This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Exploitation
In the Exploitation phase, after the weapon has been delivered to the target, the weapon tries to exploit the weakness it was designed for. This could be the exploitation of a vulnerability or misconfiguration in an operating system, web browser, or other application. An exploit can also be designed to trick people into making poor trust decisions, which is also known as social engineering. Another weakness that attackers typically try to exploit is weak, leaked, or stolen passwords.
Control Objective – Detect
The objective of the Detect control in the Exploitation phase is to “discover or discern the existence, presence, or fact of an intrusion into information systems.” **
| Control Names | Descriptions |
|---|---|
|
(ID: Sec.Det.1) |
This control detects reconnaissance activity, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known, bad IP address. |
|
(ID: Sec.Det.11) |
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.” |
|
AWS WAF, WAF Managed Rules + Automation (ID: Sec.Inf.2) |
Malicious sources scan and probe internet-facing web applications for vulnerabilities. They send a series of requests that generate HTTP 4xx error codes. You can use this history to help identify and block malicious source IP addresses. |
|
Amazon Virtual Private Cloud (Amazon VPC) (ID: Sec.Inf.3) |
Amazon VPC can help prevent attackers from scanning network resources during reconnaissance. Amazon VPC Black Hole Routes operate as an allow list or deny list of network reachable assets, before Security Groups or NACLs. |
|
(ID: Sec.Det.5) |
With this control, you can assess, audit, and evaluate the configurations of your AWS resources. |
|
Third-party container security tools and services (ID: Sec.IR.14 and 35) |
These controls complement to the security properties of containers solutions. |
|
Third-Party Security Tools for AWS Lambda Functions (ID: Sec.IR.15) |
This control implements advanced security protection and behavioral security solutions for Lambda functions. |
|
AWS Partner Offerings – Anti-Malware Protection (ID: Sec.IR.12) |
These controls help to detect and block malicious payloads. |
|
(ID: Sec.Inf.27) |
These controls are a complement to the security properties of Lambda functions. |
|
AWS IoT Device Defender + AWS IoT SiteWise (ID: Sec.Det.9) |
Detects and provides analytics capabilities for anomalous behavior in IoT Things |
|
Amazon CloudWatch Logs + Amazon Lookout for Metrics (ID: Sec.Det.10) |
Detects and provides analytics capabilities for anomalous behavior in assets and services which send logs to CloudWatch Logs (subject to level of detail of logs being gathered) |
Control Objective – Deny
The objective of the Deny control in the Exploitation phase is to “prevent the adversary from accessing and using critical information, systems, and services.” **
| Control Names | Descriptions |
|---|---|
|
(ID: Sec.IAM.1) |
These controls help deny or contain the blast radius of attacks. |
|
Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies (ID: Sec.DP.6) |
These controls manage access to objects and prevent upload of malicious objects into the S3 bucket. |
|
(ID: Sec.DP.7) |
This control protects the secrets needed to access your applications, services, and IT resources. |
|
Amazon – EC2 Linux, SELinux – Mandatory Access Control (ID: Sec.Inf.17) |
This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
|
Amazon EC2 – FreeBSD Trusted BSD – Mandatory Access Control (ID: Sec.Inf.18) |
This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
|
Amazon EC2 – Linux, FreeBSD – Hardening and Minimization (ID: Sec.Inf.19) |
These controls disable or remove unused services and packages. |
|
Amazon EC2 – Linux, Windows, FreeBSD – Address Space Layout Randomization (ASLR) (ID: Sec.Inf.20) |
ASLR is a technology that helps prevent shellcode from being successful. |
|
Amazon EC2 – Linux, Windows, FreeBSD – Data Execution Prevention (DEP) (ID: Sec.Inf.21) |
DEP is a memory safety feature that makes it more difficult for malware to run. |
|
Amazon EC2 – Windows – User Account Control (UAC) (ID: Sec.Inf.22) |
UACs make it more difficult for malware to install and run. |
|
Amazon EC2 – Linux – Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) (ID: Sec.Inf.23) |
This control implements least-privilege account profiles. |
|
Microsoft Windows Security Baselines (ID: Sec.Inf.24) |
This control hardens system and user configurations. |
|
Third-Party Security Tools for Containers (ID: Sec.IR.14) |
This control implements advanced security protection and behavioral security solutions for Containers. |
|
Third-Party Security Tools for AWS Lambda Functions (ID: Sec.IR.15) |
This control implements advanced security protection and behavioral security solutions for Lambda functions. |
|
AWS Partner Offerings – Anti-Malware Protection (ID: Sec.IR.12) |
This control helps to detect and blocks malicious payloads. |
|
(ID: Sec.Inf.27) |
This control is a complement to the security properties of Lambda functions. |
|
(ID: Sec.Inf.28) |
This control is a complement to the security properties of containers solutions. |
|
Amazon Simple Email Service Spam and Virus Protection (ID: Platform.3) |
This control prevents mail from known spammers, or containing malware, from entering the system. |
|
(ID: Sec.Inf.32) |
This control provides a minimised OS environment capable of running and managing containers, which provides no extraneous listeners or services. |
|
AWS Key Management Service (AWS KMS) + AWS CloudHSM (ID: Sec.DP.1) |
These services deny access to clear text of encryption keys. |
|
(ID: Sec.DP.5) |
Provides an isolated execution environment for signed code to handle sensitive data, accessible only by local virtual network socket interface. |
Control Objective – Disrupt
The objective of the Disrupt control in the Exploitation phase is to “break or interrupt the flow of information.” **
| Control Names | Descriptions |
|---|---|
|
AWS WAF, WAF Managed Rules + Automation (ID: Sec.Inf.2) |
Malicious sources scan and probe internet-facing web applications for vulnerabilities. They send a series of requests that generate HTTP 4xx error codes. You can use this history to help identify and block malicious source IP addresses. |
|
Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies (ID: Sec.DP.6) |
These controls manage access to objects and prevent uploads of malicious objects into the bucket. |
|
(ID: Sec.DP.7) |
This control protects the secrets needed to access your applications, services, and IT resources. |
|
Amazon EC2 – Linux, SELinux – Mandatory Access Control (ID: Sec.Inf.17) |
This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
|
Amazon EC2 – FreeBSD Trusted BSD – Mandatory Access Control (ID: Sec.Inf.18) |
This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
|
Amazon EC2 – Linux, Windows, FreeBSD – Address Space Layout Randomization (ASLR) (ID: Sec.Inf.20) |
ASLR is a technology that helps prevent shellcode from being successful. |
|
Amazon EC2 – Linux, Windows, FreeBSD – Data Execution Prevention (DEP) (ID: Sec.Inf.21) |
DEP is a memory safety feature that makes it more difficult for malware to run. |
|
Amazon EC2 – Windows – User Account Control (UAC) (ID: Sec.Inf.22) |
UACs make it more difficult for malware to install and run. |
|
Amazon EC2 – Linux – Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) (ID: Sec.Inf.23) |
This control implements least-privilege account profiles. |
|
Third-Party Security Tools for Containers (ID: Sec.IR.14) |
This control implements advanced security protection and behavioral security solutions for containers. |
|
Third-Party Security Tools for AWS Lambda Functions (ID: Sec.IR.15) |
This control implements advanced security protection and behavioral security solutions for Lambda functions. |
|
AWS Partner Offerings – Anti-Malware Protection (ID: Sec.IR.12) |
This control helps to detect and block malicious payloads. |
|
Immutable Infrastructure – Short-Lived Environments (ID: Ops.2) |
This control rebuilds or refreshes environments periodically to make it more difficult for attack payloads to persist. |
|
(ID: Sec.DP.5) |
Provides an isolated execution environment for signed code to handle sensitive data, accessible only by local virtual network socket interface. |
|
(ID: Sec.Inf.30) |
Provides deep-packet inspection filtering of VPC network traffic using Suricata-syntax rules. |
Control Objective – Degrade
The objective of the Degrade control in the Exploitation phase is to “reduce the effectiveness or efficiency of adversary command and control (C2) or communications systems, and information collection efforts or means.” **
| Control Names | Descriptions |
|---|---|
|
(ID: Sec.IR.1) |
These controls detect reconnaissance activities and modify security configurations to degrade or block traffic associated with an attack. |
|
(ID: Sec.Inf.1) |
This control helps to protect you from common web exploits that could affect application availability, compromise security, or consume excessive resources. |
|
(ID: Sec.Inf.8) |
With this control, before an attacker can consistently communicate with your resources, all the instances included in the load-balanced service need to be compromised by the attack. If one or more instances has not been compromised, the load balancer switches to an unaffected instance, which degrades the attack. |
|
Immutable Infrastructure – Short-Lived Environments (ID: Ops.2) |
These controls rebuild or refresh your environments periodically to make it more difficult for an attack payload to persist. |
|
(ID: Sec.Inf.30) |
Provides deep-packet inspection filtering of VPC network traffic using Suricata-syntax rules |
Control Objective – Deceive
The objective of the Deceive control in the Exploitation phase is to “cause a person to believe what is not true. MILDEC [military deception] seeks to mislead adversary decision makers by manipulating their perception of reality.”**
| Control Names | Descriptions |
|---|---|
|
Honeypot and Honeynet Environments (ID: Sec.IR.10) |
These controls help to degrade, detect, and contain attacks. |
|
(ID: Sec.IR.11) |
When an attacker attempts to use stolen, false credentials, these controls help to detect and contain the attack, so you can recover faster. |
|
(ID: Sec.IR.2) |
These controls trap endpoints to detect content scrapers and bad bots. When the endpoint is accessed, a function adds the source IP address to a blocked list. |
Control Objective – Contain
The objective of the Contain control in the Exploitation phase is the “action of keeping something harmful under control or within limits.” **
| Control Names | Descriptions |
|---|---|
|
(ID: Sec.IAM.1) |
These controls help you to deny or contain the blast radius of attacks. |
|
AWS Organizations + Service Control Policies (SCPs) + AWS Accounts (ID: Sec.IAM.4) |
These controls provide strong, least-privilege and need-to-know security principles for both users and services across a multi-account structure. You can control administrators privileges in child accounts. |
|
Amazon EC2 – Linux, SELinux – Mandatory Access Control (ID: Sec.Inf.17) |
This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
|
Amazon EC2 – FreeBSD Trusted BSD – Mandatory Access Control (ID: Sec.Inf.18) |
This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
|
Amazon EC2 – Linux, FreeBSD – Hardening and Minimization (ID: Sec.Inf.19) |
These controls disable or remove unused services and packages. |
|
Amazon EC2 – Linux – Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) (ID: Sec.Inf.23) |
This control implements least-privilege account profiles. |
|
Linux cgroups, namespaces, SELinux (ID: Sec.Inf.25) |
These controls enforce capability profiles, which prevent running processes from accessing files, network sockets, and other processes. |
|
Third-Party Security Tools for Containers (ID: Sec.IR.14) |
This control implements advanced security protection and behavioral security solutions for Containers. |
|
Third-Party Security Tools for AWS Lambda Functions (ID: Sec.IR.15) |
This control implements advanced security protection and behavioral security solutions for Lambda functions. |
|
AWS Container and Abstract Services (ID: Platform.1) |
These controls can help you prevent access to underlying infrastructure by your customers and threat actors, and segregate your service instances. |
|
Hypervisor-Level Guest-To-Guest and Guest-To-Host Separation (ID: Platform.4) |
This control leverages the string isolation capabilities provided by the AWS hypervisor. |
|
(ID: Sec.DP.5) |
Provides an isolated execution environment for signed code to handle sensitive data, accessible only by local virtual network socket interface |
Control Objective – Respond
The objective of the Respond control in the Exploitation phase is to provide “Capabilities that help to react quickly to an adversary’s or others’ IO attack or intrusion.” **
| Control Names | Descriptions |
|---|---|
|
(ID: Sec.Det.2) |
These controls are a complement to Amazon GuardDuty. |
|
Third-Party Security Tools for Containers (ID: Sec.IR.14) |
This control implements advanced security protection and behavioral security solutions for containers. |
|
Third-Party Security Tools for AWS Lambda Functions (ID: Sec.IR.15) |
This control implements advanced security protection and behavioral security solutions for Lambda functions. |
|
AWS Partner Offerings – Behavioral Monitoring, Response Tools and Services (ID: Sec.Inf.29) |
These controls provide insights into the threats in your environment. |
|
(ID: Ops.3) |
AWS Managed Services monitors the overall health of your infrastructure resources, and handles the daily activities of investigating and resolving alarms or incidents. |
|
Amazon CloudWatch Logs + Amazon Lookout for Metrics + Lambda (ID: Sec.Det.10) |
Detects and provides analytics capabilities and response for anomalous behavior in assets and services which send logs to CloudWatch Logs (subject to level of detail of logs being gathered) |
Control Objective – Restore
The objective of the Restore control in the Exploitation phase is to “bring information and information systems back to their original state.” **
| Control Names | Descriptions |
|---|---|
|
(ID: Sec.Inf.9) |
This control adjusts capacity to maintain steady, predictable performance. |
|
AWS Systems Manager State Manager (ID: Sec.Inf.14) |
This control helps you to define and maintain consistent OS configurations. |
|
AWS Partner Offerings – File Integrity Monitoring (ID: Sec.IR.13) |
These controls help you to maintain the integrity of operating system and application files. |
|
CloudFormation + Service Catalog (ID: Ops.1) |
These controls help you to provision your infrastructure in an automated and secure manner. The CloudFormation template file serves as the single source of truth for your cloud environment. |
|
Immutable Infrastructure – Short-Lived Environments (ID: Ops.2) |
These controls rebuild or refresh your environments periodically to make it more difficult for an attack payload to persist. |
