Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1008 | Fallback Channels | |
CA-7 | Continuous Monitoring | Protects | T1008 | Fallback Channels | |
CM-2 | Baseline Configuration | Protects | T1008 | Fallback Channels | |
CM-6 | Configuration Settings | Protects | T1008 | Fallback Channels | |
CM-7 | Least Functionality | Protects | T1008 | Fallback Channels | |
SC-7 | Boundary Protection | Protects | T1008 | Fallback Channels | |
SI-3 | Malicious Code Protection | Protects | T1008 | Fallback Channels | |
SI-4 | System Monitoring | Protects | T1008 | Fallback Channels | |
action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1008 | Fallback Channels | |
action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1008 | Fallback Channels | |
action.malware.variety.C2 | Command and control (C2) | related-to | T1008 | Fallback Channels | |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1008 | Fallback Channels | Comments: VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate an adversary's use of fallback or alternate communication channels. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because protection in such environments is limited to known malicious IP addresses and domains and does not extend to unknown domains and IP addresses, this is scored as partial coverage, resulting in an overall Partial score. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1008 | Fallback Channels | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified. |