T1190 Exploit Public-Facing Application

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Use least privilege for service accounts to limit what permissions the exploited process gets on the rest of the system.

This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.

This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.

This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.

This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a weakness in an Internet-facing host or system to initially access a network.

This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.

Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.

This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring the use of vulnerability scanning of third-party application development to scan for common vulnerabilities like SQL injection or cross-site scripting (XSS), including the use of regular scans post major changes to identify newly introduced vulnerabilities.

This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Segment externally facing servers and services to mitigate exploitation of public-facing applications.

The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public facing applications.

This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

This diagnostic statement protects against Exploit Public-Facing Application through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

The Microsoft Sentinel Hunting "Potential IIS code injection attempt" query can detect some potential injection attacks against public-facing applications. The Microsoft Sentinel Analytics "A potentially malicious web request was executed against a web server" query can detect a high ratio of blocked requests and unobstructed requests to a Web Application Firewall (WAF) for a given client IP and hostnam. The coverage for these queries is minimal (e.g. IIS) resulting in an overall Minimal score.

This capability can protect against exploitation of public facing applications by ensuring application security is baked into DevOps.

This control may alert on usage of faulty SQL statements. This generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes.

This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes. This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy.

This control may provide recommendations to restrict access to applications that are public facing and providing information on vulnerable applications.

This control provides partial coverage for techniques that exploit vulnerabilities in (common) unpatched software since it enables automated updates of software and rapid configuration change management.

This control can detect common web application attack vectors.

This control can protect web applications from common attacks (e.g. SQL injection, XSS).

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in a public-facing application. Detection is periodic at an unknown rate.

This control provides recommendations to patch if SQL server is out of date and to disable unneeded features to reduce exploitable surface area.

This control may provide provide information about vulnerabilities within container images. The limited scope of containers and registries that are applicable to this control contribute to the lower score.

This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access.

This control can detect artifacts of common exploit traffic.

This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at exploitation of a public-facing application unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured. The score is minimal, since this control only applies to specific applications requiring credentialed access, as opposed to a public webserver

Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.

Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.

Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes. Google Cloud Armor detects malicious requests and drops them at the edge of Google's infrastructure.

Often used by adversaries to take advantage of software weaknesses in web applications, Palo Alto Network's vulnerability signatures are able to detect SQL-injection attacks that attempt to read or modify a system database using common web hacking techniques (e.g., OWASP top 10). Although there are ways an attacker could leverage web application weaknesses to affect the sensitive data and databases, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Google Security Ops triggers an alert based on suspicious behavior, such as exploitation attempts against web servers and/or applications (e.g., F5 BIG-IP CVE 2020-5902). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_1.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_2.yaral

When an application or resource is protected by IAP, it can only be accessed through the proxy by principals, also known as users, who have the correct Identity and Access Management (IAM) role. IAP secures authentication and authorization of all requests to App Engine, Cloud Load Balancing (HTTPS), or internal HTTP load balancing. With adversaries that may try to attempt malicious activity via applications, the application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.

Using Web Security Scanner, SCC is able to detect and provide guidance for web application security risks (e.g., Cross-Site Scripting, SQL injection, Server Side Request Forgery, Insecure Deserialization). Adversaries may exploit these web app weaknesses in a cloud-based environment to compromise the underlying instance or container. This technique was graded as significant due to the high detect coverage against varying forms of this attack.

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

VPC security perimeters can segment private resources to further reduce user access and operate in a logically separate hosting environment.

There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource). UnauthorizedAccess:EC2/MetadataDNSRebind - This finding type only detects MetadataDNSRebind and is more focused on the EC2 instance and not the application running on the instance itself resulting in Minimal coverage.

Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.

AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: "api-gw-endpoint-type-check" can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs, "elasticsearch-in-vpc-only" can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public, "lambda-function-public-access-prohibited" can verify that AWS Lambda functions are not publicly available, and "ec2-instance-no-public-ip" can verify whether EC2 instances have public IP addresses. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. "rds-automatic-minor-version-upgrade-enabled" can verify that Amazon RDS is being patched, and "elastic-beanstalk-managed-updates-enabled" can verify that Elastic Beanstalk is being patched. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.

AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation.

AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.

AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.

The AWS WAF protects public-facing applications against a range of vulnerabilities including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesKnownBadInputRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet This is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time.