T1491.002 External Defacement Mappings

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.(Citation: Trend Micro Deep Dive Into Defacement)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-3 Access Enforcement Protects T1491.002 External Defacement
AC-6 Least Privilege Protects T1491.002 External Defacement
CM-2 Baseline Configuration Protects T1491.002 External Defacement
CP-10 System Recovery and Reconstitution Protects T1491.002 External Defacement
CP-2 Contingency Plan Protects T1491.002 External Defacement
CP-7 Alternate Processing Site Protects T1491.002 External Defacement
CP-9 System Backup Protects T1491.002 External Defacement
SI-3 Malicious Code Protection Protects T1491.002 External Defacement
SI-4 System Monitoring Protects T1491.002 External Defacement
SI-7 Software, Firmware, and Information Integrity Protects T1491.002 External Defacement

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
attribute.integrity.variety.Defacement Deface content related-to T1491.002 Defacement: External Defacement

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_config AWS Config technique_scores T1491.002 External Defacement
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.
References
    amazon_guardduty Amazon GuardDuty technique_scores T1491.002 External Defacement
    Comments
    The following finding types can be used to detect behavior that can lead to the defacement of cloud resources: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller
    References
      aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1491.002 External Defacement
      Comments
      AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
      References