Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)
When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.
Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA for network devices using TACACS+/RADIUS), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to perform Network Address Translation Traversal.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Unknown | Unknown | related-to | T1599.001 | Network Address Translation Traversal |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1599.001 | Network Address Translation Traversal |
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|