Limit Access to Resource Over Network
Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:
Audit and Restrict Access:
- Regularly audit permissions for file shares, network services, and remote access tools.
- Remove unnecessary access and enforce least privilege principles for users and services.
- Use Active Directory and IAM tools to restrict access based on roles and attributes.
Deploy Secure Remote Access Solutions:
- Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections.
- Configure access controls to restrict connections based on time, device, and user identity.
- Enforce MFA for all remote access mechanisms.
Disable Unnecessary Services:
- Identify running services using tools like netstat (Windows/Linux) or Nmap.
- Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface.
- Use firewall rules to block traffic on unused ports and protocols.
Network Segmentation and Isolation:
- Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access.
- Restrict communication between subnets to prevent lateral movement.
Monitor and Log Access:
- Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools.
- Enable auditing and logging for successful and failed attempts to access restricted resources.
Tools for Implementation
File Share Management:
- Microsoft Active Directory Group Policies
- Samba (Linux/Unix file share management)
- AccessEnum (Windows access auditing tool)
Secure Remote Access:
- Microsoft Remote Desktop Gateway
- Apache Guacamole (open-source RDP/VNC gateway)
- Zero Trust solutions: Tailscale, Cloudflare Zero Trust
Service and Protocol Hardening:
- Nmap or Nessus for network service discovery
- Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols
- iptables or firewalld (Linux) for blocking unnecessary traffic
Network Segmentation:
- pfSense for open-source network isolation
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle |
Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions. |
|
| .002 | ARP Cache Poisoning |
Create static ARP entries for networked devices. Implementing static ARP entries may be infeasible for large networks. |
||
| Enterprise | T1612 | Build Image on Host |
Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API on port 2375. Instead, communicate with the Docker API over TLS on port 2376.[1] |
|
| Enterprise | T1609 | Container Administration Command |
Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4] |
|
| Enterprise | T1613 | Container and Resource Discovery |
Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4] |
|
| Enterprise | T1610 | Deploy Container |
Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4] |
|
| Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.[5] |
| Enterprise | T1190 | Exploit Public-Facing Application |
Ensure that all publicly exposed services are actually intended to be so, and restrict access to any that should only be available internally. |
|
| Enterprise | T1133 | External Remote Services |
Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. |
|
| Enterprise | T1200 | Hardware Additions |
Establish network access control policies, such as using device certificates and the 802.1x standard. [6] Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. |
|
| Enterprise | T1542 | Pre-OS Boot |
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
|
| .005 | TFTP Boot |
Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources. |
||
| Enterprise | T1563 | .002 | Remote Service Session Hijacking: RDP Hijacking |
Use remote desktop gateways. |
| Enterprise | T1021 | Remote Services |
Prevent unnecessary remote access to file shares, hypervisors, sensitive systems, etc. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.[7] |
|
| .001 | Remote Desktop Protocol |
Use remote desktop gateways. |
||
| .002 | SMB/Windows Admin Shares |
Consider disabling Windows administrative shares. |
||
| Enterprise | T1552 | Unsecured Credentials |
Limit network access to sensitive services, such as the Instance Metadata API. |
|
| .005 | Cloud Instance Metadata API |
Limit access to the Instance Metadata API using a host-based firewall such as iptables. |
||
| .007 | Container API |
Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4] |
||
References
- Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
- Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
- Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.