CNA Tactics and Techniques: A Structure Proposal

: Destructive and control operations are today a major threat for cyber physical systems. These operations, known as Computer Network Attack (CNA), and usually linked to state-sponsored actors, are much less analyzed than Computer Network Exploitation activities (CNE), those related to intelligence gathering. While in CNE operations the main tactics and techniques are deﬁned and well structured, in CNA there is a lack of such consensuated approaches. This situation hinders the modeling of threat actors, which prevents an accurate deﬁnition of control to identify and to neutralize malicious activities. In this paper, we propose the ﬁrst global approach for CNA operations that can be used to map real-world activities. The proposal signiﬁcantly reduces the amount of effort need to identify, analyze, and neutralize advanced threat actors targeting cyber physical systems. It follows a logical structure that can be easy to expand and adapt.


Introduction
An important threat against cyber physical systems is operations focused on its disruption or control. Although these activities can be directed against pure IT environments, the impact they can produce in a cyber physical system is usually much bigger, as it exceeds the cyberspace and materialize into the real-world, thus causing, for example, human losses. These activities are identified as Computer Network Attack (CNA), operations taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves, as we will define later, and are performed by advanced threat actors, specially state-sponsored ones. Please note that when we refer to an attack, we are referring to disruption or manipulation operations, not just to any kind of attack (or cyber attack); this is an important point, as in many works the authors consider attack any operation against a technological infrastructure, no matter the objective of the attacker is.
CNA operations are much less analyzed than Computer Network Exploitation ones, or CNE, those related to cyber espionage; as an example, the main de facto standard to identify tactics and techniques-and to link them to advanced threat actors-MITRE ATT&CK, focuses mainly on CNE tactics and techniques, leaving CNA ones as a secondary aspect. This is due to the prevalence of CNE activities among advanced threat actors, which is a confirmation of the lack of studies to structure those attacks and its modus operandi. Although CNA operations are not as usual as those related to intelligence gathering, their importance is increasing with the expansion of cyber physical systems. An operation targeting these environments to destroy or to control them can cause damage not only to a specific industrial process, but to the society on the whole.
This work provides a structure of tactics and techniques for CNA operations and actors aligned with ATT&CK, thus complementing the effort that MITRE has done in this framework and helping to improve it. We have followed the MITRE ATT&CK structure as the reference to develop those tactics and techniques, as it is the main public effort to establish a classification of Tactics, Techniques, and Procedures (TTP) used by threat actors, and we also propose an initial mapping for our approach to this classification. The tactics-and its associated techniques-linked to CNA activities will be submitted to MITRE to be included in the Enterprise Tactics section at MITRE ATT&CK. It is important to note that this work is the first proposal towards a global approach for CNA operations that can be used for establish a definitive taxonomy of TTP in those operations that nowadays have become a major threat for cyber physical systems. Moreover, a key point is that our proposal is not linked to specific components of a cyber physical system (for example, to improve specific detection mechanisms, those usually based on attack signatures in an expert system), but provides an upper approach to model and categorize threat activities against infrastructures.
One of the most important tactics is the manipulation one, as its effects are usually not noticed immediately, and so the damage on the cyber physical system can be larger; apart from that, it is the less analyzed tactic until now. In this tactic, we have identified a new research line that has to do with the identification of subcategories for manipulation families that are stated here, in order to refine the taxonomy and to cover all the relevant particular techniques; for example, inside the falsification family we could mention spoofing, a family of techniques in which an actor successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage [1].
The contributions of this paper are as follows.
• Identify the tactics linked to CNA operations. • Discuss and establish techniques for each of the tactics identified. • Define a structure for CNA tactics and techniques compatible with standards accepted among the community and suitable for its improvement. • Identify a key research line for the structure and analysis of the manipulation tactic.
The rest of the paper is organized as follows. The background Section 2 provides a brief introduction to Information Operations-where CNA is located-and to the MITRE ATT&CK framework, as the main reference for the development of tactics and techniques. In Section 3, we assess the problem of the lack of a unified structure for CNA tactics and techniques, and its importance for the modeling of advanced threat actors. Section 4 analyzes the prior work in this field, stating that little research has been done, specially for the manipulation tactic. In Section 5, we propose a novel taxonomy for CNA tactics in which we identify four specific ones, and for each one of them we establish a classification for its associated techniques. In Section 6, we discuss the results of our work, comparing them with other approaches and identifying improvements. Finally, Section 7 summarizes the outcome of the overall work and identify future research lines.

Computer Network Attack
Information Operations (IO) is defined as the integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own [2]. One of the core capabilities inside IO is Computer Network Operations (CNO), which can be described as the actions taken through the use of computers and networks to gain information superiority or to deny the adversary this enabling capability. CNO is an umbrella term that comprises three main activities [3]: (1) Computer Network Attack (CNA), (2) Computer Network Defense (CND), defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction [4], and (3) Computer Network Exploitation (CNE). While CND is about computer and network protection, whereas CNE is focused on information gathering, that is, in espionage (or cyber espionage).
CNA operations are [2] those taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves. As we can see from its definition, CNA has been usually linked to the socalled 4D: disrupt, deny, degrade, and destroy [5], referring to destructive-with more or less impact-actions performed through computer networks. This one, through computer networks, is a key point: a missile launched against a data center is not CNA, despite the fact that it shall destroy computers and networks.
The CNA concept is currently under revision and may be soon replaced by a more generic one: Cyberspace Attack (CA), a capability inside Cyberspace Operations (CO) [6], defined as [7] the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace. In this context, CA is a broader term than CNA: in fact, an interesting point in [7] is the relationship between CO and Electronic Warfare (EW). CA includes not only the 4D, but also manipulation, for example, in operations associated with deception, corruption, or usurpation. A compilation of these doctrine and terminology (and its use and history) can be found in [8,9]. Every threat actor that performs CNE or CNA activities develops Tactics, Techniques, and Procedures (TTP) to achieve its goals [10]. Table 1 briefly describes the TTP definitions. Table 1. Tactics, Techniques, and Procedures (TTP) definitions.

Tactics
The employment and ordered arrangement of forces in relation to each other.
Techniques Non-prescriptive ways or methods used to perform missions, functions, or tasks.

Procedures
Standard, detailed steps that prescribe how to perform specific tasks.
Tactics specify what a threat actor is doing, at the highest level of description, to accomplish a certain mission, and techniques specify how tactics are implemented and procedures-outside of the scope of this work-describe a particular implementation. These Tactics, Techniques, and Procedures represent the behavior of the actor, very similar to what we usually call its modus operandi, from the highest level description (tactic) to the lowest level one (procedure) [11].

MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge, contributed by analysts worldwide, can be used as the base for the development of specific threat models and methodologies. Started in 2013 and published in 2015, ATT&CK develops a process for modeling an adversary's post-compromise behavior at a fine level. An excellent description of the framework and the work done can be found at [12].
MITRE ATT&CK framework is today's de facto standard to structure tactics and techniques of advanced threat actors. As of March 2019, ATT&CK had defined 11 enterprise tactics-those related to the activities of an attacker into its victim-and 223 enterprise techniques associated with those tactics. Apart from that, ATT&CK defines 15 pre-attack tactics-related to the activities of an attacker before compromising its victim-and 174 preattack techniques linked to them, as well as 13 mobile tactics-related to to the compromise of mobile devices-and 66 mobile techniques. Beside tactics and techniques, ATT&CK identifies software-a generic term for tools, artifacts, malware, etc.-that can be used to implement one or more of the techniques, and which is out of the scope of this work.
MITRE ATT&CK also links Advanced Persistent Threat groups (APT) to tactics, techniques, and software. With 78 identified groups at the time of this writing, everyone of them is named, aliased, described, and linked to specific techniques (including pre-attack and mobile) and software. In this way, an analyst can establish relations between those entities to model an adversary and its activities against a target and, most important, to establish defense mechanisms to prevent, detect and respond to a threat.
Without any doubt, ATT&CK is an enormous effort to provide to the community an unified framework to identify the activities of advanced threat actors, from their TTP to the software they use, correlate information among those entities and improve not only the knowledge about APT, but also the defense mechanisms required to counter them. It constitutes a framework that, as usual, has to be improved with continuous work and contributions; in this sense, we miss in ATT&CK a deeper approach to the tactics, the techniques, and even to the software related to CNA activities.
Until 2019 MITRE ATT&CK was focused on CNE rather than in destructive operations or threat actors. In April 2019, a new enterprise tactic called "Impact" was added, where they specify the techniques whose primary objective is to reduce the availability or integrity of a system, service, or network, including manipulation of data to impact a business or operational process. This Impact tactic is directly related to CNA activities, and includes fourteen techniques, such as defacements, data manipulation, or data destruction. Although this tactic from MITRE ATT&CK is a good starting point, it is mandatory to develop it in depth.

The Issue
The impact of CNA operations in cyber physical systems has been largely discussed [13], especially since the discovery of Stuxnet [14]. This malware, Stuxnet, is a key piece in one of the best known manipulation operations. Although it was not the first one or the most noxious, it was the most reported [3]. Stuxnet is a cyber weapon, probably developed by United States and Israel, that compromised industrial systems to manipulate the centrifuges that enriched Uranium, so slowing down the Iranian nuclear program and directly impacting on a critical cyber physical system [15].
As stated before, CNA operations, those destructive-in more or less grade-or control-oriented, are much less analyzed than CNE ones; although many of a threat actor's TTP are common to CNE and CNA operations, in some cases, especially when dealing with actions on the target-or, depending of the tactic used, with actions against the target-they differ. As TTP are critical to identify and model threat actors, much work has been done to structure tactics and techniques, but most of the efforts in this sense are related to CNE activities. This focus on CNE may be due to two main facts: • Many threat actors are engaged in intelligence gathering more than in destructive attack campaigns. • Most of CNA activities require a previous CNE operation to know the attacked target, so CNE is almost always present.
During the last years, CNA operations that are publicly known are arising and we can face different threat actors engaged in both CNE and CNA operations; a good example is APT28, a group linked to the GRU, the Russian Military Intelligence Service, working not only in cyber espionage, but also in destructive campaigns against its targets. This is an important threat not only to pure IT environments but also to OT ones, where their impact exceeds the cyberspace by causing denial effects on cyber physical infrastructures, especially on critical ones. In fact, it is considered the fastest growing threat for cyber physical systems [16].
In this work, we address an issue that has not been largely approached and whose importance is increasing during the last years. Threat modeling, including the modeling of specific cyber attacks, has been largely discussed and many approaches exist nowadays to face the problem. However, when dealing with tactics and techniques for CNA operations no global view has been defined, a situation that hinders the modeling of advanced threat actors Most of the work regarding the structure of tactics and techniques for these actors have been focused on CNE operations, while CNA ones are not so structured. This situation has an obvious reason: as stated before, CNE is much common, and all advanced CNA operations require a previous CNE one. However, destruction and manipulation operations have increased during the last decade, as well as the actors performing them. They have become a major threat to cyber physical systems, especially against critical infrastructures, where the damage exceeds the cyber world and can impact in the real one, including a potential loss of life. Therefore, we are facing an increasing problem, and the lack of a structure suitable for the modeling of these actors and its operations causes a weak protection against them. Without accurate capabilities to model CNA operations, starting with a structured view of its tactics and techniques as key elements, infrastructures are not well protected, especially cyber physical systems.

Approaches and Limitations
Some works have established a taxonomy for computer network attacks; the authors of [17] provide an ontology whose goal is to automate the classification of a network attack during its early stages. In this ontology, the "Attack goal class" refers to the purpose of the attack, which could be considered equivalent to the tactic. The authors identify five goals in CNA operations: to change data, to destroy data, to disrupt data, to steal data, and a springboard to other goals. While this last goal cannot be considered a tactic itself and the theft of information is not inside CNA but inside CNE operations (although as stated before all CNA serious operations require a previous CNE one), the change, destruction, and manipulation of data are all considered in the taxonomy we propose; not only referring to data, but referring to all pieces of a cyber physical systems that can impact in the process they support.
As stated before, when dealing with CNA we usually refer to 4D: disrupt, deny, degrade, or destroy the information or the systems or networks themselves; this initial set of actions, expressed in many works since the 1990s [18][19][20][21] has been superseded by two approaches: to consider denial as an umbrella term for the other 3D and to include manipulation as a form of attack, beside the denial tactics.
The first of these approaches considers denial as the actions to prevent access to, operation of, or availability of a target function by a specified level for a specified time [6]; in other words, denial is not a tactic, but an effect that can be achieved by degradation, disruption, or destruction. This approach is used in many works, and seems specially consolidated in modern doctrines [7, 22,23], thus considering denial as a goal, but not as a tactic itself.
Apart from denial tactics, inside CNA operations we must consider a tactic called manipulation [6,7], whose goal is to control or change the target's information, information systems, and/or networks in a manner that supports the attacker's objectives. Those objectives, in CNA operations, are clear: to cause denial effects against access or operation, goals that can be achieved by tactics such as degradation, disruption, destruction, and manipulation. However, following this approach, what is the difference between a manipulation that achieves a degradation or a direct degradation as a tactic? It is a very subtle one: mainly, manipulation refers to a manner that is not immediate apparent or detected: a DDoS (degradation or disruption) or a ransomware attack (destruction) are immediately identified by the victim. If the tactic was manipulation, the attack would not have been immediately detected, and would extend in time, so impact would have been higher in advance.
It is important to differentiate CNA from Electronic Attack (EA), a branch of Electronic Warfare (EW), another IO core capability. EA relies on the use of electromagnetic spectrum, while CNA relies on the data stream to execute the attack [24], although both capabilities are converging inside the cyber field; a good reference to identify EW and CNO relationships can be found in [25]. However, EA tactics and techniques could be equivalent to CNA ones in some cases, so we must consider them in our work.
Attack modeling methodologies have been largely discussed. A summary and analysis of some of these methodologies can be found in [26,27] and of course in [28], in which it is still one of the main references in the topic. Particular approaches to model an attack have been developed: • The Cyber Kill Chain ® , developed by Lockheed Martin, is part of the Intelligence-Driven Defense ® model for identification and prevention of cyber intrusions activity, specifying what a threat actor must complete in order to achieve their objective. This model represents an industry accepted methodology for understanding how an attacker will conduct the activities necessary to cause harm to the organizations and has been largely discussed [29]. • The Diamond Model of Intrusion Analysis (DMIA) [30] establishes a formal method applying scientific principles to intrusion analysis, providing a simple, formal, and comprehensive method of activity documentation, synthesis, and correlation. The model represents an adversary deploying a capability over some infrastructure against a victim; these activities, called events, are the atomic features of the model, and they define one step in a series that a threat actor must execute to achieve its goal. • MITRE ATT&CK, previously discussed in this work. • The Detection Maturity Level (DML) [31] is a model to assess the maturity of an organization to detect cyber attacks in terms of its capabilities to consume and act upon given threat information. The DML model is composed of nine levels of maturity, from the most technical ones-level 0 represents no information about the threat-to the highest level ones-goals and strategy of the attacker. This hierarchical model and its improvements [32,33] can give an approach not only to evaluate the detection capabilities of an organization, but also to the semantic modeling of an advanced threat actor: from a group to specific indicators left after an operation, thus helping the analysts to model the interests and behavior of the actor and its modus operandi in specific operations.
With the exception of MITRE ATT&CK, none of these approaches focuses on the tactics and techniques of an attacker. The Cyber Kill Chain ® tries to specify the steps an attacker has to perform to achieve its objectives, without discussing how these steps can performed (a work that is done in MITRE ATT&CK). The Diamond Model provides a framework to identify adversary operations and to discover new capabilities, infrastructure, and victims, but once again it does not focus on what and how a threat actor works. An adversarial approach like DML does refer to tactics, techniques, and procedures of an actor, but not in depth.
As tactics and techniques are not widely discussed in threat models, and the only approach focused on these aspects (MITRE ATT&CK) does not cover CNA techniques in a structured way, it is mandatory to consider particular approaches for specific techniques and to contextualize them in a global structure, as well as to analyze other kind of attacks related to cyber activities (this is, EA), trying to provide a global, common structure for CNA operations.
The work in [34] states that EA tactics are disruption, delaying, deviation, and denial, and refers to techniques such as deception, jamming, masking, and directed energy, in no particular structure. The work in [35] considers degradation, disruption, and deception as techniques to accomplish the denial tactic, together with destruction. At this point deception emerges, being unclear in literature review where is located in a tactics and techniques structure. Apart from the "4D" (deny, degrade, disrupt, and destruct) linked to CNA, some authors [7,36] directly advocate the existence of a fifth "D" while dealing with EA tactics, referring to deception. In this work, we will consider deception as a particular manipulation with two possible goals: dissimulation, to hide the real, or simulation, to show the false; later we will discuss the role of equivalence between deception and manipulation.
Most of the literature reviewed is focused on degradation techniques, and inside them, in two main directions: the first one is the characterization of electronic attacks against WiFi networks; for example, in [37,38] the authors propose a classification of DoS attacks in wireless infrastructures, based on the network layer in which the attack is performed, from the physical layer to the application one. As stated before, this kind of techniques is outside of the scope of this paper because they are closer to EA than to CNA.
The other research field has been DDoS attacks taxonomies, that is, taxonomies of attacks engaging multiple hostile actors to degrade or disrupt a victim through a network connection. In spite of the fact that some authors state that there is not a DDoS classification model [39] and try to define a general and simple scheme that differentiates between attacks on bandwidth, host resources, and weaknesses, other studies try to define a taxonomy for DDoS attacks; for example, early works like [40,41] established a classification for DDoS attacks that has been improved during those years [42]. In this model, the authors distinguish between active and passive attacks (in this case, the only established category is packet dropping). While referring to active attacks, the second difference is based on the depleted object: bandwidth or an object mandatory to access the targeted system. First, bandwidth can be depleted by flood attacks (those that require a bandwidth usage larger in the attacker than in the target) or by amplification attacks, in which a simple request is amplified in the target system thus degrading its performance when many requests are made; a typical example of an amplification attack is DNS amplification. Related to resource depletion, it can be accomplished by exploiting flaws in network protocols or by malformed packets that fool those protocol's implementation.
As seen, depletion is a key technique inside degradation; some approaches try to establish a taxonomy based on the depleted resource. The authors of [40,41] identify bandwidth depletion and resource depletion; they defend that the first one can be achieved by flooding and amplification techniques, while the second one, resource depletion, can be achieved by techniques based on exploiting vulnerabilities. Our approach is different in the sense that we do not differentiate between bandwidth or resource depletion-at the end, bandwidth is just a resource to be depleted, just like CPU or storage, joining all the techniques above depletion: for example, an application can be flooded by legit queries-not exploiting-to deplete CPU.
The less-studied tactic we are addressing deals with the manipulation of cyber physical systems; we are facing a complex and novel task, because there are no works on the subject, and the few literatures we found are confusing. Although there are many taxonomies and ontologies for attacks [43][44][45] (a good summary can be found in [46]), none of them focus on techniques, but most on the complete modeling of an attack (and mainly understanding attack not only as a denial or manipulation operation). Even a good work on terminology and concepts referred below [6] includes deception, decoying, conditioning, spoofing, and falsification as examples of techniques to perform the manipulation tactic; after analyzing literature and practical cases, we cannot agree with these examples: apart from the fact that this relation is not exhaustive, it mixes techniques that should be considered as particular instances of an umbrella category (spoofing is just a family of techniques linked to falsification). Other, less doctrinal studies [47], identify data modification and infrastructure manipulation as the tactics related to what we-and other references-have called manipulation and that should be considered as a single tactic.
Other relevant work on manipulation is CAPEC (Common Attack Pattern Enumeration and Classification), from MITRE, which defines different mechanisms of attack that include infrastructure manipulation, file manipulation, configuration or environment manipulation, software integrity attack, modification during manufacture, manipulation during distribution, hardware integrity attack, malicious logic insertion, resource contamination, and obstruction; as its name implies, this resource focuses on attack patterns, not on techniques performed to accomplish manipulation. For example, a pattern like file manipulation can be performed by many techniques but techniques define how, no matter if it is applied to configuration, file, infrastructure, or manipulation.
As we can see, there is no global approach to define a structure for CNA tactics and techniques. Network attack is a common problem to face nowadays, and some approaches have been developed to classify them from different (objectives, mechanisms. . . ). However, when dealing with TTP only partial approaches have been addressed, mainly focused on degradation techniques (and inside them, particularly inside DDoS techniques). These partial approaches do not cover the full spectrum of CNA activities and they are neither aligned with today key references. Even MITRE, which has developed standards such as CAPEC (focusing on patterns of attack, not in TTP) and, specially, ATT&CK, do not cover the full range of CNA operations in a suitable manner.
As far as we know, our work is the first global approach for CNA operations TTP structure; all work done can be considered partial, focused on specific techniques like some DDoS types, and without a common framework where to structure CNA TTP. The lack of an unified, well-accepted taxonomy of CNA tactics and techniques impacts in the security of cyber physical systems, which nowadays are one of the main targets of state-sponsored threat actors. We propose a novel approach for a structure suitable for the modeling of such actors and its activities, that can be used to prevent, identify, and neutralize operations against technological infrastructures. We cannot compare our approach against existing ones, because as we have stated, all the reviewed research focuses on particular techniques without a common framework for CNA tactic and techniques. Our approach follows MITRE ATT&CK structure, so it can be easily used in real world scenarios and can improve MITRE's effort to maintain a global shared knowledge about threat actors' modus operandi.

Proposed Approach: A Novel CNA Tactics Taxonomy
In this section, we present a novel structure for tactics and techniques linked to destructive and manipulative operations against cyber physical systems. Our approach includes manipulation as a tactic in CNA operations, but we will not consider denial as a tactic itself but a goal or a meta tactic that can be performed by degradation, disruption, and destruction-in fact, also by manipulation. Furthermore, it is not differentiated degradation from disruption techniques: disruption is a particular case of degradation where degradation level is 100%, so all of the techniques families expressed in degradation directly apply to the disruption tactic. Therefore, although we can face four main tactics for CNA operations (degradation, disruption, destruction, and manipulation) as Table 2 shows, only for three of them (all but disruption, seen as a particular case of degradation) are we going to define categories and subcategories, where applicable, in order to classify specific techniques in each of them. Table 2. CNA tactics.

Degradation
Degradation consists [6] of techniques used to deny access to, or operation of, a target to a level represented as a percentage of capacity; if this percentage is 100%, we refer to disruption.

Disruption
Disruption consists of techniques used to completely but temporarily deny access to, or operation of, a target for a period of time; it is a degradation whose level is 100%.

Destruction
Destruction consists of techniques used to completely and irreparably deny access to, or operation of, a target.

Manipulation
Manipulation consists of techniques used to control or change the target's information, information systems, and/or networks in a manner that supports the attacker's objectives.
Our criteria for the proposed structure of TTP are based primarily (tactics) on what an attacker is trying to achieve against its target to accomplish its objectives: that is, on the effects of the operation or attack. In this way, CNA operations try to degrade, disrupt, destruct, or manipulate. Once the tactics are stated, inside each of them we identify the different techniques the attacker can develop to get the desired effect (as stated before, techniques refer to how a tactic is accomplished). Here, we identify some techniques that can be seen similar to others (for example, alteration vs. modification or deletion vs. cancellation); the key difference between them is the tactic they are linked to, which reflects what the attacker is trying to achieve. At this point, it is also important to note that the same technique can be used to perform different tactics: for example, manipulation techniques can also be executed both to degrade or to destroy a target, depending on the particular assets attacked in the target or on the particular kind of the manipulation performed. When we consider deletion or encryption, linked to destruction, we are not seeing the destruction of particular files of a cyber physical environment, but the destruction of its functionality.
The different tactics identified and analyzed in this work can also be classified from an impact point of view. In this sense, although it is hard to establish a global classification, and the final impact will depend on many factors (as on the complexity of a particular campaign, or on the early detection of an operation in a target), the manipulation tactic can considered by far the most dangerous for cyber physical processes. For advanced threat actors, manipulation implies not only knowledge about particular industrial processes, but also a high control level of the targeted infrastructure. Following manipulation, destruction attacks are the most impactful ones for the target, as they imply an irreversible damage for cyber physical systems, that can only be restored by entirely rebuilding them. Disruption, as a fully degradation level, and degradation tactics can be considered the ones with less impact on the target, as the normal behavior of the affected cyber physical systems is usually recovered once the degradation operation is contained and the affected environments are turned again to a stable status. Please note that, in spite of its impact level, all CNA tactics can lead to fatal consequences, especially when the target is a cyber physical system for a critical infrastructure.

Degradation
Degradation is a tactic whose goal is to reduce the effectiveness or efficiency of command and control systems and information collections efforts or means [7], and can be implemented using various techniques, including what we usually call Denial of Service (DoS), an explicit attempt to avoid legitimate users of a service make use of it [48], or Distributed DoS (DDoS), depending on the number of attackers.
We propose a classification for degradation techniques based not only on depletion attacks, but considering other techniques to accomplish the tactic; we differentiate between depletion, interference, and alteration approaches, and identify techniques in all of them as shown in Figure 1. This proposal includes all the main techniques and its subtechniques, dealing with all the different mechanisms an attacker can use to degrade a cyber physical system, thus providing a full coverage of the degradation tactic.

Depletion
Interference Alteration Flooding Amplification Reflection Exploiting Dropping Misrouting Incapacitation Corruption

Depletion
While dealing with degradation, the family of most studied techniques are those based on depletion-the degradation of an element whose work is mandatory to provide a service; depletion can be performed in any point between the target system and its legitimate users: the typically attacked points are the system itself or network devices whose degradation impacts in most users (usually, an attacker will want to maximize impact thus denying service to as many users as possible). In the special case of cyber physical systems, depletion attacks can also target physical elements of an infrastructure, although if its impact is not immediately noticed then we are facing not a degradation, but a manipulation tactic. Depletion can be achieved through different mechanisms, presented in this section.
Flooding techniques aim to degrade services by sending vast amounts of valid service requests, trying to degrade a key resource for the provision of the service: it may be the target system itself or an intermediate infrastructure mandatory to provide service to legit users, typically a network device. Usually, flooding is performed as an N-to-1 attack, where a lot of zombies send valid requests to a destination thus achieving a service degradationknown as Distributed Denial of Service (DDoS); it is a simple and cheap attack.
Amplification techniques are those that benefit from sending small requests to services that produce responses orders of magnitude larger in size, in such a way that with a reduced number of queries an attacker can exhaust the service; inside amplification we find techniques such like DNS or NTP amplification.
A third commonly accepted technique nowadays [49] is reflection; reflection techniques are those in which the hostile actor sends requests, spoofing its source address pretending to be the victim, to a reflector server. This reflector, unable to distinguish legitimate from spoofed requests, replies directly to the victim [50,51]; launching a reflection attack from a botnet against a particular target will cause the target to be answered, thus degrading at least its bandwidth.
Finally, inside depletion, we can discuss exploiting techniques, those which are based on the exploitation of one or more flaws in a policy or in the mechanism that enforces the policy, or a bug in the software that implements the target system, and aims to consume excessive amount of resources of the target by sending it a few carefully crafted requests [52]. Inside exploiting we can consider techniques related to protocol exploiting or violationincluding all layers, from infrastructure to application level-and also techniques related to application exploiting: malicious queries to a web application with a poor database structure can lead to CPU depletion on the web or database server, for example.

Interference
Interference attacks in CNA activities work by intentionally inducing noise or injecting false data into the target, thus degrading its service. While regarding these techniques, it is mandatory to mention jamming, a subset of denial of service attacks in which malicious nodes block legitimate communication by causing intentional interference in networks [53] and which is a key threat to cyber physical systems [54][55][56][57]; while jamming could be included inside an interference category for degradation or disruption operations, especially in WiFi sensor networks, we cannot consider jamming inside CNA techniques as it is related to Electronic Warfare. Anyway, interference techniques exist in CNA operations, with most well-known instances of this category relying upon features of the TCP protocol [58]; inside this category we can include packet dropping [59,60], an attack whose goal is to make the source and the destination perceive disconnection or degradation of path quality. Of course, while referring to degradation not all packets are to be dropped-as it could be easily detected, and will fall into the disruption tactic-but only a subset of the packets is dropped, thereby making it more difficult to detect [59]. Although packet dropping is usually performed in wireless networks by EA techniques, it can also be used in wired infrastructures, mainly in network devices (just as routers). As stated, this kind of attack can be seen as techniques inside interference, as well as routing attacks: those related to the modification of routes that interconnect source and destination of a communication, from poisoning to black holing.

Alteration
Another family of techniques inside degradation is alteration of system components. In this category, we can mention incapacitation, when the attacker disables one or more of key components, and change, when the attacker modifies key functions or data of the target (please note that the term "target" not only refers to a final infrastructure, but also to any point of the service delivery that can be attacked to degrade the service).
A particular tactic inside change techniques to achieve degradation is the corruption of system memory; it is a technique analyzed in many works [61][62][63]. Although it could be usually considered inside the destruction tactic-memory corruption attacks destroy the data, we identify it inside alteration techniques because it is performed against volatile memories and rebooting the system usually recovers its functionality (the goal of the attacker is not to destroy, but to degrade).
It is important to state that what we have called alteration differs from the manipulation tactic, although both imply the modification of key system components: in this context, alteration techniques must be seen inside the denial meta tactic, this is, they prevent access to, operation of, or availability of a target, while manipulation tactic tries to control or change information in a manner that supports the attacker's objectives. For example, defacement can be seen as a technique inside alteration (change in particular): it directly denies the access to a legit resource, and although web defacement is usually a simple attack but it can be also performed by advanced actors-for example, for political purposes as we saw in Georgia 2008 attacks. Some authors distinguish between sophisticated and unsophisticated attacks (see in [20] for references).

Destruction
Although destruction can be performed through hardware, firmware, software, data, or network destruction, in most cases both logical and physical, while dealing with it in CNA operations targeting cyber physical systems we can identify techniques that delete firmware, software or data, that make them unusable-corruption-or that make them unusable unless a condition is met-encryption, unless the encryption key is known. All of them, when successfully used, damage its target in an irreversible manner: the target cannot perform any function or be restored to a usable condition without being entirely rebuilt [7]. Other destruction techniques, such as physical destruction, degaussing, or physical shredding, are considered outside CNA operations (some attacks, especially those against cyber physical systems, result in the physical destruction of one or more components of an infrastructure, but we will consider them inside the manipulation tactic: the attacker manipulates an industrial process, thus causing physical destruction), although they can also impact cyber physical systems.
Destruction techniques performed by advanced threat actors are usually executed against the components of the cyber physical system that most impact can cause (it is important to note that no destruction tactic can be executed without the destruction of one of these components); for example, file shredding would not be a regular technique because the file could be easily recovered from a backup, while disk wiping or cryptographic erasure are more common techniques in this context.
We propose three techniques to accomplish destruction, no matter which component they are performed against, as shown in Figure 2: deletion, the removal of key components; encryption, the encoding of those components thus rendering them or the system unusable; and corruption, the modification of key components with the same objective. In addition, the alteration techniques shown before can also be used to cause destruction of a target, although they can be included in the corruption family.

Deletion
Deletion is the removal of files on a target's system in order to interrupt availability in its services. In its simplest form (clearing), it applies logical techniques to sanitize data in all user addressable storage locations [64], protecting against simple noninvasive data recovery techniques. Clearing is usually performed through system commands or methods that do not really destroy the information-it could be retrieved by a forensic analysis, but the references, in the form of file system pointers, to it.
Of course, advanced actors do not usually perform clearing techniques on CNA operations, but erasure or purging, the logical removal of data from a storage so that it can no longer be read using state of the art laboratory techniques. Unlike clearing, purging is a real deletion of data. If it is performed against a storage structure, such as a hard disk or a file system, it is usually called wiping, while if it is performed against individual files or folders, it is called shredding, which destroys data by overwriting the space used by the object with a random pattern.

Encryption
Encryption is a technique used to achieve destruction by encoding, in an irreversible way for the victim, data stored into a system. This non-reversible way implies that the victim does not have access to the decryption key; if access to this key is granted, data can be recovered. In some contexts, the use of this kind of cryptographic techniques when the decryption key has been destroyed is called cryptographic erasure and is an accepted technique for legit data sanitization [64]; if the decryption key does not even exist it shall be considered as corruption.
Although in some cases it is been possible for the analysts to recover the encrypted data, due to weaknesses on the encryption algorithm or in its implementation, this fact has been seen in some general, non-directed, ransomware, but no case linked to advanced actors in CNA operations is known.

Corruption
Finally, in the destruction context, corruption can be seen as the deliberate modification of information-firmware, software, or data-to render it unusable; of course, while considering corruption in CNA operations context, we are referring to intentional corruption, not to unintended changes to data caused by errors. A good example of corruption in computer network attacks, although not performed by advanced actors, is CIH virus, which in the late 1990s was able to replace boot-time code in particular BIOS with junk, rendering systems unusable until their BIOS was replaced.
A particular case inside corruption is decaying, techniques linked to a gradual corruption of data; although decaying is usually caused by failures in computer systems, with factors like media type, file systems design or preallocation strategies [65], it also can be considered a progressive, not easily detected, CNA technique.

Manipulation
Manipulation is an attack against integrity and, while in CNA, its goal is clear: to create denial effects [6]. Manipulation alters its target not to enable intelligence gatheringas in CNE operations-but to damage it in an manner that is not immediately apparent or detected and, in many cases, that manifests in physical domains [7]. This one, not to be immediately apparent, is a key concept in manipulation attacks; as opposite to other tactics inside CNA, manipulation degrades or destroys its target without being detected. While all CNA tactics have become an important threat to cyber physical systems, manipulation is perhaps the most dangerous one, as it extends over time, so its impact is usually higher than these of other CNA tactics. For example, Stuxnet, previously referred in this work, influenced the development of cyber weapons not only from a technical perspective, and marked a milestone on the security of cyber physical systems [66].
As previously stated, we are addressing a novel task when establishing a categorization for manipulation techniques; our position is to keep it as simple as possible, and following this approach, we can subdivide manipulation techniques into three families: fabrication, modification, and cancellation, as stated in [67,68]. These three families are capable of including different threats classification, for example, those presented in [69] against integrity, which refer to substitution, change (both considered inside modification), removal (cancellation), and addition (fabrication).
All of these types of attack can be applied against a target from the lower part of a cyber physical infrastructure [70,71] to the higher one, and can be performed during the transmission, storage, runtime, as well as during manufacturing or supply of information.
In Figure 3, we show the structure for this simple manipulation techniques classification.

Fabrication
Modification Cancellation The definitions we could state for these techniques are obvious, as shown in Table 3, always remembering the goal of the tactic (denial) against cyber physical systems: Fabrication techniques are those that include additional data into a system; these data can range from a single parameter in a configuration file to a piece of malware that causes an incorrect behavior of the target. Modification techniques alter existing legit data, changing it with logic, inputs, outputs, etc. that will cause a malfunction on the target. Finally, cancellation deals with the removal of certain data which is critical to the correct behavior of the target system; although cancellation is just a synonym for deletion, the techniques linked to destruction and those linked to manipulation are not similar: while in manipulation, we are referring to techniques that are not immediately detected, so their goal is not the destruction of data itself but a stealth removal of key elements in order to cause a malfunction of a process.

Name Description
Fabrication Inclusion of spurious data into a key element (or elements) in order to cause a malfunction of the target system Modification Replacement of legitimate data with malicious one, also in order to achieve a malfunction Cancellation Removal of key data in the target, with the same proposal than previous techniques Under this simple structure we can cover all techniques introduced in works cited before, like in [6], and it is also consistent with the techniques stated in MITRE ATT&CK for the Impact tactic regarding data manipulation (runtime, stored, and transmitted). In the same way, all CAPEC mechanisms for manipulation (data structures, system resources, and timing and state) can be linked to the proposed manipulation techniques structure.

Summary
In our proposal, we state that the tactics associated to CNA operations are degradation, disruption, destruction, and manipulation (we shall no longer mention 4D, as denial can be considered just a meta tactic); for all four tactics ("what") we have structured techniques ("how") families, with more or less detail, trying to define a common base to classify particular techniques in each of these families or categories. For example, a SYN Flooding is considered a technique to achieve degradation or disruption, so obviously it should be classified inside these tactics; more specifically, and following our proposed structure, it should be classified inside the Depletion category and the Flooding subcategory.
The proposed structure that we have developed in this paper is summarized in Table 4. We summarize the different identified techniques for each CNA tactic and, if applicable, we also propose subtechniques inside techniques. This structure also follow MITRE ATT&CK that, as we have stated, is today's de facto standard.

Mapping to MITRE ATT&CK
As stated in this work, MITRE ATT&CK is the main public effort to establish a classification of TTP used by threat actors; for this reason, we have developed our approach following this standard, and as interesting exercise we propose a mapping of the MITRE ATT&CK "Impact" tactic (where the standard places the techniques oriented to manipulation and destruction) to our proposed structure.
At the time of this writing, MITRE ATT&CK "Impact" tactic (last modified on 25th July 2019), identified as TA0040, consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. For this particular tactic, MITRE identifies the techniques shown in Table 5.  As we can see, MITRE ATT&CK provides no structure for techniques inside the "Impact" tactic, but places all of them at the same level under the tactic. Although this approach is followed in all ATT&CK tactics and techniques, given the importance of CNA activities, and its trends during last years, we consider it is mandatory to provide a wider detail, at least by splitting "Impact" tactic into the three main targets we propose in this work. T1531, Account Access Removal, refers to the inhibition of access to accounts utilized by legitimate users; this is obviously not any destruction, but a "Degradation" or disruption tactic, and it maps to the "Change" subtechnique in our approach, stated as modification of key functions or data of the target.
T1485, Data Destruction, refers to render stored data irrecoverable by forensic techniques; it is a technique inside the "Destruction" tactic, mapping directly to "Deletion" technique in our approach, and more specifically T1485 maps to the "Purging" subtechniques inside deletion.
T1486, Data Encrypted for Impact, refers to the non-recoverable encryption of systems data or information. Like T1485, it is linked to the "Destruction" tactic and it maps directly to the "Encryption" technique in our approach.
T1565, Data Manipulation, refers to the insertion, deletion, or manipulation of data in order to hide activities. This technique is considered a tactic in our approach, mapping obviously to "Manipulation"; depending on the type of manipulation performed in each case, it could be mapped to specific techniques (fabrication, modification, or cancellation). This example shows why MITRE ATT&CK "Impact" should be detailed more in depth, as it is considering a whole tactic for CNA operations as a specific technique. T1491, Defacement, refers to the modification of visual content; MITRE ATT&CK considers two types of defacement, internal and external, based on from where the modified content can be accessed. Following our approach, T1491 is considered inside "Degradation" tactic, particularly mapping to the "Change" subtechniques, inside the "Alteration" technique, as we have stated previously in our work. T1561, Disk Wipe, refers to the destruction of data (from content to structure) stored in disks. Like T1485, it is linked to the "Destruction" tactic and maps to the "Purging" subtechniques, inside the "Deletion" technique. Unlike MITRE ATT&CK, in our approach we do not differentiate what type of data is purged, being in this way independent from specific approaches, close to particular technologies but not suitable for a high-level classification.
T1499, Endpoint Denial of Service, refers to the degradation or disruption of service to legitimate users. It is obviously linked to the "Degradation" (or disruption) tactic, more particularly mapped to the "Depletion" technique. Depending on how this Denial of Service is performed by the attacker, it can be mapped to particular subtechniques; MITRE ATT&CK establishes different subtechniques, where all the "Flood" ones can be mapped to "Flooding" in our approach and "Exploitation" maps directly to the "Exploiting" subtechnique in our approach.
T1495, Firmware Corruption, refers to the corruption of firmware in devices attached to a system in order to render them inoperable. As the specific firmware is targeted in an irreversible manner, we map this technique directly to the "Corruption" technique inside the "Destruction" tactic.
T1490, Inhibit System Recovery, refers to the removing of built-in capabilities designed to aid in the recovery of a corrupted system. Depending on how this technique is performed, it can be mapped to different techniques in our approach. MITRE ATT&CK specifies two possible actions to impact on system recovery features: to disable or to delete them. In the first case, this technique would map to "Incapacitation", a particular subtechnique of "Alteration" inside the "Degradation" tactic. In the second one, that referring to deletion, the technique maps obviously to the "Deletion" technique inside the "Destruction" tactic.
T1498, Network Denial of Service, refers to the degradation or disruption of the availability of targeted resources to legitimate users. As T1499, it is obviously linked to the "Degradation" (or disruption) tactic, more particularly mapped to the "Depletion" technique. Moreover, as in T1499, depending on how this Denial of Service is performed by the attacker, it can be mapped to particular subtechniques; in this case, MITRE ATT&CK establishes two subtechniques, the first one regarding a flooding approach and the second one regarding a mix of reflection and amplification techniques. Inside our proposal, these subtechniques can also be directly mapped to "Flooding", "Reflection", or "Amplification". Please note that MITRE ATT&CK does not establish a subtechnique for "Exploitation", as proposed in our work.
T1496, Resource Hijacking, refers to the leverage of resources impacting in availability. Although it could be considered a technique inside "Degradation", a particular case of a Denial of Service (in MITRE ATT&CK approach, T1499, Endpoint DoS), we cannot consider it a valid technique in a CNA approach. Of course, it is an action could lead to the degradation or disruption of particular services (those hosted on the targeted system), what attackers are trying to achieve is not this tactic, but simply an economic benefit from the earning of cryptocurrencies (as MITRE ATT&CK) states as most common. In this case, degradation is just a secondary effect from the operation, not what the attacker is achieving; if degradation was the desired effect, inside our approach this one would be considered a "Depletion" technique in most cases.
T1489, Service Stop, refers to the stopping of services on a system to render them unavailable to legitimate users. As no destruction is considered, this technique is linked to the "Degradation" or "Disruption" tactic; more specifically T1489 is mapped to the "Incapacitation" subtechnique inside the "Alteration" technique.
Finally, T1529, System Shutdown/Reboot, as it name implies refers to the shutdown or reboot systems to interrupt access to, or aid in the destruction of, them. In this particular case, our approach would link this technique to the "Degradation" tactic, specifically to "Alteration" techniques, particularly to the "Change" subtechnique: the attacker is modifying key functions of its target. In no way would T1529 be linked to the "Destruction" tactic: in spite of the case a reboot can be used to aid in the destruction of a target, as MITRE ATT&CK states, it is not a destructive technique by itself but a support action.
All identified MITRE ATT&CK techniques for "Impact" tactic can be mapped to our proposed structure; apart from that, different techniques and subtechniques showed in our work do not appear in MITRE ATT&CK actual specification. In Table 6, we summarize the mapping of MITRE ATT&CK techniques to the structure we propose in our work.
At this point, it is important to note that we are using MITRE ATT&CK for references, not ATT&CK ICS. This one is a knowledge base useful for describing the actions an adversary may take while operating within cyber physical systems, but we consider it an ongoing effort focused on the goals of the attacker, not in its tactics and techniques. For example, the techniques identified in this knowledge base are not techniques (objectives) from a pure point of view, but global goals of the attacker: a sample one, "Damage to property", cannot be considered a technique but an impact the threat is trying to cause.

Practical Example
The specification and structuring of CNA tactics and techniques provide organizations a higher capability to identify and analyze threats and, most important, to map defensive controls to mitigate these threats. Our proposal does not focus on specific attack detection, but on the modeling of threats regarding its objectives. Using abstract models for threat modeling allows analysts to be independent of specific technologies or systems, thus facilitating a global definition of security requirements and the implementation of defense mechanisms [72].
Focusing on a specific example, we can consider the most common techniques for degradation and disruption: those related to pure Denial of Service (DoS). In the MITRE ATT&CK approach, they identify two techniques for performing DoS: those based on the endpoint and those based on the network. For Network DoS, MITRE ATT&CK defines two subtechniques, Direct Network Flood (0.001) and reflection and amplification (0.002), and for endpoint DoS they define four subtechniques, being three of them based on flooding of resources (OS, service and application, 0.001, 0.002, and 0.003) and the last one (0.004) on the exploitation of vulnerabilities in application or systems. For all of these techniques and subtechniques, MITRE ATT&CK identifies a single mitigation countermeasure: to filter network traffic.
By including endpoint and network, this approach identifies flooding, reflection and amplification, and exploitation; for all of them, as stated before, there is a single mitigation technique based on the filtering of network traffic. We cannot agree with this approach because it mixes different techniques and does not identify appropriate countermeasures in each case. Our proposal provides a more specific classification of tactics and techniques, so it can be used to identify more suitable countermeasures in each case.
In first place, amplification is not considered as a specific technique, in spite of the given name; amplification is not a subset neither a specific subtechnique inside reflection, because both techniques differ in how they are deployed, so they also differ in how they are mitigated. Countermeasures against amplification rely in many cases in the implementation and configuration of specific applications, while the ones regarding reflection do not rely on these aspects. In this way, we cannot deal with protection against amplification the same way we deal with protection against reflection. By considering them at the same technique level, countermeasures against them will not be appropriate.
The approach followed by MITRE ATT&CK also considers network denial of service only by exhausting the network bandwidth services rely on, while endpoint DoS are considered those that denies the availability of a service without saturating the network used to provide access to the service. This simple approach does not cover the possibility of interference in the network, that degrades its performance not by a depletion technique, so a potential threat actor performing interference operations (as such seen on Electronic Warfare) would not be considered, so no countermeasures would be applied to mitigate those attacks. This is an interesting point: as shown in Table 6, interference is the only technique not even considered in the MITRE ATT&CK approach, once again reflecting the absence of a unified common structure for tactics and techniques in this field of operations.
Apart from this two simple examples relating the mapping of defensive controls to specific attack techniques, a valid, complete, structure for CNA tactics and techniques allows organizations to improve the identification of threat offensive capabilities in a threat modeling approach as well as the attribution of specific operations. For a threat actor who can execute encryption techniques for destruction, is easiest to perform corruption or deletion techniques than to perform manipulation ones, on a prior basis.
Finally, tactics specification in three main categories provides potential information about threats not only regarding their objectives (what they are trying to do) and intentions, but also about their capabilities; in general terms, tactics can be seen from less (degradation and disruption) to more complex (manipulation). Manipulation attacks usually require specific knowledge about the target, its processes and its technologies, while a degradation attack, for example, based on depletion techniques, does not require these skills.

Discussion
We have identified an absence of a suitable structure of the tactics and techniques commonly used by advanced threat actors; even MITRE ATT&CK, as a key reference in the subject, lacks an approach for disruptive and manipulative operations, and we can assess that it has not been defined until now. As the number and impact of these operations are increasing in the last years, until they have become a major, significant threat for cyber physical systems, we consider it mandatory to establish such an structure that allows the prevention, detection, and neutralization of these operations.
Our work states an initial classification for that structure, following commonly accepted frameworks such as MITRE ATT&CK, thus allowing the identification of operations and the early adoption of appropriate countermeasures. We identify the main tactics specific techniques linked to this structure; of course, we do not try to provide an exhaustive compendium of particular techniques, but to identify the most relevant ones and to classify them into the defined categories. This provides a novel approach to the problem of structuring CNA operations, a mandatory requirement for the modeling of advanced threat actors' activities.
Until now, there was no doctrine providing this base model, a fact that directly impacts on the security of cyber physical systems. Most of the previous research has been focused on the study of particular techniques, such as Denial of Service, or in the analysis of particular operations, such as Stuxnet. No global structure for CNA threat actors' activities or operations has been previously stated, a fact that hinders the knowledge of those activities and the modeling of the threat actors behind them. As we have shown in previous sections, this lack of a global approach can lead to improper countermeasures against threat actions, thus degrading the security of cyber physical systems.
To specify an initial approach in a field where no doctrine has been established is a complex task. In the case of CNA tactics and techniques, it has been mandatory to analyze other disciplines inside Information Operations, such as Electronic Attack, in order for us to compare methods and concepts. It the evaluation of disruptive approaches has also been relevant for the less analyzed tactic, manipulation, where no previous work, neither partial, has been identified.
We provide the basis for the identification of techniques in CNA operations, generating a practical structure ready to be used in commonly accepted standards, such as MITRE ATT&CK. We have provided a proposal mapping to this standard, and it would be also interesting to expand and to improve the information provided by MITRE ATT&CK regarding particular techniques by identifying activities from advanced actors that perform them; for example, APT28, linked to Russian GRU, used this technique during 2017 attacks against Ukraine (NotPetya, BadRabbit), encrypting hard drives with a non-reversible algorithm and rendering them inoperable [73].
As we have previously stated, the manipulation tactic is the less studied and structured. We have proposed a taxonomy for techniques inside this particular tactic but, in every case, a future research line is to compare manipulation techniques as those stated while referring to deception in classic references like [74]. If we look at the definition we have stated in this paper, and we replace the technical aspects with cognitive ones we could consider that (technical) manipulation is just (human) deception; in fact, deceit is just an active manipulation of reality in order to manufacture it, alter it, or hide it [75].
A key reference, such as the work in [6], refers to some techniques directly linked to deception. Under this approach, manipulation (deception) techniques should include those to hide the real, or dissimulation, and those to show the false, or simulation [74,76,77]. Under dissimulation the authors identify masking (hiding the real by making it invisible), repackaging (hiding the real by disguising) and dazzling (hiding the real by confusion), and under simulation it is included mimicking (showing the false through imitation), inventing (showing the false by displaying a different reality) and decoying (showing the false by diverting attention) [78]. Although deception is considered a usual tactic in CND operations [79][80][81], their study from an offensive point of view is not as usual, so we consider it as a key research line.
Applying a valid up-to-date taxonomy may guarantee a significant advantage in terms of appropriateness and fitness for attack prevention; in [82], the authors present a taxonomy that is tested against the behavior of sensors modeled as agents. Other relevant attack taxonomies are those presented in [83,84], but none of them is based on TTP for those attacks. Such contextualization should provide a global framework for the prevention, identification, and neutralization of attacks against cyber physical systems.
Finally, the use of machine learning approaches to detect intrusions against cyber physical systems, and its contextualization in a taxonomy of CNA tactics and techniques may be also a relevant research line. In [85][86][87], the authors provide relevant approaches, while in [88] the authors provide approaches not only in the detection, but also in the classification of such attacks. Loukas et al. [89] provides a taxonomy focused not in tactics or techniques regarding attacks, but in intrusion detection systems characteristics and architectures designed for vehicles. Extending those approaches for general taxonomies relevant to cyber physical systems and aligning them with a suitable classification, as the one provided in this work, could be an interesting research line.

Conclusions
Destructive and manipulation activities against all kind of targets, but especially against cyber physical systems, have increased in the last years. A classification and structure for the tactics and techniques linked to these operations is a must in order to identify capabilities, to profile advanced actors and to implement security controls to counteract them. However, few researches have been done in this sense, so analysts have almost no references to establish capabilities, families, etc. For destructive or manipulation activities performed by advanced actors, not even military doctrine has been found with the required depth level.
In this work, we propose a novel approach to identify and structure the techniques followed to perform each of the tactics linked to CNA operations against cyber physical systems. We have identified the main tactics accepted nowadays (degradation, disruption, destruction, and manipulation) and, for each of them, we have discussed and proposed the different techniques suitable to accomplish each of the tactics. Where applicable, we have also identified subtechniques. The proposed structure is aligned with MITRE ATT&CK, the main effort and the de facto standard to identify and analyze tactics and techniques from advanced threat actors. This proposed novel structure of tactics and techniques significantly contributes to improve the threat model of CNA actors.
Tactics and techniques are one of the first key points to model those actors and to deploy capabilities in order to prevent, to detect and to neutralize them, thus increasing the security not only of cyber physical systems, but of all technological infrastructures. We consider our proposal as the first, and therefore the starting point towards a commonly accepted taxonomy that helps researches to better know hostile actors, especially advanced ones, performing CNA operations.
In future works, our proposal can be used as a fundamental basis for new and more refined approaches. In this sense, manipulation techniques are the less structured ones until now-in fact, manipulation is not always considered as a tactic inside CNA operations-so in this particular case we identify an important research line.