CAPEC-524: Rogue Integration Procedures
An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.
Last updated
Overview
CAPEC-524 (Rogue Integration Procedures) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- Physical access to an integration facility that prepares the system before it is deployed at the victim location.
Skills required
- High skill: Advanced knowledge of the design of the system.
- High skill: Hardware creation and manufacture of replacement components.
How to mitigate it
Defenses that reduce the risk of CAPEC-524.
- Deploy strong code integrity policies to allow only authorized apps to run.
- Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.
- Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.
- Require SSL for update channels and implement certificate transparency based verification.
- Sign everything, including configuration files, XML files and packages.
- Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.
- Maintain strong physical system access controls and monitor networks and physical facilities for insider threats.
Examples
An attacker gains access to a system integrator's documentation for the preparation of purchased systems designated for deployment at the victim's location. As a part of the preparation, the included 100 megabit network card is to be replaced with a 1 gigabit network card. The documentation is altered to reflect the type of 1 gigabit network card to use, and the attacker ensures that this type of network card is provided by the attacker's own supply. The card has additional malicious functionality which will allow for additional compromise by the attacker at the victim location once the system is deployed.
Frequently asked questions
Common questions about CAPEC-524.
- What is CAPEC-524?
- An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.
- How do you prevent CAPEC-524?
- Deploy strong code integrity policies to allow only authorized apps to run.
- How severe is CAPEC-524?
- MITRE rates CAPEC-524 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-524
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.