From ATT&CKcon 4.0
By Ozan Olali, IBM Security
The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems introduces various security challenges. This session presents a technical assessment approach that uses the MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, and demonstrates the potential attack vectors and how they relate to risks for business and flight operations.
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
1. Electronic Flight Bag
MITRE ATT&CK Based Threat Analysis for Electronic Flight Bag
—
Ozan Olali
IBM X-Force Red Offensive Security Services
2. Agenda
1 About Speaker
2 Quick Overview - Aviation Business
3 Electronic Flight Bags
4 MITRE ATT&CK Based EFB Threat Assessment
5 Recon, Resource Development, and Initial Access
IBM Security | MITRE ATT&CK CON 4.0 X-Force Red
3. About Speaker
Ozan Olali
- 14 years professional
- 23 years unprofessional
- Cybersecurity
- IBM X-Force Red – MEA
- Security Research
- Astrophotography
- 5+ Aviation Company & EFBs
5. Airlines contend with a massive attack surface, capable of exerting significant influence on both their business operations and the overall experience of their passengers.
Detailed threats for each service/platform, and for each component within that platform, should be assessed considering business impact.
Airline services and platforms:
- Electronic Flight Bag
- Booking & Reservation Services
- Agency Management
- Cargo Services
- Crew and Employee Portals
- Loyalty Programs & Miles Management
- Availability Management & Forecasting
- Customer Correspondence Center
- In-Flight Entertainment (IFE) Systems
- Check-in Platforms and Applications
- Self-Service Baggage Check-in
- And Many Others…
6. Airline companies also have extensive trust relationships with suppliers in order to run business operations and maintenance.
Critical third parties and the integrated ecosystem of airline companies:
- Aircraft Manufacturers
- Maintenance and Repair Organizations
- Air Traffic Control
- Payment Processors
- Ground Handling Companies
- Catering and In-Flight Services
- Fuel Suppliers
- Weather and Meteorological Services
- Airport Authorities
- Regulatory Authorities
- Insurance Providers
- And Many Others…
8. Electronic Flight Bags in a Nutshell
The EFB is a very critical component of modern aviation, providing pilots with digital resources and critical flight information.
- Customization: EFBs are not plug-and-play solutions; they need extensive customization to the airline company's environment and carry many configuration requirements.
- Functions: Flight Briefing, Pre-flight and Post-flight Reporting, Cockpit Security Checks, Document Library, Take-off and Landing Performance, MEL & Defect Reporting and many others.
- Paperless Cockpit: consolidates in a single app all the information and functionality relevant to the pilot's mission, providing everything they need at every stage of the flight.
- Integrations: capable of many custom integrations with popular SaaS solutions (content management and document distribution), including federated authentication to those platforms.
11. The threat surface associated with an EFB is complex; potential compromise scenarios and their business impact should be identified to enable cyber prevention and detection capabilities.
High Level Threat Surface for EFB (labels recovered from the diagram):
- EFB Tablet: Network Shares (*Credentials in Files); EFF; Domain Account; App Level Auth; Tablet Auth; Local Account
- Email: Ground Messaging; Email Comm.; In Flight Comm.
- OS Layer of Tablet: Operating System; OS Layer Components (Registry, Local Files, Terminal, Others); Supportive Applications; Auth Headers
- Fuel Order & Plan (Ground Ops.)
- Document Mng. Systems (Read Docs.)
- Cloud Update Hubs: Update OS; Update App
- Takeoff Landing Performance DB
- Reporting
- Briefing Room / Hub: Update Data
- Corporate Network: Servers; Other Technologies
- Cloud Platforms: Servers; Other Technologies
- Authentication Components: User Repo; Auth Protocols; Policies
- Public Facing App Services
- Airplane Avionic Net.
- Back Office Administration
- Flight Operations
- EFB Vendor
21–22. ATT&CK techniques mapped onto the high-level threat surface (the overlays that slides 12–22 add one tactic at a time, consolidated here):
- Initial Access: T1566 Phishing; T1199 Trusted Relationship (EFB Vendor); T1190 Exploit Public-Facing Application; T1078 Valid Accounts; T1189 Drive-by Compromise; T1558 Lockscreen Bypass; T1091 Removable Media
- Execution: T1059 Command and Scripting Interpreter; T1204 User Execution: Malicious File/Link; T1106 Native API; T1053 Scheduled Task
- Persistence: T1554 Compromise Client Software Binary; T1547 Boot or Logon Autostart Execution
- Privilege Escalation: T1548 Exploitation for Privilege Escalation; T1078 Local Accounts
- Credential Access: T1461 Steal or Forge Kerberos Tickets; T1552 Unsecured Credentials: Credentials in Registry
- Discovery: T1087 Account Discovery; T1619 Cloud Storage Object Discovery; T1526 Cloud Service Discovery; T1083 File and Directory Discovery; T1135 Network Share Discovery; T1615 Group Policy Discovery; T1018 Remote System Discovery
- Lateral Movement: T1021 Remote Services: Cloud Services; T1210 Exploitation of Remote Services; T1550 Use Alternate Authentication Material
- Collection: T1123 Audio Capture; T1114 Email Collection; T1113 Screen Capture; T1530 Data from Cloud Storage
- Command and Control: T1071 Application Layer Protocol (Mail, Web)
- Impact: T1565 Data Manipulation; T1489 Service Stop
Technique IDs are reproduced as printed on the slides; check them against the current ATT&CK matrix before reusing them, since some do not match the catalogue (in ATT&CK, T1558 is Steal or Forge Kerberos Tickets and T1461 is the Mobile technique Lockscreen Bypass, so the two appear transposed; Exploitation for Privilege Escalation is T1068, while T1548 is Abuse Elevation Control Mechanism).
23. Mapping the top priority controls from the MITRE ATT&CK framework to an EFB platform
- Reconnaissance: Active Scanning; Gather Victim Host Information; Gather Victim Identity Information; Gather Victim Network Information; Gather Victim Org Information; Phishing for Information; Search Closed Sources; Search Open Technical Databases; Search Open Websites/Domains; Search Victim-Owned Websites
- Resource Development: Acquire Access; Acquire Infrastructure; Compromise Accounts; Compromise Infrastructure; Develop Capabilities; Establish Accounts
- Initial Access: Exploit Public-Facing Application; Valid Accounts; Phishing; Supply Chain Compromise; Drive-by Compromise; Lockscreen Bypass; Replication Through Removable Media
- Execution: Command and Scripting Interpreter; Native API; Scheduled Task/Job; Exploitation for Client Execution
- Persistence: Create Account; Compromise Client Software Binary; Boot or Logon Autostart Execution; Scheduled Task/Job
- Privilege Escalation: Bypass UAC; Exploitation for Privilege Escalation; Valid Accounts; Local Accounts
- Defense Evasion: Obfuscated Files or Information; Valid Accounts
- Credential Access: Steal or Forge Kerberos Tickets; Unsecured Credentials; Credentials from Password Stores; Network Sniffing
- Discovery: Cloud Storage Object Discovery; Cloud Service Discovery; Remote System Discovery; File and Directory Discovery; Network Share Discovery; Account Discovery; Group Policy Discovery; Network Sniffing
- Lateral Movement: Remote Services: Cloud Services; Exploitation of Remote Services; Use Alternate Authentication Material
- Collection: Audio Capture; Email Collection; Screen Capture; Data from Cloud Storage
- Command and Control: Ingress Tool Transfer; Non-Standard Port; Application Layer Protocol (Mail, Web)
- Impact: Service Stop; Data Manipulation
Legend labels on the matrix: Custom Techniques Targeting EFB; APT33
24. ATT&CK Threat Assessment for EFB
Identify the techniques and test all of them (adversary simulation):
1. Choose an attack technique / sub-technique
2. Choose a test methodology for the technique
3. Execute the test procedure
4. Analyze the prevention, detection & response capability
5. Take notes and suggest improvements for defense
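One way to record the outcome of this loop and feed it back to the mapping on the earlier slides, as an added example that is not part of the deck: each tested technique gets a prevention/detection/response verdict and a business-impact rating, the gaps are weighted by impact to produce a prioritised list, and the same data is written out as an ATT&CK Navigator layer. The technique IDs are those printed on the slides; the tactic slugs, verdicts, impact ratings and the assumed layer format version 4.5 are constructed for illustration.

```python
"""Score an EFB ATT&CK assessment and emit an ATT&CK Navigator layer.

Added example for the ATT&CKcon EFB talk. The technique IDs are the ones
printed on the slides; the tactic slugs, test outcomes and business-impact
ratings are constructed to show the method, not results from the talk.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TechniqueTest:
    technique_id: str
    tactic: str           # Navigator tactic slug, e.g. "initial-access"
    name: str
    business_impact: int  # 1 (low) .. 3 (high) effect on flight/business operations (constructed)
    prevented: bool       # outcome of the slide-24 loop: was the test procedure blocked?
    detected: bool        # ...was an alert raised?
    responded: bool       # ...did the SOC act on it within the exercise window?


# Constructed outcomes of "choose technique -> test -> analyze prevention, detection & response".
RESULTS = [
    TechniqueTest("T1566", "initial-access", "Phishing", 3, False, True, True),
    TechniqueTest("T1199", "initial-access", "Trusted Relationship (EFB vendor)", 3, False, False, False),
    TechniqueTest("T1190", "initial-access", "Exploit Public-Facing Application", 3, True, True, True),
    TechniqueTest("T1078", "initial-access", "Valid Accounts", 2, False, True, False),
    TechniqueTest("T1091", "initial-access", "Replication Through Removable Media", 2, True, False, False),
    TechniqueTest("T1059", "execution", "Command and Scripting Interpreter", 2, False, True, True),
    TechniqueTest("T1554", "persistence", "Compromise Client Software Binary", 3, False, False, False),
    TechniqueTest("T1552", "credential-access", "Unsecured Credentials (registry)", 3, False, False, False),
    TechniqueTest("T1135", "discovery", "Network Share Discovery", 1, False, False, False),
    TechniqueTest("T1021", "lateral-movement", "Remote Services: Cloud Services", 2, False, True, False),
    TechniqueTest("T1530", "collection", "Data from Cloud Storage", 3, True, True, False),
    TechniqueTest("T1071", "command-and-control", "Application Layer Protocol (mail, web)", 2, False, True, True),
    TechniqueTest("T1565", "impact", "Data Manipulation", 3, False, False, False),
    TechniqueTest("T1489", "impact", "Service Stop", 3, False, True, True),
]

# Colour by how many of the three capabilities (prevention, detection, response) are missing.
GAP_COLORS = {0: "#8ec843", 1: "#ffe766", 2: "#ff9b4d", 3: "#ff6666"}


def missing_capabilities(t: TechniqueTest) -> list:
    """Names of the capabilities the test showed to be absent for this technique."""
    checks = (("prevention", t.prevented), ("detection", t.detected), ("response", t.responded))
    return [label for label, ok in checks if not ok]


def risk_score(t: TechniqueTest) -> int:
    """Gaps weighted by business impact: 0 (fully covered) .. 9 (nothing works, high impact)."""
    return len(missing_capabilities(t)) * t.business_impact


def navigator_layer(results, name="EFB ATT&CK threat assessment") -> dict:
    """Build an ATT&CK Navigator layer (layer format 4.5 assumed) from the assessment results."""
    techniques = []
    for t in results:
        gaps = missing_capabilities(t)
        techniques.append({
            "techniqueID": t.technique_id,
            "tactic": t.tactic,
            "score": risk_score(t),
            "color": GAP_COLORS[len(gaps)],
            "comment": f"{t.name}; impact {t.business_impact}/3; missing: {', '.join(gaps) or 'none'}",
            "enabled": True,
            "showSubtechniques": False,
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Per-technique control gaps found by adversary simulation against the EFB platform",
        "techniques": techniques,
        "legendItems": [{"label": f"{n} of 3 capabilities missing", "color": c} for n, c in GAP_COLORS.items()],
    }


def prioritized_gaps(results) -> list:
    """Techniques with at least one missing capability, highest risk first; ties go to higher impact."""
    gaps = [t for t in results if missing_capabilities(t)]
    return sorted(gaps, key=lambda t: (-risk_score(t), -t.business_impact, t.technique_id))


if __name__ == "__main__":
    for t in prioritized_gaps(RESULTS):
        print(f"{risk_score(t)}  {t.technique_id}  {t.name}: missing {', '.join(missing_capabilities(t))}")
    with open("efb_attack_layer.json", "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(RESULTS), fh, indent=2)
```

The written layer file can be opened in the ATT&CK Navigator to show the gap colours over the matrix from slide 23.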
26. Reconnaissance and Resource Development
Reconnaissance (Search Victim-Owned Websites; Gather Victim Identity Information; Business Relationships): general research was conducted to identify the potential attack surface from public information using open-source solutions.
- Quick research on airlines and aviation companies and their websites
- 634 airline websites
- 37,694 subdomains
- 158 public EFB services (subdomains)
- Email addresses: EFB product owners; EFB administrators; pilots; EFB developers; EFB vendors; vendor support teams; alliances & partnerships
Resource Development (Compromise Infrastructure; Compromise Accounts): obtain or build infrastructure trusted by the aviation industry.
- Identify and compromise trusted accounts: email accounts; cloud accounts
- Compromise and use trusted resources: domains; web services; servers
Aviation / airlines company takeover
27–28. Post Covid for Aviation Industry?
Mirroring its impact on aviation, the COVID-19 pandemic had a significant impact on airline and aviation supply-chain companies due to travel restrictions and a slump in demand among travellers.
- Numerous airline travel agencies have shuttered operations
- 43 commercial airlines went bankrupt (in 2020 alone)
- Airline supply-chain companies
- 30 private jet companies
- Thousands of users
- Emails
- Authentications
- Integrations
Domain names are expiring or have already expired.
29. Post Covid for Aviation Industry? What you may see if you own one
- HTTP requests: you would probably get millions of requests coming from integrations, test activities and bots.
- Thousands of emails: you will receive emails with real account memberships, passwords, spam, alerts etc.
- Critical information: a great deal of critical information can be gathered from the emails and from POST or header analysis, including API keys, credentials and memberships.
30. The Phases of Research to Identify All Potential Risk Areas
1. Domain Registration: following the drop date of domains (using a domain-catching service to register the domain).
2. Build Cloud Environment: developing the listeners, certificate, servers, DBs and source code.
3. Web Listener: leave the system listening for HTTP and other connections for a timeframe long enough to obtain sufficient data for the analysis phase.
4. Email Listener: create an email listener to follow all emails arriving for that domain name (*@airline.com).
5. Analysis & Reporting: analyse all the data, including web traffic, other port requests and emails received.
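The research above shows what a lapsed aviation domain keeps receiving; the defender's counterpart is to find, on your own fleet, the integrations still sending traffic (especially authenticated traffic) to domains that have dropped, expired or are about to expire. This added example, not part of the deck, does that over a constructed outbound-proxy export from EFB tablets and a constructed registration inventory of the kind WHOIS/RDAP would return; the log format, domain names, expiry dates and the two-label registrable-domain shortcut are all assumptions.

```python
"""Find EFB integrations that still reach lapsed or expiring third-party domains.

Added example for the ATT&CKcon EFB talk; the proxy log lines, domain names
and expiry dates are constructed for illustration and are not from the deck.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed outbound-proxy export from the EFB fleet:
# <date> <tablet-id> <method> <url> <auth-header-present 0|1>
PROXY_LOG = """\
2023-10-02 efb-tab-017 POST https://ops.example-fuel-supplier.example/api/v2/fuel-order 1
2023-10-02 efb-tab-017 GET  https://docs.example-airline.example/library/manifest.json 1
2023-10-02 efb-tab-042 POST https://wx.defunct-metservice.example/brief 1
2023-10-03 efb-tab-042 GET  https://updates.efb-vendor.example/app/latest 0
2023-10-03 efb-tab-103 POST https://crew.closed-handling-co.example/report 0
2023-10-03 efb-tab-103 GET  https://docs.example-airline.example/library/index 1
"""

# Constructed registration inventory (what WHOIS/RDAP would give you): registrable domain -> expiry.
# None means the registration has already dropped and anyone may register the name.
REGISTRATION_EXPIRY: Dict[str, Optional[date]] = {
    "example-fuel-supplier.example": date(2024, 6, 30),
    "example-airline.example": date(2026, 1, 15),
    "defunct-metservice.example": None,
    "efb-vendor.example": date(2023, 10, 20),
    "closed-handling-co.example": date(2023, 9, 1),
}

TODAY = date(2023, 10, 3)          # constructed "run date" for the sample data
HORIZON = timedelta(days=30)       # flag registrations that lapse within this window
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)\s+(\S+) ([01])$")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    domain: str
    status: str          # dropped | expired | expiring | uninventoried
    tablets: int         # distinct tablets that contacted the domain
    authenticated: bool  # at least one request carried an Authorization header
    severity: str


def registrable_domain(url: str) -> str:
    """Host part of the URL reduced to its last two labels (assumption: no public-suffix handling)."""
    host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()
    return ".".join(host.split(".")[-2:])


def classify(domain: str, inventory: Dict[str, Optional[date]], today: date, horizon: timedelta) -> Optional[str]:
    """Registration status worth reporting, or None when the domain is healthy."""
    if domain not in inventory:
        return "uninventoried"
    expiry = inventory[domain]
    if expiry is None:
        return "dropped"
    if expiry < today:
        return "expired"
    if expiry - today <= horizon:
        return "expiring"
    return None


def find_lapsed_dependencies(log_text: str, inventory, today: date, horizon: timedelta = HORIZON) -> List[Finding]:
    """Aggregate the log per registrable domain and report the ones whose registration is at risk."""
    seen: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, tablet, _, url, auth = m.groups()
        rec = seen.setdefault(registrable_domain(url), {"tablets": set(), "auth": False})
        rec["tablets"].add(tablet)
        rec["auth"] = rec["auth"] or auth == "1"
    findings = []
    for domain, rec in seen.items():
        status = classify(domain, inventory, today, horizon)
        if status is None:
            continue
        # Credentials sent to a name someone else can now own is the worst case (the deck's
        # slide 29: API keys and credentials recovered from headers and POST bodies).
        if status in ("dropped", "expired"):
            severity = "critical" if rec["auth"] else "high"
        elif status == "expiring":
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(domain, status, len(rec["tablets"]), rec["auth"], severity))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.domain))


if __name__ == "__main__":
    for f in find_lapsed_dependencies(PROXY_LOG, REGISTRATION_EXPIRY, today=TODAY):
        print(f"{f.severity:8} {f.status:13} {f.domain}  tablets={f.tablets} authenticated={f.authenticated}")
```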