Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Контрмера Application Isolation and Sandboxing
Риски
Каталоги
MITRE ATT&CK
Контрмеры
Application Isolation and Sand...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Application Isolation and Sandboxing

Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact. This mitigation can be implemented through the following measures: Browser Sandboxing: - Use Case: Implement browser sandboxing to isolate untrusted web content, preventing malicious web pages or scripts from accessing sensitive system files. - Implementation: Use tools like Google Chrome's built-in sandbox or deploy solutions like Bromium to secure user web interactions. Application Virtualization: - Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system. - Implementation: Use application virtualization platforms to run applications in isolated environments. Email Attachment Sandboxing: - Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users. - Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments. Endpoint Sandboxing: - Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity. - Implementation: Use endpoint protection tools for sandboxing at the endpoint level.
ID: M1048
Version: 1.2
Created: 11 Jun 2019
Last Modified: 10 Dec 2024

Techniques Addressed by Mitigation
Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.(Citation: Windows Blogs Microsoft Edge Sandbox)(Citation: Ars Technica Pwn2Own 2017 VM Escape) Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.(Citation: Ars Technica Pwn2Own 2017 VM Escape)

Enterprise T1068 Exploitation for Privilege Escalation

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Enterprise T1210 Exploitation of Remote Services

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Enterprise T1203 Exploitation for Client Execution

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape) Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Enterprise T1212 Exploitation for Credential Access

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.(Citation: Ars Technica Pwn2Own 2017 VM Escape)

Enterprise T1211 Exploitation for Defense Evasion

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Enterprise T1611 Escape to Host

Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.(Citation: Kubernetes Hardening Guide)

Enterprise T1559 Inter-Process Communication

Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)

T1559.001 Component Object Model

Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)

T1559.002 Dynamic Data Exchange

Ensure Protected View is enabled.(Citation: Microsoft Protected View)

Enterprise T1190 Exploit Public-Facing Application

Application isolation will limit what other processes and system features the exploited target can access.

Enterprise T1021 T1021.003 Remote Services: Distributed Component Object Model

Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)
Enterprise T1027 T1027.006 Obfuscated Files or Information: HTML Smuggling

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

T1027.017 SVG Smuggling

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

References

  1. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  2. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  3. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  4. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  5. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  6. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  7. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
  8. Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.
  9. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  10. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  11. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  12. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  13. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  14. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  15. Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.
  16. Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.