Inhibit Response Function consists of techniques adversaries use to prevent safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state. These techniques target Safety Instrumented Systems (SIS), alarm systems, serial communications, and other protective mechanisms that are designed to prevent equipment damage, environmental harm, and loss of life.
Tactic Overview
Tactic ID: TA0107 — Matrix: ICS — Techniques: 14
The Inhibit Response Function tactic represents a phase in the adversary lifecycle where the adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding. This tactic is part of the MITRE ATT&CK ICS matrix and encompasses 14 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (14)
The following techniques are categorized under the Inhibit Response Function tactic in the MITRE ATT&CK ICS matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T0800 | Activate Firmware Update Mode | Adversaries put controllers into firmware update mode to disable safety functions and prepare for malicious firmware installation. | T0800 |
| T0878 | Alarm Suppression | Adversaries suppress alarms to prevent operators from noticing malicious process manipulation or equipment failures. | T0878 |
| T0803 | Block Command Message | Adversaries block command messages between operators and controllers to prevent remediation of malicious process changes. | T0803 |
| T0804 | Block Reporting Message | Adversaries block reporting messages from controllers to hide malicious process state changes from operators. | T0804 |
| T0805 | Block Serial COM | Adversaries block serial communications between devices to prevent diagnostic access and remediation efforts. | T0805 |
| T0892 | Change Credential | Adversaries change credentials on ICS devices to lock out legitimate operators and maintain exclusive access. | T0892 |
| T0809 | Data Destruction | Adversaries destroy data on ICS systems including historian databases, project files, and configuration backups. | T0809 |
| T0814 | Denial of Service | Adversaries cause denial of service conditions against ICS devices to disrupt monitoring and control functions. | T0814 |
| T0816 | Device Restart/Shutdown | Adversaries restart or shut down ICS devices to disrupt process control and potentially cause unsafe conditions. | T0816 |
| T0835 | Manipulate I/O Image | Adversaries manipulate the I/O image of controllers to send false outputs to actuators or present false inputs from sensors. | T0835 |
| T0838 | Modify Alarm Settings | Adversaries modify alarm thresholds and settings to prevent detection of dangerous process conditions. | T0838 |
| T0851 | Rootkit | Adversaries deploy rootkits on ICS hosts to hide malicious processes and maintain persistent covert access. | T0851 |
| T0881 | Service Stop | Adversaries stop critical ICS services to disrupt monitoring, historian data collection, and operational functions. | T0881 |
| T0857 | System Firmware | Adversaries modify system firmware on ICS devices to maintain persistent access across device reboots. | T0857 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Safety system isolation
- Independent safety monitoring
- Physical safety controls
- Alarm management best practices
- Redundant safety systems
Detection Strategies
Effective detection of Inhibit Response Function techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Inhibit Response Function tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Inhibit Response Function Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Written by Mjolnir Security Research — Published March 7, 2026
