Threats to Ground Systems
Aerospace analyzed each TTP in the ATT&CK for Enterprise matrix and mapped it to Aerospace's Defense-in-Depth (DiD) model for the ground segment. The goal of this analysis was to bucket the TTPs into each layer, similar to the work performed on the spacecraft in TOR 2021-01333. The table below shows, for each layer, the TTPs a threat actor may leverage against that layer. The analysis also helps identify the best place for mitigations and detections. Clicking an individual TTP link redirects to the ATT&CK for Enterprise entry, which contains additional information (mitigations, detections, procedures, etc.) from ATT&CK.

In addition to the ATT&CK matrix, work has also been performed to map the TTP IDs to NIST RMF controls for more detailed mitigation elements. This work is hosted on GitHub at https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings and includes spreadsheets, ATT&CK Navigator overlays, etc.

While understanding the mitigations is crucial, testing the detections or susceptibility of a ground segment element is equally important. An open-source resource has been published that enables automated testing of many of the ATT&CK TTPs. These "atomics" are tests broken down by TTP ID, which enable groups to test their ground system implementation for prevention and detection capability. They can be viewed at https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
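Because both the layer table and the atomics are keyed by TTP ID, the two can be joined to show which TTPs in each DiD layer have an automated test available and which do not. The following is an added example, not code from Aerospace or from either GitHub project; the layer names, the layer-to-TTP assignments and the directory listing are constructed placeholders, and the only assumption about the atomics folder is that it holds one subdirectory per TTP ID.

```python
import re
from collections import defaultdict

# ATT&CK technique or sub-technique ID, e.g. T1059 or T1059.001
TTP_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def available_atomics(dir_names):
    """Keep only entries named like a TTP ID (drops helper folders)."""
    return {name for name in dir_names if TTP_ID.match(name)}

def layer_coverage(layer_ttps, atomics):
    """For each layer, split its TTPs into tested / sub-technique-only / untested."""
    subs_by_parent = defaultdict(set)
    for tid in atomics:
        if "." in tid:
            subs_by_parent[tid.split(".")[0]].add(tid)

    report = {}
    for layer, ttps in layer_ttps.items():
        tested, via_sub, untested = [], {}, []
        for tid in sorted(ttps):
            if tid in atomics:
                tested.append(tid)
            elif "." not in tid and subs_by_parent.get(tid):
                # Layer lists the parent technique; tests exist only for
                # some of its sub-techniques, so coverage is partial.
                via_sub[tid] = sorted(subs_by_parent[tid])
            else:
                untested.append(tid)
        report[layer] = {"tested": tested,
                         "sub_technique_only": via_sub,
                         "untested": untested}
    return report

# Constructed sample: stands in for a listing of a local atomics/ checkout.
SAMPLE_DIRS = ["Indexes", "T1046", "T1059.001", "T1059.004",
               "T1078.003", "T1110.001"]
# Constructed sample: placeholder layers, not the layers of the DiD table.
SAMPLE_LAYERS = {
    "layer-1 (placeholder)": {"T1046", "T1110.001", "T1190"},
    "layer-2 (placeholder)": {"T1059", "T1078.003", "T1021.004"},
}

if __name__ == "__main__":
    result = layer_coverage(SAMPLE_LAYERS, available_atomics(SAMPLE_DIRS))
    for layer, buckets in result.items():
        print(layer, buckets)
```

To run it against a real checkout, pass the output of `os.listdir()` on the local atomics directory to `available_atomics`. TTPs reported as untested are the ones whose prevention and detection need a manually designed test.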