| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-04 | OS Hardening and Base Controls | mitigates | T1204 | User Execution | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Application controls can help prevent the running of executables masquerading as other files. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1080 | Taint Shared Content | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Application controls to block unknown programs can limit adversaries from adding content to shared storage locations. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1562.001 | Disable or Modify Tools | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control, especially regarding the execution of tools outside of security policies, and ensuring that only approved security applications are used can prevent adversaries from maliciously modifying an environment to hinder or disable security tools. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1562 | Impair Defenses | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control, especially regarding the execution of tools outside of security policies, and ensuring that only approved security applications are used can prevent adversaries from maliciously modifying an environment to hinder or disable defensive mechanisms. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1059.009 | Cloud API | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control and disabling or removing any unnecessary or unused shells or interpreters can mitigate adversary use of cloud APIs to execute malicious commands. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1059 | Command and Scripting Interpreter | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control and disabling or removing any unnecessary or unused shells or interpreters can mitigate adversary use of command and script interpreters to execute malicious commands. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1552 | Unsecured Credentials | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Restricting access to sensitive data such as CloudFormation templates and preventing a user's command history from being stored can prevent adversaries from obtaining insecurely stored credentials. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1556 | Modify Authentication Process | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Restricting access to cloud resources and APIs can reduce the risk of adversaries modifying authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1490 | Inhibit System Recovery | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Implement application controls and technical controls to prevent adversaries from disabling versioning and backup policies and deleting files involved in disaster recovery scenarios. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1136 | Create Account | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Configuring access to critical servers and systems used to create and manage accounts can prevent adversaries from creating accounts. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1098 | Account Manipulation | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Configuring access to critical servers by limiting unnecessary protocols and services and removing unnecessary and potentially abusable authentication and authorization mechanisms can mitigate account manipulation. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1548 | Abuse Elevation Control Mechanism | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Secure system settings can help prevent adversaries from circumventing mechanisms designed to control elevated privileges and gain higher-level permissions. Performing regular software updates also mitigates exploitation risk. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1087 | Account Discovery | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Preventing accounts from being enumerated and limiting accessible interfaces to obtain user lists can prevent adversaries from identifying valid email addresses and account names. |
| I&S-03 | Network Security | mitigates | T1040 | Network Sniffing | This control provides for monitoring, encrypting, and restricting communications between environments. Ensuring that all traffic is encrypted, using best practices for authentication protocols, and protecting web traffic with SSL/TLS can help prevent an adversary from capturing information, such as user credentials and network characteristics, through network sniffing. |
| I&S-03 | Network Security | mitigates | T1008 | Fallback Channels | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level. |
| I&S-06 | Segmentation and Segregation | mitigates | T1008 | Fallback Channels | This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to restrict external network access and mitigate adversary use of fallback or alternative communication channels. |
| I&S-03 | Network Security | mitigates | T1090.002 | External Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1090.001 | Internal Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1090 | Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1090.003 | Multi-hop Proxy | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-03 | Network Security | mitigates | T1572 | Protocol Tunneling | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected protocol standards or traffic flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1095 | Non-Application Layer Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Filtering network traffic to prevent use of protocols across the network boundary that are unnecessary can prevent the use of an OSI non-application layer protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and uncommon patterns or flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1219 | Remote Access Tools | This control provides for monitoring, encrypting, and restricting communications between environments. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. In addition, network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools. |
| I&S-03 | Network Security | mitigates | T1046 | Network Service Discovery | This control provides for monitoring, encrypting, and restricting communications between environments. This includes ensuring that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans. |
| I&S-03 | Network Security | mitigates | T1570 | Lateral Tool Transfer | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unusual data transfer over known tools and protocols can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files. |
| I&S-03 | Network Security | mitigates | T1029 | Scheduled Transfer | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for adversary command and control infrastructure, unexpected network connections or traffic, and malware can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1132.001 | Standard Encoding | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1571 | Non-Standard Port | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment can prevent the use of a protocol and port pairing that are typically not associated for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected patterns or protocols can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048 | Exfiltration Over Alternative Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1132 | Data Encoding | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1602.001 | SNMP (MIB Dump) | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-03 | Network Security | mitigates | T1602 | Data from Configuration Repository | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-03 | Network Security | mitigates | T1104 | Multi-Stage Channels | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring access controls, network firewalls, and IP-based restrictions for accessing cloud resources helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level. |
| I&S-03 | Network Security | mitigates | T1071 | Application Layer Protocol | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of OSI application layer protocols to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.004 | DNS | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of the Domain Name System (DNS) application layer protocol to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.003 | Mail Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with electronic mail delivery to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.002 | File Transfer Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with transferring files to embed commands. |
| I&S-03 | Network Security | mitigates | T1071.001 | Web Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with web traffic to embed commands. |
| I&S-03 | Network Security | mitigates | T1132.002 | Non-Standard Encoding | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level. |
| I&S-03 | Network Security | mitigates | T1557 | Adversary-in-the-Middle | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. Ensure that all traffic is encrypted appropriately to mitigate, or at least alleviate, the scope of AiTM activity. Network appliances and security software can be used to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged for AiTM conditions. |
| I&S-03 | Network Security | mitigates | T1602.002 | Network Device Configuration Dump | This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-03 | Network Security | mitigates | T1071.005 | Publish/Subscribe Protocols | This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of publish/subscribe (pub/sub) application layer protocols to embed commands. |
| I&S-06 | Segmentation and Segregation | mitigates | T1095 | Non-Application Layer Protocol | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems and also ensuring hosts are only provisioned to communicate over authorized interfaces can prevent the use of an OSI non-application layer protocol for communication. |
| I&S-06 | Segmentation and Segregation | mitigates | T1136 | Create Account | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts. |
| I&S-06 | Segmentation and Segregation | mitigates | T1046 | Network Service Discovery | This control provides for appropriately segmented and segregated cloud environments. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to protect critical servers and devices from discovery and exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans. |
| I&S-06 | Segmentation and Segregation | mitigates | T1133 | External Remote Services | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Network proxies, gateways, and firewalls can be used to deny direct remote access to internal systems. |
| I&S-06 | Segmentation and Segregation | mitigates | T1199 | Trusted Relationship | This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to isolate infrastructure components that do not require broad network access, limiting attacks that leverage trusted relationships. |
| I&S-06 | Segmentation and Segregation | mitigates | T1190 | Exploit Public-Facing Application | This control provides for appropriately segmented and segregated cloud environments. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). If an application is hosted on cloud-based infrastructure, VPC security perimeters can segment resources to further reduce access and operate in logically separate environments, limiting exposure. |
| I&S-06 | Segmentation and Segregation | mitigates | T1571 | Non-Standard Port | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment can prevent the use of a protocol and port pairing that are typically not associated for communication. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048 | Exfiltration Over Alternative Protocol | This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1602.001 | SNMP (MIB Dump) | This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-06 | Segmentation and Segregation | mitigates | T1602 | Data from Configuration Repository | This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-06 | Segmentation and Segregation | mitigates | T1136.003 | Cloud Account | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts. |
| I&S-06 | Segmentation and Segregation | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | This control provides for appropriately segmented and segregated cloud environments. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1040 | Network Sniffing | This control provides for appropriately segmented and segregated cloud environments. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmentation can be implemented to deny direct access of broadcasts and multicast sniffing, and prevent information capture. |
| I&S-06 | Segmentation and Segregation | mitigates | T1098.001 | Additional Cloud Credentials | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems. |
| I&S-06 | Segmentation and Segregation | mitigates | T1557 | Adversary-in-the-Middle | This control provides for appropriately segmented and segregated cloud environments. Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
| I&S-06 | Segmentation and Segregation | mitigates | T1602.002 | Network Device Configuration Dump | This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources. |
| I&S-06 | Segmentation and Segregation | mitigates | T1098 | Account Manipulation | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems. |
| I&S-06 | Segmentation and Segregation | mitigates | T1072 | Software Deployment Tools | This control provides for appropriately segmented and segregated cloud environments. Isolation of critical network systems through use of cloud-based segmentation, virtual private cloud (VPC) security groups, network access control lists (NACLs), and firewalls can mitigate abuse of centralized software suites. |
| I&S-06 | Segmentation and Segregation | mitigates | T1210 | Exploitation of Remote Services | This control provides for appropriately segmented and segregated cloud environments. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting networks and systems reduces access to critical systems and services, mitigating exploitation via remote services. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090 | Proxy | This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090.003 | Multi-hop Proxy | This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications. |
| I&S-06 | Segmentation and Segregation | mitigates | T1572 | Protocol Tunneling | This control provides for appropriately segmented and segregated cloud environments. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. |
| I&S-06 | Segmentation and Segregation | mitigates | T1090.001 | Internal Proxy |
Comments
This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
|
| I&S-06 | Segmentation and Segregation | mitigates | T1570 | Lateral Tool Transfer |
Comments
This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files.
|
| I&S-06 | Segmentation and Segregation | mitigates | T1090.002 | External Proxy |
Comments
This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
|
| I&S-06 | Segmentation and Segregation | mitigates | T1219 | Remote Access Tools |
Comments
This control provides for appropriately segmented and segregated cloud environments. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools.
|
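The I&S-06 rows above repeatedly rely on VPC security groups and NACLs to limit traffic between systems, to keep management protocols such as SSH, RDP and SNMP reachable only from authorized sources, and to restrict egress. The following is an added example (not code from this mapping page or from any cloud provider) of the check a practitioner would run against exported security group rules to confirm those rules actually enforce the segmentation the control describes. The rule dictionaries mirror the shape of EC2 `DescribeSecurityGroups` output but are constructed sample data; the management CIDR, group IDs and the list of management ports are assumptions standing in for a real policy.

```python
"""Audit security group rules for segmentation failures.

Added example; not code from the mapping page or any vendor. The rule dicts in
SAMPLE_GROUPS follow the shape of EC2 DescribeSecurityGroups output but are
constructed data. MGMT_CIDR, ADMIN_PORTS and the group IDs are assumptions.
"""
import ipaddress

# Assumed segmentation policy: the only CIDR that may originate management
# traffic, and the protocol/port pairs treated as management protocols.
MGMT_CIDR = ipaddress.ip_network("10.0.250.0/24")                       # assumed bastion subnet
ADMIN_PORTS = (("tcp", 22), ("tcp", 3389), ("udp", 161), ("udp", 162))  # SSH, RDP, SNMP
ANYWHERE = ("0.0.0.0/0", "::/0")


def _port_range(perm):
    """Normalise an IpPermissions entry to (protocol, from_port, to_port).

    AWS encodes 'all protocols' as IpProtocol '-1' with no port fields."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "-1", 0, 65535
    return proto, perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _peers(perm):
    """Yield every CIDR or security-group reference the entry applies to."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield g["GroupId"]


def _matches(proto, lo, hi, want_proto, want_port):
    return proto in ("-1", want_proto) and lo <= want_port <= hi


def _inside_mgmt(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == MGMT_CIDR.version and net.subnet_of(MGMT_CIDR)


def audit_security_group(sg):
    """Return sorted (group_id, finding) tuples for rules that break segmentation."""
    gid = sg["GroupId"]
    findings = set()
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = _port_range(perm)
        for src in _peers(perm):
            if src in ANYWHERE:
                if proto == "-1":
                    findings.add((gid, f"all traffic open to {src}"))
                for p, port in ADMIN_PORTS:
                    if _matches(proto, lo, hi, p, port):
                        findings.add((gid, f"{p}/{port} open to {src}"))
            elif "/" in src and not _inside_mgmt(src):
                # A CIDR narrower than 'anywhere' but wider than the management subnet
                # still lets any compromised host in that range reach management ports.
                for p, port in ADMIN_PORTS:
                    if _matches(proto, lo, hi, p, port):
                        findings.add((gid, f"{p}/{port} allowed from {src}, outside {MGMT_CIDR}"))
    for perm in sg.get("IpPermissionsEgress", []):
        proto, lo, hi = _port_range(perm)
        for dst in _peers(perm):
            if dst in ANYWHERE and proto == "-1":
                # The default egress rule: every port to every destination.
                findings.add((gid, f"unrestricted egress to {dst}"))
    return sorted(findings)


def audit(groups):
    """Audit a list of security groups, preserving group order."""
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample describing a three-tier VPC (web -> app -> db); not real output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ], "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.250.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 161, "ToPort": 161, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ], "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-db"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ], "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for gid, msg in audit(SAMPLE_GROUPS):
        print(f"{gid}: {msg}")
```

Run against the sample, the audit reports SSH open to the world and the default all-ports egress on sg-web, and SNMP reachable from the whole 10.0.0.0/8 rather than the bastion subnet on sg-app; sg-db, which only accepts from sg-app and only egresses on tcp/443, is clean. Group-to-group references (sg-web, sg-app) are deliberately treated as acceptable peers because that is how the application-layer segmentation the control calls for is expressed. The same check applies to NACL entries once they are normalised to the same (protocol, port range, CIDR) shape.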
| I&S-09 | Network Defense | mitigates | T1008 | Fallback Channels |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to restrict external network access and mitigate adversary use of fallback or alternative communication channels.
|
| I&S-09 | Network Defense | mitigates | T1072 | Software Deployment Tools |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Isolation of critical network systems through use of cloud-based segmentation, virtual private cloud (VPC) security groups, network access control lists (NACLs), and firewalls can mitigate abuse of centralized software suites.
|
| I&S-09 | Network Defense | mitigates | T1210 | Exploitation of Remote Services |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting networks and systems reduces access to critical systems and services, mitigating exploitation via remote services.
|
| I&S-09 | Network Defense | mitigates | T1090.002 | External Proxy |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
|
| I&S-09 | Network Defense | mitigates | T1090.001 | Internal Proxy |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
|
| I&S-09 | Network Defense | mitigates | T1090 | Proxy |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
|
| I&S-09 | Network Defense | mitigates | T1090.003 | Multi-hop Proxy |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
|
| I&S-09 | Network Defense | mitigates | T1572 | Protocol Tunneling |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected protocol standards or traffic flows can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1095 | Non-Application Layer Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems and also ensuring hosts are only provisioned to communicate over authorized interfaces can prevent the use of an OSI non-application layer protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and uncommon patterns or flows can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1219 | Remote Access Tools |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. In addition, network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools.
|
| I&S-09 | Network Defense | mitigates | T1136 | Create Account |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.
|
| I&S-09 | Network Defense | mitigates | T1046 | Network Service Discovery |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to protect critical servers and devices from discovery and exploitation. In addition, network intrusion prevention devices can be configured to detect and prevent remote service scans.
|
| I&S-09 | Network Defense | mitigates | T1133 | External Remote Services |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Network proxies, gateways, and firewalls can be used to deny direct remote access to internal systems.
|
| I&S-09 | Network Defense | mitigates | T1570 | Lateral Tool Transfer |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unusual data transfer over known tools and protocols can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files.
|
| I&S-09 | Network Defense | mitigates | T1029 | Scheduled Transfer |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for adversary command and control infrastructure, unexpected network connections or traffic, and malware can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1132.001 | Standard Encoding |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1199 | Trusted Relationship |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to isolate infrastructure components that do not require broad network access, limiting attacks that leverage trusted relationships.
|
| I&S-09 | Network Defense | mitigates | T1190 | Exploit Public-Facing Application |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). If an application is hosted on cloud-based infrastructure, VPC security perimeters can segment resources to further reduce access and operate in logically separate environments, limiting exposure.
|
| I&S-09 | Network Defense | mitigates | T1571 | Non-Standard Port |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment can prevent the use of a protocol and port pairing that are typically not associated for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected patterns or protocols can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1132 | Data Encoding |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.
|
| I&S-09 | Network Defense | mitigates | T1602 | Data from Configuration Repository |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.
|
| I&S-09 | Network Defense | mitigates | T1136.003 | Cloud Account |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to the systems used for account creation and management (domain controllers for directory accounts; the identity provider and the cloud administration consoles and APIs for cloud accounts) through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized cloud accounts.
|
| I&S-09 | Network Defense | mitigates | T1104 | Multi-Stage Channels |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring access controls and network firewalls to enforce restrictions on accessing cloud resources, while allowing only essential ports and traffic, helps mitigate the risk of alternative exfiltration through cloud services. Also, network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate exfiltration activity at the network level.
|
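Several I&S-09 rows above (Non-Application Layer Protocol, Non-Standard Port, the Exfiltration Over Alternative Protocol family, Proxy and Fallback Channels) describe the same enforcement idea: each network segment has a small set of ports and protocols it legitimately uses outbound, and anything else on an accepted flow is a finding. The block below is an added example, not code from this page or from any cloud provider, of that allowlist applied to VPC flow log records, which is where a defender sees what the security groups and NACLs actually accepted. It parses the 14-field default (version 2) flow log layout; the log lines are constructed, and the segment CIDRs, per-segment allowlists and the byte threshold are assumptions standing in for a real organisation's policy.

```python
"""Screen VPC flow log records for egress that breaks a segment's allowlist.

Added example, not code from the mapping page or any cloud provider. Records
follow the 14-field default (version 2) VPC flow log layout; the lines in
SAMPLE_LOG are constructed, and the segment allowlist, byte threshold and
CIDRs are assumptions standing in for a real organisation's policy.
"""
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed policy: which CIDR each segment owns and which (protocol, port) pairs it
# may use to talk to destinations outside the VPC. Everything else is an alert.
SEGMENTS = {
    "web": (ip_network("10.0.1.0/24"), {("tcp", 443)}),
    "app": (ip_network("10.0.2.0/24"), {("tcp", 443)}),
    "db":  (ip_network("10.0.3.0/24"), set()),          # db tier never talks outbound
}
INTERNAL = (ip_network("10.0.0.0/8"),)                   # destinations not treated as egress
EXFIL_BYTES = 50_000_000                                  # assumed per-window threshold


def parse_flow(line):
    """Parse one record; return None for NODATA/SKIPDATA records whose fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    try:
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
    except ValueError:
        return None
    return rec


def segment_of(addr):
    """Name of the segment that owns this source address, or None."""
    ip = ip_address(addr)
    return next((name for name, (net, _) in SEGMENTS.items() if ip in net), None)


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def analyse(lines):
    """Return (segment, source, reason) alerts for accepted outbound flows."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue                      # rejected flows were already blocked by SG/NACL
        seg = segment_of(rec["srcaddr"])
        if seg is None or is_internal(rec["dstaddr"]):
            continue                      # not egress from a segment we police
        src, dst = rec["srcaddr"], rec["dstaddr"]
        proto = PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))
        if proto not in ("tcp", "udp"):
            # T1095: ICMP, GRE (47), ESP and the like carry no application layer to inspect.
            alerts.append((seg, src, f"non-application-layer protocol {proto} to {dst}"))
        elif (proto, rec["dstport"]) not in SEGMENTS[seg][1]:
            # T1571 / T1090 / T1008: a port this segment has no business using outbound.
            alerts.append((seg, src, f"unapproved egress {proto}/{rec['dstport']} to {dst}"))
        if rec["bytes"] >= EXFIL_BYTES:
            # T1048: volume alone is suspicious, whatever the port.
            alerts.append((seg, src, f"{rec['bytes']} bytes to {dst} in one window"))
    return alerts


# Constructed sample records (not captured from a real account).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 51000 443 6 120 150000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 51001 4444 6 30 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 0 0 47 500 65000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.20 10.0.3.30 43000 5432 6 80 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.20 192.0.2.44 43001 53 17 2000 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.20 198.51.100.7 43002 8443 6 10 800 1700000000 1700000060 REJECT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for seg, src, reason in analyse(SAMPLE_LOG):
        print(f"[{seg}] {src}: {reason}")
```

On the sample the web host's tcp/443 flow is silent, its tcp/4444 flow and its GRE (protocol 47) flow are both flagged, the 65 MB GRE flow is flagged a second time on volume, and the app host's direct udp/53 query to an external resolver is flagged because the assumed allowlist expects DNS to go through the VPC resolver. The rejected flow and the NODATA record are skipped, which matters in practice: alerting on REJECT lines would mostly report the NACL doing its job, and NODATA records have no addresses to parse. The same logic runs unchanged over records pulled from CloudWatch Logs or an Athena query; only the input source differs.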
| I&S-09 | Network Defense | mitigates | T1071 | Application Layer Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of OSI application layer protocols to embed commands.
|
| I&S-09 | Network Defense | mitigates | T1040 | Network Sniffing |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmentation can be implemented to deny direct access of broadcasts and multicast sniffing, and prevent information capture.
|
| I&S-09 | Network Defense | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting which networks can reach critical systems, domain controllers, and the cloud identity management APIs through which additional credentials are added can mitigate adversary use of account manipulation to maintain and/or elevate access to systems.
|
| I&S-09 | Network Defense | mitigates | T1071.004 | DNS |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of the Domain Name System (DNS) application layer protocol to embed commands.
|
| I&S-09 | Network Defense | mitigates | T1071.003 | Mail Protocols |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with electronic mail delivery to embed commands.
|
| I&S-09 | Network Defense | mitigates | T1071.002 | File Transfer Protocols |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with transferring files to embed commands.
|
| I&S-09 | Network Defense | mitigates | T1071.001 | Web Protocols |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of application layer protocols associated with web traffic to embed commands.
|
| I&S-09 | Network Defense | mitigates | T1132.002 | Non-Standard Encoding |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.
|
| I&S-09 | Network Defense | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.
|
| I&S-09 | Network Defense | mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.
|
| I&S-09 | Network Defense | mitigates | T1098 | Account Manipulation |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems.
|
| I&S-09 | Network Defense | mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware can be used to mitigate activity at the network level, such as adversary use of publish/subscribe (pub/sub) application layer protocols to embed commands.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1213 | Data from Information Repositories |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data and can mitigate adversary access to information of value, such as sensitive documents or data that may aid their further objectives.
|
| I&S-05 | Production and Non-Production Environments | mitigates | T1078 | Valid Accounts |
Comments
This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. Ensure that credentials and sensitive data are not stored insecurely in either environment (e.g., plaintext credentials in code, credentials published in repositories, or credentials in public cloud storage), and that production credentials are not reused in non-production environments, to mitigate adversaries obtaining credentials of existing accounts.
|
| I&S-05 | Production and Non-Production Environments | mitigates | T1550.001 | Application Access Token |
Comments
This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. Restricting the use of authentication material outside of expected contexts can help prevent adversary misuse of alternate authentication material.
|
| I&S-05 | Production and Non-Production Environments | mitigates | T1550 | Use Alternate Authentication Material |
Comments
This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. Restricting the use of authentication material outside of expected contexts can help prevent adversary misuse of alternate authentication material.
|
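The two rows above (Application Access Token and Use Alternate Authentication Material) rest on one enforcement point: a token minted for one environment must be rejected by the other, even if it is otherwise valid. The block below is an added example, not code from this page or from any identity provider, of a verifier that enforces that separation twice over: each environment signs with its own key, so a staging token fails signature verification in production, and an environment claim is checked as well so that a token is still rejected if a key is ever shared or leaked across environments. The tokens are HS256 JWTs built with the standard library so the check runs offline; the environment names, audience, signing keys and the claim name `env` are assumptions (a real identity provider would typically carry a tenant or issuer claim instead).

```python
"""Reject authentication material presented outside the environment it was issued for.

Added example, not code from the mapping page or any identity provider. The
tokens are HS256 JWTs built with the standard library so the check runs
offline; the environment names, audience, signing keys and claim name "env"
are assumptions (an IdP would normally carry a tenant or issuer claim).
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed: each environment has its own signing key, never shared across them.
PROD_KEY = b"assumed-prod-signing-key-not-for-real-use"
STAGING_KEY = b"assumed-staging-signing-key-not-for-real-use"


class TokenRejected(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(key: bytes, claims: dict) -> str:
    """Mint an HS256 JWT; `claims` should carry sub, env, aud and exp."""
    signing_input = f"{_compact({'alg': 'HS256', 'typ': 'JWT'})}.{_compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, expected_env: str, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is valid for this environment, else raise."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise TokenRejected("unexpected alg")          # the verifier picks the algorithm, not the token
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenRejected("bad signature")           # wrong key: token came from another environment
    claims = json.loads(_b64url_decode(p))
    if claims.get("env") != expected_env:             # defence in depth if a key is ever shared
        raise TokenRejected(f"token issued for env {claims.get('env')!r}, not {expected_env!r}")
    if claims.get("aud") != expected_aud:
        raise TokenRejected("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    return claims


def outcome(token, key, env, aud, now):
    """Convenience wrapper: None when accepted, otherwise the rejection reason."""
    try:
        verify_token(token, key, env, aud, now)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    staging_token = issue_token(STAGING_KEY, {"sub": "deploy-bot", "env": "staging",
                                              "aud": "orders-api", "exp": now + 600})
    print("staging token at prod:", outcome(staging_token, PROD_KEY, "prod", "orders-api", now))
```

The order of checks is deliberate: the algorithm is pinned before anything else so a token cannot downgrade itself to `none`, the signature is checked before any claim is trusted, and only then are the environment, audience and expiry compared. In a real deployment the per-environment keys would live in the respective environment's key management service and the verifier would never have access to the other environment's key at all.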
| I&S-05 | Production and Non-Production Environments | mitigates | T1195 | Supply Chain Compromise |
Comments
This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. During development, apply caution when selecting third-party libraries to integrate into applications and, where possible, lock software dependencies to specific versions rather than pulling the latest version on build to help mitigate supply chain compromise.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1550.001 | Application Access Token |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encryption protects the confidentiality and integrity of data such as OAuth access tokens used by a cloud-based email service. Enforcing encryption of email communications and attachments that contain sensitive information, which an adversary with access to the email service could otherwise read, can help prevent adversaries from stealing application access tokens.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Ensuring that all wired and wireless traffic is encrypted appropriately limits what an adversary gains from ARP cache poisoning: the poisoning itself operates below the IP layer and is not prevented by encryption, but traffic redirected through the adversary's host cannot be read, and tampering is detected by authenticated protocols such as TLS.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1552.004 | Private Keys |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data such as credentials, preventing unauthorized access. Private keys in particular should be held in a hardware security module or cloud key management service that can use them without exporting them, rather than in files on disk.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1552 | Unsecured Credentials |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data such as credentials, preventing unauthorized access.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1649 | Steal or Forge Authentication Certificates |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data such as credentials, preventing unauthorized access. Keeping the private keys of authentication certificates in a hardware security module or cloud key management service, rather than in exportable files, limits what an adversary can steal.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Encrypting important data flows reduces the impact of adversary tailored data modifications.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1565.001 | Stored Data Manipulation |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Encrypting important information reduces an adversary’s ability to perform tailored data modifications.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1565 | Data Manipulation |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Encrypting important information reduces an adversary’s ability to perform tailored data modifications.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1020.001 | Traffic Duplication |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Ensuring that all wired and wireless traffic is encrypted appropriately limits the value of duplicated traffic: mirroring itself is not prevented by encryption, but the duplicated stream exposes only ciphertext, which blunts adversary abuse of traffic mirroring for automated data exfiltration.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1119 | Automated Collection |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data and can help to mitigate adversary use of automated techniques for automatically collecting data and files.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Ensuring that all wired and wireless traffic is encrypted appropriately can safeguard data and mitigate adversary-in-the-middle activities such as information collection.
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1530 | Data from Cloud Storage |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data and can mitigate adversary access to information of value in cloud storage.
|
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| I&S-07 | Migration to Cloud Environments | 13 |
| I&S-04 | OS Hardening and Base Controls | 13 |
| I&S-09 | Network Defense | 40 |
| I&S-03 | Network Security | 31 |
| I&S-05 | Production and Non-Production Environments | 4 |
| I&S-06 | Segmentation and Segregation | 29 |