Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1008 | Fallback Channels | This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts. |
DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1008 | Fallback Channels | This diagnostic statement provides protection from Fallback Channels by using tools to detect and block the use of unauthorized devices and connections, preventing abuse by adversaries. |
PR.IR-04.01 | Utilization monitoring | Mitigates | T1008 | Fallback Channels | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1008 | Fallback Channels | This diagnostic statement protects against Fallback Channels through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1008 | Fallback Channels | |
CM-06 | Configuration Settings | mitigates | T1008 | Fallback Channels | |
SI-03 | Malicious Code Protection | mitigates | T1008 | Fallback Channels | |
CM-02 | Baseline Configuration | mitigates | T1008 | Fallback Channels | |
CM-07 | Least Functionality | mitigates | T1008 | Fallback Channels | |
SI-04 | System Monitoring | mitigates | T1008 | Fallback Channels | |
AC-04 | Information Flow Enforcement | mitigates | T1008 | Fallback Channels | |
SC-07 | Boundary Protection | mitigates | T1008 | Fallback Channels | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_firewall | Azure Firewall | technique_scores | T1008 | Fallback Channels | This control's threat intelligence-based filtering feature can be enabled to alert on and deny traffic to or from known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not protect against the same attacks from unknown domains and IP addresses, it is scored as partial coverage, resulting in an overall Partial score. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1008 | Fallback Channels | Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known fallback channels by filtering on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1008 | Fallback Channels | VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate an adversary utilizing fallback or alternative communication channels. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not protect against the same attacks from unknown domains and IP addresses, it is scored as partial coverage, resulting in an overall Partial score. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1008 | Fallback Channels | AWS Network Firewall can pass, drop, or alert on traffic based on the network protocol and can perform deep packet inspection on the payload. This functionality can be used to block communication with known fallback channels by filtering on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified. |