Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, a service, or the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may also exist in defensive security software itself, and can be used to disable or circumvent it.
Adversaries may know from prior reconnaissance that security software exists within an environment, or they may perform Security Software Discovery checks during or shortly after the system is compromised. The security software will likely be targeted directly for exploitation; there are examples of antivirus software being targeted by persistent threat groups to avoid detection.
There have also been examples of vulnerabilities in the public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure (Citation: GhostToken GCP flaw).
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-05 | Endpoint Management | mitigates | T1211 | Exploitation for Defense Evasion | This control provides for the implementation of best practices for endpoint management. Endpoint exploit protection capabilities can be used to detect, block, and mitigate conditions indicative of exploits used to bypass security features. |
| TVM-07 | Penetration Testing | mitigates | T1211 | Exploitation for Defense Evasion | This control requires both the CSP and the CSC to conduct regular penetration testing using reputable third parties, with agreed testing processes and communication of results within agreed boundaries. The control guidance states that penetration testing should identify critical vulnerabilities, assess the effectiveness of security controls, and validate compliance with industry standards, in order to provide recommendations for remediation and security improvements in cloud environments. The mapping for TVM-07 Penetration Testing is aligned with the M1016 Vulnerability Scanning mitigation definition of using "automated or manual assessment of systems, applications, and networks to identify misconfigurations, unpatched software, or other security weaknesses." Penetration testing in this context can take the form of cloud environment scanning, application security testing (SAST/DAST) tools, and red team cloud tools (Pacu, StormSpotter) used to detect vulnerabilities and weaknesses that could be exploited, and to assess their impact. |
| TVM-05 | Detection Updates | mitigates | T1211 | Exploitation for Defense Evasion | This control requires both the CSP and the CSC to independently define, implement, and regularly update detection tools, threat signatures, and indicators of compromise based on a threat intelligence platform or program, ensuring effective and timely detection of threats across all cloud service models. A centralized threat intelligence platform or program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. As it applies to mitigable techniques, a robust cyber threat intelligence capability helps determine what types and levels of threat may use software exploits, including 0-days or N-days, against a particular organization. For impersonation, threat intelligence helps defenders and users be aware of and defend against common lures and active campaigns that have been used for impersonation. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1211 | Exploitation for Defense Evasion | This control provides for the implementation of best practices for third-party endpoint management. Endpoint exploit protection capabilities can be used to detect, block, and mitigate conditions indicative of exploits used to bypass security features. |
| AIS-07 | Application Vulnerability Remediation | mitigates | T1211 | Exploitation for Defense Evasion | This control requires prioritized remediation based on risk assessment and CVSS scores, automated patch management, and integration of remediation tools into CI/CD pipelines to address vulnerabilities as early as possible in the development lifecycle. |