-
Notifications
You must be signed in to change notification settings - Fork 0
/
AmazonVirtualPrivateCloud.yaml
400 lines (400 loc) · 19.1 KB
/
AmazonVirtualPrivateCloud.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
version: 1
ATT&CK version: 9
creation date: 06/26/2021
name: Amazon Virtual Private Cloud
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: AWS
tags:
- Network
description: >-
Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a
logically isolated virtual network that you define. Amazon VPC provides advanced security
features that allow you to perform inbound and outbound filtering at the instance and subnet
level. Amazon VPC also has monitoring features that let you perform functions like out-of-band
monitoring and inline traffic inspection, which help you screen and secure traffic.
techniques:
- id: T1590
name: Gather Victim Network Information
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network
information via (active) scanning methods but is not effective against other methods of gathering victim network
information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score
and an overall Partial score.
sub-techniques-scores:
- sub-techniques:
- id: T1590.001
name: Domain Properties
- id: T1590.004
name: Network Topology
- id: T1590.005
name: IP Addresses
- id: T1590.006
name: Network Security Appliances
scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network
information via (active) scanning methods but is not effective against other methods of gathering victim
network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage
score and an overall Partial score.
- id: T1595
name: Active Scanning
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic
that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability
Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide
protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage
resulting in an overall Partial score.
sub-techniques-scores:
- sub-techniques:
- id: T1595.001
name: Scanning IP Blocks
- id: T1595.002
name: Vulnerability Scanning
scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic
that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability
Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide
protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage
resulting in an overall Partial score.
- id: T1133
name: External Remote Services
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can limit access to external remote services
to the minimum necessary.
- id: T1205
name: Traffic Signaling
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can provide significant protection for some variations
of this technique, for example Port Knocking. Other variations of this technique such as using traffic signaling
to execute a malicious task is not easily mitigated by security groups or NACLs. Consequently, its coverage score
is Partial resulting in an overall Partial score.
sub-techniques-scores:
- sub-techniques:
- id: T1205.001
name: Port Knocking
scores:
- category: Protect
value: Significant
comments: >-
VPC security groups and network access control lists (NACLs) can protect against this sub-technique by
enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize
port knocking to open additional ports at the host level, it is still blocked at the security group or NACL
level.
- id: T1046
name: Network Service Scanning
technique-scores:
- category: Protect
value: Significant
comments: >-
VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic
and therefore, can mitigate unauthorized network service scanning.
- id: T1018
name: Remote System Discovery
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can filter network traffic and therefore can be
effective for mitigating network based remote system discovery. Other remote system discovery methods such
as discovering hosts from local host files are not mitigated resulting in Partial coverage score and an overall
score of Partial.
- id: T1008
name: Fallback Channels
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the
minimum required and can therefore mitigate an adversary utilizing a fallback or alternative communication
channels. In environments where unrestricted Internet access is required, security groups and NACLs can still be
used to block known malicious endpoints. Because in such environments the protection is limited to known
malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and
IP addresses, this is scored as partial coverage resulting in an overall Partial score.
- id: T1095
name: Non-Application Layer Protocol
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the
minimum required and can therefore mitigate adversary attempts to utilize non-application layer protocols for
communication. In environments where unrestricted Internet access is required, security groups and NACLs can still
be used to block known malicious endpoints. Because in such environments the protection is limited to known
malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and
IP addresses, this is scored as partial coverage resulting in an overall Partial score.
- id: T1571
name: Non-Standard Port
technique-scores:
- category: Protect
value: Significant
comments: >-
VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and
therefore, protect against adversaries attempting to use non-standard ports for C2 traffic.
- id: T1219
name: Remote Access Software
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to limit outgoing traffic to only sites
and services used by authorized remote access tools. This is scored as partial because it doesn't protect against
an adversary using an authorized remote access tool for malicious activity.
- id: T1048
name: Exfiltration Over Alternative Protocol
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore
provide mitigation of this technique. For environments where Internet access is required, these controls can be
used to block known malicious addresses. Because this latter protection is limited to known malicious
endpoints, it provides Partial coverage resulting in an overall Partial score.
sub-techniques-scores:
- sub-techniques:
- id: T1048.001
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
- id: T1048.002
name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- id: T1048.003
name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and
therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the
existing command and control channel. In environments where unrestricted Internet access is required, security
groups and NACLs can still be used to block known malicious endpoints. Because in such environments the
protection is limited to known malicious IP addresses and domains and does not provide protection from such
attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall
Partial score.
- id: T1040
name: Network Sniffing
technique-scores:
- category: Protect
value: Significant
comments: >-
The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over
untrusted networks which can prevent information from being gathered via network sniffing.
- id: T1557
name: Man-in-the-Middle
technique-scores:
- category: Protect
value: Significant
comments: >-
The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over
untrusted networks which can mitigate Man-in-the-Middle attacks that manipulate network protocol data in transit.
VPC Peering can also be utilized to route traffic privately between two VPCs which can reduce the Man-in-the-Middle
attack surface. VPC Endpoints can also similarly reduce the attack surface of Man-in-the-Middle attacks by ensuring
network traffic between a VPC and supported AWS services are not exposed to the Internet.
sub-techniques-scores:
- sub-techniques:
- id: T1557.002
name: ARP Cache Poisoning
- id: T1557.001
name: LLMNR/NBT-NS Poisoning and SMB Relay
scores:
- category: Protect
value: Significant
- id: T1565
name: Data Manipulation
technique-scores:
- category: Protect
value: Partial
comments: >-
The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over
untrusted networks which can provide protection against one sub-technique (Transmitted Data Manipulation) of this
technique while not providing protection for its remaining sub-techniques resulting in overall score of Partial.
sub-techniques-scores:
- sub-techniques:
- id: T1565.002
name: Transmitted Data Manipulation
scores:
- category: Protect
value: Significant
- id: T1199
name: Trusted Relationship
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide
access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance.
Coverage partial, Temporal Immediate.
- id: T1602
name: Data from Configuration Repository
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can limit attackers' access to configuration
repositories such as SNMP management stations, or to dumps of client configurations from common management ports.
sub-techniques-scores:
- sub-techniques:
- id: T1602.002
name: Network Device Configuration Dump
- id: T1602.001
name: SNMP (MIB Dump)
scores:
- category: Protect
value: Partial
comments: Can limit access to client management interfaces or configuration databases.
- id: T1542
name: Pre-OS Boot
technique-scores:
- category: Protect
value: Minimal
comments: >-
VPC security groups and network access control lists (NACLs) can provide partial protection coverage of Pre-OS Boot
mechanisms that utilize TFTP boot resulting in an overall score of Minimal.
sub-techniques-scores:
- sub-techniques:
- id: T1542.005
name: TFTP Boot
scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting
(and therefore booting) from only trusted network resources.
- id: T1210
name: Exploitation of Remote Services
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict access to remote
services to the minimum necessary.
- id: T1021
name: Remote Services
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can provide partial protection for all of its
sub-techniques and procedure examples resulting in an overall score of Partial.
sub-techniques-scores:
- sub-techniques:
- id: T1021.006
name: Windows Remote Management
- id: T1021.005
name: VNC
- id: T1021.004
name: SSH
- id: T1021.003
name: Distributed Component Object Model
- id: T1021.002
name: SMB/Windows Admin Shares
- id: T1021.001
name: Remote Desktop Protocol
scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote
services to trusted networks. This mitigates even an adversary with a valid account from accessing resources.
This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a
protected network. This results in an overall partial (coverage) score.
- id: T1072
name: Software Deployment Tools
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to limit access to critical network
systems such as software deployment tools.
- id: T1482
name: Domain Trust Discovery
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to
limit discovery.
- id: T1498
name: Network Denial of Service
technique-scores:
- category: Protect
value: Minimal
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but
will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
- id: T1499
name: Endpoint Denial of Service
technique-scores:
- category: Protect
value: Minimal
comments: >-
VPC security groups and network access control lists (NACLs) provides minimal protection for a majority of this
control's sub-techniques and procedure examples resulting in an overall score of Minimal.
sub-techniques-scores:
- sub-techniques:
- id: T1499.003
name: Application Exhaustion Flood
- id: T1499.002
name: Service Exhaustion Flood
- id: T1499.001
name: OS Exhaustion Flood
scores:
- category: Protect
value: Minimal
comments: >-
VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but
will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.
- id: T1570
name: Lateral Tool Transfer
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can be used to limit traffic between systems and
enclaves to minimum necessary for example via a zero-trust strategy.
- id: T1090
name: Proxy
technique-scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can restrict ports and inter-system / inter-enclave
connections as described by the Proxy related sub-techniques although it doesn't provide protection for
domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting
in an overall Partial score.
sub-techniques-scores:
- sub-techniques:
- id: T1090.003
name: Multi-hop Proxy
- id: T1090.002
name: External Proxy
- id: T1090.001
name: Internal Proxy
scores:
- category: Protect
value: Partial
comments: >-
VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves,
and workloads thereby mitigating these proxy related sub-techniques.
comments: >-
The mappings contained in this file were based on Amazon's "Security in Amazon Virtual Private Cloud" documentation listed
in the references section.
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs),
VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).
references:
- 'https://docs.aws.amazon.com/vpc/latest/userguide/security.html'