Skip to content

Hide Navigation Hide TOC

Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d)

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.
Cluster A Galaxy A Cluster B Galaxy B Level
Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) Attack Pattern 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern 1
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Publish/Subscribe Protocols - T1071.005 (241f9ea8-f6ae-4f38-92f5-cef5b7e539dd) Attack Pattern 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Reflection Amplification - T1498.002 (36b2a1d7-e09e-49bf-b45e-477076c2ec01) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 1
Direct Network Flood - T1498.001 (0bda01d5-4c1d-4062-8ee2-6872334383c3) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) Attack Pattern Filter Network Traffic - M1037 (20f6a9df-37c4-4e20-9e47-025983b1b39d) Course of Action 1
Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) Attack Pattern Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 2
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Publish/Subscribe Protocols - T1071.005 (241f9ea8-f6ae-4f38-92f5-cef5b7e539dd) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Reflection Amplification - T1498.002 (36b2a1d7-e09e-49bf-b45e-477076c2ec01) Attack Pattern Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Direct Network Flood - T1498.001 (0bda01d5-4c1d-4062-8ee2-6872334383c3) Attack Pattern Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) Attack Pattern 2
OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) Attack Pattern 2