Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1046 | Network Service Discovery |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. This includes ensuring that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1046 | Network Service Discovery |
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to protect critical servers and devices from discovery and exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans.
References
|
| I&S-09 | Network Defense | mitigates | T1046 | Network Service Discovery |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to protect critical servers and devices from discovery and exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans.
References
|