Limit Access to Resource Over Network

Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:

Audit and Restrict Access:

  • Regularly audit permissions for file shares, network services, and remote access tools.
  • Remove unnecessary access and enforce least privilege principles for users and services.
  • Use Active Directory and IAM tools to restrict access based on roles and attributes.

Deploy Secure Remote Access Solutions:

  • Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections.
  • Configure access controls to restrict connections based on time, device, and user identity.
  • Enforce MFA for all remote access mechanisms.

Disable Unnecessary Services:

  • Identify running services using tools like netstat (Windows/Linux) or Nmap.
  • Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface.
  • Use firewall rules to block traffic on unused ports and protocols.

Network Segmentation and Isolation:

  • Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access.
  • Restrict communication between subnets to prevent lateral movement.

Monitor and Log Access:

  • Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools.
  • Enable auditing and logging for successful and failed attempts to access restricted resources.

Tools for Implementation

File Share Management:

  • Microsoft Active Directory Group Policies
  • Samba (Linux/Unix file share management)
  • AccessEnum (Windows access auditing tool)

Secure Remote Access:

  • Microsoft Remote Desktop Gateway
  • Apache Guacamole (open-source RDP/VNC gateway)
  • Zero Trust solutions: Tailscale, Cloudflare Zero Trust

Service and Protocol Hardening:

  • Nmap or Nessus for network service discovery
  • Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols
  • iptables or firewalld (Linux) for blocking unnecessary traffic

Network Segmentation:

  • pfSense for open-source network isolation
ID: M1035
Version: 1.1
Created: 11 June 2019
Last Modified: 18 December 2024

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1557 Adversary-in-the-Middle

Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.

.002 ARP Cache Poisoning

Create static ARP entries for networked devices. Implementing static ARP entries may be infeasible for large networks.

Enterprise T1612 Build Image on Host

Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API on port 2375. Instead, communicate with the Docker API over TLS on port 2376.[1]

Enterprise T1609 Container Administration Command

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4]

Enterprise T1613 Container and Resource Discovery

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4]

Enterprise T1610 Deploy Container

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.[5]

Enterprise T1190 Exploit Public-Facing Application

Ensure that all publicly exposed services are actually intended to be so, and restrict access to any that should only be available internally.

Enterprise T1133 External Remote Services

Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.

Enterprise T1200 Hardware Additions

Establish network access control policies, such as using device certificates and the 802.1x standard. [6] Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.

Enterprise T1542 Pre-OS Boot

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

.005 TFTP Boot

Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources.

Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

Use remote desktop gateways.

Enterprise T1021 Remote Services

Prevent unnecessary remote access to file shares, hypervisors, sensitive systems, etc. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.[7]

.001 Remote Desktop Protocol

Use remote desktop gateways.

.002 SMB/Windows Admin Shares

Consider disabling Windows administrative shares.

Enterprise T1552 Unsecured Credentials

Limit network access to sensitive services, such as the Instance Metadata API.

.005 Cloud Instance Metadata API

Limit access to the Instance Metadata API using a host-based firewall such as iptables.

.007 Container API

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[1][2] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[3] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[4]

References