fix: [fight] ugly workaround for duplicate entries

Christophe Vandeplas 2024-06-17 15:18:55 +02:00
parent e7c5bc7956
commit 5ca2dc6ff7
2 changed files with 8 additions and 652 deletions


@ -6472,224 +6472,6 @@
"uuid": "0551e810-74ac-5a51-82c1-abaebeb3dfd4",
"value": "Self Location Measurement"
},
{
"description": "An adversary may eavesdrop on unencrypted sensitive subscriber data on the air interface to capture information and to fingerprint application layer usage pattern of victim UE.\r\n\r\nAn adversary may employ a back-to-back fake gNB-UE combination to eavesdrop on the communication and relay communication between the intended recipient and the intended source, over the radio interface. \r\n\r\nThis attack assumes a successful bid down UE attack or else the network uses no (“NULL”) encryption on the radio interface.\r\n\r\nLTE layer 2 RLC/MAC metadata (e.g. PDCP packet length) may be eavesdropped by adversary on the air interface as all layer 2 data below PDCP layer are sent without encryption in LTE. Once the metadata is collected, an Artificial Intelligence/Machine learning (AI/ML) tool can be used to track which websites the UE applications are using even though PDCP and higher layer data are encrypted. The adversary must be in the same area where the victim UE is located to sniff the downlink air link messages sent to UE from gNB. The same attack is possible in 5G as layer 2 protocols have not changed in the 5G 3GPP specification.",
"meta": {
"architecture-segment": "RAN, O-RAN",
"bluf": "An adversary may eavesdrop on unencrypted sensitive subscriber data to capture information to and from a UE that has been bid down to a less secure format, such as Wi-Fi or an earlier mobile network generation.",
"criticalassets": [
{
"Description": "All user plane data sent by UE over the air can be intercepted in the clear.",
"Name": "User plane traffic confidentiality"
},
{
"Description": "UE/subscriber geographical location.",
"Name": "UE location"
},
{
"Description": "All signaling data (not NAS) including measurement reports sent by UE over the air can be intercepted in the clear.",
"Name": "Signaling traffic confidentiality"
},
{
"Description": "UEs private information is leaked to the adversary such as which websites they are using and the time and day the websites are visited.",
"Name": "UEs internet usage pattern"
}
],
"detections": [
{
"detects": "UE transitions to less secure service. UE responds to requests that were not sent by legitimate network.",
"fgdsid": "FGDS5010",
"name": "UE transition to less secure service"
}
],
"external_id": "FGT1040.501",
"kill_chain": [
"fight:Collection"
],
"mitigations": [
{
"fgmid": "FGM5006",
"mitigates": "Set security profile in the UE to prohibit bidding down to less secure service.",
"name": "Restrictive user profile"
},
{
"fgmid": "M1041",
"mitigates": "Avoid systems that employ null encryption. De-register when only NULL encryption is offered.",
"name": "Encrypt Sensitive Information"
},
{
"fgmid": "FGM5517",
"mitigates": "Obfuscation can be done at the application layer to avoid fingerprint detection of UE's internet usage. An example of application layer obfuscation is to use Orbot as Tor proxy that sends and receives all traffic through a Tor circuit. This is not highly effective as some metadata can still be used to fingerprint applications.\n\nEncryption of metadata such as PDCP length can be done to prevent this attack. It introduces large overhead on UE and hence it is not proposed in the 3GPP [6].",
"name": "Use obfuscation at application layer"
}
],
"object-type": "technique",
"platforms": "5G RAN",
"postconditions": [
{
"Description": "Transient technique. Works only as long as adversary is able to retain connection.",
"Name": "Temporary loss of subscriber data confidentiality."
},
{
"Description": "Further attacks are possible on the victim UE based on the data collected, e.g. bank fraud or attacks from social media sites.",
"Name": "Further attacks based on UEs internet usage"
}
],
"preconditions": [
{
"Description": "Subscriber security profile in the UE must allow bidding down to less secure service OR system must employ null encryption.",
"Name": "Permissive subscriber security profile in the UE OR system employs null encryption."
},
{
"Description": "See [FGT1562.501](/techniques/FGT1562.501).",
"Name": "Successful “Bid down UE” attack"
},
{
"Description": "Adversary must be positioned in the same area as the victim UE with an airlink message sniffer device to collect the downlink data sent by gNB to the UE.",
"Name": "Adversary in the same vicinity as victim UE"
}
],
"procedureexamples": [
{
"Description": "The adversary employs a back-to-back fake gNB-UE combination.\nAfter a successful bidding down attack, all sensitive subscriber data (CP & UP) including location data may be visible to the adversary. See [2], clause 6.7.4 of [3], and [4].",
"Name": "Eavesdrop on air interface for a given UE"
},
{
"Description": "Alternatively, if the 5G system employs null encryption, all subscriber data traffic (CP & UP) including location data can be collected in the clear. Clause 4.4 of [1].",
"Name": "Eavesdrop on air interface for any UE"
},
{
"Description": "Adversary collects layer 2 metadata of downlink data sent to the victim UE from gNB using an airlink sniffer device. Then it processes the metadata using an ML classifier such as k-NN. The classifier can reveal with high accuracy which websites are visited by the UE application [5]. It is a passive attack.",
"Name": "Passive collection of airlink messages leads to UE application fingerprinting"
}
],
"refs": [
"[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks",
"[2] Hu, X. et al: “A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security”, August 2019 - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957",
"[3] 3GPP TS33.501 “Security architecture and procedures for 5G System”. - https://www.3gpp.org/DynaReport/33501.htm",
"[4] Zaenab D. Shakir, J. Zec, I. Kostanic, “Position location based on measurement reports in LTE cellular networks”, 2018 IEEE 19th Wireless and Microwave Technology Conference (WAMICON , 2018. - https://ieeexplore.ieee.org/document/8363501",
"[5] ACM article, : “Improving 4G/5G air interface security: A survey of existing attacks on different LTE layers”. - https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532",
"[6] ACM article, Katharina Kohls et al: “Lost traffic encryption: fingerprinting LTE/4G traffic on layer two”. - https://dl.acm.org/doi/10.1145/3317549.3323416",
"[7] L. Zhai et al: “Identify What You are Doing: Smartphone Apps Fingerprinting on Cellular Network Traffic”. - https://ieeexplore.ieee.org/document/9631415",
"https://fight.mitre.org/data%20sources/FGDS5010",
"https://fight.mitre.org/mitigations/FGM5006",
"https://fight.mitre.org/mitigations/FGM5517",
"https://fight.mitre.org/mitigations/M1041",
"https://fight.mitre.org/techniques/FGT1040.501"
],
"status": "Observed in earlier 3GPP generations and expected in 5G.",
"subtechnique-of": "FGT1040",
"typecode": "fight_subtechnique_to_attack_technique"
},
"related": [
{
"dest-uuid": "cce626f3-b774-5f29-b1d2-5fb96a5befef",
"type": "mitigated-by"
},
{
"dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7",
"type": "mitigated-by"
},
{
"dest-uuid": "aff10ded-e6c1-5ee9-aa82-1eb71c8b2709",
"type": "mitigated-by"
},
{
"dest-uuid": "d8cdf251-95c8-5624-bf93-4b468c59011f",
"type": "detected-by"
},
{
"dest-uuid": "d3c6705c-75d8-5243-93c2-37052321b3b8",
"type": "subtechnique-of"
}
],
"uuid": "9c0ebe3d-6a66-5914-83a1-0adcdbbe878b",
"value": "Radio interface"
},
{
"description": "An adversary may position itself on the radio interface, to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\nAdversary can deploy a fake gNB, eNB (a 4G base station) or WiFi access point, or a back-to-back fake gNB-UE combination to act as an adversary-in-the-middle, in order to intercept, inject and possibly modify communication and relay communication to and from intended recipient over the radio interface. \r\n\r\nThis attack assumes the following to have taken place: the UE has been bid-down (see [Bid down UE](/techniques/FGT1562.501)) to a less secure Radio Access Network such as 4G, or the UE connects to an eNB because the network is 5G Non-Standalone, or due to EPS fallback, or the UE connects to a WiFi access point (to access 5G services).",
"meta": {
"architecture-segment": "RAN",
"bluf": "An adversary may position itself on the radio interface, to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).",
"criticalassets": [
{
"Description": "All signaling transmitted to and from subscriber can be modified or intercepted in the clear",
"Name": "Subscriber signaling"
},
{
"Description": "UE/subscriber geographical location can be intercepted.",
"Name": "UE location"
},
{
"Description": "All data and voice transmitted to and from subscriber can be modified or intercepted in the clear",
"Name": "Subscriber traffic"
}
],
"detections": [
{
"detects": "UE measurements of received power levels from all base stations nearby, and their identifiers Reference clause 6.24 of [3]",
"fgdsid": "FGDS5002",
"name": "UE signal measurements"
}
],
"external_id": "FGT1557.501",
"kill_chain": [
"fight:Collection",
"fight:Credential-Access"
],
"mitigations": [],
"object-type": "technique",
"platforms": "5G",
"postconditions": [
{
"Description": "Transient technique; works only as long as adversary-in-the-middle is able to retain connection.",
"Name": "Temporary loss of subscriber data confidentiality or integrity."
}
],
"preconditions": [
{
"Description": "Subscriber security profile must allow bidding down to less secure service OR system must employ null integrity or encryption.",
"Name": "Permissive subscriber security profile OR system employs null integrity or encryption."
}
],
"procedureexamples": [
{
"Description": "The adversary employs a back to back gNB-UE combination. When UE security profile allows bidding down, or the UE connects to 4G due to EPS fallback, or to WiFi, an adversary acts as an adversary-in-the-middle to intercept and possibly modify communication to and from intended recipient.",
"Name": "Adversary-in-the-Middle on air interface for a given UE"
},
{
"Description": "Alternatively, if the 5G system employs null integrity or encryption, subscriber data traffic can be eavesdropped or modified in transit over the air interface",
"Name": "Adversary-in-the-Middle on air interface for any UE"
},
{
"Description": "Adversary uses a fake base station to broadcast spoofed configuration messages to UEs nearby. Reference [3] (appendix B) contains a taxonomy of attacks against 5G UEs, passive and active. One concerns message attacks (fake MIB/SIB Master Information Block/System Information Block)",
"Name": "Spoofed configuration messages from fake base station"
}
],
"refs": [
"[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, section 4.4, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks",
"[2] Hu, X. et al: “A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security”, August 2019 - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957",
"[3] 3rd Generation Partnership Project (3GPP TR 33.809: “Study on 5G security enhancements against False Base Stations (FBS ”, Technical Report, v0.18.0, February 2022. - https://www.3gpp.org/DynaReport/33809.htm",
"https://fight.mitre.org/data%20sources/FGDS5002",
"https://fight.mitre.org/techniques/FGT1557.501"
],
"status": "Observed in earlier 3GPP generations and expected in 5G.",
"subtechnique-of": "FGT1557",
"typecode": "fight_subtechnique_to_attack_technique"
},
"related": [
{
"dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d",
"type": "detected-by"
},
{
"dest-uuid": "5ecccab0-9d6d-504c-92c4-408091a3c114",
"type": "subtechnique-of"
}
],
"uuid": "125336d2-ca71-57b5-a46e-faca5013c555",
"value": "Radio interface"
},
{
"description": "A malicious app consumes subscriber data allocation to deny or degrade service to that UE. \r\n\r\nA malicious application might consume a UE's limited data plan, denying or throttling service.",
"meta": {
@ -9198,150 +8980,6 @@
"uuid": "4d8acf53-2350-5390-af4d-7ba1f5f9dc13",
"value": "Weaken Integrity"
},
{
"description": "An adversary may alter or spoof network signaling so as to enable the NULL integrity algorithm thus allowing for manipulation of user data or signaling over the radio interface, for example to redirect traffic. \r\n\r\nSeveral procedures and interfaces can be implemented incorrectly or misused by an adversary in control over a gNB or NF and may result in a configuration that calls for the NULL integrity algorithm to protect data sent over the radio interface. The data sent is user signaling -- Non-Access Stratum (NAS) or Access Stratum (AS) Control Plane (CP) -- or subscriber data -- AS User Plane (UP)). These actions can be followed by another adversarial behavior whereby data and signaling sent over the radio interface is manipulated or tampered with.",
"meta": {
"architecture-segment": "RAN",
"bluf": "An adversary may alter or spoof network signaling so as to enable the NULL integrity algorithm thus allowing for manipulation of user data or signaling over the radio interface, for example to redirect traffic.",
"criticalassets": [
{
"Description": "UE signaling and subscriber (user plane) data integrity.",
"Name": "UE data"
}
],
"detections": [
{
"detects": "Check for unusual changes in gNB, SMF, AMF user profile, policy, and configuration data. Configuration audits by OSS/BSS to detect for example, user session redirects.",
"fgdsid": "DS0015",
"name": "Application Log"
},
{
"detects": "Radio traffic content\nInspect radio traffic and watch for unauthorized changes as the packets move through the interfaces.",
"fgdsid": "DS0029",
"name": "Network Traffic"
}
],
"external_id": "FGT5009.001",
"kill_chain": [
"fight:Defense-Evasion"
],
"mitigations": [
{
"fgmid": "FGM5024",
"mitigates": "Ensure gNB implementation and SMF implementations are both checking the UE CP and UP security policy against the most trustworthy source and taking action to not enable NULL integrity except for emergency calls.",
"name": "Integrity protection of data communication"
},
{
"fgmid": "FGM5006",
"mitigates": "UE should refuse to set up radio bearer and PDU session without integrity protection.",
"name": "Restrictive user profile"
},
{
"fgmid": "M1018",
"mitigates": "Network element security safeguards for gNBs, AMFs and SMFs. Includes measures in clause 5.3.4 of [2] (e.g. software updates, OA&M access security, secure boot).",
"name": "User Account Management"
},
{
"fgmid": "M1031",
"mitigates": "Implement network intrusion prevention methods.",
"name": "Network Intrusion Prevention"
},
{
"fgmid": "M1043",
"mitigates": "Implement credential access protection methods.",
"name": "Credential Access Protection"
}
],
"object-type": "technique",
"platforms": "5G Radio",
"postconditions": [
{
"Description": "Control Plane (CP): All UE signaling data may be tampered with if both NAS and AS CP (i.e., RRC) algorithms are weakened. \n\nUser Plane (UP): Subscriber (user) data may be tampered with if AS UP algorithms are weakened.\n\nAs a result, subscriber data session does not get setup (DoS attack) or gets interrupted during an active session.",
"Name": "UE data not integrity protected on air interface"
}
],
"preconditions": [
{
"Description": "A rogue gNB may be required to change the UEs CP & UP supported algorithms to NULL. Its easier to achieve control over a gNB than over the AMF or SMF itself. But then if the AMF and SMF are not rogue just not configured to do these additional checks, then control over a rogue gNB is sufficient.\nThis attack is possible with only control over the AMF, in which case the algorithm for CP and UP protection may be changed to NULL.",
"Name": "Rogue or misconfigured AMF or SMF or gNB or MME"
}
],
"procedureexamples": [
{
"Description": "Adversary (e.g. with fake gNB) intentionally configures NULL integrity algorithm to have highest priority in gNB. These algorithms are sent to the UE in the Access Stratum (AS) Security Mode Command (SMC). Normally the activation of algorithms for the AS is done by the gNB based on that policy received from the SMF, but a fake gNB can ignore the SMF. Clauses 6.7.3 & D.1 of [2].\n\nAdversary with control over a legitimate gNB, and who currently serves the UE, tells the SMF that the UE Control Plane (CP) and User Plane (UP) policy is NULL integrity, and the (legit but not correctly implemented) SMF doesnt check that against the locally configured UE CP & UP policy and lets the CP and UP data use NULL integrity. Clause 6.6.1 of [2].",
"Name": "Fake or misconfigured base station"
},
{
"Description": "Adversary makes the unauthorized change in the SMF CP & UP local policy to enable NULL integrity for CP & UP traffic.\nAlternatively, adversary exploits an SMF that is not implemented to check (for every UE it serves) that the algorithm received from gNB- (which may be compromised or fake) matches the local policy. That local policy in turn should be checked that it is the same as the UE policy stored in the UDM. Any of these failures can result in the SMF enabling the CP and UP traffic over the radio interface to use NULL integrity.",
"Name": "Rogue or misconfigured SMF"
},
{
"Description": "Adversary with control over AMF (or control over the configuration of AMF) can affect UE procedures such as NAS Security Mode Command, such that the UE's NAS data is not protected, i.e. prioritize NULL algorithm for either NAS encryption or integrity. Clause K.2.3.3. of [1]. \n\nThis can be followed by another attack behavior whereby data manipulation can be done over the air interface for signaling data. Clauses 5.3.2, 5.3.3 & 5.5.1, 5.5.2 of [2].",
"Name": "Rogue or misconfigured AMF non-roaming"
},
{
"Description": "Compromised source AMF sends incorrect UE context information to legitimate target AMF during\nInitial registration & roaming or\nHandover (N2 based)\n\nSource AMF sends null integrity algorithm information as part of the “UEContextTransfer” (initial registration & roaming) or “CreateUEContext” (N2 handover) service request messages. All UE data will be sent without integrity protection after registration or handover is completed. Clauses 4.2.2.2.2, 4.9.1.3.1 & 5.2.2.1 of [3] The element in the UE context is the ueSecurityCapability which the rogue AMF sets to NULL only.",
"Name": "Rogue or misconfigured AMF during roaming/handover"
},
{
"Description": "Compromised source MME sends incorrect UE context information to legitimate target AMF during EPS to 5GS handover and roaming with and without N26 interface.\n\nSource AMF sends NULL integrity algorithm information as part of the “UEContextTransfer” or \n“RelocateUEContext” service request messages. All UE data will be sent without integrity protection after roaming or handover is completed. Clauses 4.11.1.2.2.2, 4.11.1.3.3, 4.11.2.3 & 5.2.2.1 of [3] The element in the UE context is the ueSecurityCapability which the rogue AMF sets to NULL only.",
"Name": "Rogue or misconfigured MME during EPS roaming/handover"
}
],
"refs": [
"[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”, v17.4.0, June 2022 - https://www.3gpp.org/DynaReport/33926.htm",
"[2] 3GPP TS 33.501 “Security architecture and procedures for 5G System”, v 17.6.0, June 2022 - https://www.3gpp.org/DynaReport/33501.htm",
"[3] 3GPP TS 23.502 “Procedures for the 5G System (5GS ”, v17.5.0, June 2022 - https://www.3gpp.org/DynaReport/23502.htm",
"https://fight.mitre.org/data%20sources/DS0015",
"https://fight.mitre.org/data%20sources/DS0029",
"https://fight.mitre.org/mitigations/FGM5006",
"https://fight.mitre.org/mitigations/FGM5024",
"https://fight.mitre.org/mitigations/M1018",
"https://fight.mitre.org/mitigations/M1031",
"https://fight.mitre.org/mitigations/M1043",
"https://fight.mitre.org/techniques/FGT5009.001"
],
"status": "This is a theoretical behavior",
"subtechnique-of": "FGT5009",
"typecode": "fight_subtechnique"
},
"related": [
{
"dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de",
"type": "mitigated-by"
},
{
"dest-uuid": "cce626f3-b774-5f29-b1d2-5fb96a5befef",
"type": "mitigated-by"
},
{
"dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa",
"type": "mitigated-by"
},
{
"dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a",
"type": "mitigated-by"
},
{
"dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8",
"type": "mitigated-by"
},
{
"dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef",
"type": "detected-by"
},
{
"dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6",
"type": "detected-by"
},
{
"dest-uuid": "4d8acf53-2350-5390-af4d-7ba1f5f9dc13",
"type": "subtechnique-of"
}
],
"uuid": "955b7c23-35a9-57df-a223-ed9d9b3d14ad",
"value": "Radio Interface"
},
{
"description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1190)",
"meta": {
@ -10278,172 +9916,6 @@
"uuid": "56a188ea-36f4-5322-bc12-899feac72eaa",
"value": "Network Interfaces"
},
{
"description": "An adversary may alter network signaling so as to use weakened or no encryption algorithm on the Non-SBI (Service Based Interface), SBI and Roaming interfaces, thus allowing for eavesdropping of user data or signaling. \r\n\r\nThe following Network interfaces are in the scope of this document.\r\n\r\n1. “Non-SBI” network interfaces are within 5G core network and the Radio Access Network (RAN), and between the RAN and the 5G Core (e.g. N2, N3, N4, Xn). \r\n\r\n2. SBI network interfaces are between core Network Functions (NFs) within an operator network; they use REST APIs.\r\n\r\n3. Roaming and interconnect interfaces, including IPX, are between network operators (between Security Edge Protection Proxies (SEPPs) (N32), or other interworking functions like Access and Mobility Management (AMF/MME) (N26) and between User Plane Functions (UPFs) owned by different network operators (N9)).\r\n\r\nAn adversary with control over gNB, AMF, UPF or SMF may disable IPSec on non-SBI interfaces (Xn, N2, N3, N4). IPSec is expected to be used to protect all non-SBI links, however, unlike radio communications, operator RAN to core communications are not mandated to actually run encryption protection. \r\n\r\nAn adversary with access to the SBI links, with control over one or more core network functions (NFs) or a middlebox (including the Service Communication Proxy (SCP) if deployed), may disable use of TLS or use older TLS version such as v1.1. TLS is required by 3GPP standards to be used to protect all SBI links within the operator core network. \r\n\r\nAn adversary with control over roaming nodes or interfaces- namely SEPP or IPX network-- may disable or cause to use a weak encryption algorithm for TLS or JWE encryption on the N32 interface. An adversary with control over visited network UPF may disable IPSec on the N9 interface or a compromised MME or AMF may disable IPSec on N26 interface.",
"meta": {
"access-required": "None",
"architecture-segment": "Control Plane, User Plane",
"bluf": "An adversary may alter network signaling so as to use weakened or no encryption algorithm on the Non-SBI (Service Based Interface), SBI and Roaming interfaces, thus allowing for eavesdropping of user data or signaling.",
"criticalassets": [
{
"Description": "Any of the subscriber data sourced or destined to the UE",
"Name": "UE data"
},
{
"Description": "Any of the signaling traffic between UE and network",
"Name": "UE signaling"
}
],
"detections": [
{
"detects": "Check configuration changes in gNB and all core NFs; Configuration audits by OSS/BSS.",
"fgdsid": "DS0015",
"name": "Application Log"
},
{
"detects": "Inspect network traffic and watch for unauthorized changes",
"fgdsid": "DS0029",
"name": "Network Traffic"
}
],
"external_id": "FGT1600.502",
"kill_chain": [
"fight:Defense-Evasion"
],
"mitigations": [
{
"fgmid": "M1018",
"mitigates": "Network element security safeguards for gNB and all core NFs",
"name": "User Account Management"
},
{
"fgmid": "M1031",
"mitigates": "Implement network intrusion prevention methods",
"name": "Network Intrusion Prevention"
},
{
"fgmid": "M1041",
"mitigates": "Ensure strong encryption is used in all non-SBI, SBI and roaming/interconnect interfaces. That is, TLS (not version 1.1) should be used in all SBI, N32-c and N32-f ; in addition, PRINS should be used on N32-f when TLS is not used.",
"name": "Encrypt Sensitive Information"
},
{
"fgmid": "M1043",
"mitigates": "Implement credential access protection methods",
"name": "Credential Access Protection"
},
{
"fgmid": "M1046",
"mitigates": "Network element security safeguards for gNB and all core NFs",
"name": "Boot Integrity"
},
{
"fgmid": "M1051",
"mitigates": "Network element security safeguards for gNB and all core NFs",
"name": "Update Software"
}
],
"object-type": "technique",
"platforms": "5G",
"postconditions": [
{
"Description": "Control Plane: All UE signaling data may be revealed if IPSec and TLS are disabled.\n\nUser Plane: Subscriber (user plane) data may be revealed if IPSec is disabled. \n\nUE CP & UP data can be sniffed, see FGT1040 Network Sniffing",
"Name": "UE data unprotected on network interfaces"
}
],
"preconditions": [
{
"Description": "Adversary must have access to the network components to cause the attacks",
"Name": "Rogue or misconfigured AMF/MME, SMF, gNB or UPF, or SEPP or any other core NF"
}
],
"procedureexamples": [
{
"Description": "A rogue or misconfigured gNB can disable IPSec encryption or use a weak IPSec encryption algorithm on backhaul interfaces such as N2, N3 and Xn. This can be used to launch other attacks. Clause D.2.2 of [1], clause 5.3.2 of [2].",
"Name": "Compromised or misconfigured gNB"
},
{
"Description": "A rogue or misconfigured AMF can disable IPSec encryption or use a weak IPSec encryption algorithm on N2 and N26 interfaces. This can be used to launch other attacks. Clause K.2.1 of [1], clause 5.5.1 of [2].",
"Name": "Compromised or misconfigured AMF"
},
{
"Description": "A rogue or misconfigured UPF can disable IPSec encryption or use a weak IPSec encryption algorithm on N3, N4 and N9 interfaces. This can be used to launch other attacks. Clause L.2.1 of [1], clauses 9.3 and 9.9 of [2].",
"Name": "Compromised or misconfigured UPF"
},
{
"Description": "A rogue or misconfigured SMF can disable IPSec encryption or use a weak IPSec encryption algorithm on N4 interface. This can be used to launch other attacks. Clause 9.9 of [2]",
"Name": "Compromised or misconfigured SMF"
},
{
"Description": "A rogue or misconfigured NF can disable the TLS encryption or use a weak TLS encryption algorithm to another NF including the SCP. Then it can launch other attacks to gain unauthorized access to network services. Clause 13.1 of [2]\n\nIf SCP is rogue or misconfigured, it can force TLS connections to all NFs to be unencrypted or use weak encryptions for all. Clause 5.9.2.4 of [2].",
"Name": "Compromised or misconfigured NF"
},
{
"Description": "A rogue or misconfigured SEPP can disable TLS encryption or use a weak TLS encryption algorithm on N32-c interface or N32-f interface or both.\n\nA rogue or misconfigured SEPP can disable JWE encryption or use a weak encryption algorithm when the PRINS algorithm is used on N32-f. Then it can launch other attacks. Clauses 9.9, 13.1 and 13.2 of [2].",
"Name": "Compromised or misconfigured SEPP or IPX component"
},
{
"Description": "A rogue or misconfigured AMF/MME can disable IPSec encryption or use a weak IPSec encryption algorithm on N26 interface. Then it can launch other attacks. Clause K.2.1 of [1], 8.4 of [2].",
"Name": "Compromised or misconfigured MME/AMF"
}
],
"refs": [
"[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”. - https://www.3gpp.org/DynaReport/33926.htm",
"[2] 3GPP TS 33.501 “Security architecture and procedures for 5G System”. - https://www.3gpp.org/DynaReport/33501.htm",
"https://fight.mitre.org/data%20sources/DS0015",
"https://fight.mitre.org/data%20sources/DS0029",
"https://fight.mitre.org/mitigations/M1018",
"https://fight.mitre.org/mitigations/M1031",
"https://fight.mitre.org/mitigations/M1041",
"https://fight.mitre.org/mitigations/M1043",
"https://fight.mitre.org/mitigations/M1046",
"https://fight.mitre.org/mitigations/M1051",
"https://fight.mitre.org/techniques/FGT1600.502"
],
"status": "This is a theoretical behavior in context of 5G systems.",
"subtechnique-of": "FGT1600",
"typecode": "fight_subtechnique_to_attack_technique"
},
"related": [
{
"dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa",
"type": "mitigated-by"
},
{
"dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a",
"type": "mitigated-by"
},
{
"dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7",
"type": "mitigated-by"
},
{
"dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8",
"type": "mitigated-by"
},
{
"dest-uuid": "3ea67e5f-f46e-5b5d-a987-0008b66fddfc",
"type": "mitigated-by"
},
{
"dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6",
"type": "mitigated-by"
},
{
"dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef",
"type": "detected-by"
},
{
"dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6",
"type": "detected-by"
},
{
"dest-uuid": "bb3c722d-a179-5bb9-bb66-0298fa30876d",
"type": "subtechnique-of"
}
],
"uuid": "8f866b4a-0347-509a-9f10-78af24f4ae8a",
"value": "Network Interfaces"
},
{
"description": "Adversaries may manipulate service or service delivery mechanisms prior to or while used by a mobile network operator (MNO) for the purpose of data or system compromise.\r\n\r\nThe adversary may use the compromised service as a means to apply additional techniques against interfaces exposed to the service provider such as the NEF. When the service provider hosts or provides core network functions, the adversary may attempt to compromise the 5G core components in the service provider environment, e.g. MEC hosted NFs (clause 5.13 of [1]), or through the service provider environment, attempt compromise of other core NFs not hosted in the MEC. \r\n\r\nWhen service providers are used for providing service to customers, the adversary may be in a position to compromise information about the subscriber. \r\n\r\nThe adversary, as an example, may also compromise software and/or hardware used by the service provider, such as opensource, as a technique to gain initial access or achieve other tactics within the service provider to provide a position for initial access to the MNOs network. Open source software may be an attractive target for supply chain attacks, as detection, reporting, and patch availability timelines can provide a greater window of opportunity for vulnerabilities to be exploited.",
"meta": {
@ -11495,101 +10967,6 @@
"uuid": "42ff8bbd-7d2d-5e77-991d-62e9f7e16500",
"value": "Diameter signaling"
},
{
"description": "An adversary may send an unsolicited SS7/Diameter message to the core network of a UE that will cause the core network to provide IMSI/SUPI of the UE.\r\n\r\nAn operators network consists of a 5G Core and also auxiliary systems such as the IP Multimedia System (IMS). The IMS is used to provide voice and SMS services; this is accomplished via traditional protocols SS7 and Diameter between the IMS and 5G core functions. This subtechnique covers the abuse of such legitimate signaling to obtain the permanent identifier of a UE. Once the IMSI/SUPI is obtained, adversary may launch further attacks such as retrieving location of the UE, network slice and data network that are being used by the UE etc.\r\n \r\nBackground info:\r\n5G SA core has interfaces to IMS core to support voice and SMS services. Diameter/SS7 attacks. In signaling plane, voice service uses Diameter based Rx interface between PCF and P-CSCF in IMS, Diameter based Sh interface between HSS/UDM and TAS in IMS, Diameter based Cx interface between HSS/UDM and I/S-CSCF. It also uses SIP/SDP based Gm interface between UPF and P-CSCF in the user plane. SMS over NAS service uses SS7 (MAP) based interface and S6c Diameter based interface from UDM to SMSC. It also uses MAP and SGd (Diameter) interfaces from SMSF to SMSC.",
"meta": {
"access-required": "N/A",
"architecture-segment": "Control Plane",
"bluf": "An adversary may send an unsolicited SS7/Diameter message to the core network of a UE that will cause the core network to provide IMSI/SUPI of the UE.",
"criticalassets": [
{
"Description": "Subscribers identity is revealed to the adversary.",
"Name": "UEs privacy is compromised"
}
],
"detections": [
{
"detects": "Monitor all communications over Diameter and SS7/MAP based interfaces to/from core network.",
"fgdsid": "DS0029",
"name": "Network Traffic"
}
],
"external_id": "FGT5019.005",
"kill_chain": [
"fight:Discovery",
"fight:Collection"
],
"mitigations": [
{
"fgmid": "FGM5004",
"mitigates": "Use SMS router or firewall",
"name": "Correctly configure SMS firewall"
},
{
"fgmid": "FGM5513",
"mitigates": "Use Diameter End-to-end Signaling Security (DESS). Section 6.5.3 of [4].",
"name": "Use DESS security"
}
],
"object-type": "technique",
"platforms": "5G Network",
"postconditions": [
{
"Description": "If IMSI/SUPI is obtained, many other subsequent attacks are possible such as retrieving subscriber location, network slice, data network of the UE.",
"Name": "IMSI/SUPI is available to the adversary"
}
],
"preconditions": [
{
"Description": "Adversary collects victim UEs phone number from subscribers physical address using internet based services such as numlooker.com.",
"Name": "MSISDN or phone number of victim UE is known to adversary"
}
],
"procedureexamples": [
{
"Description": "Diameter protocol:\nAdversary sets up a fake SMSC and then sends a specially crafted Send Routing Info for Short Message Request (SRR) with victim UEs MSISDN to HSS/UDM. If SMS router/firewall is not setup or if it is setup incorrectly, HSS/UDM will return the IMSI/SUPI of the UE and the ID of AMF/MMEs ID currently serving the UE in response Send Routing Info for SM Answer (SRA) message.\n\nSS7 protocol:\nAdversary sets up a fake SMSC and then sends a specially crafted MAP SRI_SM Send Routing Info for Short Message Request (SRR) with victim UEs MSISDN to HSS/UDM. If SMS router/firewall is not setup or if it is setup incorrectly, HSS/UDM will return the IMSI/SUPI of the UE and the ID of AMF/MMEs ID currently serving the UE in response Send Routing Info for SM Answer (SRA) message. [1, 2]",
"Name": "UEs IMSI/SUPI is retrieved using SRR message"
},
{
"Description": "Diameter protocol: Adversary sets up an application server and sends a specially crafted User Data Request (UDR) message with victim UEs MSISDN to HSS/UDM. If HSS/UDM is not configured properly, HSS/UDM will return the IMSI/SUPI of the UE in User Data Answer (UDA) response message. [2]",
"Name": "UEs IMSI/SUPI is retrieved using Diameter UDR message"
}
],
"refs": [
"[1] International Conference on Cyber Conflict 2016: “We know where you are\". - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529440",
"[2] Positive Technologies article: “Next Generation Networks, Next Level Cyber Security Problems” - https://www.ptsecurity.com/upload/iblock/a8e/diameter_research.pdf",
"[3] Broadforwards SS7/MAP Firewall - https://www.broadforward.com/ss7-firewall-ss7fw/",
"[4] GSMA IR.88 “EPS Roaming Guidelines”. - https://www.gsma.com/newsroom/wp-content/uploads/IR.88-v22.0.pdf",
"https://fight.mitre.org/data%20sources/DS0029",
"https://fight.mitre.org/mitigations/FGM5004",
"https://fight.mitre.org/mitigations/FGM5513",
"https://fight.mitre.org/techniques/FGT5019.005"
],
"status": "Observed in earlier 3GPP generations and expected in 5G.",
"subtechnique-of": "FGT5019",
"typecode": "fight_subtechnique"
},
"related": [
{
"dest-uuid": "b6db0fd1-7f3d-5873-bce6-6a2c56b2af9c",
"type": "mitigated-by"
},
{
"dest-uuid": "4b4e1865-22c1-5a4e-a816-5285c94a126b",
"type": "mitigated-by"
},
{
"dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6",
"type": "detected-by"
},
{
"dest-uuid": "0eaef533-4472-5d77-a665-3a40de657c70",
"type": "subtechnique-of"
}
],
"uuid": "b703c8f8-28b1-5fb3-8cbd-a1b154fddc68",
"value": "Diameter signaling"
},
{
"description": "Malicious xApps may gain unauthorized access to near-RT RIC and E2 nodes, in order to affect Radio Access Network (RAN) behavior. \r\n\r\nxApps are application software that may be developed by third party vendors. They reside in the Near Real Time (near-RT) RAN Intelligent Controller (RIC) after onboarding is done by ORAN orchestration system. Near-RT RICs control and optimize RAN functions for events ranging from 10 ms to 1 sec. xApps manage Radio Resource Management (RRM) functions of RAN via E2 interface. The following components are controlled by xApps by using APIs: E2 nodes such as O-DU, O-RU, O-CU-CP and O-CU-UP. Near-RT RIC and xApps are managed by non-RT RIC via A1 interface for RAN optimizations and by SMO via O1 interface for lifecycle management.\r\n\r\nDuring onboarding of xApps, malware may be installed by the adversary in xApps which can gain unauthorized access to near-RT RIC by exploiting weak or misconfigured authentication mechanism in near-RT RIC. A malicious xApp image may be crafted by the adversary and then installed in near-RT RIC during onboarding. A legitimate xApp may be cloned in near-RT RIC by an insider adversary.\r\n\r\nOnce installed in near-RT RIC, the rogue xApp may indirectly access E2 nodes via APIs by penetrating traffic separating firewalls within ORAN. The rogue xApp may change behavior of near-RT RIC which will impact RAN functions such as coverage, network slicing, QoS etc.",
"meta": {
@ -13452,35 +12829,6 @@
],
"uuid": "5e3ef71b-8af6-575f-88dc-b6823fabf786",
"value": "Exploitation for Client Execution"
},
{
"description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1642)",
"meta": {
"architecture-segment": "5G",
"bluf": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device.",
"detections": [],
"external_id": "FGT1642",
"kill_chain": [
"fight:Impact"
],
"mitigations": [],
"object-type": "technique",
"platforms": "5G",
"refs": [
"https://attack.mitre.org/techniques/T1642",
"https://fight.mitre.org/techniques/FGT1642"
],
"status": "This is an observed behavior in Enterprise networks.",
"typecode": "attack_technique_with_fight_subs"
},
"related": [
{
"dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
"type": "related-to"
}
],
"uuid": "58e62481-da83-5ee9-9286-69822d1c153e",
"value": "Endpoint Denial of Service"
}
],
"version": 1


@ -83,7 +83,15 @@ for item in fight['tactics']:
tactics[item['id']] = item['name'].replace(' ', '-')
# techniques
technique_strings = []
for item in fight['techniques']:
technique_string = item['name'].strip().lower()
if technique_string in technique_strings:
print(f"Skipping: Duplicate technique name found: {item['name']} - {item['id']}")
continue
technique_strings.append(technique_string)
element = {
'value': item['name'].strip(),
'description': item['description'].strip(),