Application Isolation and Sandboxing
Techniques Addressed by Mitigation

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1189 | Drive-by Compromise | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape) Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Enterprise | T1611 | Escape to Host | Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system. (Citation: Kubernetes Hardening Guide)
Enterprise | T1190 | Exploit Public-Facing Application | Application isolation will limit what other processes and system features the exploited target can access.
Enterprise | T1203 | Exploitation for Client Execution | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape) Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Enterprise | T1212 | Exploitation for Credential Access | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Enterprise | T1211 | Exploitation for Defense Evasion | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Enterprise | T1068 | Exploitation for Privilege Escalation | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Enterprise | T1210 | Exploitation of Remote Services | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Enterprise | T1559 | Inter-Process Communication | Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Ensure Protected View is enabled. (Citation: Microsoft Protected View)
Enterprise | T1027.006 | Obfuscated Files or Information: HTML Smuggling | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.
Enterprise | T1021.003 | Remote Services: Distributed Component Object Model | Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)
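The following is an added example, not part of the ATT&CK page or the cited Kubernetes Hardening Guide, of the controls named in the T1611 row: a namespace that enforces the `restricted` Pod Security Standard through Pod Security Admission labels, and a pod spec that passes it (no host PID/IPC/network namespaces, no hostPath volume, runtime default seccomp profile). The namespace, pod and image names are constructed placeholders.

```yaml
# Namespace-level Pod Security Admission: the "restricted" standard rejects pods
# that request hostPID/hostIPC/hostNetwork, hostPath volumes, privileged mode,
# added capabilities, or an Unconfined seccomp profile.
apiVersion: v1
kind: Namespace
metadata:
  name: payments            # constructed example name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted   # also warn on kubectl apply
    pod-security.kubernetes.io/audit: restricted  # and record in the audit log
---
# A pod that satisfies the restricted standard. Each commented field is one that
# the admission controller would otherwise reject in this namespace.
apiVersion: v1
kind: Pod
metadata:
  name: api                 # constructed example name
  namespace: payments
spec:
  hostPID: false            # no visibility into the host process namespace
  hostIPC: false            # no shared host IPC namespace
  hostNetwork: false        # no access to the host network stack
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault  # runtime's default filter; Docker/containerd's denies mount
  containers:
    - name: api
      image: registry.example.com/payments/api:1.0   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        capabilities:
          drop: ["ALL"]     # CAP_SYS_ADMIN in particular is never granted
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}          # a hostPath volume here would be rejected
```

`kubectl apply --dry-run=server -f` against the namespace is a cheap way to check an existing manifest before enforcement, since the admission controller evaluates it without creating the pod.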
References
- National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
- Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.
- Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
- Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.