Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
| | .001 | LLMNR/NBT-NS Poisoning and SMB Relay | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
| Enterprise | T1602 | Data from Configuration Repository | Segregate SNMP traffic on a separate management network.[1] |
| | .001 | SNMP (MIB Dump) | Segregate SNMP traffic on a separate management network.[1] |
| | .002 | Network Device Configuration Dump | Segregate SNMP traffic on a separate management network.[1] |
| Enterprise | T1199 | Trusted Relationship | Network segmentation can be used to isolate infrastructure components that do not require broad network access. |
| Enterprise | T1136 | Create Account | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| | .002 | Domain Account | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| | .003 | Cloud Account | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| Enterprise | T1190 | Exploit Public-Facing Application | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| Enterprise | T1612 | Build Image on Host | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| Enterprise | T1482 | Domain Trust Discovery | Employ network segmentation for sensitive domains.[2] |
| Enterprise | T1133 | External Remote Services | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| Enterprise | T1613 | Container and Resource Discovery | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| Enterprise | T1565 | Data Manipulation | Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. |
| | .003 | Runtime Data Manipulation | Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3] |
| | .001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3] |
| | .002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3] |
| | .003 | Exfiltration Over Unencrypted Non-C2 Protocol | Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3] |
| Enterprise | T1489 | Service Stop | Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions. |
| Enterprise | T1552.007 | Unsecured Credentials: Container API | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| Enterprise | T1040 | Network Sniffing | Deny direct access to broadcast and multicast traffic for sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay. |
| Enterprise | T1046 | Network Service Discovery | Ensure proper network segmentation is followed to protect critical servers and devices. |
| Enterprise | T1098 | Account Manipulation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| | .001 | Additional Cloud Credentials | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| Enterprise | T1072 | Software Deployment Tools | Ensure proper system isolation for critical network systems through the use of firewalls. |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network. |
| | .003 | Remote Services: Distributed Component Object Model | Enable Windows Firewall, which prevents DCOM instantiation by default. |
| | .006 | Remote Services: Windows Remote Management | If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on the use of host firewalls to restrict WinRM access, allowing communication only to/from specific devices.[4] |
| Enterprise | T1563 | Remote Service Session Hijacking | Enable firewall rules to block unnecessary traffic between network security zones within a network. |
| | .002 | RDP Hijacking | Enable firewall rules to block RDP traffic between network security zones within a network. |
| Enterprise | T1210 | Exploitation of Remote Services | Segment networks and systems appropriately so that access to critical systems and services is limited to controlled methods. |
| Enterprise | T1610 | Deploy Container | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| Enterprise | T1095 | Non-Application Layer Protocol | Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and to route it through proper network gateway systems. Also ensure hosts are provisioned to communicate only over authorized interfaces. |
| Enterprise | T1571 | Non-Standard Port | Properly configure firewalls and proxies to limit outgoing traffic to only the ports necessary for that particular network segment. |