Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.

ID: M0931
Security Controls: IEC 62443-3-3:2013 - SR 6.2, IEC 62443-4-2:2019 - CR 6.2, NIST SP 800-53 Rev. 5 - SI-4
Version: 1.0
Created: 10 June 2019
Last Modified: 19 September 2023

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0830 Adversary-in-the-Middle

Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.

ICS T0885 Commonly Used Port

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [1]

ICS T0884 Connection Proxy

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [1]

ICS T0867 Lateral Tool Transfer

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [1]

ICS T0865 Spearphishing Attachment

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

ICS T0869 Standard Application Layer Protocol

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

ICS T0863 User Execution

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

References