MITRE ATT&CK Framework Kill Chain

Network Segmentation

Enterprise T1098 Account Manipulation

Configure access controls and firewalls to limit access to critical systems and domain controllers.

The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

.001 Additional Cloud Credentials

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Enterprise T1557 Adversary-in-the-Middle

Network segmentation can be used to isolate infrastructure components that do not require broad network access.

This may mitigate, or at least alleviate, the scope of AiTM activity.

.001 LLMNR/NBT-NS Poisoning and SMB Relay

Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.

Enterprise T1612 Build Image on Host

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1613 Container and Resource Discovery

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1136 Create Account

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.

.002 Domain Account

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.

.003 Cloud Account

Configure access controls and firewalls to limit access to critical systems and domain controllers.

It goes a step further than the Cyber Kill Chain by expanding the attackers' high-level goals to 14 different tactics.

Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Enterprise T1602 Data from Configuration Repository

Segregate SNMP traffic on a separate management network.[1]

.001 SNMP (MIB Dump)

Segregate SNMP traffic on a separate management network.[1]

.002 Network Device Configuration Dump

Segregate SNMP traffic on a separate management network.[1]

Enterprise T1565 Data Manipulation

Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.

.003 Runtime Data Manipulation

Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.

Enterprise T1610 Deploy Container

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1482 Domain Trust Discovery

Employ network segmentation for sensitive domains.[2]

Enterprise T1048 Exfiltration Over Alternative Protocol

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3]

.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3]

.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3]

.003 Exfiltration Over Unencrypted Non-C2 Protocol

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3]

Enterprise T1190 Exploit Public-Facing Application

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Enterprise T1210 Exploitation of Remote Services

Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods.

Enterprise T1133 External Remote Services

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1046 Network Service Discovery

Ensure proper network segmentation is followed to protect critical servers and devices.

Enterprise T1040 Network Sniffing

Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay.

Enterprise T1095 Non-Application Layer Protocol

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems.

Also ensure hosts are only provisioned to communicate over authorized interfaces.

Enterprise T1571 Non-Standard Port

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.

Enterprise T1563 Remote Service Session Hijacking

Enable firewall rules to block unnecessary traffic between network security zones within a network.

.002 RDP Hijacking

Enable firewall rules to block RDP traffic between network security zones within a network.

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Do not leave RDP accessible from the internet.


Enable firewall rules to block RDP traffic between network security zones within a network.

.003 Remote Services: Distributed Component Object Model

Enable Windows Firewall, which prevents DCOM instantiation by default.

.006 Remote Services: Windows Remote Management

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[4]

Enterprise T1489 Service Stop

Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

Enterprise T1072 Software Deployment Tools

Ensure proper system isolation for critical network systems through use of firewalls.

Enterprise T1199 Trusted Relationship

Network segmentation can be used to isolate infrastructure components that do not require broad network access.

Enterprise T1552.007 Unsecured Credentials: Container API

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.