Impair Defenses: Disable or Modify Cloud Firewall

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).[1][2]

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

ID: T1562.007
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Expel
Version: 1.2
Created: 24 June 2020
Last Modified: 15 April 2023

Procedure Examples

ID Name Description
S1091 Pacu

Pacu can allowlist IP addresses in AWS GuardDuty.[3]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls.

M1018 User Account Management

Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.[1]

Detection

ID Data Source Data Component Detects
DS0018 Firewall Firewall Disable

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

Firewall Rule Modification

Monitor cloud logs for modification or creation of new security groups or firewall rules.

References