Document Text Contents
Page 13
harm to organizational missions/business functions.
Subverted individuals may be active supporters of
adversary, supporting adversary (albeit under duress),
or unknowingly supporting adversary (e.g., false flag).
Insert counterfeited hardware
into the supply chain.
Adversary intercepts hardware from legitimate
suppliers. Adversary modifies the hardware or replaces
it with faulty or otherwise modified hardware.
Inserting malicious code into
organizational information
systems and information
system components (e.g.,
commercial information
technology products) known to
be used by organizations.
Adversary inserts malware into information systems
specifically targeted to the hardware, software, and
firmware used by organizations (resulting from the
reconnaissance of organizations by adversary).
Inserting specialized, non-
detectable, malicious code
into organizational information
systems based on system
configurations.
Adversary launches multiple, potentially changing
attacks specifically targeting critical information system
components based on reconnaissance and placement
within organizational information systems.
Insider-based session
hijacking.
Adversary places an entity within organizations in order
to gain access to organizational information systems or
networks for the express purpose of taking control
(hijacking) an already established, legitimate session
either between organizations and external entities
(e.g., users connecting from remote locations) or
between two locations within internal networks.
Installing persistent and
targeted sniffers on
organizational information
systems and networks.
Adversary places within the internal organizational
information systems or networks software designed to
(over a continuous period of time) collect (sniff)
network traffic.
Intercept/decrypt weak or
unencrypted communication
traffic and protocols.
Adversary takes advantage of communications that are
either unencrypted or use weak encryption (e.g.,
encryption containing publically known flaws), targets
those communications, and gains access to transmitted
information and channels.
Jamming wireless
communications.
Adversary takes measures to interfere with the wireless
communications so as to impede or prevent
communications from reaching intended recipients.
Malicious activity using
unauthorized ports, protocols,
and services.
Adversary conducts attacks using ports, protocols, and
services for ingress and egress that are not authorized
for use by organizations.
Page 14
Malicious creation, deletion,
and/or modification of files on
publicly accessible information
systems (e.g., Web
defacement).
Adversary vandalizes, or otherwise makes unauthorized
changes to organizational Web sites or files on Web
sites.
Mapping and scanning
organization-controlled
(internal) networks and
information systems from
within (inside) organizations.
Adversary installs malware inside perimeter that allows
the adversary to scan network to identify targets of
opportunity. Because the scanning does not cross the
perimeter, it is not detected by externally placed
intrusion detection systems.
Mishandling of critical and/or
sensitive information by
authorized users.
Authorized users inadvertently expose critical/sensitive
information.
Multistage attacks (e.g.,
hopping).
Adversary moves attack location from one
compromised information system to other information
systems making identification of source difficult.
Network traffic modification
(man in the middle) attacks by
externally placed adversary.
Adversary intercepts/eavesdrops on sessions between
organizations and external entities. Adversary then
relays messages between the organizations and
external entities, making them believe that they are
talking directly to each other over a private connection,
when in fact the entire communication is controlled by
the adversary.
Network traffic modification
(man in the middle) attacks by
internally placed adversary.
Adversary operating within the infrastructure of
organizations intercepts and corrupts data sessions.
Non-target specific insertion of
malware into downloadable
software and/or into
commercial information
technology products.
Adversary corrupts or inserts malware into common
freeware, shareware, or commercial information
technology products. Adversary is not targeting specific
organizations in this attack, simply looking for entry
points into internal organizational information systems.
Operate across organizations
to acquire specific information
or achieve desired outcome.
Adversary does not limit planning to the targeting of
one organization. Adversary observes multiple
organizations to acquire necessary information on
targets of interest.
Opportunistically stealing or
scavenging information
systems/components.
Adversary takes advantage of opportunities (due to
advantageous positioning) to steal information systems
or components (e. g., laptop computers or data storage
media) that are left unattended outside of the physical
perimeters of organizations.
Perimeter network Adversary uses commercial or free software to scan
harm to organizational missions/business functions.
Subverted individuals may be active supporters of
adversary, supporting adversary (albeit under duress),
or unknowingly supporting adversary (e.g., false flag).
Insert counterfeited hardware
into the supply chain.
Adversary intercepts hardware from legitimate
suppliers. Adversary modifies the hardware or replaces
it with faulty or otherwise modified hardware.
Inserting malicious code into
organizational information
systems and information
system components (e.g.,
commercial information
technology products) known to
be used by organizations.
Adversary inserts malware into information systems
specifically targeted to the hardware, software, and
firmware used by organizations (resulting from the
reconnaissance of organizations by adversary).
Inserting specialized, non-
detectable, malicious code
into organizational information
systems based on system
configurations.
Adversary launches multiple, potentially changing
attacks specifically targeting critical information system
components based on reconnaissance and placement
within organizational information systems.
Insider-based session
hijacking.
Adversary places an entity within organizations in order
to gain access to organizational information systems or
networks for the express purpose of taking control
(hijacking) an already established, legitimate session
either between organizations and external entities
(e.g., users connecting from remote locations) or
between two locations within internal networks.
Installing persistent and
targeted sniffers on
organizational information
systems and networks.
Adversary places within the internal organizational
information systems or networks software designed to
(over a continuous period of time) collect (sniff)
network traffic.
Intercept/decrypt weak or
unencrypted communication
traffic and protocols.
Adversary takes advantage of communications that are
either unencrypted or use weak encryption (e.g.,
encryption containing publically known flaws), targets
those communications, and gains access to transmitted
information and channels.
Jamming wireless
communications.
Adversary takes measures to interfere with the wireless
communications so as to impede or prevent
communications from reaching intended recipients.
Malicious activity using
unauthorized ports, protocols,
and services.
Adversary conducts attacks using ports, protocols, and
services for ingress and egress that are not authorized
for use by organizations.
Page 14
Malicious creation, deletion,
and/or modification of files on
publicly accessible information
systems (e.g., Web
defacement).
Adversary vandalizes, or otherwise makes unauthorized
changes to organizational Web sites or files on Web
sites.
Mapping and scanning
organization-controlled
(internal) networks and
information systems from
within (inside) organizations.
Adversary installs malware inside perimeter that allows
the adversary to scan network to identify targets of
opportunity. Because the scanning does not cross the
perimeter, it is not detected by externally placed
intrusion detection systems.
Mishandling of critical and/or
sensitive information by
authorized users.
Authorized users inadvertently expose critical/sensitive
information.
Multistage attacks (e.g.,
hopping).
Adversary moves attack location from one
compromised information system to other information
systems making identification of source difficult.
Network traffic modification
(man in the middle) attacks by
externally placed adversary.
Adversary intercepts/eavesdrops on sessions between
organizations and external entities. Adversary then
relays messages between the organizations and
external entities, making them believe that they are
talking directly to each other over a private connection,
when in fact the entire communication is controlled by
the adversary.
Network traffic modification
(man in the middle) attacks by
internally placed adversary.
Adversary operating within the infrastructure of
organizations intercepts and corrupts data sessions.
Non-target specific insertion of
malware into downloadable
software and/or into
commercial information
technology products.
Adversary corrupts or inserts malware into common
freeware, shareware, or commercial information
technology products. Adversary is not targeting specific
organizations in this attack, simply looking for entry
points into internal organizational information systems.
Operate across organizations
to acquire specific information
or achieve desired outcome.
Adversary does not limit planning to the targeting of
one organization. Adversary observes multiple
organizations to acquire necessary information on
targets of interest.
Opportunistically stealing or
scavenging information
systems/components.
Adversary takes advantage of opportunities (due to
advantageous positioning) to steal information systems
or components (e. g., laptop computers or data storage
media) that are left unattended outside of the physical
perimeters of organizations.
Perimeter network Adversary uses commercial or free software to scan
