Reconnaissance Techniques and Industrial Control System Tactics Knowledge Graph


  • Thomas Heverin Girls Learn Cyber LLC



Knowledge Representation, Knowledge Graph, Industrial Control Systems


In the initial stages of industrial control system (ICS) penetration testing, pentesters conduct reconnaissance by using various tools including Nmap, Shodan, Maltego, Google, Google Hacking Database (GHDB), Recon-ng and more. Testers use various reconnaissance techniques (RTs) within the tools to directly access ICS devices. Many novice ICS-pentesters stop their reconnaissance work upon successfully accessing an ICS device. However, continuing to conduct reconnaissance after initial access can lead to pentesters finding even more information to find more ICS devices, ICS networks, and ways to make ICS exploitation more effective.  Our research motivation stems from finding ways to explicitly model the continuation of using RTs once an ICS device is accessed. Knowledge graphs offer an approach for linking RTs together and creating chains of RTs.


MITRE ATT&CK ICS provides a matrix of ICS adversarial behaviours. The matrix consists of main exploit tactics and techniques used to accomplish these tactics. Example techniques include ICS alarm suppression, blocking command messages, starting a device, and stopping services. ATT&CK ICS also provides ICS data sources that defenders use to detect the adversarial techniques. Application logs, files, logon sessions, network traffic, and operational databases represent some of the ICS data sources. We reasoned that if adversaries could find the ICS data sources and discover the ability to modify the data sources, then adversaries could cover their tracks to successfully carry out ICS tactics. For example, ICS attackers could modify log entries to hide the attacker’s steps or ICS attackers could delete alarm notifications that showed that ICS attackers changed ICS settings.


In this work in progress research, we used knowledge-graph modelling techniques to link together RTs with ICS data sources, the ability to modify the data sources, the ability to then cover tracks of ICS techniques, and the impact of techniques on accomplishing ICS tactics. We named the graph RT-ICS Graph. With knowledge graph queries and shortest-path algorithms run over the RT-ICS graph, we showed how RTs can explicitly lead to impacts on adversaries carrying out ICS tactics. The accomplishment of ICS tactics can cause severe damage or harm.