Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Контрмера Software Configuration
Риски
Каталоги
MITRE ATT&CK
Контрмеры
Software Configuration
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures: Conduct a Security Review of Application Settings: - Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements. Implement Access Controls and Permissions: - Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software. Enable Logging and Monitoring: - Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM. Update and Patch Software Regularly: - Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process. Disable Unnecessary Features or Services: - Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs. Test Configuration Changes: - Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies. *Tools for Implementation* Configuration Management Tools: - Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance. Security Benchmarking Tools: - CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues. Vulnerability Management Solutions: - Nessus: Identifies misconfigurations and suggests corrective actions. Logging and Monitoring Tools: - Splunk: Aggregates and analyzes application logs to detect suspicious activity.
ID: M1054
Version: 1.3
Created: 19 Jul 2019
Last Modified: 24 Dec 2024

Techniques Addressed by Mitigation
Domain ID Name Use
Enterprise T1672 Email Spoofing

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

Enterprise T1598 Phishing for Information

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1598.002 Spearphishing Attachment

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1598.003 Spearphishing Link

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. Browser password managers may also be configured to only populate credential fields when the URL matches that of the original, legitimate site.

Enterprise T1566 Phishing

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1566.001 Spearphishing Attachment

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

T1566.002 Spearphishing Link

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing). Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.

Enterprise T1667 Email Bombing

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Note that additional filtering may be necessary if emails are coming from legitimate sources.

Enterprise T1666 Modify Cloud Resource Hierarchy

In Azure environments, consider setting a policy to block subscription transfers.(Citation: Azure Subscription Policies) In AWS environments, consider using Service Control Policies to prevent the use of the `LeaveOrganization` API call.(Citation: AWS RE:Inforce Threat Detection 2024)

Enterprise T1562 Impair Defenses

Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.(Citation: Chromium HSTS)

T1562.006 Indicator Blocking

Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

T1562.009 Safe Mode Boot

Ensure that endpoint defenses run in safe mode.(Citation: CyberArk Labs Safe Mode 2016)

T1562.010 Downgrade Attack

Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.(Citation: Chromium HSTS)

Enterprise T1602 Data from Configuration Repository

Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)

T1602.001 SNMP (MIB Dump)

Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)

T1602.002 Network Device Configuration Dump

Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.(Citation: Cisco Securing SNMP)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

Enterprise T1535 Unused/Unsupported Cloud Regions

Cloud service providers may allow customers to deactivate unused regions.(Citation: CloudSploit - Unused AWS Regions)

Enterprise T1559 Inter-Process Communication

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)

T1559.002 Dynamic Data Exchange

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)

Enterprise T1537 Transfer Data to Cloud Account

Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.(Citation: Google Workspace External Sharing) (Citation: Microsoft 365 External Sharing)

Enterprise T1137 Office Application Startup

For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)

T1137.002 Office Test

Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.(Citation: Palo Alto Office Test Sofacy)

Enterprise T1539 Steal Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies. Additionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts – providing defenders with additional chances at detection.(Citation: Token tactics) For example, use non-persistent cookies to limit the duration a session ID will remain on the web client cache where an attacker could obtain it.(Citation: Session Management Cheat Sheet)

Enterprise T1553 Subvert Trust Controls

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

T1553.004 Install Root Certificate

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

Enterprise T1213 Data from Information Repositories

Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.

T1213.004 Customer Relationship Management Software

Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.

Enterprise T1543 Create or Modify System Process

Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.

T1543.005 Container Service

Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.

Enterprise T1606 Forge Web Credentials

Configure browsers/applications to regularly delete persistent web credentials (such as cookies).

T1606.001 Web Cookies

Configure browsers/applications to regularly delete persistent web cookies.

Enterprise T1590 T1590.002 Gather Victim Network Information: DNS

Consider implementing policies for DNS servers, such as Zone Transfer Policies, that enforce a list of validated servers permitted for zone transfers.(Citation: DNS-msft)
Enterprise T1550 T1550.004 Use Alternate Authentication Material: Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies.
Enterprise T1546 T1546.013 Event Triggered Execution: PowerShell Profile

Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.
Enterprise T1555 T1555.005 Credentials from Password Stores: Password Managers

Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.

References

  1. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  2. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  3. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  4. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  5. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  6. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  7. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  8. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  9. Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.
  10. Microsoft Azure. (2024, March 21). Manage Azure subscription policies. Retrieved September 25, 2024.
  11. Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023.
  12. Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023.
  13. Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.
  14. Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.
  15. Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.
  16. CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
  17. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
  18. Microsoft. (2022). DNS Policies Overview. Retrieved June 6, 2024.
  19. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  20. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  21. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  22. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  23. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  24. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  25. Google. (n.d.). Manage external sharing for your organization. Retrieved March 4, 2024.
  26. Microsoft. (2023, October 11). Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Retrieved March 4, 2024.
  27. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  28. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  29. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  30. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  31. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  32. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  33. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  34. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  35. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  36. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  37. OWASP CheatSheets Series Team. (n.d.). Session Management Cheat Sheet. Retrieved December 26, 2023.
  38. Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.
  39. US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  40. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
  41. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
  42. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.