Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-14 | Strong Authentication | mitigates | T1133 | External Remote Services |
Comments
This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1133 | External Remote Services |
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Network proxies, gateways, and firewalls can be used to deny direct remote access to internal systems.
References
|
| I&S-09 | Network Defense | mitigates | T1133 | External Remote Services |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Network proxies, gateways, and firewalls can be used to deny direct remote access to internal systems.
References
|
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1133 | External Remote Services |
Comments
This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.
References
|
| DSP-15 | Limitation of Production Data Use | mitigates | T1133 | External Remote Services |
Comments
This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
In terms of mitigation, denying direct remote access to internal production systems through the use of network proxies, gateways, and firewalls can lessen the abuse of this technique. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen or replication to access data.
References
|