Space tactics

Tactics represent the "why" of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.

Space Tactics: 14
ID Name Description
TA0043 Reconnaissance In the reconnaissance phase the adversary tries to gather information about the targeted system that could be useful at later stages of an attack. Good intelligence about the target system allows the adversary to find the most critical assets and weakest links, the information to be stolen, the services that can be attacked and the damage that can be caused. Information gathering includes active and passive techniques. Some techniques are the same as for typical IT systems, such as gathering information on the victim’s organisation, while others, such as scanning, resemble their IT counterparts but differ due to the nature of space missions. For instance, interception, active or passive, is mainly RF or optical based, due to the nature of space communication links. By contrast, some others, such as wordlist scanning or IP scanning, which are typically used in the IT world, do not really make sense for space systems, at least for traditional ones (this may change for new systems like Starlink or others that offer Internet connectivity via large Low Earth Orbit constellations). Finally, there are space-specific techniques such as in-orbit proximity intelligence, while others, such as remote vulnerability scanning, may be applicable only to ‘New Space’ systems and only after remote access has been achieved.
TA0042 Resource Development During Resource Development, the adversary is trying to establish resources they can use to support operations. It includes adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle. The techniques of the Resource Development tactic are to a great extent the same as those used in IT attacks and reflected in the MITRE ATT&CK matrix; what really differs are the sub-techniques, which are space specific.
TA0001 Initial Access Accessing a system is the first step that an attacker performs against it, after the preparatory phase. He can use various techniques to gain a foothold in the system and then continue with his malicious operations. While the adversary's techniques for the Initial Access tactic in the space segment have some commonalities with the IT domain, for example potential supply chain compromise and exploitation of trust relationships (if any), most of them are quite different, due to the nature of space systems. To get initial access to a spacecraft, the main ways (apart from the aforementioned ones) are through a compromised ground segment (that controls the spacecraft), or by getting access directly to the spacecraft using stolen/compromised cryptographic keys or safe mode.
The attacker can target the ground station or try to get into the space component. Because the space component is unreachable, initial access techniques are usually related to physical access before launch or to the violation of communication channels.
TA0002 Execution In the Execution phase the adversary tries to execute his own commands (whether or not they are already available in the spacecraft as built-in capabilities) for malicious purposes, including (if possible) arbitrary malicious code. The intended purpose is to obtain further information (from the inside), elevate privileges, move laterally, establish persistence, or launch a direct attack (e.g. Denial of Service or other). All the techniques in the Execution tactic are related to an adversary’s code running inside a machine. Code execution is usually used to accomplish other goals, such as controlling the system or modifying its parameters. In a space system, an attacker can use the access gained to the payload or to the TC system to interact with the spacecraft, attempting to modify the resource’s behavior.
TA0003 Persistence After getting initial access and the capability to execute commands, the adversary will try to maintain their foothold. Persistence includes techniques that can be used to maintain (undisclosed) access to the resource over time, with the aim of acting later, where and as needed for the adversary's purposes. Techniques can include manipulation of the security components to permit new access, or pre-inserted or configured backdoors that permit side access to the system.
TA0004 Privilege Escalation Privilege escalation is the gain of higher-level permissions on a system. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system. In a limited system such as a space system, examples are overcoming the hypervisor's limits and controls, or abusing the bus hierarchy.
TA0005 Defense Evasion Attackers can have more time to complete or to postpone the attack, or they can extend the attack duration if the resource owner does not discover it. If defense or detection systems are in place, they can attempt to disable or to avoid them.
TA0006 Credential Access A possible adversarial goal is credential discovery, which is useful for obtaining hidden and stable access to the resource. Keys can be gathered by corrupting a weak security protocol used in a communication or by compromising the key management facility or its communications.
TA0007 Discovery Discovery consists of techniques an adversary may use to gain knowledge about the system structure and implementation or configuration. These techniques can help adversaries to observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what is around their entry point in order to discover how it could benefit their current objective.
TA0008 Lateral Movement The Lateral Movement tactic relates to accessing another system or sub-system connected to a compromised component, leveraging a lack or misconfiguration of separation tools. The attack can propagate to that component, giving the attacker wider access.
TA0009 Collection An adversary who has compromised the space resource or the communication channel can leverage this access to collect data. If the communication is unencrypted, collection amounts to eavesdropping on the channel.
TA0011 Command and Control Command and Control consists of techniques that adversaries may use to communicate with systems under their control. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.
TA0010 Exfiltration Exfiltration techniques are used to send data out of the resource through a communication or other channel, in order to steal it. The two common download channels are the TM and the payload channel. Both are RF or optical channels. When RF channels are used, the signal is diffused broadly over the Earth's surface (due to the high distance), which can result in easy interception of the exfiltrated packets by adversaries.
TA0040 Impact Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. The adversary is trying to damage the system's security, interrupt its normal execution, or damage it physically. Because it is impossible to reach the resource and repair/reprogram it, if the damage is too severe the resource is definitively lost. The damage can be at data level, targeting the stored or transmitted data, deleting it, or modifying it to deceive the receiver. It can also be at service level, interrupting a payload execution or hitting the communication with jamming and flooding to prevent it. Damage can also be at hardware level, destroying the space resource with electromagnetic power, kinetic weapons, or malicious hardware pre-inserted in the system.