MITRE ATT&CK Based Threat Analysis for Electronic Flight Bag
Ozan Olali
IBM X-Force Red Offensive Security Services
Agenda
1 About Speaker
2 Quick Overview - Aviation Business
3 Electronic Flight Bags
4 MITRE ATT&CK Based EFB Threat Assessment
5 Recon, Resource Development, and Initial Access
IBM Security | MITRE ATT&CK CON 4.0 X-Force Red
About Speaker
Ozan Olali
14 years professional
23 years unprofessional
Cybersecurity
IBM X-Force Red – MEA
Security Research
Astrophotography
5+ Aviation Company & EFBs
Quick Overview - Aviation Business

Airlines contend with a massive attack surface, capable of exerting significant influence on both their business operations and the overall experience of their passengers.
↓
Detailed threats for each service/platform, and for each component within that platform, should be assessed considering business impact.

Services and platforms:
- Electronic Flight Bag
- Booking & Reservation Services
- Agency Management
- Cargo Services
- Crew and Employee Portals
- Loyalty Programs & Miles Management
- Availability Management & Forecasting
- Customer Correspondence Center
- In-Flight Entertainment (IFE) Systems
- Check-in Platforms and Applications
- Self-Service Baggage Check-in
- And Many Others…
Airline companies also have extensive trust relationships with suppliers in order to run business operations and maintenance.
↓
Critical 3rd parties and the integrated ecosystem of airline companies:
- Aircraft Manufacturers
- Maintenance and Repair Organizations
- Air Traffic Control
- Payment Processors
- Ground Handling Companies
- Catering and In-Flight Services
- Fuel Suppliers
- Weather and Meteorological Services
- Airport Authorities
- Regulatory Authorities
- Insurance Providers
- And Many Others…
Electronic Flight Bags

Electronic Flight Bags in a Nutshell

Customization: Not plug-and-play solutions; they need extensive customization according to the airline company's environment and carry many configuration requirements.

Functions: Flight Briefing, Pre-flight and Post-flight Reporting, Cockpit Security Checks, Document Library, Take-off and Landing Performance, MEL & Defect Reporting, and many others.

Paperless Cockpit: Consolidates in a single app all the relevant information and functionalities for the pilot's mission, providing everything they need at every stage of the flight.

Integrations: Capable of many custom integrations with popular SaaS solutions (content management and document distribution), and some federated authentication to those platforms.

The EFB is a very critical component of modern aviation, providing pilots with digital resources and critical flight information.
MITRE ATT&CK Based EFB Threat Assessment

The threat surface associated with the EFB is complex; potential compromise scenarios and their business impact should be identified to enable cyber prevention and detection capabilities.

High Level Threat Surface for EFB (diagram; node labels recovered below)
- EFB Tablet: Network Shares (*Credentials in Files), EFF Domain Account, App Level Auth, Tablet Auth, Local Account, Email
- Ground Messaging: Email Comm., In Flight Comm.
- OS Layer of Tablet: Operating System; OS Layer Components: Registry, Local Files, Terminal, Others
- Supportive Applications; Auth Headers
- Data flows: Fuel Order & Plan, Ground Ops., Document Mng. Systems, Read Docs., Cloud Update Hubs, Takeoff Landing Performance DB, Reporting, Update OS, Update App, Briefing Room / Hub, Update Data
- Corporate Network: Servers, Other Technologies
- Cloud Platforms: Servers, Other Technologies
- Authentication Components: User Repo, Auth Protocols, Policies
- Public Facing App Services
- Airplane Avionic Net.
- Back Office Administration
- Flight Operations
- EFB Vendor

ATT&CK techniques mapped onto the threat surface (built up one tactic per slide in the deck; collected here by tactic):

Initial Access
- T1566: Phishing
- T1199: Trusted Relationship
- T1190: Exploit Public-Facing Application
- T1078: Valid Accounts
- T1189: Drive-by Compromise
- T1558: Lockscreen Bypass
- T1091: Removable Media

Execution
- T1059: Command and Scripting Interpreter
- T1204: User Execution: Malicious File/Link
- T1106: Native API
- T1053: Scheduled Task

Persistence
- T1554: Compromise Client Software Binary
- T1547: Boot or Logon Autostart Execution

Privilege Escalation
- T1548: Exploitation for Privilege Escalation
- T1078: Local Accounts

Credential Access
- T1461: Steal or Forge Kerberos Tickets
- T1552: Unsecured Credentials: Credentials in Registry

Discovery
- T1087: Account Discovery
- T1619: Cloud Storage Object Discovery
- T1526: Cloud Service Discovery
- T1083: File and Directory Discovery
- T1135: Network Share Discovery
- T1615: Group Policy Discovery
- T1018: Remote System Discovery

Lateral Movement
- T1021: Remote Services: Cloud Services
- T1210: Exploitation of Remote Services
- T1550: Use Alternate Authentication Material

Collection
- T1123: Audio Capture
- T1114: Email Collection
- T1113: Screen Capture
- T1530: Data from Cloud Storage

Command and Control
- T1071: Application Layer Protocol (Mail, Web)

Impact
- T1565: Data Manipulation
- T1489: Service Stop
Mapping the top priority controls from the MITRE ATT&CK framework to an EFB platform (matrix; columns recovered below; legend: Custom Techniques Targeting EFB / APT33)

Reconnaissance: Active Scanning; Gather Victim Host Information; Gather Victim Identity Information; Gather Victim Network Information; Gather Victim Org Information; Phishing for Information; Search Closed Sources; Search Open Technical Databases; Search Open Websites/Domains; Search Victim-Owned Websites
Resource Development: Acquire Access; Acquire Infrastructure; Compromise Accounts; Compromise Infrastructure; Develop Capabilities; Establish Accounts
Initial Access: Exploit Public-Facing Application; Valid Accounts; Phishing; Supply Chain Compromise; Drive-by Compromise; Lockscreen Bypass; Replication Through Removable Media
Execution: Command and Scripting Interpreter; Native API; Scheduled Task/Job; Exploitation for Client Execution
Persistence: Create Account; Compromise Client Software Binary; Boot or Logon Autostart Execution; Scheduled Task/Job
Privilege Escalation: Bypass UAC; Exploitation for Privilege Escalation; Valid Accounts; Local Accounts
Defense Evasion: Obfuscated Files or Information; Valid Accounts
Credential Access: Steal or Forge Kerberos Tickets; Unsecured Credentials; Credentials from Password Stores; Network Sniffing
Discovery: Cloud Storage Object Discovery; Cloud Service Discovery; Remote System Discovery; File and Directory Discovery; Network Share Discovery; Account Discovery; Group Policy Discovery; Network Sniffing
Lateral Movement: Remote Services: Cloud Services; Exploitation of Remote Services; Use Alternate Authentication Material
Collection: Audio Capture; Email Collection; Screen Capture; Data from Cloud Storage
Command and Control: Ingress Tool Transfer; Non-Standard Port; Application Layer Protocol (Mail, Web)
Impact: Service Stop; Data Manipulation
ATT&CK Threat Assessment for EFB

Identify the Techniques and Test All (Adversary Simulation):
1 Choose an attack technique/sub-technique
2 Choose a test methodology for the technique
3 Execute the test procedure
4 Analyze the prevention, detection & response capability
5 Take notes and suggest improvements for defense
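The five-step loop above produces one record per technique tested, and the threat-surface mapping before it tells you which EFB components those records should cover. As an added example (not code from the talk or from IBM X-Force Red), the following Python keeps that ledger and answers the two questions a defender takes away from the exercise: which tactics have no working control, and which threat-surface nodes were never tested. The technique IDs and component names are taken from the deck; the outcomes, the observation notes and the `THREAT_SURFACE` subset are constructed sample data, not results from a real assessment.

```python
"""Result ledger for the EFB adversary-simulation loop (added example).

Each TestResult names the EFB threat-surface node under test, the ATT&CK
tactic and technique, and whether existing controls prevented, detected
or responded to the procedure. Sample outcomes below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    component: str      # EFB threat-surface node, e.g. "EFB Tablet"
    tactic: str         # ATT&CK tactic, e.g. "Initial Access"
    technique: str      # ATT&CK technique ID + name, as used in the deck
    prevented: bool     # a control blocked the procedure outright
    detected: bool      # SOC tooling raised an alert
    responded: bool     # an analyst acted on the alert within SLA
    note: str = ""      # observation / suggested improvement for defense


# Constructed sample results for a subset of the deck's technique mapping.
SAMPLE_RESULTS = [
    TestResult("EFB Tablet", "Initial Access", "T1091 Removable Media",
               prevented=True, detected=True, responded=True),
    TestResult("EFB Tablet", "Credential Access",
               "T1552 Unsecured Credentials: Credentials in Registry",
               prevented=False, detected=False, responded=False,
               note="constructed: SaaS token found in per-user registry hive"),
    TestResult("Cloud Platforms", "Discovery",
               "T1619 Cloud Storage Object Discovery",
               prevented=False, detected=True, responded=False,
               note="constructed: alert fired but was closed as noise"),
    TestResult("Public Facing App Services", "Initial Access",
               "T1190 Exploit Public-Facing Application",
               prevented=True, detected=False, responded=False),
    TestResult("Corporate Network", "Lateral Movement",
               "T1550 Use Alternate Authentication Material",
               prevented=False, detected=False, responded=False,
               note="constructed: no ticket-anomaly detection on EFB accounts"),
]

# A few nodes taken from the deck's high-level threat-surface diagram.
THREAT_SURFACE = ["EFB Tablet", "Corporate Network", "Cloud Platforms",
                  "Public Facing App Services", "EFB Vendor",
                  "Authentication Components", "Flight Operations"]


def coverage_by_tactic(results):
    """Per tactic: number of tests and how many were prevented, detected
    and responded to. A tactic with zero prevented and zero detected is a
    blind spot across every technique tried."""
    summary = defaultdict(lambda: {"tests": 0, "prevented": 0,
                                   "detected": 0, "responded": 0})
    for r in results:
        row = summary[r.tactic]
        row["tests"] += 1
        row["prevented"] += int(r.prevented)
        row["detected"] += int(r.detected)
        row["responded"] += int(r.responded)
    return dict(summary)


def blind_spots(results):
    """Techniques that were neither prevented nor detected: these feed the
    'take notes and suggest improvement for defense' step directly."""
    return sorted(r.technique for r in results
                  if not r.prevented and not r.detected)


def untested_components(results, threat_surface):
    """Threat-surface nodes that never appeared in any test; the exercise
    says nothing about them yet, so they stay on the backlog."""
    tested = {r.component for r in results}
    return sorted(set(threat_surface) - tested)


if __name__ == "__main__":
    for tactic, row in coverage_by_tactic(SAMPLE_RESULTS).items():
        print(f"{tactic:18} {row}")
    print("blind spots:", blind_spots(SAMPLE_RESULTS))
    print("untested:", untested_components(SAMPLE_RESULTS, THREAT_SURFACE))
```

The ledger deliberately keeps prevention, detection and response as three separate booleans: the constructed T1190 record shows a control that blocks but never alerts, and the T1619 record an alert that nobody acted on, and both would be hidden by a single pass/fail flag.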
Recon, Resource Development, and Initial Access

Reconnaissance (Search Victim-Owned Websites; Gather Victim Identity Information; Business Relationships)
↓
General research was conducted to identify the potential attack surface from public information using open-source solutions.
- Quick research on airlines & aviation companies & websites
- 634 airline websites
- 37.694 subdomains
- 158 public EFB services (subdomains)
- Email addresses:
  - EFB Product Owners
  - EFB Administrators
  - Pilots
  - EFB Developers
  - EFB Vendors
  - Vendor's Support Team
  - Alliances & Partnerships

Resource Development (Compromise Infrastructure; Compromise Accounts)
↓
Obtain or build infrastructure trusted by the aviation industry.
Identify & compromise trusted accounts:
- Email Accounts
- Cloud Accounts
Compromise and use trusted resources:
- Domains
- Web Services
- Servers

Aviation / Airlines Company Take Over
Post Covid for Aviation Industry?

Mirroring its impact on aviation, the COVID-19 pandemic had a significant impact on airline and aviation supply chain companies due to travel restrictions and a slump in demand among travellers.
- Numerous airline travel agencies have shuttered operations
- 43 commercial airlines had gone bankrupt (in 2020 alone)
- Airlines supply chain companies
- 30 private jet companies
- Thousands of users: emails, authentications, integrations

Domain Names Are Expiring or Already Expired
Post Covid for Aviation Industry?

What you may see if you own one?
- HTTP Requests: you would probably get millions of requests coming from integrations, test activities and bots.
- Thousands of Emails: you will receive emails with real account memberships, passwords, spam, alerts etc.
- Critical Information: a lot of critical information can be gathered from the emails, POST bodies and header analysis, including API keys, credentials, memberships etc.
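The risk in the two slides above is that a domain which lapses while mailboxes, webhooks or federated logins still point at it hands that traffic to whoever registers it next. As an added example (not code from the talk or from IBM X-Force Red), the following Python audits an airline's own domain inventory from the defender's side: it flags domains that are already expired or about to expire without auto-renew while something still depends on them, and lists the integrations left dangling on a domain the organisation no longer holds. The inventory, the `.test` domain names and the pinned date are constructed sample data, and the lookup of real expiry dates (WHOIS/RDAP) is deliberately left out so the script runs offline.

```python
"""Domain-inventory expiry audit (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DomainRecord:
    name: str
    expires: date                 # registry expiry date (from WHOIS/RDAP in practice)
    auto_renew: bool
    mail_enabled: bool            # MX still points at a live mailbox
    integrations: list = field(default_factory=list)  # systems still referencing it


# Constructed inventory; "today" is pinned so the results are reproducible.
TODAY = date(2023, 10, 1)
INVENTORY = [
    DomainRecord("example-air.test", date(2025, 3, 1), True, True,
                 ["EFB SaaS federation", "crew portal"]),
    DomainRecord("old-brand-air.test", date(2023, 10, 20), False, True,
                 ["EFB document distribution webhook"]),
    DomainRecord("retired-charter.test", date(2023, 6, 30), False, False,
                 ["fuel-order API callback"]),
    DomainRecord("legacy-miles.test", date(2023, 11, 10), False, False, []),
]


def audit_domains(inventory, today=TODAY, warn_days=60):
    """Return (finding, record) pairs, worst first.

    EXPIRED      past expiry and still receiving mail or referenced by a system
    AT_RISK      expires within warn_days, no auto-renew, still referenced
    UNREFERENCED expired or expiring soon but nothing depends on it
                 (decommission cleanly, or let it go)
    """
    findings = []
    horizon = today + timedelta(days=warn_days)
    for rec in inventory:
        referenced = rec.mail_enabled or bool(rec.integrations)
        if rec.expires < today:
            findings.append(("EXPIRED" if referenced else "UNREFERENCED", rec))
        elif rec.expires <= horizon and not rec.auto_renew:
            findings.append(("AT_RISK" if referenced else "UNREFERENCED", rec))
    order = {"EXPIRED": 0, "AT_RISK": 1, "UNREFERENCED": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1].expires))


def dangling_references(inventory, today=TODAY):
    """Integrations that point at a domain the organisation no longer holds;
    each one is a channel that now delivers to the new registrant."""
    return sorted(ref for rec in inventory if rec.expires < today
                  for ref in rec.integrations)


if __name__ == "__main__":
    for finding, rec in audit_domains(INVENTORY):
        print(f"{finding:12} {rec.name:24} expires {rec.expires} "
              f"mail={rec.mail_enabled} refs={rec.integrations}")
    print("dangling:", dangling_references(INVENTORY))
```

Feeding this from the registrar's export plus the integration inventory (identity provider trusts, webhook endpoints, MX records) turns the slide's warning into a recurring check; an expired domain with no references is a clean-up item, while an expired one still carrying mail or callbacks is an incident.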
The Phases of Research to Identify All Potential Risk Areas
1 Domain Registration: following the drop date of domains (using a domain catching service to register the domain)
2 Build Cloud Environment: developing the listeners, certificate, servers, DBs and source code
3 Web Listener: leave the system to listen for HTTP & other connections for a timeframe, to obtain enough data for the analysis phase
4 Email Listener: create an email listener to follow all emails associated with that domain name (*@airline.com)
5 Analysis & Reporting: analyze all the data, including web traffic, other port requests and emails received
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 

What's hot (20)

One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICS
 
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK Matrix
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 

Similar to MITRE ATT&CK based Threat Analysis for Electronic Flight Bag

Efb positioning-v6-low-res
Efb positioning-v6-low-resEfb positioning-v6-low-res
Efb positioning-v6-low-resCarlos Simba
 
INFORM-Measuring and Monitoring Aircraft Turn Operations v3
INFORM-Measuring and Monitoring Aircraft Turn Operations v3INFORM-Measuring and Monitoring Aircraft Turn Operations v3
INFORM-Measuring and Monitoring Aircraft Turn Operations v3David Foster
 
From nothing to production in 1 hour
From nothing to production in 1 hourFrom nothing to production in 1 hour
From nothing to production in 1 hourRoy Braam
 
Customer Highleveloverview
Customer HighleveloverviewCustomer Highleveloverview
Customer Highleveloverviewrehanf5
 
Nextgen tools for data migration in aviation
Nextgen tools for data migration in aviationNextgen tools for data migration in aviation
Nextgen tools for data migration in aviationEXSYN Aviation Solutions
 
March 3 2004 for the ai cie
March 3 2004 for the ai cieMarch 3 2004 for the ai cie
March 3 2004 for the ai cieShailesh Dubey
 
March 3 2004 for the ai cie
March 3 2004 for the ai cieMarch 3 2004 for the ai cie
March 3 2004 for the ai cieShailesh Dubey
 
Running head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docx
Running head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docxRunning head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docx
Running head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docxjoellemurphey
 
MAX 2008: Build collaborative applications with Flex LCDS and Cairngorm
MAX 2008: Build collaborative applications with Flex LCDS and CairngormMAX 2008: Build collaborative applications with Flex LCDS and Cairngorm
MAX 2008: Build collaborative applications with Flex LCDS and CairngormXavier Agnetti
 
Big Data Transforms Flight Operations
Big Data Transforms Flight OperationsBig Data Transforms Flight Operations
Big Data Transforms Flight OperationsTulinda Larsen
 
Ramco Aviation M&E MRO Software for Civil & Defense
Ramco Aviation M&E MRO Software for Civil & DefenseRamco Aviation M&E MRO Software for Civil & Defense
Ramco Aviation M&E MRO Software for Civil & DefenseRamco Systems
 
Dronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer  - Simply connect, stream and complyDronesafe™ Flyer  - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and complyPaul New
 
[Solace] Open Data Movement for Connected Vehicles
[Solace] Open Data Movement for Connected Vehicles[Solace] Open Data Movement for Connected Vehicles
[Solace] Open Data Movement for Connected VehiclesTomo Yamaguchi
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2VMware Tanzu
 
Improving Software quality for the Modern Web
Improving Software quality for the Modern WebImproving Software quality for the Modern Web
Improving Software quality for the Modern WebEuan Garden
 

Similar to MITRE ATT&CK based Threat Analysis for Electronic Flight Bag (20)

Efb positioning-v6-low-res
Efb positioning-v6-low-resEfb positioning-v6-low-res
Efb positioning-v6-low-res
 
INFORM-Measuring and Monitoring Aircraft Turn Operations v3
INFORM-Measuring and Monitoring Aircraft Turn Operations v3INFORM-Measuring and Monitoring Aircraft Turn Operations v3
INFORM-Measuring and Monitoring Aircraft Turn Operations v3
 
From nothing to production in 1 hour
From nothing to production in 1 hourFrom nothing to production in 1 hour
From nothing to production in 1 hour
 
Embrace network
Embrace networkEmbrace network
Embrace network
 
Customer Highleveloverview
Customer HighleveloverviewCustomer Highleveloverview
Customer Highleveloverview
 
Nextgen tools for data migration in aviation
Nextgen tools for data migration in aviationNextgen tools for data migration in aviation
Nextgen tools for data migration in aviation
 
March 3 2004 for the ai cie
March 3 2004 for the ai cieMarch 3 2004 for the ai cie
March 3 2004 for the ai cie
 
March 3 2004 for the ai cie
March 3 2004 for the ai cieMarch 3 2004 for the ai cie
March 3 2004 for the ai cie
 
Running head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docx
Running head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docxRunning head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docx
Running head AVIATION MAINTENANCE SYSTEM DEFICIENCY1Aviation.docx
 
MAX 2008: Build collaborative applications with Flex LCDS and Cairngorm
MAX 2008: Build collaborative applications with Flex LCDS and CairngormMAX 2008: Build collaborative applications with Flex LCDS and Cairngorm
MAX 2008: Build collaborative applications with Flex LCDS and Cairngorm
 
Microsoft Lync 2010 - Practical Applications
Microsoft Lync 2010 - Practical ApplicationsMicrosoft Lync 2010 - Practical Applications
Microsoft Lync 2010 - Practical Applications
 
Big Data Transforms Flight Operations
Big Data Transforms Flight OperationsBig Data Transforms Flight Operations
Big Data Transforms Flight Operations
 
Ramco Aviation M&E MRO Software for Civil & Defense
Ramco Aviation M&E MRO Software for Civil & DefenseRamco Aviation M&E MRO Software for Civil & Defense
Ramco Aviation M&E MRO Software for Civil & Defense
 
Dronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer  - Simply connect, stream and complyDronesafe™ Flyer  - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and comply
 
Ppt00000
Ppt00000Ppt00000
Ppt00000
 
[Solace] Open Data Movement for Connected Vehicles
[Solace] Open Data Movement for Connected Vehicles[Solace] Open Data Movement for Connected Vehicles
[Solace] Open Data Movement for Connected Vehicles
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
 
Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2
 
Improving Software quality for the Modern Web
Improving Software quality for the Modern WebImproving Software quality for the Modern Web
Improving Software quality for the Modern Web
 
Middleware Technologies ppt
Middleware Technologies pptMiddleware Technologies ppt
Middleware Technologies ppt
 

More from MITRE ATT&CK

Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailMITRE ATT&CK
 
Automating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureAutomating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureMITRE ATT&CK
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
 
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)MITRE ATT&CK
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataMITRE ATT&CK
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...MITRE ATT&CK
 
The case for quishing
The case for quishingThe case for quishing
The case for quishingMITRE ATT&CK
 
Discussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataDiscussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataMITRE ATT&CK
 
The art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOThe art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOMITRE ATT&CK
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK
 
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsOr Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsMITRE ATT&CK
 
Adjectives for ATT&CK
Adjectives for ATT&CKAdjectives for ATT&CK
Adjectives for ATT&CKMITRE ATT&CK
 

More from MITRE ATT&CK (14)

Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
 
Automating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureAutomating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard Architecture
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CK
 
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the Cloud
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real data
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
 
The case for quishing
The case for quishingThe case for quishing
The case for quishing
 
Discussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataDiscussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber Data
 
The art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOThe art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFO
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: Software
 
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsOr Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
 
Adjectives for ATT&CK
Adjectives for ATT&CKAdjectives for ATT&CK
Adjectives for ATT&CK
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

MITRE ATT&CK based Threat Analysis for Electronic Flight Bag

  • 1. Electronic Flight Bag MITRE ATT&CK Based Threat Analysis for Electronic Flight Bag — Ozan Olali IBM X-Force Red Offensive Security Services
  • 2. Agenda 1 About Speaker 2 Quick Overview - Aviation Business 3 Electronic Flight Bags 4 MITRE ATT&CK Based EFB Threat Assessment 5 Recon, Resource Development, and Initial Access IBM Security | MITRE ATT&CK CON 4.0 X-Force Red
  • 3. 3 About Speaker Ozan Olali 14 years professional 23 years unprofessional Cybersecurity IBM X-Force Red – MEA Security Research Astrophotography 5+ Aviation Company & EFBs
  • 4. Quick Overview - Aviation Business
  • 5. Airlines contend with a massive attack surface, capable of exerting significant influence on both their business operations and the overall experience of their passengers. ↓ Detailed threats for each service/platform, and for each component within that platform, should be assessed considering business impact. Electronic Flight Bag; Booking & Reservation Services; Agency Management; Cargo Services; Crew and Employee Portals; Loyalty Programs & Miles Management; Availability Management & Forecasting; Customer Correspondence Center; In-Flight Entertainment (IFE) Systems; Check-in Platforms and Applications; Self-Service Baggage Check-in; And Many Others…
  • 6. Airline companies also have extensive trust relationships with suppliers in order to run business operations and maintenance. ↓ Critical 3rd Parties and Integrated Ecosystem of Airline Companies: Aircraft Manufacturers; Maintenance and Repair Organizations; Air Traffic Control; Payment Processors; Ground Handling Companies; Catering and In-Flight Services; Fuel Suppliers; Weather and Meteorological Services; Airport Authorities; Regulatory Authorities; Insurance Providers; And Many Others…
  • 8. Electronic Flight Bags in a Nutshell. Customization: not plug-and-play solutions; they need extensive customization to the airline company's environment and many configuration requirements. Functions: Flight Briefing, Pre-flight and Post-flight reporting, Cockpit Security Checks, Document Library, Take-off and Landing Performance, MEL & Defect Reporting and many others. Paperless Cockpit: consolidate in a single app all the relevant information and functionality for the pilot's mission, and provide everything they need at every stage of the flight. Integrations: capable of many custom integrations with popular SaaS solutions (content management and document distribution), and some federated authentication to those platforms. The EFB is a very critical component of modern aviation, providing pilots with digital resources and critical flight information.
  • 10. MITRE ATT&CK Based EFB Threat Assessment
  • 11–22. (one diagram, built up one tactic at a time across slides 11–22) The threat surface associated with EFB is complex; potential compromise scenarios and business impact should be identified to enable cyber prevention and detection capabilities.
    High Level Threat Surface for EFB (diagram labels, in reading order): EFB Tablet; Network Shares (*Credentials in Files); EFF; Domain Account; App Level Auth; Tablet Auth; Local Account; Email; Ground Messaging; Email Comm.; In Flight Comm.; OS Layer of Tablet; Operating System; Fuel Order & Plan; Ground Ops.; Document Mng. Systems; Read Docs.; Cloud Update Hubs; Takeoff Landing Performance DB; Reporting; Update OS; Update App; Briefing Room / Hub; Update Data; Corporate Network (Servers, Other Technologies); Cloud Platforms (Servers, Other Technologies); OS Layer Components (Registry, Local Files, Terminal, Others); Auth Headers; Supportive Applications; Authentication Components (User Repo, Auth Protocols, Policies); Public Facing App Services; Airplane Avionic Net.; Back Office Administration; Flight Operations; EFB Vendor.
    ATT&CK techniques placed on the diagram, by tactic:
    Initial Access: T1566 Phishing; T1199 Trusted Relationship; T1190 Exploit Public-Facing Application; T1078 Valid Accounts; T1189 Drive-by Compromise; T1558 Lockscreen Bypass; T1091 Removable Media
    Execution: T1059 Command and Scripting Interpreter; T1204 User Execution: Malicious File/Link; T1106 Native API; T1053 Scheduled Task
    Persistence: T1554 Compromise Client Software Binary; T1547 Boot or Logon Autostart Execution
    Privilege Escalation: T1548 Exploitation for Privilege Escalation; T1078 Local Accounts
    Credential Access: T1461 Steal or Forge Kerberos Tickets; T1552 Unsecured Credentials: Credentials in Registry
    Discovery: T1087 Account Discovery; T1619 Cloud Storage Object Discovery; T1526 Cloud Service Discovery; T1083 File and Directory Discovery; T1135 Network Share Discovery; T1615 Group Policy Discovery; T1018 Remote System Discovery
    Lateral Movement: T1021 Remote Services: Cloud Services; T1210 Exploitation of Remote Services; T1550 Use Alternate Authentication Material
    Collection: T1123 Audio Capture; T1114 Email Collection; T1113 Screen Capture; T1530 Data from Cloud Storage
    Command and Control: T1071 Application Layer Protocol (Mail, Web)
    Impact: T1565 Data Manipulation; T1489 Service Stop
  • 23. Mapping the top priority controls from the MITRE ATT&CK framework to an EFB platform (legend: Custom Techniques Targeting EFB; APT33)
    Reconnaissance: Active Scanning; Gather Victim Host Information; Gather Victim Identity Information; Gather Victim Network Information; Gather Victim Org Information; Phishing for Information; Search Closed Sources; Search Open Technical Databases; Search Open Websites/Domains; Search Victim-Owned Websites
    Resource Development: Acquire Access; Acquire Infrastructure; Compromise Accounts; Compromise Infrastructure; Develop Capabilities; Establish Accounts
    Initial Access: Exploit Public-Facing Application; Valid Accounts; Phishing; Supply Chain Compromise; Drive-by Compromise; Lockscreen Bypass; Replication Through Removable Media
    Execution: Command and Scripting Interpreter; Native API; Scheduled Task/Job; Exploitation for Client Execution
    Persistence: Create Account; Compromise Client Software Binary; Boot or Logon Autostart Execution; Scheduled Task/Job
    Privilege Escalation: Bypass UAC; Exploitation for Privilege Escalation; Valid Accounts; Local Accounts
    Defense Evasion: Obfuscated Files or Information; Valid Accounts
    Credential Access: Steal or Forge Kerberos Tickets; Unsecured Credentials; Credentials from Password Stores; Network Sniffing
    Discovery: Cloud Storage Object Discovery; Cloud Service Discovery; Remote System Discovery; File and Directory Discovery; Network Share Discovery; Account Discovery; Group Policy Discovery; Network Sniffing
    Lateral Movement: Remote Services: Cloud Services; Exploitation of Remote Services; Use Alternate Authentication Material
    Collection: Audio Capture; Email Collection; Screen Capture; Data from Cloud Storage
    Command and Control: Ingress Tool Transfer; Non-Standard Port; Application Layer Protocol (Mail, Web)
    Impact: Service Stop; Data Manipulation
  • 24. ATT&CK Threat Assessment for EFB (Adversary Simulation). Identify the techniques and test all of them:
    1. Choose an attack technique/sub-technique
    2. Choose a test methodology for the technique
    3. Execute the test procedure
    4. Analyze the prevention, detection & response capability
    5. Take notes and suggest improvements for defense
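To put the slide's technique mapping and the assessment loop to use, the following added example (not code from the deck, IBM or MITRE) turns the technique list into an ATT&CK Navigator layer scored by constructed test outcomes and lists the remaining coverage gaps; the Navigator version numbers are assumptions.

```python
"""Build an ATT&CK Navigator layer from the deck's EFB technique mapping.

Added example, not part of the deck. The tactic/technique pairs are the ones
shown on the EFB threat-surface slides; the per-technique test outcomes are
constructed samples standing in for the assessment loop (choose technique,
pick test methodology, execute, analyse prevention/detection/response).
Layer fields follow the public Navigator layer format; VERSIONS is an
assumption and should match your Navigator instance.
"""
import json

# (technique ID, name) per tactic, copied as printed on the slides. Check the
# IDs against the ATT&CK release you use before relying on them: the deck
# mixes Enterprise and Mobile techniques (Lockscreen Bypass is a Mobile one).
EFB_MAPPING = {
    "initial-access": [("T1566", "Phishing"), ("T1199", "Trusted Relationship"),
                       ("T1190", "Exploit Public-Facing Application"),
                       ("T1078", "Valid Accounts"), ("T1189", "Drive-by Compromise"),
                       ("T1558", "Lockscreen Bypass"), ("T1091", "Removable Media")],
    "execution": [("T1059", "Command and Scripting Interpreter"),
                  ("T1204", "User Execution: Malicious File/Link"),
                  ("T1106", "Native API"), ("T1053", "Scheduled Task")],
    "persistence": [("T1554", "Compromise Client Software Binary"),
                    ("T1547", "Boot or Logon Autostart Execution")],
    "privilege-escalation": [("T1548", "Exploitation for Privilege Escalation"),
                             ("T1078", "Local Accounts")],
    "credential-access": [("T1461", "Steal or Forge Kerberos Tickets"),
                          ("T1552", "Unsecured Credentials: Credentials in Registry")],
    "discovery": [("T1087", "Account Discovery"), ("T1619", "Cloud Storage Object Discovery"),
                  ("T1526", "Cloud Service Discovery"), ("T1083", "File and Directory Discovery"),
                  ("T1135", "Network Share Discovery"), ("T1615", "Group Policy Discovery"),
                  ("T1018", "Remote System Discovery")],
    "lateral-movement": [("T1021", "Remote Services: Cloud Services"),
                         ("T1210", "Exploitation of Remote Services"),
                         ("T1550", "Use Alternate Authentication Material")],
    "collection": [("T1123", "Audio Capture"), ("T1114", "Email Collection"),
                   ("T1113", "Screen Capture"), ("T1530", "Data from Cloud Storage")],
    "command-and-control": [("T1071", "Application Layer Protocol (Mail, Web)")],
    "impact": [("T1565", "Data Manipulation"), ("T1489", "Service Stop")],
}

# Outcome of the simulated test per technique: prevented, detected, missed,
# or (absent) untested. Constructed sample results, not real findings.
ASSESSMENT = {
    "T1566": "detected", "T1190": "prevented", "T1078": "missed",
    "T1059": "detected", "T1552": "missed", "T1135": "detected",
    "T1530": "missed", "T1071": "detected", "T1565": "prevented",
}
SCORE = {"prevented": 3, "detected": 2, "untested": 1, "missed": 0}
VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}  # assumption


def outcome(assessment, technique_id):
    return assessment.get(technique_id, "untested")


def build_layer(mapping, assessment, name="EFB threat assessment"):
    """One Navigator technique entry per (tactic, technique) pair on the slides."""
    techniques = []
    for tactic, pairs in mapping.items():
        for tid, tname in pairs:
            result = outcome(assessment, tid)
            techniques.append({"techniqueID": tid, "tactic": tactic,
                               "score": SCORE[result], "enabled": True,
                               "comment": f"{tname}: {result}"})
    return {
        "name": name,
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        "description": "Scores: 3 prevented, 2 detected, 1 untested, 0 missed",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 3},
    }


def coverage_gaps(mapping, assessment):
    """(tactic, ID, name, result) for tests that were missed or never run, worst first."""
    gaps = []
    for tactic, pairs in mapping.items():
        for tid, tname in pairs:
            result = outcome(assessment, tid)
            if result in ("missed", "untested"):
                gaps.append((SCORE[result], tactic, tid, tname, result))
    return [(t, i, n, r) for _, t, i, n, r in sorted(gaps)]


if __name__ == "__main__":
    print(json.dumps(build_layer(EFB_MAPPING, ASSESSMENT), indent=2))
    for tactic, tid, name, result in coverage_gaps(EFB_MAPPING, ASSESSMENT):
        print(f"{result:9} {tactic:21} {tid} {name}")
```

The JSON printed by the block can be loaded directly into the Navigator "Open Existing Layer" dialog; the gap list is the input for the "suggest improvement for defense" step.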
  • 25. Recon, Resource Development, and Initial Access
  • 26. Reconnaissance ↓ General research was conducted to identify the potential attack surface from public information using open-source solutions. Techniques: Search Victim-Owned Websites; Gather Victim Identity Information; Business Relationships.
    X-Force Red quick research on airlines & aviation companies & websites:
    - 634 airline websites
    - 37.694 subdomains
    - 158 public EFB services (subdomains)
    - Email addresses: EFB product owners, EFB administrators, pilots, EFB developers, EFB vendors, vendors' support teams, alliances & partnerships
    Resource Development ↓ Obtain or build infrastructure that the aviation industry trusts. Techniques: Compromise Accounts; Compromise Infrastructure.
    - Identify & compromise trusted accounts: email accounts, cloud accounts
    - Compromise and use trusted resources: domains, web services, servers
    Aviation / Airlines Company Take Over
  • 27–28. Post Covid for Aviation Industry? Mirroring its impact on aviation, the COVID-19 pandemic had a significant impact on airline and aviation supply-chain companies due to travel restrictions and a slump in demand among travellers. Numerous airline travel agencies have shuttered operations; 43 commercial airlines went bankrupt (in 2020 alone). Airlines, supply-chain companies and 30 private jet companies: thousands of users, emails, authentications and integrations. Domain names are expiring or have already expired.
  • 29. Post Covid for Aviation Industry? What you may see if you own one:
    HTTP Requests: You would probably get millions of requests coming from integrations, test activities and bots.
    Thousands of Emails: You will receive emails with real account memberships, passwords, spam, alerts etc.
    Critical Information: Much critical information will be gathered from emails and from POST or header analysis, including API keys, credentials, memberships etc.
  • 30. The Phases of Research to Identify All Potential Risk Areas:
    1. Domain Registration: following the drop date of domains (using a domain-catching service to register the domain).
    2. Build Cloud Environment: developing the listeners, certificate, servers, DBs and source code.
    3. Web Listener: leave the system to listen for HTTP and other connections for a timeframe, to obtain enough data for the analysis phase.
    4. Email Listener: create an email listener to follow all emails arriving for that domain name (*@airline.com).
    5. Analysis & Reporting: analyse all the data, including web traffic, other port requests and emails received.
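The defensive counterpart of the finding above is to know which domains your own EFB platform still talks to and whether their registrations are lapsing. The following added example (not code from the deck or from IBM) runs that check over constructed outbound-connection and mail log lines against a constructed domain-expiry inventory; every domain, date and log line is a made-up sample.

```python
"""Flag EFB integrations that point at expired, expiring or uninventoried domains.

Added example, not part of the deck. The deck's finding is that lapsed airline
and supplier domains keep receiving integration traffic and mail; the defensive
counterpart is to inventory every domain the EFB platform talks to and check
its registration status before anyone else can register it. All domains,
dates and log lines here are constructed samples, not real indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed inventory: registrable domain -> registration expiry date, as an
# airline would maintain it from its registrar records and supplier contracts.
DOMAIN_EXPIRY = {
    "example-airline.test": date(2025, 6, 30),
    "efb-vendor.test": date(2024, 1, 15),   # already lapsed on AS_OF
    "supplier-a.test": date(2023, 11, 1),   # already lapsed on AS_OF
    "supplier-b.test": date(2024, 4, 20),   # lapses within the warning window
}
AS_OF = date(2024, 3, 1)  # constructed reference date for the audit

# Constructed log lines in two shapes an EFB back end could emit:
#   <ts> HTTP <method> <url> <status>
#   <ts> MAIL from=<addr> to=<addr>
SAMPLE_LOG = """\
2024-03-01T10:00:00Z HTTP GET https://docs.efb-vendor.test/library/manifest.json 200
2024-03-01T10:01:00Z HTTP POST https://fuel.supplier-a.test/api/v1/order 502
2024-03-01T10:02:00Z HTTP GET https://weather.supplier-b.test/metar/LTFM 200
2024-03-01T10:03:00Z HTTP GET https://efb.example-airline.test/update/app 200
2024-03-01T10:04:00Z HTTP GET https://cdn.unknown-party.test/perf/db.sqlite 200
2024-03-01T10:05:00Z MAIL from=support@efb-vendor.test to=pilot@example-airline.test
"""

MAIL_RE = re.compile(r"from=\S+@([\w.-]+)")


@dataclass(frozen=True)
class Finding:
    host: str            # host exactly as seen in the log
    domain: str          # inventoried registrable domain, or the host if unknown
    status: str          # "expired", "expiring" or "unknown"
    expiry: date | None  # None when the domain is not inventoried


def extract_host(line: str) -> str | None:
    """Return the remote host named by one log line, or None if it has none."""
    parts = line.split()
    if len(parts) >= 4 and parts[1] == "HTTP":
        return urlsplit(parts[3]).hostname
    if len(parts) >= 3 and parts[1] == "MAIL":
        m = MAIL_RE.search(line)
        return m.group(1) if m else None
    return None


def lookup_domain(host: str, inventory: dict[str, date]) -> str | None:
    """Match the host, or any parent domain of it, against the inventory."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in inventory:
            return candidate
    return None


def audit(log: str, inventory: dict[str, date], today: date,
          warn_days: int = 60) -> list[Finding]:
    """One finding per distinct host whose domain is lapsed, lapsing or unknown."""
    findings: dict[str, Finding] = {}
    horizon = today + timedelta(days=warn_days)
    for line in log.splitlines():
        host = extract_host(line)
        if not host or host in findings:
            continue
        domain = lookup_domain(host, inventory)
        if domain is None:
            findings[host] = Finding(host, host, "unknown", None)
            continue
        expiry = inventory[domain]
        if expiry < today:
            findings[host] = Finding(host, domain, "expired", expiry)
        elif expiry <= horizon:
            findings[host] = Finding(host, domain, "expiring", expiry)
    return sorted(findings.values(), key=lambda f: (f.status, f.host))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, DOMAIN_EXPIRY, today=AS_OF):
        print(f"{f.status:8} {f.host:28} {f.domain:22} {f.expiry}")
```

An "unknown" finding means the platform reaches a domain nobody has inventoried, which is the case the deck's research exploits, so it deserves the same follow-up as an expired one.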