T1491.002 External Defacement

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.(Citation: Trend Micro Deep Dive Into Defacement)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-03.01 Alternative resilience mechanisms Mitigates T1491.002 External Defacement
Comments
This diagnostic statement protects against External Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
    ID.IM-02.06 Accurate data recovery Mitigates T1491.002 External Defacement
    Comments
    This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate organization's content and systems externally by targeting users through messages or propaganda.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      CP-07 Alternate Processing Site mitigates T1491.002 External Defacement
      CP-10 System Recovery and Reconstitution mitigates T1491.002 External Defacement
      CP-02 Contingency Plan mitigates T1491.002 External Defacement
      CP-09 System Backup mitigates T1491.002 External Defacement
      SI-03 Malicious Code Protection mitigates T1491.002 External Defacement
      SI-07 Software, Firmware, and Information Integrity mitigates T1491.002 External Defacement
      CM-02 Baseline Configuration mitigates T1491.002 External Defacement
      SI-04 System Monitoring mitigates T1491.002 External Defacement
      AC-03 Access Enforcement mitigates T1491.002 External Defacement
      AC-06 Least Privilege mitigates T1491.002 External Defacement

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      attribute.availability.variety.Obscuration Conversion or obscuration (ransomware) related-to T1491.002 External Defacement
      attribute.integrity.variety.Defacement Deface content related-to T1491.002 External Defacement

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      azure_backup Azure Backup technique_scores T1491.002 External Defacement
      Comments
      Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
      References

      AWS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      amazon_guardduty Amazon GuardDuty technique_scores T1491.002 External Defacement
      Comments
      The following finding types can be used to detect behavior that can lead to the defacement of cloud resources: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller
      References
        aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1491.002 External Defacement
        Comments
        AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
        References
          aws_config AWS Config technique_scores T1491.002 External Defacement
          Comments
          The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.
          References