| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes | 
|---|---|---|---|---|---|---|
| network_security_groups | Network Security Groups | protect | partial | T1199 | Trusted Relationship | This control can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate. |
| network_security_groups | Network Security Groups | protect | partial | T1557 | Man-in-the-Middle | This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions. |
| network_security_groups | Network Security Groups | protect | partial | T1602 | Data from Configuration Repository | This control can limit attackers' access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports. |
| network_security_groups | Network Security Groups | protect | partial | T1602.002 | Network Device Configuration Dump | Can limit access to client management interfaces or configuration databases. |
| network_security_groups | Network Security Groups | protect | partial | T1602.001 | SNMP (MIB Dump) | Can limit access to client management interfaces or configuration databases. |
| network_security_groups | Network Security Groups | protect | minimal | T1542 | Pre-OS Boot | Provides protection coverage for only one sub-technique, and only partially (booting from remote devices à la TFTP boot), resulting in an overall score of Minimal. |
| network_security_groups | Network Security Groups | protect | partial | T1542.005 | TFTP Boot | This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources. |
| network_security_groups | Network Security Groups | protect | significant | T1048 | Exfiltration Over Alternative Protocol | NSG can minimize alternative protocols allowed to communicate externally. |
| network_security_groups | Network Security Groups | protect | significant | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial. |
| network_security_groups | Network Security Groups | protect | significant | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial. |
| network_security_groups | Network Security Groups | protect | significant | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial. |
| network_security_groups | Network Security Groups | protect | partial | T1210 | Exploitation of Remote Services | This control can be used to restrict access to remote services to the minimum necessary. |
| network_security_groups | Network Security Groups | protect | partial | T1021 | Remote Services | This control provides partial protection for all of its sub-techniques and procedure examples, resulting in an overall score of Partial. |
| network_security_groups | Network Security Groups | protect | partial | T1021.006 | Windows Remote Management | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1021.005 | VNC | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1021.004 | SSH | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1021.003 | Distributed Component Object Model | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1021.002 | SMB/Windows Admin Shares | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1021.001 | Remote Desktop Protocol | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1072 | Software Deployment Tools | This control can be used to limit access to critical network systems such as software deployment tools. |
| network_security_groups | Network Security Groups | protect | partial | T1133 | External Remote Services | This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. It can be circumvented, though, if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score. |
| network_security_groups | Network Security Groups | protect | partial | T1482 | Domain Trust Discovery | This control can be used to isolate sensitive domains to limit discovery. |
| network_security_groups | Network Security Groups | protect | partial | T1046 | Network Service Scanning | This control can be used to restrict access to trusted networks. |
| network_security_groups | Network Security Groups | protect | partial | T1095 | Non-Application Layer Protocol | This control can be used to restrict access to trusted networks and protocols. |
| network_security_groups | Network Security Groups | protect | significant | T1571 | Non-Standard Port | This control can restrict traffic to standard ports and protocols. |
| network_security_groups | Network Security Groups | protect | partial | T1499 | Endpoint Denial of Service | This control provides partial protection for a majority of this technique's sub-techniques and procedure examples, resulting in an overall score of Partial. |
| network_security_groups | Network Security Groups | protect | partial | T1499.003 | Application Exhaustion Flood | This control can be used to restrict access to endpoints and thereby mitigate low-end DoS attacks. |
| network_security_groups | Network Security Groups | protect | partial | T1499.002 | Service Exhaustion Flood | This control can be used to restrict access to endpoints and thereby mitigate low-end DoS attacks. |
| network_security_groups | Network Security Groups | protect | partial | T1499.001 | OS Exhaustion Flood | This control can be used to restrict access to endpoints and thereby mitigate low-end DoS attacks. |
| network_security_groups | Network Security Groups | protect | partial | T1570 | Lateral Tool Transfer | This control can be used to limit traffic between systems and enclaves to the minimum necessary, for example via a zero-trust strategy. |
| network_security_groups | Network Security Groups | protect | partial | T1498 | Network Denial of Service | This control can be used to restrict access to endpoints and thereby mitigate low-end network DoS attacks. |
| network_security_groups | Network Security Groups | protect | partial | T1090 | Proxy | This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy-related sub-techniques, although it doesn't provide protection for domain fronting. It furthermore provides partial protection for this technique's procedure examples, resulting in an overall Partial score. |
| network_security_groups | Network Security Groups | protect | partial | T1090.003 | Multi-hop Proxy | This control can restrict access between systems, enclaves, and workloads, thereby mitigating these proxy-related sub-techniques. |
| network_security_groups | Network Security Groups | protect | partial | T1090.002 | External Proxy | This control can restrict access between systems, enclaves, and workloads, thereby mitigating these proxy-related sub-techniques. |
| network_security_groups | Network Security Groups | protect | partial | T1090.001 | Internal Proxy | This control can restrict access between systems, enclaves, and workloads, thereby mitigating these proxy-related sub-techniques. |
| network_security_groups | Network Security Groups | protect | partial | T1219 | Remote Access Software | This control can be used to restrict network communications to protect sensitive enclaves, which may mitigate some of the procedure examples of this technique. |
| network_security_groups | Network Security Groups | protect | partial | T1205 | Traffic Signaling | This control provides partial protection for this technique's sub-techniques and procedure examples, resulting in an overall Partial score. Other variations that trigger a special response, such as executing a malicious task, are not mitigated by this control. |
| network_security_groups | Network Security Groups | protect | significant | T1205.001 | Port Knocking | This control can be used to implement whitelist-based network rules that can mitigate variations of this sub-technique that result in opening closed ports for communication. Because this control is able to drop traffic before it reaches a compromised host, it can effectively mitigate this port knocking sub-technique. |