{ "type": "bundle", "id": "bundle--2685f246-a7fc-4846-b5b0-ddca34288b03", "spec_version": "2.0", "objects": [ { "modified": "2023-03-30T20:13:55.599Z", "name": "Alarm Suppression", "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a twofold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. 
(Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "x_mitre_contributors": [ "Marina Krotofil", "Jos Wetzels - Midnight Blue" ], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Device Configuration/Parameters" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ "Operational Databases: Process History/Live Data", "Network Traffic: Network Traffic Flow", "Operational Databases: Process/Event Alarm", "Operational Databases: Device Alarm" ], "type": "attack-pattern", "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0878", "external_id": "T0878" }, { "source_name": "Jos Wetzels, Marina Krotofil 2019", "description": "Jos Wetzels, Marina Krotofil 2019. A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved 2019/11/01.", "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }