T1095 Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
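The paragraph above makes the detection point: ICMP is mandatory on every IP host but rarely inspected, so echo traffic that does not look like a ping tool's output deserves attention. The following script is an added example and not part of the ATT&CK description or any mapping; it parses constructed IPv4/ICMP echo packets, flags payloads that are oversized or do not match the default fillers of the Windows and Linux ping tools, and tallies payload bytes per source. The packet builder, sample addresses and the 64-byte threshold are assumptions chosen for the example.

```python
import struct
from collections import Counter
# Stock echo payloads: Windows ping sends a fixed 32-byte string; Linux ping fills data byte i with
# value i and overwrites bytes 0..15 with a 16-byte timeval (56 data bytes total).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_FILLER = bytes(range(16, 56))

def parse_ipv4_icmp(packet):
    """Return (src, dst, icmp_type, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # IP protocol 1 = ICMP; ICMP header is 8 bytes
        return None
    src, dst = (".".join(map(str, packet[i:i + 4])) for i in (12, 16))
    return src, dst, packet[ihl], packet[ihl + 8:]

def is_standard_ping_payload(payload):
    """True only for the stock Windows or Linux ping payload described above."""
    return payload == WINDOWS_PING_PAYLOAD or (len(payload) == 56 and payload[16:] == LINUX_PING_FILLER)

def flag_icmp_echo(packets, max_payload=64):
    """Flag echo requests/replies with oversized or non-standard payloads; also count payload bytes per source."""
    findings, bytes_per_src = [], Counter()
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None or parsed[2] not in (0, 8):  # type 8 = echo request, 0 = echo reply
            continue
        src, dst, icmp_type, payload = parsed
        bytes_per_src[src] += len(payload)
        reasons = []
        if len(payload) > max_payload:
            reasons.append("oversized payload (%d bytes)" % len(payload))
        if not is_standard_ping_payload(payload):
            reasons.append("non-standard payload")
        if reasons:
            findings.append((src, dst, icmp_type, reasons))
    return findings, bytes_per_src

def build_echo(src, dst, payload, icmp_type=8, ident=0x1234, seq=1):
    """Constructed IPv4/ICMP echo packet for testing; checksums are left zero because nothing here verifies them."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0, addr(src), addr(dst))
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

SAMPLE_PACKETS = [  # constructed traffic: two stock pings, then two payloads no ping tool would send
    build_echo("10.0.0.5", "10.0.0.1", b"\x00" * 16 + LINUX_PING_FILLER),
    build_echo("10.0.0.6", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    build_echo("10.0.0.7", "203.0.113.9", b"constructed-c2-data".ljust(128, b"\x00")),
    build_echo("203.0.113.9", "10.0.0.7", bytes(range(32)), icmp_type=0),
]
```

Running `flag_icmp_echo(SAMPLE_PACKETS)` reports only the last two packets; on real captures the per-source byte counts are the input for the volume baselining the monitoring controls below describe.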


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.AE-02.01 | Event analysis and detection | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, giving protection against threats and exploitation attempts.
DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement provides protection from Non-Application Layer Protocol by using tools to detect and block the use of unauthorized devices and connections, preventing abuse by adversaries.
PR.IR-01.01 | Network segmentation | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and proper systems can mitigate use of this technique.
PR.IR-04.01 | Utilization monitoring | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation.
PR.IR-01.02 | Network device configurations | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of non-application layer protocols.
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement protects against Non-Application Layer Protocol through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation.
PR.IR-01.04 | Wireless network protection | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
PR.IR-01.06 | Production environment segregation | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
PR.PS-01.08 | End-user device protection | Mitigates | T1095 | Non-Application Layer Protocol
  Comments: This diagnostic statement protects against Non-Application Layer Protocol by limiting access to resources to only authorized devices, managing personal computing devices, deploying network intrusion prevention, and using antimalware.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1095 | Non-Application Layer Protocol
action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1095 | Non-Application Layer Protocol
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1095 | Non-Application Layer Protocol

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
azure_firewall | Azure Firewall | technique_scores | T1095 | Non-Application Layer Protocol
  Comments: This control's threat intelligence-based filtering feature can be enabled to alert on and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage, resulting in an overall Partial score. Furthermore, it can be used to filter non-application layer protocol traffic such as ICMP.
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1095 | Non-Application Layer Protocol

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1095 | Non-Application Layer Protocol
  Comments: Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1095 | Non-Application Layer Protocol
  Comments: VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate adversary attempts to utilize non-application layer protocols for communication. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage, resulting in an overall Partial score.
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1095 | Non-Application Layer Protocol
  Comments: The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols (especially TCP and UDP) to communicate for command and control purposes: "Source IP" ("aws:source-ip-address") values outside of expected IP address ranges may suggest that a device has been stolen. "Messages sent" ("aws:num-messages-sent"), "Messages received" ("aws:num-messages-received"), and "Message size" ("aws:message-byte-size") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include command and control traffic.
  The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols (especially TCP and UDP) to communicate for command and control purposes: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include command and control traffic. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via TCP and/or UDP on unexpected ports, which may suggest command and control traffic.
  Coverage factor is minimal, since these metrics are limited to IoT device communication and none of this technique's sub-techniques are addressed, resulting in an overall score of Minimal.
aws_network_firewall | AWS Network Firewall | technique_scores | T1095 | Non-Application Layer Protocol
  Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant.