
Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

ID: M1030
Version: 1.0
Created: 10 June 2019
Last Modified: 10 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1098 Account Manipulation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Enterprise T1017 Application Deployment Software

Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication.

Enterprise T1043 Commonly Used Port

Configure internal and external firewalls to block traffic on common ports associated with network protocols that are unnecessary for that particular network segment.

Enterprise T1175 Component Object Model and Distributed COM

Enable Windows Firewall; its default inbound deny blocks the unsolicited RPC/DCOM connections needed to instantiate DCOM objects from a remote host.

Enterprise T1136 Create Account

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.

Enterprise T1094 Custom Command and Control Protocol

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Enterprise T1482 Domain Trust Discovery

Employ network segmentation for sensitive domains.[1]

Enterprise T1048 Exfiltration Over Alternative Protocol

Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network.[3]

Enterprise T1190 Exploit Public-Facing Application

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Enterprise T1210 Exploitation of Remote Services

Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods.

Enterprise T1133 External Remote Services

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Enterprise T1046 Network Service Scanning

Ensure proper network segmentation is followed to protect critical servers and devices.

Enterprise T1145 Private Keys

Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement.

Enterprise T1076 Remote Desktop Protocol

Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network.

Enterprise T1494 Runtime Data Manipulation

Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.

Enterprise T1489 Service Stop

Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

Enterprise T1051 Shared Webroot

Networks that allow open development and testing of web content, or that let users set up their own web servers on the enterprise network, may be particularly vulnerable if those systems and web servers are not properly secured: limit unauthenticated access to network shares and isolate such systems from the rest of the network.

Enterprise T1095 Standard Non-Application Layer Protocol

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Enterprise T1072 Third-party Software

Ensure proper system isolation for critical network systems through use of firewalls.

Enterprise T1199 Trusted Relationship

Network segmentation can be used to isolate infrastructure components that do not require broad network access.

Enterprise T1065 Uncommonly Used Port

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.
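The egress guidance under T1043, T1094, T1095, T1048 and T1065 above all comes down to the same host-level policy: outbound default-deny, explicit allows only for the ports a segment needs and only towards the gateway systems that should serve them, bound to the authorized interface. The following is an added example written for this page, not code from MITRE or from the ATT&CK knowledge base; it uses the Windows Defender Firewall NetSecurity cmdlets, and the proxy address and port (10.20.0.5:3128), resolver and domain controller addresses, and the interface alias `Ethernet` are assumptions chosen for illustration.

```powershell
# Added example: host-level egress policy for one network segment, built with
# the Windows Defender Firewall NetSecurity cmdlets. The proxy, resolver,
# domain-controller and interface names below are assumptions, not values
# from the ATT&CK page. Run elevated; try it in a lab first, because an
# outbound default-deny cuts off anything not listed here.

$Proxy        = '10.20.0.5'                   # web proxy / egress gateway for this segment
$ProxyPort    = 3128
$Resolvers    = @('10.20.0.53', '10.20.1.53') # internal DNS only; no direct DNS to the internet
$DomainCtrls  = '10.20.0.0/24'                # AD services the segment legitimately needs
$AuthorizedIf = 'Ethernet'                    # the only interface allowed to carry egress
$PolicyGroup  = 'Segment egress policy'

# 1. Outbound default-deny on every profile (inbound default-deny is the norm already).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultOutboundAction Block

# 2. Remove earlier rules from this policy group so the script can be re-run cleanly.
Get-NetFirewallRule -Group $PolicyGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Common settings for every allow rule: outbound, domain profile, authorized interface only.
$allow = @{
    Group          = $PolicyGroup
    Direction      = 'Outbound'
    Action         = 'Allow'
    InterfaceAlias = $AuthorizedIf
    Profile        = 'Domain'
}

# 3. Only the ports this segment needs, and only to the systems that should serve them.
New-NetFirewallRule @allow -DisplayName 'Egress: DNS (UDP) to internal resolvers' `
    -Protocol UDP -RemotePort 53 -RemoteAddress $Resolvers
New-NetFirewallRule @allow -DisplayName 'Egress: DNS (TCP) to internal resolvers' `
    -Protocol TCP -RemotePort 53 -RemoteAddress $Resolvers
New-NetFirewallRule @allow -DisplayName 'Egress: web only via proxy' `
    -Protocol TCP -RemotePort $ProxyPort -RemoteAddress $Proxy
New-NetFirewallRule @allow -DisplayName 'Egress: Kerberos/LDAP/SMB/LDAPS to DCs' `
    -Protocol TCP -RemotePort 88,389,445,636 -RemoteAddress $DomainCtrls
New-NetFirewallRule @allow -DisplayName 'Egress: NTP to DCs' `
    -Protocol UDP -RemotePort 123 -RemoteAddress $DomainCtrls

# 4. Explicit blocks for non-application-layer protocols (T1095). Block rules win over
#    allow rules in Windows Firewall, so these hold even if someone later adds a broad allow.
New-NetFirewallRule -Group $PolicyGroup -DisplayName 'Egress: block ICMPv4' `
    -Direction Outbound -Protocol ICMPv4 -Action Block -Profile Domain
New-NetFirewallRule -Group $PolicyGroup -DisplayName 'Egress: block GRE' `
    -Direction Outbound -Protocol 47 -Action Block -Profile Domain

# 5. Log dropped outbound packets so attempts on unusual ports (T1065) or direct-to-internet
#    connections that bypass the proxy (T1094) are visible to the detection side.
Set-NetFirewallProfile -Profile Domain -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 6. Show the resulting policy for review.
Get-NetFirewallRule -Group $PolicyGroup |
    Select-Object DisplayName, Direction, Action, Enabled, Profile
```

The same policy is normally pushed by Group Policy rather than run per host; the cmdlets accept `-PolicyStore` for that. Note that port 80/443 is deliberately absent from the allow list: web traffic must go to the proxy, so a host that tries to reach the internet directly on 443 is dropped and logged, which is exactly the signal the T1094 and T1048 entries are after.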

Enterprise T1028 Windows Remote Management

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[2]
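The T1175, T1076 and T1028 entries above share one host-firewall pattern: keep Windows Firewall enabled with inbound default-deny (which is what blocks unsolicited DCOM/RPC), then re-allow RDP and WinRM only from a management enclave instead of from any address. The following is an added example written for this page, not code from MITRE or from the ATT&CK knowledge base; the management subnet 10.10.50.0/24, the jump host 10.10.50.10 and the use of an HTTPS WinRM listener on 5986 are assumptions chosen for illustration.

```powershell
# Added example: scope RDP and WinRM on a Windows member server to a management
# enclave with the Windows Defender Firewall NetSecurity cmdlets. The subnet,
# jump-host address and the HTTPS-only WinRM listener are assumptions, not
# values from the ATT&CK page. Run elevated on the target host.

$MgmtSubnet = '10.10.50.0/24'   # where administrators' RDP sessions originate
$JumpHost   = '10.10.50.10'     # the only host allowed to open WinRM sessions

# 1. Firewall on for every profile with inbound default-deny. With no other rule
#    allowing it, unsolicited traffic to the RPC endpoint mapper (TCP 135) and the
#    dynamic RPC ports is dropped, which is what stops remote DCOM instantiation (T1175).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block

# 2. Disable (do not delete) the built-in RDP and WinRM allow rules: their remote
#    scope is Any, so they would reopen the ports to every zone.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop','Windows Remote Management' `
    -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 3. Re-allow each service only from the management enclave (T1076, T1028).
New-NetFirewallRule -DisplayName 'RDP - management enclave only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow

New-NetFirewallRule -DisplayName 'WinRM HTTPS - jump host only' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $JumpHost -Profile Domain -Action Allow
# WinRM over HTTP (5985) gets no rule at all and stays blocked by the profile default.

# 4. Audit: report any enabled inbound allow rule on these ports that is still
#    reachable from any remote address, i.e. a segmentation regression.
function Find-UnscopedRemoteAccessRule {
    param([int[]]$Ports = @(3389, 5985, 5986))

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $localPorts = @($portFilter.LocalPort)

        $hit = $localPorts | Where-Object { $Ports -contains $_ }
        if ($hit -and ($addrFilter.RemoteAddress -eq 'Any')) {
            [pscustomobject]@{
                Rule   = $rule.DisplayName
                Port   = ($localPorts -join ',')
                Remote = ($addrFilter.RemoteAddress -join ',')
            }
        }
    }
}

# Expected after steps 2 and 3: no output. Any row printed is a rule to fix.
Find-UnscopedRemoteAccessRule
```

Run `Find-UnscopedRemoteAccessRule` periodically (or from the configuration-management pipeline) rather than only once: a later `Enable-PSRemoting` or a Remote Desktop feature change can silently re-enable the broad built-in rules and undo the scoping.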

References