Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
ID: M1054
Version: 1.1
Created: 19 Jul 2019
Last Modified: 31 Mar 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1555 T1555.005 Credentials from Password Stores: Password Managers

Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.

Enterprise T1602 Data from Configuration Repository

Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)

T1602.001 SNMP (MIB Dump)

Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)

T1602.002 Network Device Configuration Dump

Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.(Citation: Cisco Securing SNMP)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

Enterprise T1546 T1546.013 Event Triggered Execution: PowerShell Profile

Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.

Enterprise T1606 Forge Web Credentials

Configure browsers/applications to regularly delete persistent web credentials (such as cookies).

T1606.001 Web Cookies

Configure browsers/applications to regularly delete persistent web cookies.

Enterprise T1562 T1562.006 Impair Defenses: Indicator Blocking

Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

T1562.009 Safe Mode Boot

Ensure that endpoint defenses run in safe mode.(Citation: CyberArk Labs Safe Mode 2016)

Enterprise T1559 Inter-Process Communication

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)

T1559.002 Dynamic Data Exchange

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)

Enterprise T1137 Office Application Startup

For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)

T1137.002 Office Test

Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.(Citation: Palo Alto Office Test Sofacy)

Enterprise T1566 Phishing

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1566.001 Spearphishing Attachment

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1566.002 Spearphishing Link

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing). Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.

Enterprise T1598 Phishing for Information

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1598.002 Spearphishing Attachment

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1598.003 Spearphishing Link

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. Browser password managers may also be configured to only populate credential fields when the URL matches that of the original, legitimate site.

Enterprise T1539 Steal Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies.

Enterprise T1553 Subvert Trust Controls

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

T1553.004 Install Root Certificate

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

Enterprise T1535 Unused/Unsupported Cloud Regions

Cloud service providers may allow customers to deactivate unused regions.(Citation: CloudSploit - Unused AWS Regions)

Enterprise T1550 T1550.004 Use Alternate Authentication Material: Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.