T1562.007 Disable or Modify Cloud Firewall Mappings

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1562.007 Disable or Modify Cloud Firewall
AC-3 Access Enforcement Protects T1562.007 Disable or Modify Cloud Firewall
AC-5 Separation of Duties Protects T1562.007 Disable or Modify Cloud Firewall
AC-6 Least Privilege Protects T1562.007 Disable or Modify Cloud Firewall
CM-5 Access Restrictions for Change Protects T1562.007 Disable or Modify Cloud Firewall
IA-2 Identification and Authentication (organizational Users) Protects T1562.007 Disable or Modify Cloud Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Impair Defenses: Disable or Modify Cloud Firewall
aws_config AWS Config technique_scores T1562.007 Disable or Modify Cloud Firewall
Comments
The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: "lab-waf-enabled" for Application Load Balancers; "api-gw-associated-with-waf" for Amazon API Gateway API stages; "cloudfront-associated-with-waf" for Amazon CloudFront distributions; "fms-webacl-resource-policy-check", "fms-webacl-resource-policy-check", and "fms-webacl-rulegroup-association-check" for AWS Firewall Manager; "vpc-default-security-group-closed", "vpc-network-acl-unused-check", and "vpc-sg-open-only-to-authorized-ports" for VPC security groups; and "ec2-security-group-attached-to-eni" for EC2 and ENI security groups; all of which are run on configuration changes. The following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: "internet-gateway-authorized-vpc-only" can identify Internet gateways (IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; "lambda-inside-vpc" can identify VPCs that have granted execution access to unauthorized Lambda functions; "service-vpc-endpoint-enabled" can verify that endpoints are active for the appropriate services across VPCs; "subnet-auto-assign-public-ip-disabled" checks for public IP addresses assigned to subnets within VPCs. Coverage factor is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant.
References
    aws_security_hub AWS Security Hub technique_scores T1562.007 Disable or Modify Cloud Firewall
    Comments
    AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.
    References