T1190 Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

CSA CCM Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
STA-10 Supply Chain Risk Management mitigates T1190 Exploit Public-Facing Application
Comments
The mitigative applications of this control relate to: "(c) documentation and testing of the specific technical controls implemented to support the product or service (e.g., identity and access management, network design and security)" "(e) software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))" SBOMs are known to provide transparency into software components, which may enable the identification of vulnerable software libraries, components, or code and mitigate the injection or execution of vulnerable or malicious code on public-facing applications or systems.
I&S-06 Segmentation and Segregation mitigates T1190 Exploit Public-Facing Application
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). If an application is hosted on cloud-based infrastructure, VPC security perimeters can segment resources to further reduce access and operate in logically separate environments, limiting exposure.
TVM-07 Penetration Testing mitigates T1190 Exploit Public-Facing Application
Comments
This control requires both CSP and CSC to conduct regular penetration testing using reputable third parties for overall testing processes and communication of results within agreed boundaries. The control guidance states that penetration testing should be used to identify critical vulnerabilities, assess the effectiveness of security controls, and validate compliance with industry standards, in order to provide recommendations for remediation and security improvements in cloud environments. The mapping for TVM-07 Penetration Testing will be aligned with the M1016 Vulnerability Scanning mitigation definition of using "automated or manual assessment of systems, applications, and networks to identify misconfigurations, unpatched software, or other security weaknesses." Penetration testing in this context can take the form of Cloud Environment Scanning, the use of application security testing (SAST/DAST) tools, and the use of any red team cloud tools (Pacu, StormSpotter) to detect vulnerabilities and weaknesses for exploitation and impact.
TVM-06 External Library Vulnerabilities mitigates T1190 Exploit Public-Facing Application
Comments
This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency and scanning tools to mitigate risks from library vulnerabilities.
I&S-09 Network Defense mitigates T1190 Exploit Public-Facing Application
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). If an application is hosted on cloud-based infrastructure, VPC security perimeters can segment resources to further reduce access and operate in logically separate environments, limiting exposure.
IPY-03 Secure Interoperability and Portability Management mitigates T1190 Exploit Public-Facing Application
Comments
This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.
DSP-17 Sensitive Data Protection mitigates T1190 Exploit Public-Facing Application
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle. For this technique, if an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying sensitive data hosted on that platform. In terms of mitigation, Web Application Firewalls (WAFs) may be used to limit exposure of applications to prevent exploit traffic from reaching the application, or externally facing servers and services may be segmented from the rest of the network with a DMZ or on separate hosting infrastructure, which could limit the impact the exploited application has on the rest of the infrastructure hosting the data.
AIS-06 Automated Secure Application Deployment mitigates T1190 Exploit Public-Facing Application
Comments
This control applies to the secure deployment of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may attempt to exploit a weakness in a cloud-hosted application through software bugs or even deployment misconfigurations. Protecting cloud-hosted applications through standardized security configurations and deployment templates can mitigate the impact of this technique.
AIS-04 Secure Application Design and Development mitigates T1190 Exploit Public-Facing Application
Comments
This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries will use T1190 to exploit vulnerabilities in web applications or an Internet-facing host or system to initially access a network. Proper input validation and secure coding practices can prevent exploitation of web application vulnerabilities.
AIS-05 Automated Application Security Testing mitigates T1190 Exploit Public-Facing Application
Comments
The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like OWASP Top 10 to ensure applications are secure. Adversaries may attempt to exploit a weakness in an Internet-facing host or application by using techniques such as SQL injection, command injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
AIS-07 Application Vulnerability Remediation mitigates T1190 Exploit Public-Facing Application
Comments
The control requires prioritized remediation based on risk assessment and CVSS scores, automated patch management, and integration of remediation tools into CI/CD pipelines to address vulnerabilities as early as possible in the development lifecycle.