T1491 Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491 | Defacement
Comments: This diagnostic statement protects against Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
ID.IM-02.06 | Accurate data recovery | Mitigates | T1491 | Defacement
Comments: This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate content within an enterprise network.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CP-07 | Alternate Processing Site | mitigates | T1491 | Defacement
CP-10 | System Recovery and Reconstitution | mitigates | T1491 | Defacement
CP-02 | Contingency Plan | mitigates | T1491 | Defacement
CP-09 | System Backup | mitigates | T1491 | Defacement
SI-03 | Malicious Code Protection | mitigates | T1491 | Defacement
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1491 | Defacement
CM-02 | Baseline Configuration | mitigates | T1491 | Defacement
SI-04 | System Monitoring | mitigates | T1491 | Defacement
AC-03 | Access Enforcement | mitigates | T1491 | Defacement
AC-06 | Least Privilege | mitigates | T1491 | Defacement

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
attribute.availability.variety.Obscuration | Conversion or obscuration (ransomware) | related-to | T1491 | Defacement
attribute.integrity.variety.Defacement | Deface content | related-to | T1491 | Defacement

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | technique_scores | T1491 | Defacement
Comments: This capability can alert (using AI.Azure_MaliciousUrl.ModelResponse) when an AI model has shared a malicious URL with a user.
azure_backup | Azure Backup | technique_scores | T1491 | Defacement
Comments: Data backups provide a significant response to data defacement attacks by enabling the restoration of data from backup.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
backup_and_dr_actifiogo | Backup and DR-Actifio GO | technique_scores | T1491 | Defacement
Comments: Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to Defacement, since an organization could easily restore defaced images from the latest backup.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_guardduty | Amazon GuardDuty | technique_scores | T1491 | Defacement
Comments: GuardDuty provides multiple finding types that flag malicious activity against resources. These findings focus on API calls that look suspicious and, although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial.
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1491 | Defacement
Comments: AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2 at the time of this mapping).
aws_config | AWS Config | technique_scores | T1491 | Defacement
Comments: This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1491.002 | External Defacement | 18
T1491.001 | Internal Defacement | 18