This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 60
/
Firewalls.yaml
158 lines (158 loc) 路 14.4 KB
/
Firewalls.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
version: 1
ATT&CK version: 10
creation date: 02/07/2022
name: Firewalls
contact: ctid@mitre-engenuity.org
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
- Firewall
- Logging
- Network
description: >-
Google Cloud VPC Firewalls can allow or deny traffic based on the traffic's protocol, destination
ports, sources, and destinations and. VPC firewalls are stateful and exist not only between your
instances and other networks, but also between individual instances within the same network.
Connections are allowed or denied on a per-instance basis. Firewall activity can be captured via
Firewall rules logging and analyzed with Firewall Insights.
techniques:
- id: T1008
name: Fallback Channels
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified."
- id: T1018
name: Remote System Discovery
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall."
- id: T1021
name: Remote Services
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."
- id: T1041
name: Exfiltration Over C2 Channel
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance."
- id: T1046
name: Network Service Scanning
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall."
- id: T1048
name: Exfiltration Over Alternative Protocol
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols."
- id: T1071
name: Application Layer Protocol
technique-scores:
- category: Protect
value: Significant
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. Given this supports all sub-techniques, the mapping is given a score of Significant."
- id: T1090
name: Proxy
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques (2 of 4) and because it only blocks known bad IP addresses and domains and does not protect against unknown ones."
- id: T1095
name: Non-Application Layer Protocol
technique-scores:
- category: Protect
value: Significant
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant."
- id: T1104
name: Multi-Stage Channels
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified."
- id: T1133
name: External Remote Services
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack)."
- id: T1187
name: Forced Authentication
technique-scores:
- category: Protect
value: Significant
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block SMB and WebDAV traffic from exiting the network which can protect against adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because Google Cloud Firewalls can block this traffic or restrict where it can go to."
- id: T1205
name: Traffic Signaling
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the Google Cloud Firewalls does not do anything to protect against traffic signaling among hosts within the network and behind the firewall."
- id: T1219
name: Remote Access Software
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow remote access software from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote access software traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote access software as part of an attack."
- id: T1498
name: Network Denial of Service
technique-scores:
- category: Protect
value: Minimal
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While Google Cloud Firewalls support both sub-techniques (2 of 2), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level."
- id: T1499
name: Endpoint Denial of Service
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, Google Cloud Firewalls could block the source of the denial-of-service attack. This mapping is given a score of Partial because it only supports a subset of the sub-techniques (3 of 4) and because the source of the attack would have to be known before rules could be put in place to protect against it."
- id: T1530
name: Data from Cloud Storage Object
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where Google Cloud Firewalls protect, the mapping is only given a score of Partial."
- id: T1542
name: Pre-OS Boot
technique-scores:
- category: Protect
value: Minimal
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Minimal because Google Cloud Firewalls only support a subset of sub-techniques (1 of 5) and don't do anything to protect against TFTP booting among hosts within the network and behind the firewall."
- id: T1571
name: Non-Standard Port
technique-scores:
- category: Protect
value: Significant
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. As a result, this mapping is given a score of Significant."
- id: T1572
name: Protocol Tunneling
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and domains which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones."
- id: T1590
name: Gather Victim Network Information
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. While this mapping supports most of the sub-techniques (4 of 6), it is only given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall, and it does not protect against phishing."
- id: T1595
name: Active Scanning
technique-scores:
- category: Protect
value: Partial
comments: "Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. While this mapping supports both sub-techniques (2 of 2), this mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall."
comments: >-
Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies,
Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and
Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the
data in these sections should correspond to the "Firewalls" control, or the parent control under
which its documented.
references:
- 'https://cloud.google.com/firewalls'