Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.
|M0942||Disable or Remove Feature or Program||
Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
|M0804||Human User Authentication||
All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.
|M0931||Network Intrusion Prevention||
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.
|ID||Data Source||Data Component|
|DS0029||Network Traffic||Network Traffic Flow|