This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Delivery
During the Delivery phase in the intrusion method, attackers transmit their weapon to the intended victim. Some examples of delivery mechanisms include phishing emails, malicious email attachments, and drive-by download sites.
Control Objective – Detect
The objective of the Detect control in the Delivery phase is to “discover or discern the existence, presence, or fact of an intrusion into information systems.” **
| Control Names | Descriptions |
|---|---|
| (ID: Sec.Det.1) | Detects reconnaissance activity, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP address. |
| AWS WAF, WAF Managed Rules + Automation (ID: Sec.Inf.2) | Malicious sources scan and probe internet-facing web applications for vulnerabilities. They send a series of requests that generate HTTP 4xx error codes. You can use this history to help identify and block malicious source IP addresses. |
| (ID: Sec.Inf.13) | This control defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. |
| Amazon VPC Flow Logs + Amazon CloudWatch Alarms (ID: Sec.Det.8) | These controls capture and monitor information about the IP traffic going to and from your Amazon VPC. |
| (ID: Sec.Det.11) | Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to conduct faster and more efficient security investigations. |
| AWS IoT Device Defender + AWS IoT SiteWise (ID: Sec.Det.9) | Detects and provides analytics capabilities for anomalous behavior in IoT Things. |
| Amazon CloudWatch Logs + Amazon Lookout for Metrics (ID: Sec.Det.10) | Detects and provides analytics capabilities for anomalous behavior in assets and services that send logs to CloudWatch Logs (subject to the level of detail of the logs being gathered). |
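The 4xx-history approach that Sec.Inf.2 describes, as an added example that is not code from the whitepaper or from AWS: it parses access-log lines in the Application Load Balancer layout, counts 4xx responses per client IP inside a sliding time window, and returns the IPs whose burst crosses a threshold, which is the list a WAF IP-set block rule would be fed. The log lines, IP addresses and request paths are all constructed; the threshold and window are assumed tuning values.

```python
"""Flag source IPs that generate bursts of HTTP 4xx responses in ALB access logs."""
import shlex
from collections import defaultdict
from datetime import datetime, timezone


def alb_line(ts, ip, status, path):
    # Constructed ALB access-log line (first 14 fields of the documented layout).
    return (f"https {ts} app/demo-alb/0123456789abcdef {ip}:51234 10.0.1.5:80 "
            f"0.000 0.001 0.000 {status} {status} 120 512 "
            f'"GET https://www.example.com:443{path} HTTP/1.1" "Mozilla/5.0"')


SCANNER, BROWSER = "198.51.100.7", "203.0.113.9"  # constructed, documentation ranges
SAMPLE_LOG = [  # constructed: one ordinary visitor and one source probing for known paths
    alb_line("2023-11-14T22:13:00.000000Z", BROWSER, 200, "/"),
    alb_line("2023-11-14T22:13:05.000000Z", BROWSER, 404, "/favicon.ico"),
    alb_line("2023-11-14T22:13:10.000000Z", SCANNER, 404, "/wp-login.php"),
    alb_line("2023-11-14T22:13:11.000000Z", SCANNER, 404, "/phpmyadmin/"),
    alb_line("2023-11-14T22:13:12.000000Z", SCANNER, 403, "/.env"),
    alb_line("2023-11-14T22:13:13.000000Z", SCANNER, 404, "/backup.zip"),
    alb_line("2023-11-14T22:13:14.000000Z", SCANNER, 404, "/admin/"),
    alb_line("2023-11-14T22:13:15.000000Z", SCANNER, 400, "/cgi-bin/"),
    alb_line("2023-11-14T22:13:20.000000Z", BROWSER, 200, "/index.html"),
]


def parse_alb_line(line):
    """Return (timestamp, client IP, ELB status code) from one access-log line."""
    f = shlex.split(line)  # shlex keeps the quoted request and user agent as single fields
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    ip = f[3].rsplit(":", 1)[0].strip("[]")  # drop the port; strip IPv6 brackets
    return ts, ip, int(f[8])


def find_probing_ips(lines, threshold=5, window_seconds=300):
    """Map each client IP to its peak number of 4xx responses inside any window."""
    stamps = defaultdict(list)
    for line in lines:
        ts, ip, status = parse_alb_line(line)
        if 400 <= status < 500:  # only client errors count as probe evidence
            stamps[ip].append(ts)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[left]).total_seconds() > window_seconds:
                left += 1
            hits = right - left + 1
            if hits >= threshold:
                flagged[ip] = max(hits, flagged.get(ip, 0))
    return flagged
```

A single 404 from the browser stays below the threshold, so only the scanning source is returned for blocking.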
Control Objective – Deny
The objective of the Deny control in the Delivery phase is to “prevent the adversary from accessing and using critical information, systems, and services.” **
| Control Names | Descriptions |
|---|---|
| Amazon Virtual Private Cloud (VPC) (ID: Sec.Inf.3) | Amazon VPC can help prevent attackers from scanning network resources during reconnaissance. Amazon VPC Black Hole Routes operate as an allow list or deny list of network-reachable assets, before Security Groups or NACLs. |
| Amazon Virtual Private Cloud VPN Gateway + AWS Direct Connect (ID: Sec.Inf.4) | These controls establish private connectivity to multiple Amazon VPCs. |
| (ID: Sec.Inf.5) | This control is a virtual firewall that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. |
| (ID: Sec.Inf.6) | This control is a virtual Access Control List that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. |
| (ID: Sec.Inf.13) | This control defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. |
| AWS Identity and Access Management (IAM) + IAM Policies and Permissions Boundaries (ID: Sec.IAM.2) | These controls implement strong, least-privilege and need-to-know security principles for both users and services that access your resources. |
| AWS Organizations + Service Control Policies (SCPs) + AWS Accounts (ID: Sec.IAM.4) | These controls provide strong, least-privilege and need-to-know security principles for both users and services across a multi-account structure. You can control administrators' privileges in child accounts. |
| Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies (ID: Sec.DP.6) | These controls specify access privileges to objects and prevent the upload of malicious objects into the bucket. |
| (ID: Sec.IAM.5) | This control provides temporary, limited-privilege AWS credentials to allow access to other AWS services. |
| Amazon EC2: Linux: SELinux – Mandatory Access Control (ID: Sec.Inf.17) | This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
| Amazon EC2 – FreeBSD TrustedBSD – Mandatory Access Control (ID: Sec.Inf.18) | This control is a system policy that cannot be overridden, which mediates access to files, devices, sockets, other processes, and API calls. |
| Amazon EC2 – Linux, FreeBSD – Hardening and Minimization (ID: Sec.Inf.19) | These controls disable or remove unused services and packages. |
| Amazon EC2 – Linux – Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) (ID: Sec.Inf.23) | This control implements least-privilege account profiles. |
| Microsoft Windows Security Baselines (ID: Sec.Inf.24) | This control allows you to harden system and user configurations. |
| AWS Physical & Operational Security Policies & Processes (ID: Platform.5) | AWS data centers are secure by design and our controls make that possible. We spend countless hours considering potential threats and designing, implementing, and testing controls to ensure the systems, technology, and people we deploy counteract risks. |
| (ID: Sec.Inf.32) | This control provides a minimized OS environment capable of running and managing containers, with no extraneous listeners or services. |
| (ID: Sec.Inf.30) | Provides deep-packet inspection filtering of VPC network traffic using Suricata-syntax rules. |
| (ID: Sec.DP.5) | Provides an isolated execution environment for signed code to handle sensitive data, accessible only through a local virtual socket interface. |
| Amazon Simple Email Service (Amazon SES) (ID: Sec.Inf.31) | Supports content filtering on inbound and outbound email. |
Control Objective – Disrupt
The objective of the Disrupt control in the Delivery phase is to “break or interrupt the flow of information.” **
| Control Names | Descriptions |
|---|---|
| Amazon Virtual Private Cloud (Amazon VPC) (ID: Sec.Inf.3) | Amazon VPC can help prevent attackers from scanning network resources during reconnaissance. Amazon VPC Black Hole Routes operate as an allow list or deny list of network-reachable assets, before Security Groups or NACLs. |
| (ID: Sec.Inf.5) | This control is a virtual firewall that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. |
| (ID: Sec.Inf.6) | This control is a virtual Access Control List that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. |
| (ID: Sec.Inf.13) | This control defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. |
| Immutable Infrastructure – Short-Lived Environments (ID: Ops.2) | Rebuild or refresh your environments periodically to make it more difficult for an attack payload to persist. |
| (ID: Sec.Inf.30) | Provides deep-packet inspection filtering of VPC network traffic using Suricata-syntax rules. |
| AWS IoT Device Defender + AWS IoT SiteWise (ID: Sec.Det.9) | Detects and provides analytics capabilities and customizable response automation for anomalous behavior in IoT Things. |
| Amazon CloudWatch Logs + Amazon Lookout for Metrics (ID: Sec.Det.10) | Detects and provides analytics capabilities for anomalous behavior in assets and services that send logs to CloudWatch Logs (subject to the level of detail of the logs being gathered). |
Control Objective – Degrade
The objective of the Degrade control in the Delivery phase is to “reduce the effectiveness or efficiency of adversary command and control (C2) or communications systems, and information collection efforts or means.” **
| Control Names | Descriptions |
|---|---|
| (ID: Sec.IR.1) | These controls detect reconnaissance activities and modify security configurations to degrade or block traffic associated with an attack. |
| (ID: Sec.Inf.13) | This control defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. |
| (ID: Sec.Inf.8) | With this control, before an attacker can consistently communicate with your resources, all the instances included in the load-balanced service need to be compromised by the attack. If one or more instances have not been compromised, the load balancer switches to an unaffected instance, which degrades the attack. |
| Immutable Infrastructure – Short-Lived Environments (ID: Ops.2) | Rebuild or refresh your environments periodically to make it more difficult for an attack payload to persist. |
Control Objective – Deceive
The objective of the Deceive control in the Delivery phase is to “cause a person to believe what is not true. MILDEC [military deception] seeks to mislead adversary decision makers by manipulating their perception of reality.” **
| Control Names | Descriptions |
|---|---|
| Honeypot and Honeynet Environments (ID: Sec.IR.10) | These controls help to degrade, detect, and contain attacks. |
| (ID: Sec.IR.11) | When an attacker attempts to use stolen or false credentials, these controls help to detect and contain the attack, so you can recover faster. |
| (ID: Sec.IR.2) | These controls trap endpoints to detect content scrapers and bad bots. When the endpoint is accessed, a function adds the source IP address to a blocked list. |
Control Objective – Contain
The objective of the Contain control in the Delivery phase is the “action of keeping something harmful under control or within limits.” **
| Control Names | Descriptions |
|---|---|
| (ID: Sec.Inf.1) | This control helps to protect your network from common web exploits that could affect application availability, compromise security, or consume excessive resources. |
| Amazon Virtual Private Cloud (Amazon VPC) (ID: Sec.Inf.3) | Amazon VPC can help prevent attackers from scanning network resources during reconnaissance. Amazon VPC Black Hole Routes operate as an allow list or deny list of network-reachable assets, before Security Groups or NACLs. |
| (ID: Sec.Inf.5) | This control is a virtual firewall that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. |
| (ID: Sec.Inf.6) | This control is a virtual Access Control List that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. |
| AWS Organizations + Service Control Policies (SCPs) + AWS Accounts (ID: Sec.IAM.4) | These controls provide strong, least-privilege and need-to-know security principles for both users and services across a multi-account structure. You can control administrators' privileges in child accounts. |
| AWS Lambda, Amazon Simple Queue Service (Amazon SQS), AWS Step Functions (ID: Platform.2) | These services provide orchestration mechanisms for containment. |
| (ID: Sec.DP.5) | Provides an isolated execution environment for signed code to handle sensitive data, accessible only through a local virtual socket interface. |
Control Objective – Respond
The objective of the Respond control in the Delivery phase is to provide “capabilities that help to react quickly to an adversary’s or others’ IO attack or intrusion.” **
| Control Names | Descriptions |
|---|---|
| AWS Systems Manager State Manager (ID: Sec.Inf.14) | This control helps you to define and maintain consistent OS configurations. |
| AWS Partner Offerings – File Integrity Monitoring (ID: Sec.IR.13) | These controls help you to maintain the integrity of operating system and application files. |
| (ID: Sec.IR.2) | These controls trap endpoints to detect content scrapers and bad bots. When the endpoint is accessed, a function adds the source IP address to a blocked list. |
| (ID: Sec.IR.3) | These controls are a complement to AWS WAF. |
| (ID: Sec.IR.5) | These rules are a configurable set of functions that trigger when an environment configuration change is registered. |
| Amazon CloudWatch Events + Lambda (ID: Sec.IR.6) | These controls are a configurable set of functions that trigger when an environment configuration change is registered. |
| (ID: Ops.3) | AWS Managed Services monitors the overall health of your infrastructure resources and handles the daily activities of investigating and resolving alarms or incidents. |
| AWS IoT Device Defender + AWS IoT SiteWise (ID: Sec.Det.9) | Detects and provides analytics capabilities and customizable response automation for anomalous behavior in IoT Things. |
| Amazon CloudWatch Logs + Amazon Lookout for Metrics + Lambda (ID: Sec.Det.10) | Detects and provides analytics and response capabilities for anomalous behavior in assets and services that send logs to CloudWatch Logs (subject to the level of detail of the logs being gathered). |
Control Objective – Restore
The objective of the Restore control in the Delivery phase is to “bring information and information systems back to their original state.” **
| Control Names | Descriptions |
|---|---|
| AWS Systems Manager State Manager (ID: Sec.Inf.14) | This control helps you to define and maintain consistent OS configurations. |
| CloudFormation + Service Catalog (ID: Ops.1) | These controls help you to provision your infrastructure in an automated and secure manner. The CloudFormation template file serves as the single source of truth for your cloud environment. |
| Immutable Infrastructure – Short-Lived Environments (ID: Ops.2) | Rebuild or refresh your environments periodically to make it more difficult for an attack payload to persist. |