Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for Brute Force or Endpoint Denial of Service.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.007 | Disable or Modify Cloud Firewall |
Comments
This diagnostic statement protects against Disable or Modify Cloud Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1562.007 | Disable or Modify Cloud Firewall | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1562.007 | Disable or Modify Cloud Firewall | |
| AC-02 | Account Management | mitigates | T1562.007 | Disable or Modify Cloud Firewall | |
| AC-03 | Access Enforcement | mitigates | T1562.007 | Disable or Modify Cloud Firewall | |
| AC-05 | Separation of Duties | mitigates | T1562.007 | Disable or Modify Cloud Firewall | |
| AC-06 | Least Privilege | mitigates | T1562.007 | Disable or Modify Cloud Firewall |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1562.007 | Disable or Modify Cloud Firewall |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: "Azure Network Security Group NSG Administrative Operations" query can identify potential defensive evasion involving changing or disabling network access rules. "Port opened for an Azure Resource" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration.
The Microsoft Sentinel Analytics "Security Service Registry ACL Modification" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| resource_manager | Resource Manager | technique_scores | T1562.007 | Disable or Modify Cloud Firewall |
Comments
This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable firewall.
References
|
| resource_manager | Resource Manager | technique_scores | T1562.007 | Disable or Modify Cloud Firewall |
Comments
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. GCP allows configuration of account policies to enable logging and IAM permissions and roles to determine your ability to access audit logs data in Google Cloud resources.
References
|
| security_command_center | Security Command Center | technique_scores | T1562.007 | Disable or Modify Cloud Firewall |
Comments
SCC is able to detect changes to VPC service controls that could modify and reduced the secured perimeter. This security solution protects against modifications that could lead to a lower security posture and defense evasion. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_config | AWS Config | technique_scores | T1562.007 | Disable or Modify Cloud Firewall |
Comments
The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: "lab-waf-enabled" for Application Load Balancers; "api-gw-associated-with-waf" for Amazon API Gateway API stages; "cloudfront-associated-with-waf" for Amazon CloudFront distributions; "fms-webacl-resource-policy-check", "fms-webacl-resource-policy-check", and "fms-webacl-rulegroup-association-check" for AWS Firewall Manager; "vpc-default-security-group-closed", "vpc-network-acl-unused-check", and "vpc-sg-open-only-to-authorized-ports" for VPC security groups; and "ec2-security-group-attached-to-eni" for EC2 and ENI security groups; all of which are run on configuration changes.
The following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: "internet-gateway-authorized-vpc-only" can identify Internet gateways (IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; "lambda-inside-vpc" can identify VPCs that have granted execution access to unauthorized Lambda functions; "service-vpc-endpoint-enabled" can verify that endpoints are active for the appropriate services across VPCs; "subnet-auto-assign-public-ip-disabled" checks for public IP addresses assigned to subnets within VPCs.
Coverage factor is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1562.007 | Disable or Modify Cloud Firewall |
Comments
AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes
This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.
References
|