| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1040 | Network Sniffing | This control provides for monitoring, encrypting, and restricting communications between environments. Ensuring that all traffic is encrypted, using best practices for authentication protocols, and protecting web traffic with SSL/TLS can help prevent an adversary from capturing information, such as user credentials and network characteristics, through network sniffing. |
| I&S-03 | Network Security | mitigates | T1008 | Fallback Channels | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1090.002 | External Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1090.001 | Internal Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1090 | Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1090.003 | Multi-hop Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1572 | Protocol Tunneling | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected protocol standards or traffic flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1095 | Non-Application Layer Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Filtering network traffic to prevent use of unnecessary protocols across the network boundary can prevent the use of an OSI non-application layer protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and uncommon patterns or flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1219 | Remote Access Tools | This control provides for monitoring, encrypting, and restricting communications between environments. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. In addition, network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools. |
| I&S-03 | Network Security | mitigates | T1046 | Network Service Discovery | This control provides for monitoring, encrypting, and restricting communications between environments. This includes ensuring that unnecessary ports and services are closed to reduce the risk of discovery and potential exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans. |
| I&S-03 | Network Security | mitigates | T1570 | Lateral Tool Transfer | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unusual data transfer over known tools and protocols can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files. |
| I&S-03 | Network Security | mitigates | T1029 | Scheduled Transfer | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for adversary command and control infrastructure, unexpected network connections or traffic, and malware can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1132.001 | Standard Encoding | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1571 | Non-Standard Port | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring firewalls and proxies to limit outgoing traffic to only the ports necessary for that particular network segment can prevent the use of a protocol and port pairing that is not typically associated with that communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected patterns or protocols can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048 | Exfiltration Over Alternative Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1132 | Data Encoding | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1602.001 | SNMP (MIB Dump) | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-03 | Network Security | mitigates | T1602 | Data from Configuration Repository | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-03 | Network Security | mitigates | T1104 | Multi-Stage Channels | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1071 | Application Layer Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of OSI application layer protocols to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.004 | DNS | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of the Domain Name System (DNS) application layer protocol to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.003 | Mail Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with electronic mail delivery to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.002 | File Transfer Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with transferring files to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.001 | Web Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with web traffic to embed commands. |
| I&S-03 | Network Security | mitigates | T1132.002 | Non-Standard Encoding | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1557 | Adversary-in-the-Middle | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. Ensure that all traffic is encrypted appropriately to mitigate, or at least reduce, the scope of AiTM activity. Network appliances and security software can be used to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged to create AiTM conditions. |
| I&S-03 | Network Security | mitigates | T1602.002 | Network Device Configuration Dump | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-03 | Network Security | mitigates | T1071.005 | Publish/Subscribe Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of publish/subscribe (pub/sub) application layer protocols to embed commands. |