Firewall

The deactivation, misconfiguration, or complete stoppage of firewall services, either on a host or in a cloud control plane. Such activity may involve turning off firewalls, modifying rules to disable protection, or deleting firewall-related configurations and activity logs. Examples:

• Disabling Host-Based Firewalls: Stopping the Windows Defender Firewall service or using iptables -F to flush all rules on a Linux system.
• Cloud Firewall Modification or Deactivation: Modifying or deleting security group rules in AWS or disabling a network firewall in Azure.
• Activity Log Deletion: Writing or deleting entries in Azure Firewall Activity Logs to hide unauthorized firewall changes.
• Temporary Disable for Malicious Operations: Temporarily disabling a firewall to allow malicious files or traffic, then re-enabling it to avoid detection.
• Using Command-Line Tools to Stop Firewalls: Running commands like Set-NetFirewallProfile -Enabled False on Windows or systemctl stop ufw on Linux.

This data component can be collected through the following measures:

Cloud Control Plane

• Azure Activity Logs:
  • Enable logging of administrative actions, such as stopping or modifying Azure Firewall configurations.
  • Use Azure Monitor to track specific firewall-related actions, including disabling or rule deletion.
• AWS CloudTrail Logs:
  • Monitor RevokeSecurityGroupIngress or RevokeSecurityGroupEgress events to detect rule changes in AWS Security Groups.
• Google Cloud Platform Logs:
  • Collect logs from the Firewall Rules resource in Google Cloud Operations Suite to detect rule deletions or modifications.

Host-Level Firewalls

• Windows Firewall Event Logs:
  • Enable logging of firewall state changes:
    • Security Event ID 2004: Firewall service stopped.
    • Security Event ID 2005: Firewall service started.
  • Use Sysmon for process creation events tied to firewall commands or scripts (Sysmon Event ID 1).
• Linux Firewall Logs: Use auditd to track commands like iptables, firewalld, or ufw: auditctl -a always,exit -F arch=b64 -S execve -k firewall_disable
• macOS Firewall: Monitor changes to the macOS Application Firewall using the log show command.

Network-Level Monitoring

• IDS/IPS Alerts: Deploy IDS/IPS systems to monitor abnormal traffic flows that could indicate firewall disablement.
• NetFlow Data: Analyze NetFlow or packet capture data for traffic patterns inconsistent with firewall enforcement.

SIEM and CSPM Tools

• SIEM Integration: Use tools like Splunk or QRadar to centralize and analyze firewall disablement events from both hosts and cloud platforms.
• Cloud Security Posture Management (CSPM): Use CSPM solutions to monitor misconfigurations and track deactivation of critical cloud services like firewalls.

Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples:

• Querying Host-Based Firewalls: Using Windows PowerShell commands like Get-NetFirewallRule or Linux commands such as iptables -L or firewalld --list-all.
• Cloud Firewall Rule Listing: Running commands like az network firewall list for Azure or aws ec2 describe-security-groups for AWS.
• Using Management APIs: Leveraging APIs like Google Cloud Firewall's list API method or AWS's DescribeSecurityGroups API.Identifying Misconfigurations: Extracting firewall rules to identify "allow all" policies or rules that lack logging.
• Enumerating with CLI Tools: Using CLI commands like gcloud compute firewall-rules list to extract firewall settings in Google Cloud.

This data component can be collected through the following measures:

Cloud Control Plane

• Azure Activity Logs:Collect logs from Azure Firewall to monitor rule listing commands. Enable logging for az network firewall commands.
• AWS CloudTrail: Monitor calls to DescribeSecurityGroups or DescribeNetworkAcls APIs.Google Cloud Operations Suite: Collect logs for gcloud compute firewall-rules list or API calls to firewalls.list.

Host-Based Firewalls

• Windows Event Logs: Use PowerShell transcription logs to capture commands like Get-NetFirewallRule.
• Linux Auditd: Track executions of commands like iptables -L or ufw status using auditd: auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum
• macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools.

SIEM Integration

• Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity.

Endpoint Detection and Response (EDR)

• Use EDR tools to track enumeration commands or API calls performed on managed devices.

CSPM Tools

• Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations.

Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples:

• Firewall Name and Configuration: The name, type, and purpose of a firewall such as "Azure Firewall - Production Environment."
• Policy Details: Capturing firewall policy details, such as "Allow inbound TCP 443 to web servers."
• Firewall Status: Status indicators like "Active," "Disabled," or "Pending Updates."
• Audit Log Metadata: Log entries showing administrative changes, such as "Policy modified by admin@domain.com."
• Rules Associated with Firewalls: Rules specifying source/destination IP ranges, protocols, and ports.
• Tagging Information: Tags like "Environment: Production" or "Owner: NetworkOps."

This data component can be collected through the following measures:

Cloud Control Plane

• Azure: Use Azure Activity Logs and Network Watcher to collect metadata for Azure Firewall.
  • Example: az network firewall show --name <firewall-name>
• AWS: Use AWS CloudTrail and describe commands: aws ec2 describe-security-groups
• Google Cloud: Use gcloud commands to extract metadata: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

• Windows: Use PowerShell to gather metadata: Get-NetFirewallRule -PolicyStore PersistentStore
• Linux: Query iptables or nftables rulesets: iptables -S
• macOS: Use pfctl to extract metadata: sudo pfctl -sr

SIEM Integration

• Collect logs from cloud platforms, host systems, and network appliances.

API Monitoring

• Monitor API calls for metadata requests. Example (AWS): Capture DescribeSecurityGroups or DescribeNetworkAcls calls via CloudTrail.

Endpoint Detection and Response (EDR)

• Use EDR solutions to monitor firewall management tools for configuration changes or queries.

The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples:

• Rule Creation: Adding a new rule to allow inbound traffic on port 3389 (RDP).
• Rule Deletion: Deleting a rule that blocks inbound traffic from untrusted IP ranges.
• Rule Modification: Changing a rule to allow traffic from "any" source IP instead of a specific trusted range.
• Audit Log Metadata: Logs indicating "Firewall rule modified by admin@domain.com."
• Platform-Specific Scenarios
  • Azure: Altering rules in an Azure Network Security Group (NSG).
  • AWS: Modifying Security Group rules to allow traffic.
  • Windows: Changes tracked in Security Event Logs (EID 4950 or 4951).

This data component can be collected through the following measures:

Cloud Control Plane

• Azure: Collect rule modification logs from Azure Firewall Activity Logs.
  • Example Command: az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>
• AWS: Use CloudTrail to track AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress actions. Example: aws ec2 describe-security-groups
• Google Cloud: Use gcloud commands to extract firewall rules: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

• Windows:
  • Collect events from the Windows Security Event Log (EID 4950: A rule has been modified).
  • Use PowerShell to track rule changes: Get-NetFirewallRule -PolicyStore PersistentStore
• Linux:
  • Monitor iptables or nftables rule modifications: iptables -L -v
  • Use auditd for real-time monitoring: auditctl -w /etc/iptables.rules -p wa
• macOS: Use pfctl to monitor rule changes: sudo pfctl -sr

SIEM Integration

• Collect logs from cloud platforms, host systems, and network appliances for centralized monitoring.

API Monitoring

• Monitor API calls for firewall rule modifications.