Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

ID: M1021
Version: 1.0

Techniques Addressed by Mitigation

Domain | ID | Name | Description
Enterprise | T1223 | Compiled HTML File | Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.
Enterprise | T1483 | Domain Generation Algorithms | In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.
Enterprise | T1189 | Drive-by Compromise | For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.
Enterprise | T1193 | Spearphishing Attachment | As a best practice, block by default unknown or unused attachment types that should not be transmitted over email, such as .scr, .exe, .pif, .cpl, etc., to prevent some vectors. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments in Obfuscated Files or Information.
Enterprise | T1192 | Spearphishing Link | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
Enterprise | T1194 | Spearphishing via Service | Determine if certain social media sites, personal webmail services, or other services that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
Enterprise | T1204 | User Execution | When a user visits a link, block by default unknown or unused file types in transit that should not be downloaded, and block downloads from suspicious sites by policy, as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files in Obfuscated Files or Information.
Enterprise | T1102 | Web Service | Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.
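A download/attachment policy check along the lines of the T1193 and T1204 rows, written here as an added example (not ATT&CK's or any vendor's code): it blocks the file types the table names by default, opens zip containers to find concealed members, and flags members it cannot inspect because they are encrypted. The function names (check_download, blocked_members, make_zip) and the sample archives are assumptions of this example.

```python
import io
import zipfile
from typing import List

# Denylist from the mitigation text (.scr, .exe, .pif, .cpl) plus .chm from
# the T1223 row; extend it for your own environment.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl", ".chm"}

def _ext(name: str) -> str:
    """Lower-cased final extension of a path inside or outside an archive."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""

def blocked_members(data: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Reasons to block a zip: blocked types inside, encrypted members that
    cannot be inspected, and nested zips (recursed up to max_depth)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    reasons = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
            reasons.append(f"encrypted member cannot be inspected: {info.filename}")
            continue
        ext = _ext(info.filename)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked type inside archive: {info.filename}")
        elif ext == ".zip" and depth < max_depth:
            reasons += blocked_members(zf.read(info), depth + 1, max_depth)
        elif ext == ".zip":
            reasons.append(f"archive nested too deep to inspect: {info.filename}")
    return reasons

def check_download(filename: str, data: bytes) -> List[str]:
    """Empty list means allow; otherwise the policy reasons for blocking."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return [f"blocked type: {filename}"]
    return blocked_members(data) if ext == ".zip" else []

def make_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip (sample input for the demo/test)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

An encrypted member is reported rather than silently allowed, since the standard library cannot open it without the password; a scanning device that can (as the table notes) would inspect it instead.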