CSA CCM I&S-09

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

I&S-09 | Network Defense | mitigates | T1008 | Fallback Channels
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to restrict external network access and mitigate adversary use of fallback or alternative communication channels.

I&S-09 | Network Defense | mitigates | T1072 | Software Deployment Tools
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Isolation of critical network systems through use of cloud-based segmentation, virtual private cloud (VPC) security groups, network access control lists (NACLs), and firewalls can mitigate abuse of centralized software suites.

I&S-09 | Network Defense | mitigates | T1210 | Exploitation of Remote Services
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting networks and systems reduces access to critical systems and services, mitigating exploitation via remote services.

I&S-09 | Network Defense | mitigates | T1090.002 | External Proxy
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.

I&S-09 | Network Defense | mitigates | T1090.001 | Internal Proxy
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.

I&S-09 | Network Defense | mitigates | T1090 | Proxy
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.

I&S-09 | Network Defense | mitigates | T1090.003 | Multi-hop Proxy
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.

I&S-09 | Network Defense | mitigates | T1572 | Protocol Tunneling
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected protocol standards or traffic flows can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1095 | Non-Application Layer Protocol
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems, and ensuring hosts are provisioned to communicate only over authorized interfaces, can prevent the use of an OSI non-application layer protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and uncommon patterns or flows can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1219 | Remote Access Tools
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. In addition, network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools.

I&S-09 | Network Defense | mitigates | T1136 | Create Account
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.

I&S-09 | Network Defense | mitigates | T1046 | Network Service Discovery
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to protect critical servers and devices from discovery and exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans.

I&S-09 | Network Defense | mitigates | T1133 | External Remote Services
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Network proxies, gateways, and firewalls can be used to deny direct remote access to internal systems.

I&S-09 | Network Defense | mitigates | T1570 | Lateral Tool Transfer
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unusual data transfer over known tools and protocols can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files.

I&S-09 | Network Defense | mitigates | T1029 | Scheduled Transfer
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for adversary command and control infrastructure, unexpected network connections or traffic, and malware can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1132.001 | Standard Encoding
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1199 | Trusted Relationship
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to isolate infrastructure components that do not require broad network access, limiting attacks that leverage trusted relationships.

I&S-09 | Network Defense | mitigates | T1190 | Exploit Public-Facing Application
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). If an application is hosted on cloud-based infrastructure, VPC security perimeters can segment resources to further reduce access and operate in logically separate environments, limiting exposure.

I&S-09 | Network Defense | mitigates | T1571 | Non-Standard Port
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only the ports necessary for that particular network segment can prevent the use of a protocol and port pairing that are not typically associated with each other for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected patterns or protocols can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.

I&S-09 | Network Defense | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.

I&S-09 | Network Defense | mitigates | T1048 | Exfiltration Over Alternative Protocol
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.

I&S-09 | Network Defense | mitigates | T1132 | Data Encoding
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.

I&S-09 | Network Defense | mitigates | T1602 | Data from Configuration Repository
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.

I&S-09 | Network Defense | mitigates | T1136.003 | Cloud Account
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.

I&S-09 | Network Defense | mitigates | T1104 | Multi-Stage Channels
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.

I&S-09 | Network Defense | mitigates | T1071 | Application Layer Protocol
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of OSI application layer protocols to embed commands.

I&S-09 | Network Defense | mitigates | T1040 | Network Sniffing
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmentation can be implemented to deny direct access to broadcast and multicast traffic, preventing its capture through sniffing.

I&S-09 | Network Defense | mitigates | T1098.001 | Additional Cloud Credentials
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems.

I&S-09 | Network Defense | mitigates | T1071.004 | DNS
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of the Domain Name System (DNS) application layer protocol to embed commands.

I&S-09 | Network Defense | mitigates | T1071.003 | Mail Protocols
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with electronic mail delivery to embed commands.

I&S-09 | Network Defense | mitigates | T1071.002 | File Transfer Protocols
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with transferring files to embed commands.

I&S-09 | Network Defense | mitigates | T1071.001 | Web Protocols
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with web traffic to embed commands.

I&S-09 | Network Defense | mitigates | T1132.002 | Non-Standard Encoding
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.

I&S-09 | Network Defense | mitigates | T1557 | Adversary-in-the-Middle
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least limit, the scope of AiTM activity.

I&S-09 | Network Defense | mitigates | T1602.002 | Network Device Configuration Dump
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.

I&S-09 | Network Defense | mitigates | T1098 | Account Manipulation
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems.

I&S-09 | Network Defense | mitigates | T1071.005 | Publish/Subscribe Protocols
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of publish/subscribe (pub/sub) application layer protocols to embed commands.