Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DCS-09 | Equipment Identification | mitigates | T1599.001 | Network Address Translation Traversal | Comments: This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration, effectively compromising the device. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Upon identifying a compromised network device being used to bridge a network boundary, block the malicious packets using an unaffected network device in the path, such as a firewall or router that has not been compromised. Continue to monitor for additional activity and to confirm that the blocks are effective. |
| DCS-09 | Equipment Identification | mitigates | T1599 | Network Boundary Bridging | Comments: Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. Upon identifying a compromised network device being used to bridge a network boundary, block the malicious packets using an unaffected network device in the path, such as a firewall or router that has not been compromised. Continue to monitor for additional activity and to confirm that the blocks are effective. |
| DCS-09 | Equipment Identification | mitigates | T1200 | Hardware Additions | Comments: Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. |
| DCS-09 | Equipment Identification | mitigates | T1219.003 | Remote Access Hardware | Comments: An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. |