Exploit Public-Facing Application
Jump to navigation
Jump to search
| Exploit Public-Facing Application | |
|---|---|
| Technique | |
| ID | T0819 |
| Tactic | Initial Access |
| Data Sources | Web logs, Web application firewall logs, Application logs, Packet capture |
Description
Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment.
ICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet.1
Mitigations
- Application Isolation and Sandboxing - Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.
- Exploit Protection - Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.2
- Network Segmentation - Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.
- Privileged Account Management - Use least privilege for service accounts.34
- Update Software - Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.
- Vulnerability Scanning - Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.
References
