Eavesdropping

Threat actors may seek to capture network communications throughout the ground station and communication channel (i.e. radio frequency, optical) used for uplink and downlink communications

Subtechniques ( 2 )

ID	Name
EXF-0003.01	Uplink Intercept
EXF-0003.02	Downlink Intercept

ID: EXF-0003

Sub-techniques: EXF-0003.01 | EXF-0003.02

ⓘ

Tactic: Exfiltration

Created: 2022/10/19

Last Modified: 2022/10/19

Countermeasures

ID	Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0002	COMSEC	Utilizing secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.	AC-17(1) \| AC-17(10) \| AC-17(10) \| AC-17(2) \| AC-18(1) \| AC-2(11) \| AC-3(10) \| IA-4(9) \| IA-5 \| IA-5(7) \| IA-7 \| SA-8(18) \| SA-9(6) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(2) \| SC-12(3) \| SC-12(6) \| SC-13 \| SC-16(3) \| SC-28(1) \| SC-28(3) \| SC-7 \| SC-7(11) \| SC-7(18) \| SI-10 \| SI-10(3) \| SI-10(5) \| SI-10(6) \| SI-19(4)		A.8.16 \| A.5.16 \| A.5.17 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.33 \| A.8.11
CM0036	Session Termination	Terminate the connection associated with a communications session at the end of the session or after an acceptable amount of inactivity which is established via the concept of operations.	AC-12 \| SC-10 \| SI-14(3)		A.8.20
CM0029	TRANSEC	Utilize TRANSEC to secure data transmissions from being infiltrated, exploited, or intercepted.	AC-18(5) \| CP-8 \| SC-40 \| SC-40(1) \| SC-40(3) \| SC-40(4) \| SC-8(4)		A.5.29 \| A.7.11

Related CWE Classes

Priority 1	Priority 2	Priority 3	Priority 4
CWE-1390: Weak Authentication	CWE-311: Missing Encryption of Sensitive Data	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-326: Inadequate Encryption Strength	CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-330: Use of Insufficiently Random Values
CWE-346: Origin Validation Error
CWE-665: Improper Initialization

Related Aerospace Threat ID

Related MITRE ATT&CK TTPs

No related MITRE ATT&CK TTPs

Related ESA SPACE-SHIELD TTPs

No related Spaceshield TTPs

Related MITRE EMB3D Threats

No related MITRE EMB3D Threats

Indicators of Behavior

ID	Name	Description	STIX Pattern
CSNE-16	Suspicious Network Traffic Without Expected Encryption	Detection of unencrypted telemetry data being transmitted to the ground station when encryption is expected, potentially indicating that encryption has been bypassed to enable unauthorized data exfiltration.	[network-traffic:encryption_status != 'encrypted' AND network-traffic:protocols[*] = 'satellite_communication' AND network-traffic:dst_ref.role = 'ground_station']