{"description": "Enterprise techniques mitigated by Limit Access to Resource Over Network, ATT&CK mitigation M1035 (v1.1)", "name": "Limit Access to Resource Over Network (M1035)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1557", "comment": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557.002", "comment": "Create static ARP entries for networked devices. Implementing static ARP entries may be infeasible for large networks.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1612", "comment": "Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API on port 2375. Instead, communicate with the Docker API over TLS on port 2376.(Citation: Docker Daemon Socket Protect)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1609", "comment": "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.(Citation: Kubernetes Cloud Native Security) Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.(Citation: Microsoft AKS Azure AD 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1613", "comment": "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.(Citation: Kubernetes Cloud Native Security) Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.(Citation: Microsoft AKS Azure AD 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1610", "comment": "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.(Citation: Kubernetes Cloud Native Security) Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.(Citation: Microsoft AKS Azure AD 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.008", "comment": "If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.(Citation: TechNet RDP Gateway)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "Ensure that all publicly exposed services are actually intended to be so, and restrict access to any that should only be available internally.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1200", "comment": "Establish network access control policies, such as using device certificates and the 802.1x standard.(Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1542", "comment": "Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542.005", "comment": "Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563", "showSubtechniques": true}, {"techniqueID": "T1563.002", "comment": "Use remote desktop gateways.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "comment": "Prevent unnecessary remote access to file shares, hypervisors, sensitive systems, etc. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.(Citation: Sygnia ESXi Ransomware 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "Use remote desktop gateways.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "Consider disabling Windows administrative shares.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "comment": "Limit network access to sensitive services, such as the Instance Metadata API.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1552.005", "comment": "Limit access to the Instance Metadata API using a host-based firewall such as iptables.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.007", "comment": "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.(Citation: Kubernetes Cloud Native Security) Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.(Citation: Microsoft AKS Azure AD 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Limit Access to Resource Over Network", "color": "#66b1ff"}]}