| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-06 | Segmentation and Segregation | mitigates | T1008 | Fallback Channels | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to restrict external network access and mitigate adversary use of fallback or alternative communication channels. |
| I&S-06 | Segmentation and Segregation | mitigates | T1095 | Non-Application Layer Protocol | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only the necessary ports, routing it through proper network gateway systems, and ensuring hosts are provisioned to communicate only over authorized interfaces can prevent the use of a non-application-layer OSI protocol for communication. |
| I&S-06 | Segmentation and Segregation | mitigates | T1136 | Create Account | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts. |
| I&S-06 | Segmentation and Segregation | mitigates | T1046 | Network Service Discovery | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to protect critical servers and devices from discovery and exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans. |
| I&S-06 | Segmentation and Segregation | mitigates | T1133 | External Remote Services | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Network proxies, gateways, and firewalls can be used to deny direct remote access to internal systems. |
| I&S-06 | Segmentation and Segregation | mitigates | T1199 | Trusted Relationship | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to isolate infrastructure components that do not require broad network access, limiting attacks that leverage trusted relationships. |
| I&S-06 | Segmentation and Segregation | mitigates | T1190 | Exploit Public-Facing Application | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). If an application is hosted on cloud-based infrastructure, VPC security perimeters can segment resources to further reduce access and operate them in logically separate environments, limiting exposure. |
| I&S-06 | Segmentation and Segregation | mitigates | T1571 | Non-Standard Port | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only the ports necessary for that particular network segment can prevent the use of protocol and port pairings that are not normally associated with each other. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Comments: This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Comments: This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048 | Exfiltration Over Alternative Protocol | Comments: This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1602.001 | SNMP (MIB Dump) | Comments: This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-06 | Segmentation and Segregation | mitigates | T1602 | Data from Configuration Repository | Comments: This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-06 | Segmentation and Segregation | mitigates | T1136.003 | Cloud Account | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Comments: This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1040 | Network Sniffing | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmentation can be implemented to deny direct access to broadcast and multicast traffic, limiting what a sniffer on one segment can capture. |
| I&S-06 | Segmentation and Segregation | mitigates | T1098.001 | Additional Cloud Credentials | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems. |
| I&S-06 | Segmentation and Segregation | mitigates | T1557 | Adversary-in-the-Middle | Comments: This control provides for appropriately segmented and segregated cloud environments. Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least reduce, the scope of AiTM activity. |
| I&S-06 | Segmentation and Segregation | mitigates | T1602.002 | Network Device Configuration Dump | Comments: This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-06 | Segmentation and Segregation | mitigates | T1098 | Account Manipulation | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems. |
| I&S-06 | Segmentation and Segregation | mitigates | T1072 | Software Deployment Tools | Comments: This control provides for appropriately segmented and segregated cloud environments. Isolation of critical network systems through use of cloud-based segmentation, virtual private cloud (VPC) security groups, network access control lists (NACLs), and firewalls can mitigate abuse of centralized software suites. |
| I&S-06 | Segmentation and Segregation | mitigates | T1210 | Exploitation of Remote Services | Comments: This control provides for appropriately segmented and segregated cloud environments. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting networks and systems reduces access to critical systems and services, mitigating exploitation via remote services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090 | Proxy | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090.003 | Multi-hop Proxy | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-06 | Segmentation and Segregation | mitigates | T1572 | Protocol Tunneling | Comments: This control provides for appropriately segmented and segregated cloud environments. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating one protocol within another for communication. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090.001 | Internal Proxy | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-06 | Segmentation and Segregation | mitigates | T1570 | Lateral Tool Transfer | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090.002 | External Proxy | Comments: This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-06 | Segmentation and Segregation | mitigates | T1219 | Remote Access Tools | Comments: This control provides for appropriately segmented and segregated cloud environments. Firewalls and proxies can be configured to limit outgoing traffic to the sites and services used by remote access software. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools. |
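The notes in this table reduce to two checks that a practitioner applies to every VPC security group: no remote-access service reachable from an unrestricted source (the T1133, T1190 and T1210 rows), and internet egress limited to the ports the segment actually needs (the T1095, T1571, T1048.x and T1219 rows). The audit below is an added example and is not part of the mapping or of any AWS tooling. It evaluates security-group rules shaped like the `SecurityGroups` entries returned by the EC2 `DescribeSecurityGroups` API; the group IDs, CIDRs, the `REMOTE_ACCESS_PORTS` set and the `allowed_egress_ports` allow-list are constructed assumptions, not values from the page.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports that give an adversary a direct remote-access path when they are
# reachable from an unrestricted source (SSH, RDP, WinRM). Assumed set.
REMOTE_ACCESS_PORTS = {22, 3389, 5985, 5986}


@dataclass(frozen=True)
class Finding:
    group_id: str
    direction: str  # "ingress" or "egress"
    technique: str  # ATT&CK ID the finding maps to in the table above
    detail: str


def _port_range(perm: dict) -> tuple[int, int] | None:
    """Inclusive (from, to) port range of one IpPermission entry.

    IpProtocol "-1" means all protocols on all ports. For ICMP the From/To
    fields carry type and code rather than ports, so those entries are skipped.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto not in ("tcp", "udp", "6", "17"):
        return None
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _cidrs(perm: dict) -> list[str]:
    """IPv4 and IPv6 CIDRs attached to one IpPermission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. no network restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(group: dict, allowed_egress_ports: set[int]) -> list[Finding]:
    """Check one security group against the two segmentation rules.

    allowed_egress_ports: destination ports this segment may reach on the open
    internet. Any wider internet egress violates the 'only necessary ports'
    guidance given for T1571 and T1048.
    """
    gid = group["GroupId"]
    findings: list[Finding] = []

    # Rule 1 (T1133): no remote-access port reachable from an unrestricted source.
    for perm in group.get("IpPermissions", []):
        rng = _port_range(perm)
        if rng is None:
            continue
        lo, hi = rng
        for src in filter(_is_anywhere, _cidrs(perm)):
            exposed = sorted(p for p in REMOTE_ACCESS_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(Finding(gid, "ingress", "T1133",
                                        f"remote-access ports {exposed} reachable from {src}"))

    # Rule 2 (T1571): internet egress limited to the allow-listed ports.
    for perm in group.get("IpPermissionsEgress", []):
        rng = _port_range(perm)
        if rng is None:
            continue
        lo, hi = rng
        for dst in filter(_is_anywhere, _cidrs(perm)):
            if perm.get("IpProtocol") == "-1":
                findings.append(Finding(gid, "egress", "T1571",
                                        f"all protocols and ports allowed to {dst}"))
                continue
            extra = set(range(lo, hi + 1)) - allowed_egress_ports
            if extra:
                findings.append(Finding(gid, "egress", "T1571",
                                        f"{len(extra)} non-allow-listed port(s) in {lo}-{hi} to {dst}"))
    return findings


def audit_groups(groups: list[dict], allowed_egress_ports: set[int]) -> dict[str, list[Finding]]:
    """Audit a DescribeSecurityGroups-style list; returns findings keyed by group ID."""
    return {g["GroupId"]: audit_security_group(g, allowed_egress_ports) for g in groups}


# Constructed sample groups (hypothetical IDs and CIDRs, not from a real account).
WEAK_GROUP = {  # the common default: SSH from anywhere, unrestricted egress
    "GroupId": "sg-weak",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
}
HARDENED_GROUP = {  # app tier: HTTPS only from the load-balancer subnet, egress pinned
    "GroupId": "sg-hardened",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
    ],
}
SAMPLE_GROUPS = [WEAK_GROUP, HARDENED_GROUP]

if __name__ == "__main__":
    for gid, found in audit_groups(SAMPLE_GROUPS, allowed_egress_ports={443}).items():
        print(gid, "OK" if not found else f"{len(found)} finding(s)")
        for f in found:
            print(f"  [{f.direction} {f.technique}] {f.detail}")
```

To run this against a real account, pass the `SecurityGroups` list from `aws ec2 describe-security-groups` output to `audit_groups` with the allow-list agreed for that segment. Two caveats: security groups are stateful while NACLs are stateless, so an equivalent NACL check has to allow the ephemeral return-port range explicitly rather than flag it; and a rule that references another security group by ID (`UserIdGroupPairs`) rather than a CIDR is deliberately ignored here, since such rules already confine traffic to the referenced group.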