amplifying campaign artefacts at scale.

Internal MISP references

UUID c07d2615-36a0-52cc-8cbb-84442420df07 which can be used as unique global reference for Create Content Farms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0096.001
kill_chain ['tactics:Establish Assets']

Outsource Content Creation to External Organisations

An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organisation that can create content in the target audience’s native language. Employed organisations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media.

Internal MISP references

UUID ccbc4898-76ec-5bc3-a0d2-39473fb20c2f which can be used as unique global reference for Outsource Content Creation to External Organisations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0096.002
kill_chain ['tactics:Establish Assets']

Create Personas

Creating fake people, often with accounts across multiple platforms. These personas can be as simple as a name, can contain slightly more background like location, profile pictures, backstory, or can be effectively backstopped with indicators like fake identity documents.

Internal MISP references

UUID 7f984091-41b3-5e8f-b723-1d5eb9150d1d which can be used as unique global reference for Create Personas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0097
kill_chain ['tactics:Establish Legitimacy']

Produce Evidence for Persona

People may produce evidence which supports the persona they are deploying (T0097) (aka “backstopping” the persona).

This Technique covers situations where evidence is developed or produced as part of an influence operation to increase the perceived legitimacy of a persona used during IO, including creating accounts for the same persona on multiple platforms.

The use of personas (T0097), and providing evidence to improve people’s perception of one’s persona (T0097.001), are not necessarily malicious or inauthentic. However, sometimes people use personas to increase the perceived legitimacy of narratives for malicious purposes.

This Technique was previously called Backstop Personas.

Internal MISP references

UUID 2341584c-3ca5-5d2e-85f8-2b9c4da81268 which can be used as unique global reference for Produce Evidence for Persona in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0097.001
kill_chain ['tactics:Establish Legitimacy']

Establish Inauthentic News Sites

Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details.

Internal MISP references

UUID abaff1d4-e7b1-597b-bb22-556f54a9602c which can be used as unique global reference for Establish Inauthentic News Sites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0098
kill_chain ['tactics:Establish Legitimacy']

Create Inauthentic News Sites

Create Inauthentic News Sites

Internal MISP references

UUID b9dceeab-f5d8-50ae-ad8a-365d77fc4a3d which can be used as unique global reference for Create Inauthentic News Sites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0098.001
kill_chain ['tactics:Establish Legitimacy']

Leverage Existing Inauthentic News Sites

Leverage Existing Inauthentic News Sites

Internal MISP references

UUID 51648b8d-6019-5545-a67b-e2e1e4b901a2 which can be used as unique global reference for Leverage Existing Inauthentic News Sites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0098.002
kill_chain ['tactics:Establish Legitimacy']

Impersonate Existing Entity

An influence operation may prepare assets impersonating existing entities (both organisations and people) to further conceal its network identity and add a layer of legitimacy to its operation content. Existing entities may include authentic news outlets, public figures, organisations, or state entities. 

Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. 

An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. 

This Technique was previously called Prepare Assets Impersonating Legitimate Entities.

Internal MISP references

UUID 9758be4b-0f4d-5438-bc2a-567bffb8cd57 which can be used as unique global reference for Impersonate Existing Entity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0099
kill_chain ['tactics:Establish Legitimacy']

Spoof/Parody Account/Site

An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities.

Internal MISP references

UUID 8eab0457-f145-56f7-aac6-d46ec8225570 which can be used as unique global reference for Spoof/Parody Account/Site in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0099.002
kill_chain ['tactics:Establish Legitimacy']

Impersonate Existing Organisation

A situation where a threat actor styles their online assets or content to mimic an existing organisation.

This can be done to take advantage of peoples’ trust in the organisation to increase narrative believability, to smear the organisation, or to make the organisation less trustworthy.

Internal MISP references

UUID 87a87abc-4860-51e5-a3cb-527d763dd7b1 which can be used as unique global reference for Impersonate Existing Organisation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0099.003
kill_chain ['tactics:Establish Legitimacy']

Impersonate Existing Media Outlet

A situation where a threat actor styles their online assets or content to mimic an existing media outlet.

This can be done to take advantage of peoples’ trust in the outlet to increase narrative believability, to smear the outlet, or to make the outlet less trustworthy.

Internal MISP references

UUID 6d757126-920d-5bd3-8eeb-c555e9f6482e which can be used as unique global reference for Impersonate Existing Media Outlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0099.004
kill_chain ['tactics:Establish Legitimacy']

Impersonate Existing Official

A situation where a threat actor styles their online assets or content to impersonate an official (including government officials, organisation officials, etc).

Internal MISP references

UUID 90a440e1-5618-5406-9ce3-2e61cf6c5e77 which can be used as unique global reference for Impersonate Existing Official in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0099.005
kill_chain ['tactics:Establish Legitimacy']

Impersonate Existing Influencer

A situation where a threat actor styles their online assets or content to impersonate an influencer or celebrity, typically to exploit users’ existing faith in the impersonated target.

Internal MISP references

UUID c2714def-dd7a-5091-818a-0c219af8135f which can be used as unique global reference for Impersonate Existing Influencer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0099.006
kill_chain ['tactics:Establish Legitimacy']

Co-Opt Trusted Sources

An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include: - National or local new outlets - Research or academic publications - Online blogs or websites

Internal MISP references

UUID 052ea05b-d892-5987-8017-0efad3d88a27 which can be used as unique global reference for Co-Opt Trusted Sources in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0100
kill_chain ['tactics:Establish Legitimacy']

Co-Opt Trusted Individuals

Co-Opt Trusted Individuals

Internal MISP references

UUID 8592f95a-a576-5c9f-8f62-66089345255a which can be used as unique global reference for Co-Opt Trusted Individuals in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0100.001
kill_chain ['tactics:Establish Legitimacy']

Co-Opt Grassroots Groups

Co-Opt Grassroots Groups

Internal MISP references

UUID 8b9308aa-c65d-5e00-bb60-f93873611283 which can be used as unique global reference for Co-Opt Grassroots Groups in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0100.002
kill_chain ['tactics:Establish Legitimacy']

Co-Opt Influencers

Co-opt Influencers

Internal MISP references

UUID 7e763150-56e9-50e0-a180-3faf14734574 which can be used as unique global reference for Co-Opt Influencers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0100.003
kill_chain ['tactics:Establish Legitimacy']

Create Localised Content

Localised content refers to content that appeals to a specific community of individuals, often in defined geographic areas. An operation may create localised content using local language and dialects to resonate with its target audience and blend in with other local news and social media. Localised content may help an operation increase legitimacy, avoid detection, and complicate external attribution.

Internal MISP references

UUID a2355290-e41e-5210-b03c-6ef88d4b61c2 which can be used as unique global reference for Create Localised Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0101
kill_chain ['tactics:Microtarget']

Leverage Echo Chambers/Filter Bubbles

An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm's placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by match existing groups, or aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members.

Internal MISP references

UUID d4e6d8d6-125c-58cf-924f-960e17a795bf which can be used as unique global reference for Leverage Echo Chambers/Filter Bubbles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0102
kill_chain ['tactics:Microtarget']

Use Existing Echo Chambers/Filter Bubbles

Use existing Echo Chambers/Filter Bubbles

Internal MISP references

UUID bfa744ce-4cbb-5cc3-9cb5-406783d5d5d9 which can be used as unique global reference for Use Existing Echo Chambers/Filter Bubbles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0102.001
kill_chain ['tactics:Microtarget']

Create Echo Chambers/Filter Bubbles

Create Echo Chambers/Filter Bubbles

Internal MISP references

UUID 1a8c5e95-d053-5cf1-98c9-7e33b04708ab which can be used as unique global reference for Create Echo Chambers/Filter Bubbles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0102.002
kill_chain ['tactics:Microtarget']

Exploit Data Voids

A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.

Internal MISP references

UUID 62a656a7-9e5f-58e3-b563-9396006fadc3 which can be used as unique global reference for Exploit Data Voids in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0102.003
kill_chain ['tactics:Microtarget']

Livestream

A livestream refers to an online broadcast capability that allows for real-time communication to closed or open networks.

Internal MISP references

UUID aead2978-a869-5fc7-96f6-f9c55baf2e09 which can be used as unique global reference for Livestream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0103
kill_chain ['tactics:Select Channels and Affordances']

Video Livestream

A video livestream refers to an online video broadcast capability that allows for real-time communication to closed or open networks.

Internal MISP references

UUID b8200b83-54c4-5448-86a8-08fa1223b470 which can be used as unique global reference for Video Livestream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0103.001
kill_chain ['tactics:Select Channels and Affordances']

Audio Livestream

An audio livestream refers to an online audio broadcast capability that allows for real-time communication to closed or open networks.

Internal MISP references

UUID 880869e4-2576-5a33-bea0-f35bb71fcdc0 which can be used as unique global reference for Audio Livestream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0103.002
kill_chain ['tactics:Select Channels and Affordances']

Social Networks

Social media are interactive digital channels that facilitate the creation and sharing of information, ideas, interests, and other forms of expression through virtual communities and networks.

Internal MISP references

UUID 012be2cf-7aed-5ac4-8fb5-ad7ffff73ea0 which can be used as unique global reference for Social Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104
kill_chain ['tactics:Select Channels and Affordances']

Mainstream Social Networks

Examples include Facebook, Twitter, LinkedIn, etc.

Internal MISP references

UUID 79364323-1d9e-5e29-8bd8-d0bc7bf32f30 which can be used as unique global reference for Mainstream Social Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104.001
kill_chain ['tactics:Select Channels and Affordances']

Dating App

“Dating App” refers to any platform (or platform feature) in which the ostensive purpose is for users to develop a physical/romantic relationship with other users.

Threat Actors can exploit users’ quest for love to trick them into doing things like revealing sensitive information or giving them money.

Examples include Tinder, Bumble, Grindr, Facebook Dating, Tantan, Badoo, Plenty of Fish, hinge, LOVOO, OkCupid, happn, and Mamba.

Internal MISP references

UUID 96b1a88b-ea2d-51ad-a473-1669e956d387 which can be used as unique global reference for Dating App in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104.002
kill_chain ['tactics:Select Channels and Affordances']

Private/Closed Social Networks

Social networks that are not open to people outside of family, friends, neighbours, or co-workers. Non-work-related examples include Couple, FamilyWall, 23snaps, and Nextdoor. Some of the larger social network platforms enable closed communities: examples are Instagram Close Friends and Twitter (X) Circle. Work-related examples of private social networks include LinkedIn, Facebook Workplace, and enterprise communication platforms such as Slack or Microsoft Teams.

Internal MISP references

UUID ebcad87c-1217-5d90-8f6f-43d078a3d461 which can be used as unique global reference for Private/Closed Social Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104.003
kill_chain ['tactics:Select Channels and Affordances']

Interest-Based Networks

Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.

Internal MISP references

UUID 7f80d0ec-c3d9-501f-9688-780ed4fa3720 which can be used as unique global reference for Interest-Based Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104.004
kill_chain ['tactics:Select Channels and Affordances']

Use Hashtags

Use a dedicated, existing hashtag for the campaign/incident.

Internal MISP references

UUID 6e852d19-6582-5713-bdf0-18a68ee50bd8 which can be used as unique global reference for Use Hashtags in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104.005
kill_chain ['tactics:Select Channels and Affordances']

Create Dedicated Hashtag

Create a campaign/incident specific hashtag.

Internal MISP references

UUID 732d47a6-ba6a-56d4-828c-6e6612d9c95d which can be used as unique global reference for Create Dedicated Hashtag in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0104.006
kill_chain ['tactics:Select Channels and Affordances']

Media Sharing Networks

Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, Youtube, SoundCloud.

Internal MISP references

UUID d201dc16-622a-5da2-b82a-9924607f2e24 which can be used as unique global reference for Media Sharing Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0105
kill_chain ['tactics:Select Channels and Affordances']

Photo Sharing

Examples include Instagram, Snapchat, Flickr, etc

Internal MISP references

UUID 727b8c48-8a62-5804-a1af-fd0b6ec71699 which can be used as unique global reference for Photo Sharing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0105.001
kill_chain ['tactics:Select Channels and Affordances']

Video Sharing

Examples include Youtube, TikTok, ShareChat, Rumble, etc

Internal MISP references

UUID 84e96b27-ea09-5a88-9ad7-d6420cc06ee8 which can be used as unique global reference for Video Sharing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0105.002
kill_chain ['tactics:Select Channels and Affordances']

Audio Sharing

Examples include podcasting apps, Soundcloud, etc.

Internal MISP references

UUID 0f5bce10-d1d9-5270-9b54-0214e2353724 which can be used as unique global reference for Audio Sharing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0105.003
kill_chain ['tactics:Select Channels and Affordances']

Discussion Forums

Platforms for finding, discussing, and sharing information and opinions. Examples include Reddit, Quora, Digg, message boards, interest-based discussion forums, etc.

Internal MISP references

UUID 1f4ef9c4-e3f3-5981-a4c9-9aed559323d0 which can be used as unique global reference for Discussion Forums in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0106
kill_chain ['tactics:Select Channels and Affordances']

Anonymous Message Boards

Examples include the Chans

Internal MISP references

UUID 12fb075d-f148-5eab-ae24-94799f055750 which can be used as unique global reference for Anonymous Message Boards in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0106.001
kill_chain ['tactics:Select Channels and Affordances']

Bookmarking and Content Curation

Platforms for searching, sharing, and curating content and media. Examples include Pinterest, Flipboard, etc.

Internal MISP references

UUID cc4df2aa-7a91-53a3-816f-c1d9340801ea which can be used as unique global reference for Bookmarking and Content Curation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0107
kill_chain ['tactics:Select Channels and Affordances']

Blogging and Publishing Networks

Examples include WordPress, Blogger, Weebly, Tumblr, Medium, etc.

Internal MISP references

UUID 274821cc-3f7a-5785-8712-0f46a5e2903b which can be used as unique global reference for Blogging and Publishing Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0108
kill_chain ['tactics:Select Channels and Affordances']

Consumer Review Networks

Platforms for finding, reviewing, and sharing information about brands, products, services, restaurants, travel destinations, etc. Examples include Yelp, TripAdvisor, etc.

Internal MISP references

UUID 64d83292-f532-5aca-b76e-69e4741d4a6e which can be used as unique global reference for Consumer Review Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0109
kill_chain ['tactics:Select Channels and Affordances']

Formal Diplomatic Channels

Leveraging formal, traditional, diplomatic channels to communicate with foreign governments (written documents, meetings, summits, diplomatic visits, etc). This type of diplomacy is conducted by diplomats of one nation with diplomats and other officials of another nation or international organisation.

Internal MISP references

UUID 46aedae0-4850-5af6-8db4-ad5665ecd2a4 which can be used as unique global reference for Formal Diplomatic Channels in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0110
kill_chain ['tactics:Select Channels and Affordances']

Traditional Media

Examples include TV, Newspaper, Radio, etc.

Internal MISP references

UUID 5cb9a5f0-e6a6-57e8-9cc4-262c807281fa which can be used as unique global reference for Traditional Media in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0111
kill_chain ['tactics:Select Channels and Affordances']

TV

TV

Internal MISP references

UUID 7c5bb87d-d038-5a46-9069-6cb8d01a19e7 which can be used as unique global reference for TV in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0111.001
kill_chain ['tactics:Select Channels and Affordances']

Newspaper

Newspaper

Internal MISP references

UUID 21fa5ba1-9782-5cad-8903-7abb955ed9b1 which can be used as unique global reference for Newspaper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0111.002
kill_chain ['tactics:Select Channels and Affordances']

Radio

Radio

Internal MISP references

UUID 6d83b061-da10-5693-837c-960285176c0b which can be used as unique global reference for Radio in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0111.003
kill_chain ['tactics:Select Channels and Affordances']

Email

Delivering content and narratives via email. This can include using list management or high-value individually targeted messaging.

Internal MISP references

UUID 32ec2894-3a89-5b14-be34-77289f1106ca which can be used as unique global reference for Email in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0112
kill_chain ['tactics:Select Channels and Affordances']

Employ Commercial Analytic Firms

Commercial analytic firms collect data on target audience activities and evaluate the data to detect trends, such as content receiving high click-rates. An influence operation may employ commercial analytic firms to facilitate external collection on its target audience, complicating attribution efforts and better tailoring the content to audience preferences.

Internal MISP references

UUID d6a72ed4-28f9-5736-b8a6-459679026513 which can be used as unique global reference for Employ Commercial Analytic Firms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0113
kill_chain ['tactics:Establish Assets']

Deliver Ads

Delivering content via any form of paid media or advertising.

Internal MISP references

UUID 51639828-5e65-5f32-9858-7020166d26dd which can be used as unique global reference for Deliver Ads in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0114
kill_chain ['tactics:Deliver Content']

Social Media

Social Media

Internal MISP references

UUID 9c655aa6-1474-5ab9-8eff-519df00fe41b which can be used as unique global reference for Social Media in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0114.001
kill_chain ['tactics:Deliver Content']

Post Content

Delivering content by posting via owned media (assets that the operator controls).

Internal MISP references

UUID e41d7f0f-d913-5973-b8a3-385b39e78ebd which can be used as unique global reference for Post Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0115
kill_chain ['tactics:Deliver Content']

Share Memes

Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

Internal MISP references

UUID 986815f4-a31d-57bd-8782-9039044af3af which can be used as unique global reference for Share Memes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0115.001
kill_chain ['tactics:Deliver Content']

Post Violative Content to Provoke Takedown and Backlash

Post Violative Content to Provoke Takedown and Backlash.

Internal MISP references

UUID 70a3dd8d-c492-5b80-a77c-21f05a72a8c4 which can be used as unique global reference for Post Violative Content to Provoke Takedown and Backlash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0115.002
kill_chain ['tactics:Deliver Content']

One-Way Direct Posting

Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative.

Internal MISP references

UUID 344ef4f6-8020-5493-871e-b7015d53bfae which can be used as unique global reference for One-Way Direct Posting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0115.003
kill_chain ['tactics:Deliver Content']

Comment or Reply on Content

Delivering content by replying or commenting via owned media (assets that the operator controls).

Internal MISP references

UUID df724dcc-0d26-5c3b-aec1-b3c82f509f07 which can be used as unique global reference for Comment or Reply on Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0116
kill_chain ['tactics:Deliver Content']

Post Inauthentic Social Media Comment

Use government-paid social media commenters, astroturfers, chat bots (programmed to reply to specific key words/hashtags) influence online conversations, product reviews, web-site comment forums.

Internal MISP references

UUID c5d17eaa-9f30-5b38-a54a-ddc853981e53 which can be used as unique global reference for Post Inauthentic Social Media Comment in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0116.001
kill_chain ['tactics:Deliver Content']

Attract Traditional Media

Deliver content by attracting the attention of traditional media (earned media).

Internal MISP references

UUID 40c341c1-873c-5cbe-bac6-eaeed322d74e which can be used as unique global reference for Attract Traditional Media in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0117
kill_chain ['tactics:Deliver Content']

Amplify Existing Narrative

An influence operation may amplify existing narratives that align with its narratives to support operation objectives.

Internal MISP references

UUID 69fe11a4-89b8-5c78-8872-7f7bc7a870f1 which can be used as unique global reference for Amplify Existing Narrative in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0118
kill_chain ['tactics:Maximise Exposure']

Cross-Posting

Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience.

Internal MISP references

UUID 324248a7-3a0c-5689-8f0e-770d6d6f2dd7 which can be used as unique global reference for Cross-Posting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0119
kill_chain ['tactics:Maximise Exposure']

Post across Groups

An influence operation may post content across groups to spread narratives and content to new communities within the target audiences or to new target audiences.

Internal MISP references

UUID d6cb6d4e-f75a-50af-b629-bea934659403 which can be used as unique global reference for Post across Groups in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0119.001
kill_chain ['tactics:Maximise Exposure']

Post across Platform

An influence operation may post content across platforms to spread narratives and content to new communities within the target audiences or to new target audiences. Posting across platforms can also remove opposition and context, helping the narrative spread with less opposition on the cross-posted platform.

Internal MISP references

UUID 7dfb83d1-507f-517e-912f-6deefee4ce3f which can be used as unique global reference for Post across Platform in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0119.002
kill_chain ['tactics:Maximise Exposure']

Post across Disciplines

Post Across Disciplines

Internal MISP references

UUID 32ad368e-ac64-59bb-921a-80fdff8eed09 which can be used as unique global reference for Post across Disciplines in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0119.003
kill_chain ['tactics:Maximise Exposure']

Incentivize Sharing

Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content.

Internal MISP references

UUID e8a91999-4d28-5d96-a427-d67c23a9c661 which can be used as unique global reference for Incentivize Sharing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0120
kill_chain ['tactics:Maximise Exposure']

Use Affiliate Marketing Programmes

Use Affiliate Marketing Programmes

Internal MISP references

UUID cd41b90c-5c59-5c1f-9824-515e9394d546 which can be used as unique global reference for Use Affiliate Marketing Programmes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0120.001
kill_chain ['tactics:Maximise Exposure']

Use Contests and Prizes

Use Contests and Prizes

Internal MISP references

UUID 7fcb8b90-f534-5a4e-8321-d1610916eaa0 which can be used as unique global reference for Use Contests and Prizes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0120.002
kill_chain ['tactics:Maximise Exposure']

Manipulate Platform Algorithm

Manipulating a platform algorithm refers to conducting activity on a platform in a way that intentionally targets its underlying algorithm. After analysing a platform’s algorithm (see: Select Platforms), an influence operation may use a platform in a way that increases its content exposure, avoids content removal, or otherwise benefits the operation’s strategy. For example, an influence operation may use bots to amplify its posts so that the platform’s algorithm recognises engagement with operation content and further promotes the content on user timelines.

Internal MISP references

UUID 0f36a79a-aa9a-5792-9a5e-5587fd626ee3 which can be used as unique global reference for Manipulate Platform Algorithm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0121
kill_chain ['tactics:Maximise Exposure']

Bypass Content Blocking

Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include: - Altering IP addresses to avoid IP filtering - Using a Virtual Private Network (VPN) to avoid IP filtering - Using a Content Delivery Network (CDN) to avoid IP filtering - Enabling encryption to bypass packet inspection blocking - Manipulating text to avoid filtering by keywords - Posting content on multiple platforms to avoid platform-specific removals - Using local facilities or modified DNS servers to avoid DNS filtering

Internal MISP references

UUID df60a404-a336-5fe0-8194-4c7605b0504c which can be used as unique global reference for Bypass Content Blocking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0121.001
kill_chain ['tactics:Maximise Exposure']

Direct Users to Alternative Platforms

Direct users to alternative platforms refers to encouraging users to move from the platform on which they initially viewed operation content and engage with content on alternate information channels, including separate social media channels and inauthentic websites. An operation may drive users to alternative platforms to diversify its information channels and ensure the target audience knows where to access operation content if the initial platform suspends, flags, or otherwise removes original operation assets and content.

Internal MISP references

UUID 18930995-fc3c-530b-8e6c-ae8fef68a4df which can be used as unique global reference for Direct Users to Alternative Platforms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0122
kill_chain ['tactics:Maximise Exposure']

Control Information Environment through Offensive Cyberspace Operations

Controlling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritise operation messaging or block opposition messaging.

Internal MISP references

UUID 8264209e-287a-535e-b502-a0c59483a667 which can be used as unique global reference for Control Information Environment through Offensive Cyberspace Operations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0123
kill_chain ['tactics:Drive Online Harms']

Delete Opposing Content

Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.

Internal MISP references

UUID e65250eb-08b4-5bc5-b3b5-d0f426470755 which can be used as unique global reference for Delete Opposing Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0123.001
kill_chain ['tactics:Drive Online Harms']

Block Content

Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes.

Internal MISP references

UUID 8afe697e-f8f5-5b71-81e3-1d81d89b754b which can be used as unique global reference for Block Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0123.002
kill_chain ['tactics:Drive Online Harms']

Destroy Information Generation Capabilities

Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives.

Internal MISP references

UUID 55d0c38e-4e38-56c9-b864-962c976b2a62 which can be used as unique global reference for Destroy Information Generation Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0123.003
kill_chain ['tactics:Drive Online Harms']

Conduct Server Redirect

A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side or client-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.

Internal MISP references

UUID 27fe7183-604f-5b93-a55f-0e9b6a10dd8c which can be used as unique global reference for Conduct Server Redirect in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0123.004
kill_chain ['tactics:Drive Online Harms']

Suppress Opposition

Operators can suppress the opposition by exploiting platform content moderation tools and processes like reporting non-violative content to platforms for takedown and goading opposition actors into taking actions that result in platform action or target audience disapproval.

Internal MISP references

UUID 57788034-088b-5c4d-b0b3-25dcea8f2973 which can be used as unique global reference for Suppress Opposition in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0124
kill_chain ['tactics:Drive Online Harms']

Report Non-Violative Opposing Content

Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space.

Internal MISP references

UUID de589f8f-a86c-5cc4-bd1b-fb522555b718 which can be used as unique global reference for Report Non-Violative Opposing Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0124.001
kill_chain ['tactics:Drive Online Harms']

Goad People into Harmful Action (Stop Hitting Yourself)

Goad people into actions that violate terms of service or will lead to having their content or accounts taken down.

Internal MISP references

UUID 5ebcb2f6-22b0-5c8a-9b40-d764b736210f which can be used as unique global reference for Goad People into Harmful Action (Stop Hitting Yourself) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0124.002
kill_chain ['tactics:Drive Online Harms']

Exploit Platform TOS/Content Moderation

Exploit Platform TOS/Content Moderation

Internal MISP references

UUID 393644ea-39c6-59c4-976f-7c2088167f14 which can be used as unique global reference for Exploit Platform TOS/Content Moderation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0124.003
kill_chain ['tactics:Drive Online Harms']

Platform Filtering

Platform filtering refers to the decontextualization of information as claims cross platforms (from Joan Donovan https://www.hks.harvard.edu/publications/disinformation-design-use-evidence-collages-and-platform-filtering-media-manipulation)

Internal MISP references

UUID c56168d8-5f79-57d4-8cf2-a3575bd7e598 which can be used as unique global reference for Platform Filtering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0125
kill_chain ['tactics:Drive Online Harms']

Encourage Attendance at Events

Operation encourages attendance at existing real world event.

Internal MISP references

UUID cf67a0f0-ae79-59bb-afe2-1eda9f99e8e4 which can be used as unique global reference for Encourage Attendance at Events in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0126
kill_chain ['tactics:Drive Offline Activity']

Call to Action to Attend

Call to action to attend an event

Internal MISP references

UUID e52a27b8-48f8-527d-9859-84b198d61864 which can be used as unique global reference for Call to Action to Attend in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0126.001
kill_chain ['tactics:Drive Offline Activity']

Facilitate Logistics or Support for Attendance

Facilitate logistics or support for travel, food, housing, etc.

Internal MISP references

UUID 829b1f45-d835-53c8-94e5-4ff3c87fc39c which can be used as unique global reference for Facilitate Logistics or Support for Attendance in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0126.002
kill_chain ['tactics:Drive Offline Activity']

Physical Violence

Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value.

Internal MISP references

UUID db32bcd3-a2ee-58ac-bc71-33f1af810a98 which can be used as unique global reference for Physical Violence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0127
kill_chain ['tactics:Drive Offline Activity']

Conduct Physical Violence

An influence operation may directly Conduct Physical Violence to achieve campaign goals.

Internal MISP references

UUID 4c7437f5-1759-527a-b7e1-53de1a65abb2 which can be used as unique global reference for Conduct Physical Violence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0127.001
kill_chain ['tactics:Drive Offline Activity']

Encourage Physical Violence

An influence operation may Encourage others to engage in Physical Violence to achieve campaign goals.

Internal MISP references

UUID 7dc74bbe-4d75-55f7-951c-bdd766e2efa6 which can be used as unique global reference for Encourage Physical Violence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0127.002
kill_chain ['tactics:Drive Offline Activity']

Conceal Information Assets

Conceal the identity or provenance of campaign information assets such as accounts, channels, pages etc. to avoid takedown and attribution.

Internal MISP references

UUID e9efb6c7-93bf-5bce-a6c7-f01bb8d8a3f8 which can be used as unique global reference for Conceal Information Assets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0128
kill_chain ['tactics:Persist in the Information Environment']

Use Pseudonyms

An operation may use pseudonyms, or fake names, to mask the identity of operational accounts, channels, pages etc., publish anonymous content, or otherwise use falsified personas to conceal the identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account, channel, or page with the same falsified name.

Internal MISP references

UUID 4e7db4e0-23e4-5931-bf81-2c60081bb44f which can be used as unique global reference for Use Pseudonyms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0128.001
kill_chain ['tactics:Persist in the Information Environment']

Conceal Network Identity

Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organisation.

Internal MISP references

UUID caa69e11-fc2b-580d-a6cb-a9bf28308b71 which can be used as unique global reference for Conceal Network Identity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0128.002
kill_chain ['tactics:Persist in the Information Environment']

Distance Reputable Individuals from Operation

Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.

Internal MISP references

UUID ef1633ed-1970-54e9-9fcc-60693beb0500 which can be used as unique global reference for Distance Reputable Individuals from Operation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0128.003
kill_chain ['tactics:Persist in the Information Environment']

Launder Information Assets

Laundering occurs when an influence operation acquires control of previously legitimate information assets such as accounts, channels, pages etc. from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered assets to reach target audience members from within an existing information community and to complicate attribution.

Internal MISP references

UUID 8f9b7ca8-e697-520e-a477-f0ba0509bfcd which can be used as unique global reference for Launder Information Assets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0128.004
kill_chain ['tactics:Persist in the Information Environment']

Change Names of Information Assets

Changing names or brand names of information assets such as accounts, channels, pages etc. An operation may change the names or brand names of its assets throughout an operation to avoid detection or alter the names of newly acquired or repurposed assets to fit operational narratives.

Internal MISP references

UUID 234c3805-31b1-585b-8c39-94c35315860d which can be used as unique global reference for Change Names of Information Assets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0128.005
kill_chain ['tactics:Persist in the Information Environment']

Conceal Operational Activity

Conceal the campaign's operational activity to avoid takedown and attribution.

Internal MISP references

UUID 7c57a7c5-28eb-550d-bdf5-12be2396acb7 which can be used as unique global reference for Conceal Operational Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129
kill_chain ['tactics:Persist in the Information Environment']

Generate Content Unrelated to Narrative

An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content.

Internal MISP references

UUID b7751384-967b-5260-89c8-0301868810f5 which can be used as unique global reference for Generate Content Unrelated to Narrative in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.002
kill_chain ['tactics:Persist in the Information Environment']

Break Association with Content

Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation.

Internal MISP references

UUID 3cf39d60-3b40-5739-b7e7-c6cd3474a9ee which can be used as unique global reference for Break Association with Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.003
kill_chain ['tactics:Persist in the Information Environment']

Delete URLs

URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.

Internal MISP references

UUID 4f4ae59d-332d-52d5-8c18-cfd6bfc9da97 which can be used as unique global reference for Delete URLs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.004
kill_chain ['tactics:Persist in the Information Environment']

Coordinate on Encrypted/Closed Networks

Coordinate on encrypted/ closed networks

Internal MISP references

UUID 6f546799-5edd-5356-a976-a1df70f5ca32 which can be used as unique global reference for Coordinate on Encrypted/Closed Networks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.005
kill_chain ['tactics:Persist in the Information Environment']

Deny Involvement

Without "smoking gun" proof (and even with proof), incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment.

Internal MISP references

UUID 1646a166-55f0-54c8-a5cc-9e0ca4779974 which can be used as unique global reference for Deny Involvement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.006
kill_chain ['tactics:Persist in the Information Environment']

Delete Accounts/Account Activity

Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artefacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred.

Internal MISP references

UUID abf940cd-1f31-5ca7-a2ef-2714c54a3c2a which can be used as unique global reference for Delete Accounts/Account Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.007
kill_chain ['tactics:Persist in the Information Environment']

Redirect URLs

An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection.

Internal MISP references

UUID 4c7aca7d-c1d2-5262-b374-d28675ddd402 which can be used as unique global reference for Redirect URLs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.008
kill_chain ['tactics:Persist in the Information Environment']

Remove Post Origins

Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content.

Internal MISP references

UUID 1192d06d-4766-599f-987f-f6eb292f1b5c which can be used as unique global reference for Remove Post Origins in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.009
kill_chain ['tactics:Persist in the Information Environment']

Misattribute Activity

Misattributed activity refers to incorrectly attributed operation activity. For example, a state sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute their activities to complicate attribution, avoid detection, or frame an adversary for negative behaviour.

Internal MISP references

UUID 5b9fee14-a5d4-56e3-a8b1-7031ef414e78 which can be used as unique global reference for Misattribute Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0129.010
kill_chain ['tactics:Persist in the Information Environment']

Conceal Infrastructure

Conceal the campaign's infrastructure to avoid takedown and attribution.

Internal MISP references

UUID e19140c7-5296-574a-8350-5b1d5be04630 which can be used as unique global reference for Conceal Infrastructure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0130
kill_chain ['tactics:Persist in the Information Environment']

Conceal Sponsorship

Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organisations, but seek to mislead or obscure the identity sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language

Internal MISP references

UUID bd222921-2ce7-5198-aebe-794cbc81b5db which can be used as unique global reference for Conceal Sponsorship in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0130.001
kill_chain ['tactics:Persist in the Information Environment']

Utilise Bulletproof Hosting

Hosting refers to services through which storage and computing resources are provided to an individual or organisation for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilise bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend.

Internal MISP references

UUID 64cfd678-c279-59af-89ef-fce2be1f6b26 which can be used as unique global reference for Utilise Bulletproof Hosting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0130.002
kill_chain ['tactics:Persist in the Information Environment']

Use Shell Organisations

Use Shell Organisations to conceal sponsorship.

Internal MISP references

UUID e33a8453-d3c1-53a7-9568-8fb65ffe8a47 which can be used as unique global reference for Use Shell Organisations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0130.003
kill_chain ['tactics:Persist in the Information Environment']

Use Cryptocurrency

Use Cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Etherium.

Internal MISP references

UUID 6d422b33-be0a-5d5e-8556-f6db54f506d9 which can be used as unique global reference for Use Cryptocurrency in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0130.004
kill_chain ['tactics:Persist in the Information Environment']

Obfuscate Payment

Obfuscate Payment

Internal MISP references

UUID 97c3035f-9c01-51a9-8f00-0b28b12d89bd which can be used as unique global reference for Obfuscate Payment in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0130.005
kill_chain ['tactics:Persist in the Information Environment']

Exploit TOS/Content Moderation

Exploiting weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and platform actions.

Internal MISP references

UUID 636c3c7c-c98a-50dd-9b98-607d163a3a94 which can be used as unique global reference for Exploit TOS/Content Moderation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0131
kill_chain ['tactics:Persist in the Information Environment']

Legacy Web Content

Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it's hard to remove or unlikely to be removed.

Internal MISP references

UUID 7897332f-fb75-509f-8cf5-005da7bd14cf which can be used as unique global reference for Legacy Web Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0131.001
kill_chain ['tactics:Persist in the Information Environment']

Post Borderline Content

Post Borderline Content

Internal MISP references

UUID 98cdfd25-6d66-5dfe-8303-a97d2f6d44dd which can be used as unique global reference for Post Borderline Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0131.002
kill_chain ['tactics:Persist in the Information Environment']

Measure Performance

A metric used to determine the accomplishment of actions. “Are the actions being executed as planned?”

Internal MISP references

UUID 68f1e82e-f3ae-5975-aec8-a396c204ed39 which can be used as unique global reference for Measure Performance in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0132
kill_chain ['tactics:Assess Effectiveness']

People Focused

Measure the performance individuals in achieving campaign goals

Internal MISP references

UUID 7e712446-36ee-584f-a832-c98f8fa6d912 which can be used as unique global reference for People Focused in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0132.001
kill_chain ['tactics:Assess Effectiveness']

Content Focused

Measure the performance of campaign content

Internal MISP references

UUID 145dc4d2-ab1f-5128-a7bf-d7d835b0a8fa which can be used as unique global reference for Content Focused in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0132.002
kill_chain ['tactics:Assess Effectiveness']

View Focused

View Focused

Internal MISP references

UUID 79368272-a235-5d84-aeb3-70d337dcfffb which can be used as unique global reference for View Focused in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0132.003
kill_chain ['tactics:Assess Effectiveness']

Measure Effectiveness

A metric used to measure a current system state. “Are we on track to achieve the intended new system state within the planned timescale?”

Internal MISP references

UUID 26789434-54f0-5a93-a769-4810af285679 which can be used as unique global reference for Measure Effectiveness in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0133
kill_chain ['tactics:Assess Effectiveness']

Behaviour Changes

Monitor and evaluate behaviour changes from misinformation incidents.

Internal MISP references

UUID 3cf4d2ba-2ba4-58c0-915d-c9781f4b4979 which can be used as unique global reference for Behaviour Changes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0133.001
kill_chain ['tactics:Assess Effectiveness']

Content

Measure current system state with respect to the effectiveness of campaign content.

Internal MISP references

UUID 90ed2d0b-1260-50ed-8a3d-8a71fbda4c8e which can be used as unique global reference for Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0133.002
kill_chain ['tactics:Assess Effectiveness']

Awareness

Measure current system state with respect to the effectiveness of influencing awareness.

Internal MISP references

UUID 2a5f3d2c-9b1e-5aa5-a817-f9af6adf454d which can be used as unique global reference for Awareness in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0133.003
kill_chain ['tactics:Assess Effectiveness']

Knowledge

Measure current system state with respect to the effectiveness of influencing knowledge.

Internal MISP references

UUID df8b6793-cb28-5445-bbdb-c72bf5ff73fa which can be used as unique global reference for Knowledge in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0133.004
kill_chain ['tactics:Assess Effectiveness']

Action/Attitude

Measure current system state with respect to the effectiveness of influencing action/attitude.

Internal MISP references

UUID f9ae2f58-1c32-5e54-9bfd-27b3618a60e6 which can be used as unique global reference for Action/Attitude in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0133.005
kill_chain ['tactics:Assess Effectiveness']

Measure Effectiveness Indicators (or KPIs)

Ensuring that Key Performance Indicators are identified and tracked, so that the performance and effectiveness of campaigns, and elements of campaigns, can be measured, during and after their execution.

Internal MISP references

UUID e13d8a29-e9ef-5bf5-bcbc-372edc418d5d which can be used as unique global reference for Measure Effectiveness Indicators (or KPIs) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0134
kill_chain ['tactics:Assess Effectiveness']

Message Reach

Monitor and evaluate message reach in misinformation incidents.

Internal MISP references

UUID 22e518b6-db32-50db-bf96-5a19b6604b8c which can be used as unique global reference for Message Reach in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0134.001
kill_chain ['tactics:Assess Effectiveness']

Social Media Engagement

Monitor and evaluate social media engagement in misinformation incidents.

Internal MISP references

UUID e9ff0ba4-19ba-5ae7-9fd4-49ac50a8a7b2 which can be used as unique global reference for Social Media Engagement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0134.002
kill_chain ['tactics:Assess Effectiveness']

Undermine

Weaken, debilitate, or subvert a target or their actions. An influence operation may be designed to disparage an opponent; sabotage an opponent’s systems or processes; compromise an opponent’s relationships or support system; impair an opponent’s capability; or thwart an opponent’s initiative.

Internal MISP references

UUID 0141e703-9b91-55b5-b262-506eb215f6e8 which can be used as unique global reference for Undermine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0135
kill_chain ['tactics:Plan Objectives']

Smear

Denigrate, disparage, or discredit an opponent. This is a common tactical objective in political campaigns with a larger strategic goal. It differs from efforts to harm a target through defamation. If there is no ulterior motive and the sole aim is to cause harm to the target, then choose sub-technique “Defame” of technique “Cause Harm” instead.

Internal MISP references

UUID a1a4b880-fd5a-5f6e-a649-3caf0e1395fc which can be used as unique global reference for Smear in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0135.001
kill_chain ['tactics:Plan Objectives']

Thwart

Prevent the successful outcome of a policy, operation, or initiative. Actors conduct influence operations to stymie or foil proposals, plans, or courses of action which are not in their interest.

Internal MISP references

UUID 13212ee6-9714-5a65-a1e2-6fa5e30b5f73 which can be used as unique global reference for Thwart in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0135.002
kill_chain ['tactics:Plan Objectives']

Subvert

Sabotage, destroy, or damage a system, process, or relationship. The classic example is the Soviet strategy of “active measures” involving deniable covert activities such as political influence, the use of front organisations, the orchestration of domestic unrest, and the spread of disinformation.

Internal MISP references

UUID 0b45e223-773a-533f-83f0-fbc928fe8e77 which can be used as unique global reference for Subvert in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0135.003
kill_chain ['tactics:Plan Objectives']

Polarise

To cause a target audience to divide into two completely opposing groups. This is a special case of subversion. To divide and conquer is an age-old approach to subverting and overcoming an enemy.

Internal MISP references

UUID 674d2dbc-d75f-5c3e-964a-e4fd3010dd4f which can be used as unique global reference for Polarise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0135.004
kill_chain ['tactics:Plan Objectives']

Cultivate Support

Grow or maintain the base of support for the actor, ally, or action. This includes hard core recruitment, managing alliances, and generating or maintaining sympathy among a wider audience, including reputation management and public relations. Sub-techniques assume support for actor (self) unless otherwise specified.

Internal MISP references

UUID 92f8589a-028b-5504-8b71-bb847c45155b which can be used as unique global reference for Cultivate Support in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136
kill_chain ['tactics:Plan Objectives']

Defend Reputaton

Preserve a positive perception in the public’s mind following an accusation or adverse event. When accused of a wrongful act, an actor may engage in denial, counter accusations, whataboutism, or conspiracy theories to distract public attention and attempt to maintain a positive image.

Internal MISP references

UUID 0846475e-2669-52e3-b1a0-9da43455379e which can be used as unique global reference for Defend Reputaton in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.001
kill_chain ['tactics:Plan Objectives']

Justify Action

To convince others to exonerate you of a perceived wrongdoing. When an actor finds it untenable to deny doing something, they may attempt to exonerate themselves with disinformation which claims the action was reasonable. This is a special case of “Defend Reputation”.

Internal MISP references

UUID eb9eddd7-ec69-57cf-9858-7699328de606 which can be used as unique global reference for Justify Action in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.002
kill_chain ['tactics:Plan Objectives']

Energise Supporters

Raise the morale of those who support the organisation or group. Invigorate constituents with zeal for the mission or activity. Terrorist groups, political movements, and cults may indoctrinate their supporters with ideologies that are based on warped versions of religion or cause harm to others.

Internal MISP references

UUID 367a49af-493d-5f32-af61-94ac25f12ef4 which can be used as unique global reference for Energise Supporters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.003
kill_chain ['tactics:Plan Objectives']

Boost Reputation

Elevate the estimation of the actor in the public’s mind. Improve their image or standing. Public relations professionals use persuasive overt communications to achieve this goal; manipulators use covert disinformation.

Internal MISP references

UUID 53f0923a-2e3d-5d42-b520-1218f962dc68 which can be used as unique global reference for Boost Reputation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.004
kill_chain ['tactics:Plan Objectives']

Cultvate Support for Initiative

Elevate or fortify the public backing for a policy, operation, or idea. Domestic and foreign actors can use artificial means to fabricate or amplify public support for a proposal or action.

Internal MISP references

UUID 7da024d9-24d2-595a-becb-4a792e885b80 which can be used as unique global reference for Cultvate Support for Initiative in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.005
kill_chain ['tactics:Plan Objectives']

Cultivate Support for Ally

Elevate or fortify the public backing for a partner. Governments may interfere in other countries’ elections by covertly favouring a party or candidate aligned with their interests. They may also mount an influence operation to bolster the reputation of an ally under attack.

Internal MISP references

UUID 06bed5fe-853f-57ce-a6de-4174b6ab58d2 which can be used as unique global reference for Cultivate Support for Ally in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.006
kill_chain ['tactics:Plan Objectives']

Recruit Members

Motivate followers to join or subscribe as members of the team. Organisations may mount recruitment drives that use propaganda to entice sympathisers to sign up.

Internal MISP references

UUID 78cd1801-a560-5417-abf2-dc5c617950e2 which can be used as unique global reference for Recruit Members in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.007
kill_chain ['tactics:Plan Objectives']

Increase Prestige

Improve personal standing within a community. Gain fame, approbation, or notoriety. Conspiracy theorists, those with special access, and ideologues can gain prominence in a community by propagating disinformation, leaking confidential documents, or spreading hate.

Internal MISP references

UUID 7f0f4d69-8634-52b4-aad8-61d8445acdb7 which can be used as unique global reference for Increase Prestige in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0136.008
kill_chain ['tactics:Plan Objectives']

Make Money

Profit from disinformation, conspiracy theories, or online harm. In some cases, the sole objective is financial gain, in other cases the objective is both financial and political. Making money may also be a way to sustain a political campaign.

Internal MISP references

UUID a9da70ec-419b-5fee-a66e-b55f0d5f483b which can be used as unique global reference for Make Money in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137
kill_chain ['tactics:Plan Objectives']

Generate Ad Revenue

Earn income from digital advertisements published alongside inauthentic content. Conspiratorial, false, or provocative content drives internet traffic. Content owners earn money from impressions of, or clicks on, or conversions of ads published on their websites, social media profiles, or streaming services, or ads published when their content appears in search engine results. Fraudsters simulate impressions, clicks, and conversions, or they spin up inauthentic sites or social media profiles just to generate ad revenue. Conspiracy theorists and political operators generate ad revenue as a byproduct of their operation or as a means of sustaining their campaign.

Internal MISP references

UUID a25ebac4-85ff-5106-926b-b3c9ca1dfc86 which can be used as unique global reference for Generate Ad Revenue in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137.001
kill_chain ['tactics:Plan Objectives']

Scam

Defraud a target or trick a target into doing something that benefits the attacker. A typical scam is where a fraudster convinces a target to pay for something without the intention of ever delivering anything in return. Alternatively, the fraudster may promise benefits which never materialise, such as a fake cure. Criminals often exploit a fear or crisis or generate a sense of urgency. They may use deepfakes to impersonate authority figures or individuals in distress.

Internal MISP references

UUID ef11bcd5-f638-55cb-a6e7-599fbbecdc80 which can be used as unique global reference for Scam in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137.002
kill_chain ['tactics:Plan Objectives']

Raise Funds

Solicit donations for a cause. Popular conspiracy theorists can attract financial contributions from their followers. Fighting back against the establishment is a popular crowdfunding narrative.

Internal MISP references

UUID 8c512fc6-92a0-5d2f-8b9b-d5e21283f365 which can be used as unique global reference for Raise Funds in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137.003
kill_chain ['tactics:Plan Objectives']

Sell Items under False Pretences

Offer products for sale under false pretences. Campaigns may hijack or create causes built on disinformation to sell promotional merchandise. Or charlatans may amplify victims’ unfounded fears to sell them items of questionable utility such as supplements or survival gear.

Internal MISP references

UUID b502d30b-0ad0-5abe-bba6-04298b660e26 which can be used as unique global reference for Sell Items under False Pretences in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137.004
kill_chain ['tactics:Plan Objectives']

Extort

Coerce money or favours from a target by threatening to expose or corrupt information. Ransomware criminals typically demand money. Intelligence agencies demand national secrets. Sexual predators demand favours. The leverage may be critical, sensitive, or embarrassing information.

Internal MISP references

UUID d174f433-fcf2-5ad7-be1c-098b373849c1 which can be used as unique global reference for Extort in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137.005
kill_chain ['tactics:Plan Objectives']

Manipulate Stocks

Artificially inflate or deflate the price of stocks or other financial instruments and then trade on these to make profit. The most common securities fraud schemes are called “pump and dump” and “poop and scoop”.

Internal MISP references

UUID bc85e12f-6663-567c-a422-180252963838 which can be used as unique global reference for Manipulate Stocks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0137.006
kill_chain ['tactics:Plan Objectives']

Motivate to Act

Persuade, impel, or provoke the target to behave in a specific manner favourable to the attacker. Some common behaviours are joining, subscribing, voting, buying, demonstrating, fighting, retreating, resigning, boycotting.

Internal MISP references

UUID b0b363b2-8dc8-5be1-86f3-6da1b08427ae which can be used as unique global reference for Motivate to Act in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0138
kill_chain ['tactics:Plan Objectives']

Encourage

Inspire, animate, or exhort a target to act. An actor can use propaganda, disinformation, or conspiracy theories to stimulate a target to act in its interest.

Internal MISP references

UUID 7e4979e2-a6ce-5c9c-a153-2c0cdcefee24 which can be used as unique global reference for Encourage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0138.001
kill_chain ['tactics:Plan Objectives']

Provoke

Instigate, incite, or arouse a target to act. Social media manipulators exploit moral outrage to propel targets to spread hate, take to the streets to protest, or engage in acts of violence.

Internal MISP references

UUID ce2c3d20-781c-5f85-a329-633bfd0b735d which can be used as unique global reference for Provoke in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0138.002
kill_chain ['tactics:Plan Objectives']

Compel

Force target to take an action or to stop taking an action it has already started. Actors can use the threat of reputational damage alongside military or economic threats to compel a target.

Internal MISP references

UUID df4308e1-d324-57dc-b2e5-63dd8c4f884b which can be used as unique global reference for Compel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0138.003
kill_chain ['tactics:Plan Objectives']

Dissuade from Acting

Discourage, deter, or inhibit the target from actions which would be unfavourable to the attacker. The actor may want the target to refrain from voting, buying, fighting, or supplying.

Internal MISP references

UUID 854d0c3d-ea59-5e49-bc38-bee72958a0fb which can be used as unique global reference for Dissuade from Acting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0139
kill_chain ['tactics:Plan Objectives']

Discourage

To make a target disinclined or reluctant to act. Manipulators use disinformation to cause targets to question the utility, legality, or morality of taking an action.

Internal MISP references

UUID 841f2f99-397b-5834-87a0-69e1d62cc68f which can be used as unique global reference for Discourage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0139.001
kill_chain ['tactics:Plan Objectives']

Silence

Intimidate or incentivise target into remaining silent or prevent target from speaking out. A threat actor may cow a target into silence as a special case of deterrence. Or they may buy the target’s silence. Or they may repress or restrict the target’s speech.

Internal MISP references

UUID 403d3951-1a59-5c34-b0da-08f6781b9562 which can be used as unique global reference for Silence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0139.002
kill_chain ['tactics:Plan Objectives']

Deter

Prevent target from taking an action for fear of the consequences. Deterrence occurs in the mind of the target, who fears they will be worse off if they take an action than if they don’t. When making threats, aggressors may bluff, feign irrationality, or engage in brinksmanship.

Internal MISP references

UUID 29b445b6-6d90-5b67-af56-3d78a0cd1343 which can be used as unique global reference for Deter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0139.003
kill_chain ['tactics:Plan Objectives']

Cause Harm

Persecute, malign, or inflict pain upon a target. The objective of a campaign may be to cause fear or emotional distress in a target. In some cases, harm is instrumental to achieving a primary objective, as in coercion, repression, or intimidation. In other cases, harm may be inflicted for the satisfaction of the perpetrator, as in revenge or sadistic cruelty.

Internal MISP references

UUID 0f9fbfeb-5b2f-5aa1-91fa-133841b458c7 which can be used as unique global reference for Cause Harm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0140
kill_chain ['tactics:Plan Objectives']

Defame

Attempt to damage the target’s personal reputation by impugning their character. This can range from subtle attempts to misrepresent or insinuate, to obvious attempts to denigrate or disparage, to blatant attempts to malign or vilify. Slander applies to oral expression. Libel applies to written or pictorial material. Defamation is often carried out by online trolls. The sole aim here is to cause harm to the target. If the threat actor uses defamation as a means of undermining the target, then choose sub-technique “Smear” of technique “Undermine” instead.

Internal MISP references

UUID 79dd50a8-0b49-59f1-a820-1c76656cd836 which can be used as unique global reference for Defame in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0140.001
kill_chain ['tactics:Plan Objectives']

Intimidate

Coerce, bully, or frighten the target. An influence operation may use intimidation to compel the target to act against their will. Or the goal may be to frighten or even terrify the target into silence or submission. In some cases, the goal is simply to make the victim suffer.

Internal MISP references

UUID 3d2bdd06-fdcc-5c08-b71e-6aec4315cc2b which can be used as unique global reference for Intimidate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0140.002
kill_chain ['tactics:Plan Objectives']

Spread Hate

Publish and/or propagate demeaning, derisive, or humiliating content targeting an individual or group of individuals with the intent to cause emotional, psychological, or physical distress. Hate speech can cause harm directly or incite others to harm the target. It often aims to stigmatise the target by singling out immutable characteristics such as colour, race, religion, national or ethnic origin, gender, gender identity, sexual orientation, age, disease, or mental or physical disability. Thus, promoting hatred online may involve racism, antisemitism, Islamophobia, xenophobia, sexism, misogyny, homophobia, transphobia, ageism, ableism, or any combination thereof. Motivations for hate speech range from group preservation to ideological superiority to the unbridled infliction of suffering.

Internal MISP references

UUID 823c3b54-8eac-5772-8e1c-b7fd55bbe518 which can be used as unique global reference for Spread Hate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0140.003
kill_chain ['tactics:Plan Objectives']

Acquire Compromised Asset

Threat Actors may take over existing assets not owned by them through nefarious means, such as using technical exploits, hacking, purchasing compromised accounts from the dark web, or social engineering.

Internal MISP references

UUID c863835c-366c-58c1-b405-68f632632540 which can be used as unique global reference for Acquire Compromised Asset in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0141
kill_chain ['tactics:Establish Assets']

Acquire Compromised Account

Threat Actors can take over existing users’ accounts to distribute campaign content. 

The actor may maintain the asset’s previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.

The actor may completely rebrand the account to exploit its existing reach, or relying on the account’s history to avoid more stringent automated content moderation rules applied to new accounts.

See also Mitre ATT&CK’s T1586 Compromise Accounts for more technical information on how threat actors may achieve this objective.

This Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.

Internal MISP references

UUID 6c78a4cc-99ff-5dda-9fd2-0ed060b478ad which can be used as unique global reference for Acquire Compromised Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0141.001
kill_chain ['tactics:Establish Assets']

Acquire Compromised Website

Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites’ personas are maintained to add credence to threat actors’ narratives.

See also Mitre ATT&CK’s T1584 Compromise Infrastructure for more technical information on how threat actors may achieve this objective.

Internal MISP references

UUID 66c253b1-d644-5dca-9954-805693489ed4 which can be used as unique global reference for Acquire Compromised Website in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0141.002
kill_chain ['tactics:Establish Assets']

Fabricate Grassroots Movement

This technique, sometimes known as "astroturfing", occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives. 

Astroturfing aims to increase the appearance of popular support for an evolving grassroots movement in contrast to "Utilise Butterfly Attacks", which aims to discredit an existing grassroots movement. 

This Technique was previously called Astroturfing, and used the ID T0099.001

Internal MISP references

UUID c52f5e7a-5a13-5859-9bb0-1620dec4dde2 which can be used as unique global reference for Fabricate Grassroots Movement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T0142
kill_chain ['tactics:Establish Legitimacy']

Activate Firmware Update Mode

Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.

Internal MISP references

UUID d07be12d-39a2-448c-8e92-f40a46ed9865 which can be used as unique global reference for Activate Firmware Update Mode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission', 'The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E']
Tactic ['Inhibit Response Function']
Technique ID ['T800']

Alarm Suppression

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. The method of suppression may greatly depend on the type of alarm in question: An alarm raised by a protocol message. An alarm signaled with I/O. An alarm bit set in a flag and read In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.2 Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.

Internal MISP references

UUID f35e36fd-1a4a-4fc5-a881-9db30b51b43f which can be used as unique global reference for Alarm Suppression in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Tactic ['Inhibit Response Function']
Technique ID ['T878']

Automated Collection

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

Internal MISP references

UUID cd10178b-3af2-4169-9d19-73194c379fa0 which can be used as unique global reference for Automated Collection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze.', 'Industroyer automatically collects protocol object data to learn about control devices in the environment.']
Tactic ['Collection']
Technique ID ['T802']

Block Command Message

Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively prevent them from receiving remote command messages.

Internal MISP references

UUID bc454d80-054b-48bf-8848-289ec9d8277d which can be used as unique global reference for Block Command Message in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.', 'Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.', 'Monitor the network for expected outcomes and to detect unexpected states.', 'Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access.']
Procedure Examples ['In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device.']
Tactic ['Inhibit Response Function']
Technique ID ['T803']

Block Reporting Message

Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively block messages from being reported.

Internal MISP references

UUID c70c3328-e180-4947-badd-8088686aec7f which can be used as unique global reference for Block Reporting Message in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other.', 'Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.', 'Monitor the network for expected outcomes and to detect unexpected states. For instance, an expected report does not occur may indicate reason for concern.', 'Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access.', 'Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.']
Procedure Examples ['Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device.']
Tactic ['Inhibit Response Function']
Technique ID ['T804']

Block Serial COM

Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.

Internal MISP references

UUID 6def9c26-dbd6-4410-a363-02bd2e235c22 which can be used as unique global reference for Block Serial COM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.', 'Restrict access to both physical control and network environments with strong passwords. Consider forms of multi-factor authentication, such introducing as biometrics, smart cards, or tokens, to supplement traditional passwords.', 'Lock down and secure portable devices and removable media. Portable ICS assets should not be used outside of the ICS network.', 'Use only authorized media in the physical environment and be aware of anomalies. Take care to keep backups and stored data in secure, protected locations.', 'Implement antivirus and malware detection tools to detect improper access to serial COM by malicious or unexpected programs. Maintain environmental awareness to help detect instances when a serial COM may be blocked, resulting in commands or reports not being carried out.']
Procedure Examples ['In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device.']
Tactic ['Inhibit Response Function']
Technique ID ['T805']

Brute Force I/O

Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.

Internal MISP references

UUID f5b5b616-1b96-485e-8b7b-620e94145bea which can be used as unique global reference for Brute Force I/O in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values.']
Tactic ['Impair Process Control']
Technique ID ['T806']

Change Program State

Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.

Internal MISP references

UUID 1f846cbc-ed70-429c-b489-eaf1f0f99ca6 which can be used as unique global reference for Change Program State in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.', 'Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.', 'Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.']
Tactic ['Execution Impair Process Control']
Technique ID ['T875']

Command-Line Interface

Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.

Internal MISP references

UUID 1e6829cd-e6f3-4ff9-b56d-c6f0a2bb88ae which can be used as unique global reference for Command-Line Interface in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.', 'Authentication of accounts should be enforced, and when applicable, account permissions and privileges should be limited to an as-needed basis.', 'In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.', 'In general, reduce and restrict access to both physical resources and the network, wherever CLIs might be exposed.']
Procedure Examples ['The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoor’s “execute a shell command” commands.']
Tactic ['Execution']
Technique ID ['T807']

Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples as follows TCP:80 (HTTP), TCP:443 (HTTPS), TCP/UDP:53 (DNS), TCP:1024-4999 (OPC on XP/Win2k3), TCP:49152-65535 (OPC on Vista and later), TCP:23 (TELNET), UDP:161 (SNMP), TCP:502 (MODBUS), TCP:102 (S7comm/ISO-TSAP), TCP:20000 (DNP3), TCP:44818 (Ethernet/IP)

Internal MISP references

UUID 6f53940b-f5ee-4fcc-8752-2c9bdb16381c which can be used as unique global reference for Commonly Used Port in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Access to device configuration settings should be restricted. Be wary of improper modifications before, during, and after system implementation', 'Settings should be in the most restrictive mode, consistent with ICS operational requirements 4, including the limitation of open ports to those that are necessary.', 'Leverage access control capabilities, such as whitelists, to limit communications to and from permitted, known entities.', 'Assess and secure new device acquisitions as they enter the environment to detect and prevent the introduction of tampered with components.', 'VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.', 'Intrusion detection can be put in place to monitor traffic and logs. Unexpected or a high amount of traffic involving even commonly used ports can be suspicious when it deviates from the often consistent state of the ICS environment.']
Procedure Examples ['Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138.', 'Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised.', "Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments."]
Tactic ['Command and Control']
Technique ID ['T885']

Connection Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.

Internal MISP references

UUID 2c5bf128-129a-482f-b578-995b389c9e2e which can be used as unique global reference for Connection Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other.', 'VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.', 'Where applicable, further restrict network traffic by enforcing whitelisting of known, trusted devices. Limit access and editing privileges to such lists.', 'Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.']
Tactic ['Command and Control']
Technique ID ['T884']

Damage to Property

Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.345 Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops.4 Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.

Internal MISP references

UUID 0f14bec1-cc6e-4c73-a0de-77b9cf3f525f which can be used as unique global reference for Damage to Property in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them.']
Tactic ['Impact']
Technique ID ['T879']

Data Destruction

Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.

Internal MISP references

UUID cc76d9dc-1e26-48a1-baa1-c42b2aa6d381 which can be used as unique global reference for Data Destruction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Password authentication can be used as a barrier to Data Destruction, in addition to restricting user account file access according to the principle of least privilege. The default for newly created accounts should be minimal, to reduce adversary movement capabilities.', 'Best password practices, and the implementation of multi-factor authentication can also add security, particularly if data in the environment has a high risk of interception or may be sent in plaintext.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.', 'Take note of suspicious files and run antivirus and malware detecting solutions to assist in catching malicious programs that can result in Data Destruction.', 'dentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting5 tools like AppLocker or Software Restriction Policies where appropriate.']
Procedure Examples ['Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files.', 'KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion.']
Tactic ['Inhibit Response Function']
Technique ID ['T809']

Data Historian Compromise

Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.1 The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include refs to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be expected to have extensive connections within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.

Internal MISP references

UUID bb11d289-4661-444b-8923-e77ce630f487 which can be used as unique global reference for Data Historian Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server.']
Tactic ['Initial Access']
Technique ID ['T810']

Data from Information Repositories

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.

Internal MISP references

UUID ec83fca8-a475-42fd-9ae5-db666ec6dd3d which can be used as unique global reference for Data from Information Repositories in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories.', 'Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance.', 'Flame has built-in modules to gather information from compromised computers.']
Tactic ['Collection']
Technique ID ['T811']

Default Credentials

Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.

Internal MISP references

UUID c40fbcf3-5baf-4589-8f3a-e544790d2e37 which can be used as unique global reference for Default Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Change default passwords to strong ones, when possible. In some instances, network traffic may be easily intercepted or sent in plaintext. In these instances, multi-factor authentication can act as both a barrier to the adversary and help alert the account owner of unauthorized access. Triple-factor authentication may also be considered.', 'Be aware of device patching and maintenance that would enable password changes or stronger passwords than currently used ones.', 'Authenticate wireless communications and access with a secure IEEE 802.1x authentication protocol.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.', 'In general, console user actions should be traceable, whether it may manually (e.g. control room sign in) or automatic (e.g. login at the application and/or OS layer).1 Protect and restrict access to the resulting logs.', 'Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has. Physical, token authentication can also be considered. It is also easier to notice if these have gotten lost or stolen, unlike traditional passwords. Smart cards another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be good supplement to software-only password solutions. Secure and check new acquisitions for tampering and signs of malicious components.', 'VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.', 'In the event the adversary is already inside the network, an intrusion detection system can help detect and record unusual patterns of activity.']
Tactic ['Lateral Movement']
Technique ID ['T811']

Denial of Control

Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network preventing them from issuing any controls.

Internal MISP references

UUID 8d7682dc-e23b-4a53-bac7-ca92ad5d7772 which can be used as unique global reference for Denial of Control in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Industroyer is able to block serial COM channels temporarily causing a denial of control.']
Tactic ['Impact']
Technique ID ['T813']

Denial of Service

Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a or denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through Control Device Identification. There are examples of adversaries remotely causing a Device Restart/Shutdown by exploiting a vulnerability that induces uncontrolled resource consumption. In the Maroochy attack, the adversary was able to shut an investigator out of the network.

Internal MISP references

UUID 5dc02bb0-3332-459b-a66e-148e152ee063 which can be used as unique global reference for Denial of Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.', 'The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.7 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E', 'The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS.']
Tactic ['Inhibit Response Function']
Technique ID ['T814']

Denial of View

Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.

Internal MISP references

UUID 3840a392-0074-42ba-9303-d8bf18ce0048 which can be used as unique global reference for Denial of View in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Industroyer is able to block serial COM channels temporarily causing a denial of view.']
Tactic ['Impact']
Technique ID ['T815']

Detect Operating Mode

Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.

Internal MISP references

UUID b12d6ee9-db15-45de-a1d7-594803e53960 which can be used as unique global reference for Detect Operating Mode in MISP communities and other software using the MISP galaxy

External references
  • Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.
Associated metadata
Metadata key Value
Procedure Examples ['Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.']
Tactic ['Collection']
Technique ID ['T868']

Detect Program State

Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.

Internal MISP references

UUID 2afa4852-71bc-41c9-b524-643cddb3e7fa which can be used as unique global reference for Detect Program State in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.']
Tactic ['Collection']
Technique ID ['T870']

Device Restart/Shutdown

Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading. Unexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take affect. For example, DNP3's function code 0x0D can reset and reconfigure DNP3 outstations by forcing them to perform a complete power cycle. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries scheduled disconnects for the uniterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.

Internal MISP references

UUID e3b4487b-d29f-4940-a02d-8c948374964b which can be used as unique global reference for Device Restart/Shutdown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'In general, it is unlikely devices in an ICS environment should experience frequent shutdowns. Therefore, monitor physical devices for unexpected state changes and the network for suspicious, related activity', 'Whenever possible, intrusion detection systems, sensors, logs, and patch management should be done in real-time. These tools can provide tangible records of evidence and system integrity. Additionally, active log management utilities may actually flag an attack or event in progress and provide location and tracing information to help respond to the incident.', 'Applying best password policies and being multi-factor authentication enabled can add an additional barrier to device shutdown, in the situation only verified users have the shutdown capability.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed. Cable exposure should be as minimal as possible, to reduce likely hood of tampering.', 'Depending on security needs and risks, it might also be prudent to disable or physically protect power buttons to prevent unauthorized use.']
Procedure Examples ['The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.3 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E.']
Tactic ['Inhibit Response Function']
Technique ID ['T816']

Drive-by Compromise

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.

Internal MISP references

UUID 3eb64b2b-2710-446e-a30d-d49728d17350 which can be used as unique global reference for Drive-by Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['ALLANITE leverages watering hole attacks to gain access into electric utilities.', 'Dragonfly 2.0 utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access.', 'Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP.', 'OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks', 'XENOTIME utilizes watering hole websites to target industrial employees.', 'Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure.']
Tactic ['Initial Access']
Technique ID ['T817']

Engineering Workstation Compromise

Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.

Internal MISP references

UUID 56fc2528-7ad9-4ff4-8a65-b7641822074e which can be used as unique global reference for Engineering Workstation Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet utilized an engineering workstation as the initial access point for PLC devices.', 'The Triton malware gained remote access to an SIS engineering workstation.']
Tactic ['Initial Access']
Technique ID ['T818']

Execution through API

Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC.

Internal MISP references

UUID 66ff7ce5-3daf-4651-9157-b6df2009e1b6 which can be used as unique global reference for Execution through API in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units.', 'Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units.', 'Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes']
Tactic ['Execution']
Technique ID ['T871']

Exploit Public-Facing Application

Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment. ICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet.

Internal MISP references

UUID fce2a3b6-4bf0-4f98-9287-8849f0ed08d0 which can be used as unique global reference for Exploit Public-Facing Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Tactic ['Initial Access']
Technique ID ['T819']

Exploitation for Evasion

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware.

Internal MISP references

UUID 8b5ed78d-5902-4656-99a8-05f8733f56bd which can be used as unique global reference for Exploitation for Evasion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory.45 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration ']
Tactic ['Evasion']
Technique ID ['T820']

Exploitation of Remote Services

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (“wormable”) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.

Internal MISP references

UUID c9324642-1af8-45d5-8b99-a8227e541f9d which can be used as unique global reference for Exploitation of Remote Services in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.', 'NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.', 'WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.']
Tactic ['Lateral Movement']
Technique ID ['T866']

External Remote Services

Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point?to?point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio. The 2015 attack on the Ukranian power grid showed the use of existing remote access tools within the environment to access the control system network. The adversary harvested worker credentials, some of them for VPNs the grid workers used to remotely log into the control system networks.3245 The VPNs into these networks appear to have lacked two?factor authentication.

Internal MISP references

UUID 51aa0e11-3141-4c65-a6bf-2a434ff62e11 which can be used as unique global reference for External Remote Services in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored on an almost real-time frequency.', 'Enable console user actions to be traceable, either manually (e.g., control room sign in) or automatically (e.g. ,login at the application and/or OS layer).8 Protect and restrict access to the resulting logs.', 'In environments with a high risk of interception or intrusion, consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.', 'Secure and restrict access to the control room(s), which could be leveraged to set up an external remote service. Ensure VPNs, which are commonly used to provide secure access to ICS environments from untrusted networks, are properly configured.', 'Maintain awareness and observe use of External Remote Services with intrusion detection systems and solutions. Timely patch maintenance will assist with reducing the likelihood of Exploitation of Vulnerability for External Remote Service.']
Procedure Examples ['XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.', 'Bad Rabbit can utilize exposed SMB services to access industrial networks.', 'NotPetya can utilize exposed SMB services to access industrial networks.', 'WannaCry can utilize exposed SMB services to access industrial networks']
Tactic ['Lateral Movement, Initial Access']
Technique ID ['T822']

Graphical User Interface

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine. In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.

Internal MISP references

UUID fe7af615-363e-4d57-89f3-b513e3d2ea30 which can be used as unique global reference for Graphical User Interface in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access.', 'Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Authentication and strong passwords should be used to protect access to GUIs. Associated accounts and GUI sessions should be restricted to appropriate capabilities and actions.', 'Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.', 'Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting tools, like AppLocker and Software Restriction Policies where appropriate.']
Tactic ['Execution']
Technique ID ['T823']

Hooking

Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.

Internal MISP references

UUID eb51ef09-1119-42e5-a54a-bae8da791160 which can be used as unique global reference for Hooking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files.']
Tactic ['Persistence']
Technique ID ['T874']

I/O Image

Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.

Internal MISP references

UUID a721f6e3-0b80-4eca-bbd1-43a6891ac8cd which can be used as unique global reference for I/O Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device.']
Tactic ['Collection']
Technique ID ['T877']

I/O Module Discovery

Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.

Internal MISP references

UUID 10ea82ba-9f19-476a-8ec5-c653e0add46c which can be used as unique global reference for I/O Module Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. Consider multi-factor authentication solutions, such as biometric or card-based tokens, to supplement traditional password-protection to access physical rooms.']
Procedure Examples ['Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.']
Tactic ['Discovery']
Technique ID ['T824']

Indicator Removal on Host

Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

Internal MISP references

UUID 54e8db05-d233-48f4-9467-702f60bd53c0 which can be used as unique global reference for Indicator Removal on Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['KillDisk deletes application, security, setup, and system event logs from Windows systems.', 'Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics.']
Tactic ['Evasion']
Technique ID ['T872']

Internet Accessible Device

Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised. In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing.

Internal MISP references

UUID a9251e7f-921e-40f3-9ad7-8ab3f38e3136 which can be used as unique global reference for Internet Accessible Device in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ["Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet."]
Tactic ['Initial Access']
Technique ID ['T833']

Location Identification

Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.

Internal MISP references

UUID 48aed709-3fcf-4d51-8316-c4dc6b90114f which can be used as unique global reference for Location Identification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access', 'Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. Protecting and securing cables reduces potential collateral damage and the likelihood of being tampered with.', 'Whenever possible, protect location information from outside eyes. Limit viewing of any stored data to those with the need to know and try to restrict data sending to encrypted channels.']
Procedure Examples ['The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations.']
Tactic ['Collection']
Technique ID ['T825']

Loss of Availability

Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. Adversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.

Internal MISP references

UUID b997f861-a587-48d5-9070-a358b1b67ac6 which can be used as unique global reference for Loss of Availability in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown.']
Tactic ['Impact']
Technique ID ['T826']

Loss of Control

Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.

Internal MISP references

UUID 0d1979d5-d62c-4836-b14a-46f5a6d68bca which can be used as unique global reference for Loss of Control in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ["Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable.", "Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations."]
Tactic ['Impact']
Technique ID ['T827']

Loss of Productivity and Revenue

Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.

Internal MISP references

UUID f2905196-e419-4740-bca9-0fc3af846bc0 which can be used as unique global reference for Loss of Productivity and Revenue in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports.', 'A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production.', 'While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity', 'NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines.', 'An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open.']
Tactic ['Impact']
Technique ID ['T828']

Loss of Safety

Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.567 Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact.

Internal MISP references

UUID 4f46d0e0-91ee-4ab2-a5b7-168ee099b715 which can be used as unique global reference for Loss of Safety in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays.', 'Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard.']
Tactic ['Impact']
Technique ID ['T880']

Loss of View

Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.

Internal MISP references

UUID ceee160f-8d23-41bd-b3f8-cfb87713e1a2 which can be used as unique global reference for Loss of View in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ["Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable.", "Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations."]
Tactic ['Impact']
Technique ID ['T829']

Man in the Middle

Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. A MITM attack may allow an adversary to perform the following attacks: Block Reporting Message, Modify Parameter, Unauthorized Command Message, Spoof Reporting Message

Internal MISP references

UUID 23bcd8f2-4e1e-473b-83fa-8e895e503236 which can be used as unique global reference for Man in the Middle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered. Special care should be taken to ensure passwords used with encrypted, as opposed to non-encrypted protocols are not the same. Password lockout policies can be enforced, but take care to balance this with operational needs, that might result in a few failed login attempts in stressful situations.4 Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.4Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.4 *Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers. Depending on how it is deployed, an Intrusion Detection System (IDS) might be able to detect or help with the detection of a MitM attack.']
Procedure Examples ['HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.', 'Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. STUXNET effectively creates a man in the middle attack with the input and output signals and control logic.']
Tactic ['Execution']
Technique ID ['T830']

Manipulate I/O Image

Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. During the PLC scan cycle, the state of the actual physical inputs is copied to a portion of the PLC memory, commonly called the input image table. When the program is scanned, it examines the input image table to read the state of a physical input. When the logic determines the state of a physical output, it writes to a portion of the PLC memory commonly called the output image table. The output image may also be examined during the program scan. To update the physical outputs, the output image table contents are copied to the physical outputs after the program is scanned. One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.

Internal MISP references

UUID 08fe1ccd-247f-45a4-b4f0-4d7f8329f510 which can be used as unique global reference for Manipulate I/O Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified.', 'When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral.']
Tactic ['Inhibit Response Function']
Technique ID ['T835']

Manipulation of Control

Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Methods of Manipulation of Control include: Man-in-the-middle, Spoof command message, Changing setpoints

Internal MISP references

UUID 9366f29b-dcea-468c-bc47-579747a75978 which can be used as unique global reference for Manipulation of Control in MISP communities and other software using the MISP galaxy

External references
  • Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property.
Associated metadata
Metadata key Value
Procedure Examples ['Industroyer toggles breakers to the open state utilizing unauthorized command messages.', 'Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property.']
Tactic ['Impact']
Technique ID ['T831']

Masquerading

Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.

Internal MISP references

UUID e90b468f-8789-45e2-90fc-6cab1d121283 which can be used as unique global reference for Masquerading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activate a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages.', 'Stuxnet renames a dll responsible for handling communications with a PLC. It replaces the original .dll file with its own version that allows it to intercept any calls that are made to access the PLC.', 'The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.']
Tactic ['Evasion, Impair Process Control']
Technique ID ['T849']

Modify Alarm Settings

Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a Impact could occur. In ICS environments, the adversary may have to use Alarm Suppression or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. In the Maroochy Attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.

Internal MISP references

UUID d3691a42-3964-4629-bd95-89ddd71e6e38 which can be used as unique global reference for Modify Alarm Settings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to report settings changes and automatically log any such changes, keeping actions accountable to user accounts.', 'Restrict ICS user privileges to only those necessary to perform one’s job using Role-Based Access Control (RBAC). Configure these “roles” based on the principle of least privilege. Levels of access can dictate several factors, such as the ability to view, use, and alter specific ICS data or device functions.', 'Auditing tools can provide tangible records of evidence and system integrity, and should be done on a real-time basis when feasible. 3 These tools may include monitoring of sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy management software, and other security mechanisms.', 'Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas. Portable ICS assets should be secured and used only in the ICS network', 'Intrusion detection systems (IDS) monitor events on a network and ensure unusual activity is brought to attention. Comparing the reporting commands, or lack of certain reports, against the IDS can assist with detecting anomalies.', 'For instance, reporting behavior for critical or unsafe conditions and safety alarms should rarely, if ever, be turned off. Unsafe conditions coupled with no reports could indicate an attack.']
Tactic ['Inhibit Response Function']
Technique ID ['T838']

Modify Control Logic

Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. Program code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active. An adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools. An adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. It is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the “real” pressure is for given analog signals and then automatically linearize the measurement to what would be the “real” pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.

Internal MISP references

UUID 8f0ff984-424f-4c9e-b446-467f9d6493a0 which can be used as unique global reference for Modify Control Logic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Monitor sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy management software, and other security mechanisms on a real-time basis as feasible. These tools can provide tangible records of evidence and system integrity. Additionally, active log management utilities may actually flag an attack or event in progress and provide location and tracing information to help respond to the incident.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Avoid unauthorized and suspicious media and keep it away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.', 'Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered. Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.', 'Make use of antivirus and malware detection tools to further secure the environment. In particular, intrusion detection system solutions can assist with monitoring the ICS environment for unexpected or alarming behaviors.']
Procedure Examples ['Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist. The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks.']
Tactic ['Impair Process Control, Inhibit Response Function']
Technique ID ['T833']

Modify Parameter

Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.

Internal MISP references

UUID 8da151db-39aa-4424-a236-415dec458799 which can be used as unique global reference for Modify Parameter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements. Be wary of improper modifications before, during, and after system implementation.', 'Monitor system parameters for safe, expected settings and raise alerts when unsafe parameters, unexpected changes, or odd system states occur. Logging and/or associating device changes to accounts may also be beneficial, as an ICS environment rarely changes', 'Secure and restrict authorization to the control room and the physical environment. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.']
Procedure Examples ['In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device.']
Tactic ['Impair Process Control']
Technique ID ['T836']

Module Firmware

Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.

Internal MISP references

UUID 08f44b76-8a2f-43d8-b51c-a18ef3e0a999 which can be used as unique global reference for Module Firmware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements.', 'Maintain and patch module firmware, checking to ensure the version and state are as expected. Firmware that requires a cryptographic key will be harder for the adversary to alter.', 'Be wary of improper modifications before, during, and after system implementation.', 'Ensure field devices require source and data authentication in order for users to update firmware and perform similar options. Enforcing proper firmware update policies and procedures may help distinguish intended update activity from malicious activity. Note that compromised devices may continue to function as expected by an asset owner, and that it is possible for many to be compromised in such a way.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.', 'Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with. Monitor existing module firmware with applicable assessments to ensure devices are at the expected versions', 'Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files', 'Limit access to the network and require authentication as a barrier. Test access to field devices from outside the network, to help determine if an adversary could reach them.']
Tactic ['Impair Process Control']
Technique ID ['T839']

Monitor Process State

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

Internal MISP references

UUID 48947a94-a769-41a8-bc13-60aecfdcfa90 which can be used as unique global reference for Monitor Process State in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Contingency plans should be in place to handle and minimize impact from unexpected behavior.2 The physical layout and cable setup should be monitored to detect anomalies and to prevent crossover of ICS and IT environments.', 'Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements. Maintenance of such devices and products should be performed, keeping in mind operational concerns', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keeping a controlled and consistent asset inventory can assist with this', 'Special care should be taken to ensure backups and other data are restricted to authorized users and kept out of the adversary’s hands. Never use portable ICS environment assets outside of the ICS network.']
Procedure Examples ['Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.']
Tactic ['Collection']
Technique ID ['T801']

Network Connection Enumeration

Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

Internal MISP references

UUID 96775fdf-1e64-47d6-b4bc-40d586aff9fd which can be used as unique global reference for Network Connection Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with', 'Restrict communications to and from devices over the network with access controls, such as whitelists.', 'Utilize intrusion detection system (IDS) capabilities and heuristics to detect adversarial monitoring of the environment and modules or actions that deviate from normal functionality']
Procedure Examples ['Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks.']
Tactic ['Discovery']
Technique ID ['T840']

Network Service Scanning

Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap. An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to. Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.

Internal MISP references

UUID d9476518-569b-4baa-b01f-09d6ec61b101 which can be used as unique global reference for Network Service Scanning in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Isolate wireless access points and data servers for wireless worker devices on their own network with documented and minimal (single if possible) connections to the ICS network', 'Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer. Secure and restrict authorization to the control room and the physical environment.', 'Physical control room or control systems access often implies also gaining logical access.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.', 'Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.', 'Implement heuristics to detect monitoring and invasive probing activity on the network, such as port scanning. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date.']
Tactic ['Discovery']
Technique ID ['T841']

Network Sniffing

Network sniffing is the practice of using a network interface on a computer system to monitor or capture information1 regardless of whether it is the specified destination for the information. An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. Network sniffing can be a way to discover information for Control Device Identification. In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Internal MISP references

UUID 7bccc6c8-43eb-4d26-ba17-98167a068627 which can be used as unique global reference for Network Sniffing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.', 'Isolate wireless access points and data servers for wireless worker devices on their own network with documented and minimal (single if possible) connections to the ICS network', 'Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer. Proper segmentation helps mitigate the risk of broadcast storms resulting from port scans. Assigning each automation cell to a single VLAN limits unnecessary traffic flooding.', 'Implement VPNs to further restrict access in and out of control system computers and controllers, which help remove unauthorized, non-essential traffic from the intermediary network.', 'In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if reasonable.', 'Network services will often transmit in plaintext, making third-party eavesdropping easy. When communications over both encrypted and non-encrypted protocols with passwords exist, be sure to use different passwords.', 'Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.', 'Secure and restrict authorization to the control room and the physical environment. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.', 'Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.', 'Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.', 'Make use of antivirus and malware detection tools to further secure the environment. Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Implement heuristics to detect monitoring and invasive probing activity on the network.', 'Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting6 tools, like AppLocker,78 or Software Restriction Policies9 where appropriate.']
Procedure Examples ['DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus – a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of the thread is to monitor each S7-315 on the bus. The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules.', 'The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI.']
Tactic ['Discovery']
Technique ID ['T842']

Point & Tag Identification

Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.

Internal MISP references

UUID 6b1da46d-fbe4-4b84-a4e1-1ece7daf6a93 which can be used as unique global reference for Point & Tag Identification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id']
Tactic ['Collection']
Technique ID ['T861']

Program Download

Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.

Internal MISP references

UUID 53f180f4-9093-4d1e-8372-3e10943b820e which can be used as unique global reference for Program Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.', 'Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System.']
Tactic ['Persistence, Impair Process Control, Inhibit Response Function']
Technique ID ['T843']

Program Organization Units

Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected: Increase the size of the original block. Write malicious code to the beginning of the block. Insert the original OB1 code after the malicious code.

Internal MISP references

UUID 326ade02-552b-4c68-b4e4-f41599b49a32 which can be used as unique global reference for Program Organization Units in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block.', 'Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.']
Tactic ['Lateral Movement, Execution']
Technique ID ['T844']

Program Upload

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.

Internal MISP references

UUID 1931da8b-1781-480b-b7db-26b7c432821c which can be used as unique global reference for Program Upload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC.']
Tactic ['Collection']
Technique ID ['T845']

Project File Infection

Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques. Adversaries may export their own code into project files with conditions to execute at specific intervals.3 Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.

Internal MISP references

UUID 46034514-6c9c-4afd-8158-246279fcd7d1 which can be used as unique global reference for Project File Infection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded']
Tactic ['Persistence, Execution']
Technique ID ['T873']

Remote File Copy

Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation. Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.

Internal MISP references

UUID de0f0771-1772-421c-b2d4-4f913067583d which can be used as unique global reference for Remote File Copy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Bad Rabbit can move laterally through industrial networks by means of the SMB service.', 'NotPetya can move laterally through industrial networks by means of the SMB service.', 'WannaCry can move laterally through industrial networks by means of the SMB service.']
Tactic ['Lateral Movement']
Technique ID ['T867']

Remote System Discovery

Remote System Discovery is the process of identifying the presence of hosts on a network1, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.

Internal MISP references

UUID a65e1d32-cbff-40cb-af45-72fd5ad393ff which can be used as unique global reference for Remote System Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer.7 Proper segmentation helps mitigate the risk of broadcast storms resulting from port scans. Assigning each automation cell to a single VLAN limits unnecessary traffic flooding.', 'Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.', 'Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas.', 'Implement VPNs to further restrict access in and out of control system computers and controllers, which help remove unauthorized, non-essential traffic from the intermediary network.', 'Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.', 'Implement heuristics to detect monitoring and invasive probing activity on the network. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date.']
Procedure Examples ['The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.', 'The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically.', 'PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.', 'Stuxnet scanned the network to identify the Siemens PLCs that it was targeting.', 'Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.']
Tactic ['Discovery']
Technique ID ['T846']

Replication Through Removable Media

Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. The plant has since checked for infection and cleaned up more than 1,000 computers.9 An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution.

Internal MISP references

UUID 00697a1d-aa6d-4a52-91cf-4c0cbb9ff81f which can be used as unique global reference for Replication Through Removable Media in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ["Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network. Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility.", 'Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.']
Tactic ['Initial Access']
Technique ID ['T847']

Rogue Master Device

Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection. In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.

Internal MISP references

UUID 988cb83e-1ecd-4711-8c71-2d461dddd4f7 which can be used as unique global reference for Rogue Master Device in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.', 'Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered', 'Protect physical devices and restrict access to different locations with authentication to reduce the likelihood the adversary can introduce an outside device. Inventorying of devices and capabilities can assist in finding unknown entities.', 'Check new acquisitions for unexpected features and tampering that could enable them to masquerade as another device.', 'When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\Windows\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.', 'Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting tools like AppLocker or Software Restriction Policies where appropriate.']
Tactic ['Evasion Impair Process Control']
Technique ID ['T848']

Role Identification

Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack. For example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device.

Internal MISP references

UUID 52099a90-ab4f-43a8-8047-89492f5dadc4 which can be used as unique global reference for Role Identification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Encrypt and protect the integrity of wireless device communications. Encryption at OSI Layer 2 can be considered instead of at Layer 3, to reduce latency. Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.', 'Filter and limit communications to and from devices on the network. Implement relevant heuristics to detect adversarial probing and unexpected communications activity.', 'Wireless access points and data servers for wireless worker devices should be located on an isolated network with minimal connections to the ICS network.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.']
Procedure Examples ['The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.', 'The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain.']
Tactic ['Collection']
Technique ID ['T850']

Rootkit

Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact.

Internal MISP references

UUID 753a01c8-60c3-41f4-9241-166d884e1b84 which can be used as unique global reference for Rootkit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.', 'Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with', 'In environments with a high risk of interception or intrusion, organizations should consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.', 'Make use of antivirus and malware detection tools to further secure the environment.', 'Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.']
Procedure Examples ["One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnet’s own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnet’s PLC code is not discovered or damaged.", 'When the peripheral output is written to, sequence C of Stuxnet intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral.']
Tactic ['Evasion, Impair Process Control']
Technique ID ['T851']

Screen Capture

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

Internal MISP references

UUID 2711392c-7f55-4d48-a505-cfd5de3c3e0e which can be used as unique global reference for Screen Capture in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs', 'APT33 utilize backdoors capable of capturing screenshots once installed on a system', 'Dragonfly has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.']
Tactic ['Collection']
Technique ID ['T852']

Scripting

Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.

Internal MISP references

UUID 38959743-d33f-4e4c-9be2-3c1f773b0c30 which can be used as unique global reference for Scripting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions', 'These access restrictions should also apply to configuration and systems settings.', 'The ability to make certain changes, alter settings, and run files should be at least protected by basic password authentication. In environments where passwords may be intercepted or sent as plaintext, implement multi-factor authentication to supplement password use.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Physical access to systems may allow the adversary to run scripts, if privileged accounts are logged in. Consider enforcing a logoff or timeout policy, consistent with operational needs.']
Procedure Examples ['APT33 utilized PowerShell scripts to establish command and control and install files for execution.', 'HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools', 'OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.', 'In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment.', 'A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs.']
Tactic ['Execution']
Technique ID ['T854']

Serial Connection Enumeration

Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems. While IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.

Internal MISP references

UUID 7bbc25f1-eec4-4ecc-bc98-071dc89d25b2 which can be used as unique global reference for Serial Connection Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Keep documentation and portable assets secured and stowed away when not in use.', 'Limit communications to and from devices wherever possible, such as enforcing whitelist policies for network-based communications.']
Procedure Examples ['Industroyer contains modules for IEC 101 and IEC 104 communications. IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality. The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device.']
Tactic ['Discovery']
Technique ID ['T854']

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.

Internal MISP references

UUID 249f3b38-db72-4941-a36c-59b5db185b87 which can be used as unique global reference for Service Stop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user.', 'KillDisk looks for and terminates two non-standard processes, one of which is an ICS application.']
Tactic ['Impair Process Control']
Technique ID ['T881']

Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.

Internal MISP references

UUID 813ea621-37d0-44dc-aaef-74cacca69f43 which can be used as unique global reference for Spearphishing Attachment in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['ALLANITE utilized spear phishing to gain access into energy sector environments', 'APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.', 'APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies.', 'Dragonfly 2.0 used the Phishery tool kit to conduct spear phishing attacks and gather credentials.56 Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in the North America', 'Dragonfly sent pdf documents over email which contained links to malicious sites and downloads', 'HEXANE has used malicious documents to drop malware and gain access into an environment.', 'Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads.11 Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company.', 'OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.', 'The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails.', 'BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments.']
Tactic ['Initial Access']
Technique ID ['T865']

Standard Application Layer Protocol

Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

Internal MISP references

UUID 6b277198-78b1-4910-bfea-21803c1b8048 which can be used as unique global reference for Standard Application Layer Protocol in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['HEXANE communicated with command and control over HTTP and DNS.', 'OilRig communicated with its command and control using HTTP requests', 'BlackEnergy uses HTTP POST request to contact external command and control servers.', 'Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised.']
Tactic ['Command and Control']
Technique ID ['T869']

Supply Chain Compromise

Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. Supply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).

Internal MISP references

UUID eb58509d-92e4-4d43-bfd6-99b26dc62d37 which can be used as unique global reference for Supply Chain Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard windows applications.', 'ENOTIME targeted several ICS vendors and manufacturers.', 'The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites.']
Tactic ['Initial Access']
Technique ID ['T862']

System Firmware

System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries developed malicious firmware for the serial-to-ethernet devices which rendered them inoperable and severed connections between the control center and the substation.

Internal MISP references

UUID 1d8e19f2-66f7-4a48-9f9d-26b6d512cdcd which can be used as unique global reference for System Firmware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements.', 'Maintain and patch module firmware, checking to ensure the version and state are as expected. Firmware that requires a cryptographic key will be harder for the adversary to alter', 'Be wary of improper modifications before, during, and after system implementation', 'Enforcing proper firmware update policies and procedures may help distinguish intended update activity from malicious activity. Require source and data authentication, at a minimum, as part of this process.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Take care to keep backups and stored data in secure, protected locations.', 'Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.', 'Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with. Monitor existing module firmware with applicable assessments to ensure devices are at the expected versions.', 'Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files', 'Limit access to the network and require authentication as a barrier. Test access to field devices from outside the network, to help determine if an adversary could reach them.']
Procedure Examples ['The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make']
Tactic ['Persistence, Inhibit Response Function']
Technique ID ['T857']

Theft of Operational Information

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data.

Internal MISP references

UUID c92ffac5-3979-4209-8f81-9ca45e556a73 which can be used as unique global reference for Theft of Operational Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information.', 'Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.', 'Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information.']
Tactic ['Impact']
Technique ID ['T882']

Unauthorized Command Message

Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact. In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries used valid credentials to seize control of operator workstations and access a distribution management system (DMS) client application via a VPN. The adversaries used these tools to issue unauthorized commands to breakers at substations which caused a loss of power to over 225,000 customers over various areas.

Internal MISP references

UUID 78fb294d-11e9-49d3-9469-40665308a710 which can be used as unique global reference for Unauthorized Command Message in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding', 'In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if reasonable.', 'When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Contingency plans should be in place to handle and minimize impact from unexpected behavior.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.', 'Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.', 'Antivirus and malicious code detection tools can assist with detecting and preventing impact of malware. Secure Windows, Unix, and Linux, etc.-based systems like traditional IT equipment. Follow vendor recommendations for other computers and services with time-dependent code and changes differentiating them from standard devices.', 'Leverage Intrusion Detection Systems (IDS) capabilities for event monitoring, such as looking for unusual activity and traffic patterns and detecting abnormal changes to functionality. If timestamps or methods of authentication are associated with commands, these may be useful metrics to determine spoofed sources. For instance, a spoofed message sent with unusual timing or an extra command sent, coinciding with a legitimate source.']
Procedure Examples ['The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF.', 'In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives.', 'Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.']
Tactic ['Impair Process Control']
Technique ID ['T855']

User Execution

Adversaries may rely on a targeted organizations’ user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software

Internal MISP references

UUID 0df00d45-2105-4ab0-ad6d-de0a9b7d898d which can be used as unique global reference for User Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Procedure Examples ['Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email.', 'Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer.']
Tactic ['Execution']
Technique ID ['T863']

Utilize/Change Operating Mode

Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause a Impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses.

Internal MISP references

UUID 9e5e5c49-45ec-4dd3-a890-9bcbb7f99a81 which can be used as unique global reference for Utilize/Change Operating Mode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Supplement restricted privileges and environment access with strong passwords. Consider forms of multi-factor authentication, such as introducing biometrics, smart cards, or tokens, to supplement traditional passwords.', 'Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.', 'Network services in ICS often transmit in plaintext, making third-party eavesdropping easy. Always use different passwords, especially if credentials may be transmitted across both encrypted and non-encrypted protocols', 'Restrict device configuration settings access. Be wary of improper modifications before, during, and after system implementation. IT products should be secured as restrictively as possible, in accordance with ICS operational requirements.', 'Protect and restrict physical access to locations, devices, and systems. Lockdown and secure portable devices and removable media. Portable ICS assets should not be used outside of the ICS network', 'When possible, real-time monitoring and management of ICS devices and the network can help detect anomalous behavior. Always check new device acquisitions for the presence of backdoors and malicious tampering.']
Procedure Examples ['Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in ‘program mode’ during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch.']
Tactic ['Evasion, Inhibit Response Function']
Technique ID ['T858']

Valid Accounts

Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system. In the 2015 attack on the Ukranian power grid, the adversaries used valid credentials to interact directly with the client application of the distribution management system (DMS) server via a VPN and native remote access services to access employee workstations hosting HMI applications.2 The adversaries caused outages at three different energy companies, causing loss of power to over 225,000 customers over various areas.

Internal MISP references

UUID 439051c8-9404-40f1-a4c9-d6bef22ea5fd which can be used as unique global reference for Valid Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Mitigations ['Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.', 'Privilege restriction should extend to hardware, firmware, software, documentation, and settings modifications.', 'Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.', 'In general, console user actions should be traceable, whether it may manually (e.g. control room sign in) or automatic (e.g. login at the application and/or OS layer).11 Protect and restrict access to the resulting logs.', 'Special care should be taken to ensure passwords used with encrypted, as opposed to non-encrypted protocols are not the same. Password lockout policies can be enforced, but take care to balance this with operational needs, that might result in a few failed login attempts in stressful situations.', 'Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has', 'Physical token authentication can also be considered. It is also easier to notice if these have gotten lost or stolen, unlike traditional passwords. Smart cards another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be good supplement to software-only password solutions.', 'Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.', 'Antivirus and malware detection should be employed to assist with detecting and preventing malicious code from being run, in the event a Valid Account is compromised.', 'Network monitoring and intrusion detection systems can be leveraged to observe activity and may help identify suspicious account activity and movement at unexpected times.']
Procedure Examples ['ALLANITE utilized credentials collected through phishing and watering hole attacks.', 'Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks.', 'Dragonfly leveraged compromised user credentials to access the targets networks and download tools from a remote server.', 'HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization.', 'OilRig utilized stolen credentials to gain access to victim machines.', 'Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems', 'XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment.', 'BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence.']
Tactic ['Persistence, Lateral Movement']
Technique ID ['T859']

Wireless Compromise

Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device.12 Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A joint case study on the Maroochy Shire Water Services event examined the attack from a cyber security perspective.3 The adversary disrupted Maroochy Shire's radio-controlled sewage system by driving around with stolen radio equipment and issuing commands with them. Boden used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. The remote controller device allowed the student to interface with the tram’s network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. The controller then enabled initial access to the network, allowing the capture and replay of tram signals

Internal MISP references

UUID 6330fa53-0ba5-4be6-bd76-1cb4f9a535d4 which can be used as unique global reference for Wireless Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Tactic ['Initial Access']
Technique ID ['T860']