After gaining initial access and the capability to execute commands, the adversary will try to maintain their foothold. Persistence covers techniques used to keep (undisclosed) access to the resource over time, with the aim of acting later, where and when it suits the adversary's purposes. Techniques include manipulating security components so that a new access path is permitted, and relying on pre-inserted or pre-configured backdoors that provide a side entrance to the system.
| ID | Name | Description |
|---|---|---|
| T2014 | Backdoor Installation | An attacker can interfere with the hardware or the software, integrating new components or modifying the existing software, hardware configuration or transponder configuration, in order to grant themselves future access to the resource. |
| T2014.001 | Hardcoded credentials and/or keys | The attacker can hardcode credentials during the supply-chain phase, obtaining guaranteed access to the resource once the component is integrated in the system. |
| T2014.002 | Integration of custom malicious hardware | Replacement of a product in the supply chain with a custom or counterfeit part, either to damage the system or to use it as a future backdoor. |
| T2014.003 | OBSW modification | An attacker can modify the OBSW to permit future access to the resource through a software backdoor. |
| T2014.004 | Transponder reconfiguration | An attacker can change the transponder configuration to permit future radio access to the resource. |
| T2014.005 | Payload modification | An attacker can also modify the payload hardware, software or configuration to create future access to the payload itself, either to target the payload or to use it against the whole resource. |
| T2013 | Key Management Infrastructure Manipulation | Key infrastructures provide the technical means for managing key life cycles and for distributing keys using security protocols or other means. If an attacker manipulates them, they can gain and maintain authorized access to the protected resource. Encryption keys used to protect TM/TC can be replaced in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control. |
| T2013.001 | Replace / generate new Session Keys | Adversaries can replace or generate the session keys used to encrypt TM/TC in order to gain permanent access to other functionalities. |
| T2013.002 | Replace / generate new Master Keys | Adversaries can replace the master key used to encrypt TM/TC in order to gain permanent access to other functionalities, or interrupt the owner's control by generating new ones. |
| T1542 | Pre-OS Boot | "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system." Adversaries can achieve this by modifying or replacing components before launch, or by updating them later if an update capability is implemented. Detection is very difficult, because defenses usually operate at higher levels. |
| T1542.001 | System Firmware Exploitation | Persistence at the pre-OS level can be gained by modifying the firmware of a resource. System firmware is quite static and does not usually provide detection capabilities, so a firmware-level manipulation can remain unnoticed until later phases of the attack. |
| T2009 | Valid Credentials | Adversaries may obtain and abuse credentials to gain Initial Access or Persistence on a space resource. Compromised credentials may be used to bypass access controls placed on systems within the network, to decrypt communication, to send authenticated messages and to take control of the spacecraft. Gained credentials may also be used for persistent access to the resource. |
| T2009.001 | Steal cryptographic keys | Adversaries may obtain and abuse master or session keys to gain Initial Access or Persistence. Compromised keys may be used to bypass access controls placed on various resources within the network and may also be used for persistent access to communication channels. |
| T2009.002 | Forge Digital Certificates | If an attacker gains control of the credential-management system and issues credentials, they can access the system and maintain persistent control over it. Recovery requires invalidating the existing credentials and reissuing all of them. CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. The authenticity of an X.509 certificate depends on the digital signature of the CA attesting to the credential; if the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed. |
| T2009.003 | Brute force attack against TC channel or mission channel | An attacker can use brute force to gain access to a TC channel, to break the encryption or to guess the valid commands. |