Filter Network Traffic

From attackics
Jump to navigation Jump to search
Filter Network Traffic
Mitigation
ID M0937
NIST SP 800-53 Rev. 4 AC-3; SC-7
IEC 62443-3-3:2013 SR 5.1
IEC 62443-4-2:2019 CR 5.1

Description

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls.1


Techniques Addressed by Mitigation

NameUse
Activate Firmware Update ModeFilter for protocols and payloads associated with firmware activation or updating activity.
Brute Force I/OAllow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.
Connection ProxyTraffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.
Data Historian CompromiseFilter network traffic to data historians to ensure only authorized data flows are allowed, especially across network boundaries.
Detect Operating ModePerform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
Device Restart/ShutdownApplication denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).
Engineering Workstation CompromiseEnsure all communication is filtered for potentially malicious content, especially for mobile workstations that may not be protected by boundary firewalls.
Man in the MiddleUse network appliances and host-based security software to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged for MiTM.
Module FirmwareFilter for protocols and payloads associated with firmware activation or updating activity.
Point & Tag IdentificationPerform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
Program DownloadFilter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.
Program UploadFilter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.
Remote ServicesFilter application-layer protocol messages for remote services to block any unauthorized activity.
Rogue MasterPerform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.
Spoof Reporting MessagePerform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.
System FirmwareFilter for protocols and payloads associated with firmware activation or updating activity.
Unauthorized Command MessagePerform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
Valid AccountsConsider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.