Permissive network access is an attack technique in which an attacker targets and exploits cloud network configurations that grant broader access than the workload needs.
This includes unnecessarily open ports, insecure or unencrypted protocols, and misconfigured network security groups (NSGs).
An attacker can use this reachability to perform network and port scanning, to attack the exposed services directly, and, where an exposed service has an exploitable flaw, to achieve remote code execution.
For example, an organization may run a public-facing web application that needs access to a backend database server.
If the NSG rules for the database server allow the database port from any source IP address rather than only from the web tier, an attacker can reach the database server from anywhere on the internet and attempt to authenticate to it or exploit it.
ID: T0128
Type: Technique
Tactic: Initial Access
Summary: Permissive network access
State: Draft
Mitigations
ID: M1280
Type: Mitigation
Summary: Implement least privilege network access
Description: Follow the principle of least privilege and restrict network access to only what is necessary. Limit open ports, protocols, and services to the minimum required for the intended purpose of the system or application, and scope the allowed sources to the specific subnets or addresses that need to connect.
ID: M1281
Type: Mitigation
Summary: Configure network security groups
Description: Review and regularly update NSG configurations so that only necessary inbound and outbound traffic is allowed. Use explicit deny rules, ordered after the specific allow rules, to block all other traffic rather than relying on the default rules alone.
ID: M1282
Type: Mitigation
Summary: Secure default configurations
Description: Configure network security groups, firewalls, and other network components with secure default settings. Avoid overly permissive settings that allow unrestricted access, and replace default configurations that may be susceptible to attack.
ID: M1550
Type: Mitigation
Summary: Implement strict access control for clouds
Description: Limit access to cloud resources to authorized users and ensure that proper authentication and authorization mechanisms are in place, so that reaching a service over the network does not by itself grant access to its data.
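The database example from the technique description and the two NSG mitigations above (least privilege sources, explicit deny rules) can be checked against a rule set statically. The following is an added example, not code from the page or from any cloud provider's SDK. It uses a deliberately simplified model of Azure-style NSG inbound rules: rules are evaluated in ascending priority order, the first match decides, and unmatched traffic falls through to a default deny. Protocols, service tags other than "Internet", and the platform's default allow rules for the virtual network are left out; the web-tier subnet 10.0.1.0/24, the sample addresses, and the list of "sensitive" database ports are all assumptions.

```python
"""Static evaluation of NSG-style inbound rules (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: ports the audit treats as sensitive backend services.
DATABASE_PORTS = {1433, 1521, 3306, 5432, 6379, 27017}
# Source specs that admit any internet host; "Internet" is the Azure service tag.
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "Internet"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # "*", "Internet", or a CIDR / single address
    dest_port: str  # "*", "3306", or a range such as "1000-2000"


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(spec: str, src_ip: str) -> bool:
    if spec in ("*", "0.0.0.0/0"):
        return True
    if spec == "Internet":  # public address space, approximated here as non-RFC1918
        return not is_private(src_ip)
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)


def effective_access(rules, src_ip: str, port: int):
    """Return (access, rule_name) of the first matching rule, else the default deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_port, port):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"


def find_permissive_rules(rules, sensitive_ports=DATABASE_PORTS):
    """Names of Allow rules that expose a sensitive port (or every port) to any internet source."""
    flagged = []
    for rule in rules:
        if rule.access != "Allow" or rule.source not in PUBLIC_SOURCES:
            continue
        if rule.dest_port == "*" or any(port_matches(rule.dest_port, p) for p in sensitive_ports):
            flagged.append(rule.name)
    return flagged


# Constructed NSG for the database server from the page's example: the weak
# configuration admits the MySQL port from anywhere ...
PERMISSIVE_NSG = [Rule("allow-mysql-any", 100, "Allow", "*", "3306")]
# ... and the corrected one admits only the (assumed) web-tier subnet, then denies
# the port explicitly instead of relying on the default rules alone.
RESTRICTED_NSG = [
    Rule("allow-mysql-from-web", 100, "Allow", "10.0.1.0/24", "3306"),
    Rule("deny-mysql-all", 110, "Deny", "*", "3306"),
]

if __name__ == "__main__":
    for label, nsg in (("permissive", PERMISSIVE_NSG), ("restricted", RESTRICTED_NSG)):
        print(label, "flagged:", find_permissive_rules(nsg))
        for src in ("203.0.113.10", "10.0.1.5"):
            print("  ", src, "-> 3306:", effective_access(nsg, src, 3306))
```

Two things this makes visible that the prose does not: `find_permissive_rules` is the audit check (any Allow rule whose source is a public wildcard and whose port range covers a sensitive port), and `effective_access` shows why rule ordering is part of the mitigation: an explicit deny placed at a lower priority number than the web-tier allow would silently block the legitimate path, so always verify the intended source still reaches the port after adding deny rules.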
Detections
ID: D1260
Type: Detection
Summary: Implement regular security audit and review
Description: Conduct regular security audits and vulnerability assessments of your systems and network configurations to identify and address misconfigurations, such as NSG rules that admit traffic from any source, that could lead to permissive network access. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.
ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors, including services that are reachable from further away than intended.
ID: D1262
Type: Detection
Summary: Implement vulnerability assessment
Description: Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities. Unlike penetration testing, it enumerates weaknesses rather than attempting to exploit them.
ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool that monitors network traffic or host activity and alerts on unauthorized access to a computer system or network; anti-malware and intrusion prevention tooling can additionally block the activity. Real-time monitoring of traffic to exposed services, and of network flow logs, allows scanning and connection attempts made possible by permissive rules to be detected and responded to in a timely manner, reducing the risk of a breach.
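The audit (D1260) and monitoring (D1510) entries above can be made concrete as detection logic over network flow records. The following is an added example, not code from the page or from any vendor's IDS. The sample records are constructed and follow the shape of Azure NSG flow-log version 1 tuples (time, source IP, destination IP, source port, destination port, protocol, direction, decision); that layout is an assumption, and `parse_flows` should be adapted to whatever telemetry you actually have. The database host 10.0.2.4, the web-tier host 10.0.1.5, the external addresses, the scan threshold and the list of sensitive ports are all assumptions.

```python
"""Scan and public-database-reach detection over NSG flow records (added example, not from the page)."""
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DATABASE_PORTS = {1433, 1521, 3306, 5432, 6379, 27017}  # assumption: sensitive backend ports

# Constructed sample records in the shape of Azure NSG flow-log v1 tuples:
# time,src_ip,dst_ip,src_port,dst_port,protocol(T/U),direction(I/O),decision(A/D).
# 203.0.113.10 sweeps six ports on the database host 10.0.2.4 within five seconds;
# 10.0.1.5 is the web tier; 198.51.100.7 reaches MySQL, 198.51.100.9 is denied.
SAMPLE_FLOWS = """\
1700000000,203.0.113.10,10.0.2.4,51000,22,T,I,A
1700000001,203.0.113.10,10.0.2.4,51001,80,T,I,A
1700000002,203.0.113.10,10.0.2.4,51002,443,T,I,A
1700000003,203.0.113.10,10.0.2.4,51003,3306,T,I,A
1700000004,203.0.113.10,10.0.2.4,51004,5432,T,I,A
1700000005,203.0.113.10,10.0.2.4,51005,8080,T,I,A
1700000010,10.0.1.5,10.0.2.4,40000,3306,T,I,A
1700000011,198.51.100.7,10.0.2.4,45000,3306,T,I,A
1700000012,198.51.100.9,10.0.2.4,45001,3306,T,I,D
"""


def parse_flows(text):
    """Parse comma-separated flow tuples into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, _sport, dport, proto, direction, decision = line.split(",")
        flows.append({"time": int(t), "src_ip": src, "dst_ip": dst, "dst_port": int(dport),
                      "protocol": proto, "direction": direction, "decision": decision})
    return flows


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_port_scans(flows, min_ports=5, window_s=60):
    """(src, dst) pairs where one source touches at least min_ports distinct destination
    ports on one host within window_s seconds, mapped to the largest such port count.
    Denied flows count as well: a blocked probe is still evidence of scanning."""
    events = defaultdict(list)
    for f in flows:
        if f["direction"] == "I":
            events[(f["src_ip"], f["dst_ip"])].append((f["time"], f["dst_port"]))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (t_end, _) in enumerate(evs):
            ports = {p for t, p in evs[: i + 1] if t_end - t <= window_s}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def detect_public_db_access(flows, db_ports=DATABASE_PORTS):
    """Allowed inbound flows from non-RFC1918 sources to a database port: each one is a
    connection that a least-privilege NSG would have denied."""
    return [(f["src_ip"], f["dst_ip"], f["dst_port"]) for f in flows
            if f["direction"] == "I" and f["decision"] == "A"
            and f["dst_port"] in db_ports and not is_private(f["src_ip"])]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("port scans:", detect_port_scans(flows))
    print("public -> database:", detect_public_db_access(flows))
```

The second check is the one that turns a flow log into an audit finding: any allowed public-to-database flow is direct proof that the NSG is permissive, independent of whether the source was scanning. The scan check deliberately counts denied flows too, so it still fires after the rules are tightened and tells you who is probing the host.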