Mitigations
M1036 Account Use Policies
This mitigation is not covered by the language. We do model the account lockout aspect mentioned, but only if the attacker is able to deny all of the Credentials associated with an Identity. Location and device restrictions on logins are beyond the scope of the language.
M1015 Active Directory Configuration
Generally, this is too implementation-specific for coreLang. However, many of the concepts can be represented at a high level through the IAM assets, such as Identity, Group, and Privileges. The notPresent defense on these assets can be used to reason about removing particular permissions or roles.
M1049 Antivirus/Antimalware
Antivirus and antimalware tools are explicitly represented in the language by the IDPS asset, which safeguards Applications from the exploitation of software vulnerabilities and from unsafe user activity that the attacker induced through social engineering.
M1013 Application Developer Guidance
This is not generally covered by the language, as it is both too implementation-specific and takes place outside the actual attack timeline. However, the notPresent defense on SoftwareVulnerability can be used to reason about removing particular vulnerabilities from software products or applications. Guidance that concerns the principle of least privilege can be represented via the notPresent defense on the IAM assets.
M1048 Application Isolation and Sandboxing
Applications can host other Applications in coreLang, and this association represents any type of containerization, sandboxing, or isolation. If the attacker gains full access to the container they can attempt to connect to the host Application, since they are assumed to be able to bypass some of the sandboxing mechanisms. However, they remain restricted and cannot perform any other actions on the host unless they hold privileges on it or are able to exploit a vulnerability in it. If the attacker only gets low-privilege access on the container, the language still assumes there may be convoluted situations in which, with considerable effort, they can break out of the containment and connect to the host Application, but these are treated as very unlikely.
M1047 Audit
The Audit mitigation has no straightforward equivalent in coreLang, since what it means depends heavily on the technique it is applied to. Generally, it suggests regular reviews looking for artifacts that indicate an attacker's actions. It is broadly covered by the IDPS asset and by attack steps that require additional effort to succeed, the implication being that the attacker needs to invest additional time in order to avoid detection.
M1040 Behavior Prevention on Endpoint
From coreLang's perspective, Behavior Prevention on Endpoint is very similar to the M1049 Antivirus/Antimalware mitigation and can usually be modeled the same way. If a technique or scenario suggests that one of these mitigations should be focused more narrowly on a particular exploit avenue, the notPresent defense on the SoftwareVulnerability representing the vulnerable feature can be used as a more precise way of removing that attack vector.
M1046 Boot Integrity
Many of the techniques that suggest this mitigation can use the same mechanisms described for M1045 Code Signing, with the binary Data representing the system, BIOS, or EFI image and the Application being the operating system or firmware.
If the boot integrity check is performed by specialized hardware, the hardwareModificationsProtection defense on the Hardware asset can be used to represent it.
M1045 Code Signing
The Signing Credentials association between Credentials and Data can be used to represent the signing of any type of Data. Signed Data cannot be overwritten by the attacker unless they have compromised the signing Credentials.
This mitigation is often suggested for release binaries or source code. In those situations the Data can be specified as containing a SoftwareProduct, designated as the software package used by one or more Applications.
If the Data being signed does not represent a software package in binary or source-code form, it can instead be specified as a dependence of the Application.
M1043 Credential Access Protection
This mitigation has two separate facets. The first is restricting the security context in which certain drivers execute, to limit the impact of successful exploitation by the attacker. This is very similar to the other mitigations that deal with the least privilege principle, such as M1026 Privileged Account Management and M1024 Restrict Registry Permissions. The second is making sure that stored passwords are encrypted, which is very similar to M1041 Encrypt Sensitive Information.
M1053 Data Backup
The Replica association between Information and Data was introduced specifically during the validation process to implement this mitigation. An attacker who is able to read one replica is granted read on all other replicas, since they contain the same information. However, for the Information itself to suffer a write, delete, or deny, all of its replicas need to have been impacted by write, delete, or deny, respectively. The language assumes that any of the replicas can be used to recover the information. This means it does not cover more intricate scenarios, such as gradual poisoning of the backups or exploiting voting mechanisms between replicas.
M1057 Data Loss Prevention
This mitigation comprises two separate components. First, restricting access to the data is functionally similar to M1022 Restrict File and Directory Permissions. Second, restricting the attacker's ability to exfiltrate data they have already accessed is covered by the payloadInspection defense on the ConnectionRule asset, as detailed under M1031 Network Intrusion Prevention.
These two aspects match how exfiltration requires both access to the data and network connectivity, as discussed in Exfiltration.
M1042 Disable or Remove Feature or Program
This is more of a structural mitigation, but the notPresent defense on Application is an explicit way to reason about it.
M1055 Do Not Mitigate
Not covered by the language as it is an indication of when not to apply other mitigations.
M1041 Encrypt Sensitive Information
This can be represented in coreLang by using Credentials to encrypt the relevant Data. Encrypted Data cannot be read, overwritten, or deleted by the attacker unless they have compromised the encryption Credentials. However, the Data can still be denied, since encryption protects confidentiality and integrity but not availability.
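The rules for signing Credentials (M1045 Code Signing), the Replica association (M1053 Data Backup) and encryption Credentials (this section) interact in ways that are easy to get wrong by hand, so the following Python snippet is an added illustration that computes the attacker's resulting impact on a Data asset and on the Information behind a set of replicas. It is example code, not coreLang's own or part of the MAL toolchain; the asset classes, the `reachable` set standing in for whatever file permissions or network access the attacker already has, and the constructed sample model are this example's assumptions.

```python
"""Added example: evaluate read/write/delete/deny on Data and Information under
signing Credentials, encryption Credentials and the Replica association.
Constructed illustration of the rules in the text, not coreLang's attack-step
logic or the MAL engine; the names here are the example's own."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Data:
    name: str
    signing: str | None = None      # Signing Credentials protecting this Data
    encryption: str | None = None   # Credentials used to encrypt this Data


@dataclass(frozen=True)
class Information:
    name: str
    replicas: tuple[Data, ...]      # Replica association: each Data is a full copy


def data_impacts(data, reachable, compromised):
    """Operations the attacker obtains on a single Data asset.

    reachable:   names of Data the attacker can get at (file permissions,
                 network access, ...); this example takes that as given.
    compromised: names of Credentials the attacker already holds."""
    if data.name not in reachable:
        return set()
    got = {"deny"}  # availability can always be hit, encrypted or not
    can_decrypt = data.encryption is None or data.encryption in compromised
    can_sign = data.signing is None or data.signing in compromised
    if can_decrypt:
        # the text only says signing blocks overwriting, so delete is not gated on it
        got |= {"read", "delete"}
        if can_sign:
            got.add("write")
    return got


def information_impacts(info, reachable, compromised):
    """read propagates from ANY replica (they hold the same information);
    write, delete and deny need ALL replicas, since any survivor restores it."""
    per_replica = [data_impacts(d, reachable, compromised) for d in info.replicas]
    got = set()
    if any("read" in ops for ops in per_replica):
        got.add("read")
    for op in ("write", "delete", "deny"):
        if per_replica and all(op in ops for ops in per_replica):
            got.add(op)
    return got


# Constructed sample model: a database with an encrypted backup, and a signed release.
CUSTOMERS = Information("customer-records", (
    Data("db-primary"),
    Data("db-backup", encryption="backup-key"),
))
RELEASE = Data("release.tar", signing="release-key")


if __name__ == "__main__":
    both = {"db-primary", "db-backup"}
    print(information_impacts(CUSTOMERS, both, set()))              # read and deny only
    print(information_impacts(CUSTOMERS, both, {"backup-key"}))     # all four operations
    print(data_impacts(RELEASE, {"release.tar"}, set()))            # everything but write
    print(data_impacts(RELEASE, {"release.tar"}, {"release-key"}))  # write as well
```

The second call shows the practical caveat of M1053: once the attacker holds the backup's encryption key, the backup no longer protects integrity or availability, so the key material deserves the same attention as the replica itself.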
M1039 Environment Variable Permissions
This mitigation is a more specific application of M1022 Restrict File and Directory Permissions. If the environment variables can be used to hijack the execution of an Application, the Data representing them can be defined as a dependence of it.
M1038 Execution Prevention
A large number of facets are encompassed by this mitigation, as the name would imply. Any mechanism that could restrict the ability of the attacker to gain execution is included. As such, these have already been covered in other mitigations, for example M1045 Code Signing, M1049 Antivirus/Antimalware, M1042 Disable or Remove Feature or Program, and M1022 Restrict File and Directory Permissions.
M1050 Exploit Protection
From coreLang’s perspective this is functionally identical to M1049 Antivirus/Antimalware.
M1037 Filter Network Traffic
Protocol-based traffic filtering is implemented in coreLang by using the restricted defense on a ConnectionRule, or by changing the model structure and removing the ConnectionRule altogether. The restricted defense stops all traffic through the asset, which makes the ConnectionRule behave as if it were not present in the model, in line with the structural approach of simply removing it. However, restricted is assumed to be imperfect: the attacker may find ways to bypass the filtering with substantial effort, whereas a removed ConnectionRule offers no path at all.
M1035 Limit Access to Resource Over Network
Many of the implementations suggested by this mitigation restrict particular connections based on certain protocols, ports, or configurations. All of these can be modeled using the same mechanisms mentioned for M1037 Filter Network Traffic. The scenarios where remote desktop gateways or virtual private networks are suggested can use an Identity and Credentials pair, where the Identity represents the security context on the Application endpoints of the communication and the Credentials represent the keys used to authenticate and encrypt the Data traversing the tunnel.
M1034 Limit Hardware Installation
The hardwareModificationsProtection defense on the Hardware asset prevents unsafe user actions on the hardware system.
M1033 Limit Software Installation
Because the attacker cannot introduce new assets into the model as a result of triggering attack steps, software installation is generally not covered by the language. However, the suggestions for M1042 Disable or Remove Feature or Program apply to this mitigation as well, as the two are alike.
M1032 Multi-factor Authentication
The Conditional Authentication association between Credentials is used to represent multi-factor authentication in coreLang. It protects the primary Credentials from being compromised unless the additional factors specified have also been compromised by the attacker. The association can be nested, and multiple required factors can be specified for the same Credentials.
Furthermore, three defenses exist on the Credentials asset that allow the modeler to define its characteristics: notGuessable, unique, and notPhishable. These allow Credentials to represent a variety of authentication mechanisms, from biometrics to one-time passwords.
M1031 Network Intrusion Prevention
Payload-based filtering in coreLang is implemented via the payloadInspection defense on the ConnectionRule asset. This defense prevents the attacker from exploiting vulnerabilities or inducing unsafe user actions on the Applications they reach through inspected ConnectionRules, as the payload inspection is expected to detect the anomalous patterns and filter the traffic out. However, the adversary can still use legitimate Credentials to authenticate, since that traffic does not stand out as atypical.
The adversaryInTheMiddleDefense defense on the Network asset can also be used to protect Data that transit the Network from Adversary-in-the-Middle attacks.
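The interplay between restricted ConnectionRules (M1037 Filter Network Traffic), the containment relation between Applications (M1048 Application Isolation and Sandboxing) and payloadInspection is easiest to see on a small model, so the following Python snippet is an added illustration that iterates the rules stated in those three sections to a fixpoint. It is example code, not coreLang's own or the MAL engine's semantics: the step rules, the assumption that a successful exploit yields full access, the single `allow_high_effort` switch standing in for the substantial-effort steps the text mentions, and the constructed sample model are this example's own.

```python
"""Added example: fixpoint reachability over a coreLang-like model with the
restricted and payloadInspection defenses on ConnectionRule, containment between
Applications, and stolen Credentials.  Constructed illustration; the step rules
and names are this example's, not coreLang's attack steps or the MAL engine."""
from __future__ import annotations
from dataclasses import dataclass

RANK = {None: 0, "low": 1, "full": 2}   # privilege ordering used below


@dataclass(frozen=True)
class Application:
    name: str
    vulnerable: bool = False   # a SoftwareVulnerability with notPresent disabled
    host: str | None = None    # Application this one is contained in, if any


@dataclass(frozen=True)
class ConnectionRule:
    src: str                          # network or Application the traffic comes from
    dst: str                          # Application the rule leads to
    restricted: bool = False          # M1037: drops all traffic; bypass = substantial effort
    payload_inspection: bool = False  # M1031: blocks exploits, not logins


def reachable(apps, rules, start_network, creds, allow_high_effort=False):
    """Return {application name: "low" | "full"} for every Application the
    attacker ends up with privileges on.

    creds:             name -> privilege level that stolen Credentials grant there
    allow_high_effort: also take the substantial-effort steps from the text,
                       i.e. bypassing a restricted rule and escaping a container
                       from only low privileges."""
    by_name = {a.name: a for a in apps}
    connect = {}   # name -> True when at least one reaching path is NOT inspected
    priv = {}
    changed = True
    while changed:
        changed = False
        # 1. network reach: from the start network and from Applications already owned
        sources = {start_network} | {n for n, p in priv.items() if p == "full"}
        for r in rules:
            if r.src not in sources or (r.restricted and not allow_high_effort):
                continue
            merged = connect.get(r.dst, False) or not r.payload_inspection
            if r.dst not in connect or merged != connect[r.dst]:
                connect[r.dst] = merged
                changed = True
        # 2. containment: full access on a contained Application reaches its host
        #    directly (no ConnectionRule is involved, hence no payload inspection)
        for a in apps:
            p = priv.get(a.name)
            if a.host in by_name and (p == "full" or (p == "low" and allow_high_effort)):
                if not connect.get(a.host, False):
                    connect[a.host] = True
                    changed = True
        # 3. reach -> privilege: valid Credentials always work; exploitation only
        #    where some reaching path was not payload-inspected
        for name, uninspected in connect.items():
            level = creds.get(name)
            app = by_name.get(name)
            if uninspected and app is not None and app.vulnerable:
                level = "full"   # assumption: a successful exploit gives full access
            if RANK[level] > RANK[priv.get(name)]:
                priv[name] = level
                changed = True
    return priv


# Constructed sample model: a vulnerable web app in a container on a vulnerable
# host, reachable only through an inspected rule; an admin app behind a
# restricted rule.
APPS = [
    Application("web", vulnerable=True, host="host-os"),
    Application("host-os", vulnerable=True),
    Application("admin", vulnerable=True),
]
RULES = [
    ConnectionRule("internet", "web", payload_inspection=True),
    ConnectionRule("internet", "admin", restricted=True),
]

if __name__ == "__main__":
    print(reachable(APPS, RULES, "internet", {}))                          # nothing
    print(reachable(APPS, RULES, "internet", {"web": "full"}))             # web and host-os
    print(reachable(APPS, RULES, "internet", {}, allow_high_effort=True))  # admin only
```

The second call is the point of M1048 combined with M1031: payload inspection keeps the unauthenticated attacker off the vulnerable web Application, but stolen Credentials walk straight through it, and full access in the container then reaches the host with no inspection in between. The third call shows why restricted is weaker than removing the ConnectionRule: with the substantial-effort step allowed, the admin Application becomes reachable again.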
M1030 Network Segmentation
From coreLang’s viewpoint this mitigation is equivalent to M1037 Filter Network Traffic.
M1028 Operating System Configuration
This is a more specific application of the same mechanisms described for M1054 Software Configuration.
This mitigation defines a specific place, the operating system, where security improvements can be made. From coreLang’s perspective the operating system is simply an Application. Usually, it will host other Applications running on it and sometimes the Hardware it runs on will also be represented.
M1027 Password Policies
In addition to the notGuessable, unique, and notPhishable defenses on Credentials already mentioned under M1032 Multi-factor Authentication, the language also makes assumptions about password strength based on the User's security awareness.
If a Credentials asset is guessable (it does not have the notGuessable defense enabled) and has an Identity associated with it, which in turn has a User associated with it, the security awareness of that User determines how easy it is to guess the Credentials.
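To make the interaction between these defenses concrete, the following Python snippet is an added illustration (example code, not coreLang's own or part of the MAL toolchain) that applies the rules from M1032 Multi-factor Authentication and this section: a Credentials asset is only compromised if it can itself be guessed or phished and every required factor in its Conditional Authentication chain is compromised too. The two-value effort scale, the helper names, and the sample users and credentials are this example's assumptions and simplifications.

```python
"""Added example: which Credentials fall, and how, under notGuessable /
notPhishable, the User's Security Awareness, and nested Conditional
Authentication factors.  Constructed illustration; helper names and the effort
scale are this example's own, not coreLang's attack steps or the MAL engine."""
from __future__ import annotations
from dataclasses import dataclass, field

LOW, HIGH = 1, 3   # example effort scale, not coreLang's time-to-compromise values


@dataclass
class User:
    name: str
    security_awareness: bool = False   # the Security Awareness defense


@dataclass
class Credentials:
    name: str
    user: User | None = None           # User behind the Identity that uses them
    not_guessable: bool = False
    not_phishable: bool = False
    # Conditional Authentication: factors that must ALSO be compromised
    required_factors: list[Credentials] = field(default_factory=list)


def direct_vectors(cred):
    """Ways to obtain this one factor on its own, with an effort estimate.
    An aware User picks stronger passwords (guessing costs more) and does not
    hand credentials to a phisher at all."""
    aware = bool(cred.user and cred.user.security_awareness)
    vectors = {}
    if not cred.not_guessable:
        vectors["guess"] = HIGH if aware else LOW
    if not cred.not_phishable and not aware:
        vectors["phish"] = LOW
    return vectors


def compromise_plan(cred, _seen=frozenset()):
    """Cheapest ordered list of (credential, vector, effort) steps that
    compromises `cred`, or None if some factor in the chain is unobtainable.
    Factors are resolved first because the primary Credentials only count as
    compromised once every required factor is."""
    if cred.name in _seen:   # cyclic requirement: neither side ever falls
        return None
    own = direct_vectors(cred)
    if not own:
        return None
    plan = []
    for factor in cred.required_factors:   # nesting is handled by recursion
        sub = compromise_plan(factor, _seen | {cred.name})
        if sub is None:
            return None
        plan.extend(sub)
    vector = min(own, key=own.get)
    plan.append((cred.name, vector, own[vector]))
    return plan


def total_effort(plan):
    return None if plan is None else sum(effort for _, _, effort in plan)


# Constructed sample: the same password protected by different second factors.
ALICE = User("alice")                              # no Security Awareness
BOB = User("bob", security_awareness=True)
FIDO = Credentials("fido-key", ALICE, not_guessable=True, not_phishable=True)
SMS_OTP = Credentials("sms-otp", ALICE, not_guessable=True)   # one-time, yet phishable
PASSWORD_ONLY = Credentials("password", ALICE)
PASSWORD_SMS = Credentials("password", ALICE, required_factors=[SMS_OTP])
PASSWORD_FIDO = Credentials("password", ALICE, required_factors=[FIDO])
BOB_PASSWORD_SMS = Credentials("password", BOB,
                               required_factors=[Credentials("sms-otp", BOB, not_guessable=True)])

if __name__ == "__main__":
    for c in (PASSWORD_ONLY, PASSWORD_SMS, PASSWORD_FIDO, BOB_PASSWORD_SMS):
        print(c.user.name, c.name, compromise_plan(c), total_effort(compromise_plan(c)))
```

The contrast between PASSWORD_SMS and PASSWORD_FIDO is the modeling point: a one-time code that is notGuessable but not notPhishable only adds one cheap phishing step for an unaware User, whereas a factor that is both notGuessable and notPhishable cuts the chain entirely. BOB_PASSWORD_SMS shows the Security Awareness defense doing the same job from the User's side.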
M1056 Pre-compromise
The aspects of the attack before the actual compromise are beyond the scope of coreLang.
M1026 Privileged Account Management
Privileged Account Management is a more targeted instance of M1018 User Account Management; it places the emphasis on the access control roles that are very impactful, such as SYSTEM and root.
M1025 Privileged Process Integrity
This mitigation highlights the importance of protecting software processes, as mentioned under M1038 Execution Prevention, with particular emphasis on the M1045 Code Signing aspects for elevated-privilege processes on Windows systems.
In coreLang a privileged process is one executed in an elevated security context: the Application depicting the process has Execution Privileges Access granted to one of the IAM assets (Identity, Group, or Privileges) that also has Execution Privileges Access or High Privileges Access on other Applications.
M1029 Remote Data Storage
Much of this mitigation has to do with structural improvements, where the Data the attacker seeks are not present on systems deemed more vulnerable. Its other aspects are creating backups, covered by M1053 Data Backup, and encrypting sensitive data, discussed under M1041 Encrypt Sensitive Information.
M1022 Restrict File and Directory Permissions
Read, Write, and Delete privileges can be defined for the IAM assets (Identity, Group, or Privileges) to designate their permissions on Data, which is how files and directories are represented in coreLang.
This mitigation suggests structural changes to the models by removing extraneous privileges. The notPresent defense on the IAM assets can be used to reason about the attack vectors that removing these permissions would thwart. Privileges are a good candidate for modeling these scenarios, since they can be associated with either an Identity or a Group as Subprivileges to represent a subset of the permissions available to that role. The unnecessary permissions can therefore be represented as Subprivileges of the Identity or Group, with the notPresent defense enabled on just those Privileges.
M1044 Restrict Library Loading
From coreLang’s viewpoint this is a more specific example of M1050 Exploit Protection.
M1024 Restrict Registry Permissions
This is similar to M1039 Environment Variable Permissions.
M1021 Restrict Web-Based Content
Most of the restrictions suggested are applied on the host side, which would match M1050 Exploit Protection.
M1054 Software Configuration
Most of the implementations suggested by this mitigation for the various techniques are covered by other mitigations; they simply happen to be applied through software configuration. See M1050 Exploit Protection, M1042 Disable or Remove Feature or Program, M1034 Limit Hardware Installation, M1045 Code Signing, M1026 Privileged Account Management, and M1022 Restrict File and Directory Permissions.
M1020 SSL/TLS Inspection
This is not possible in coreLang. If the ConnectionRule's payloadInspection defense is bypassed because encrypted Data traverse the ConnectionRule, there is no mechanism through which the inspection can be restored.
M1019 Threat Intelligence Program
The aspects described are beyond the scope of coreLang modeling.
M1051 Update Software
This can be represented in the same way as M1050 Exploit Protection.
M1052 User Account Control
This mitigation has to do with configuring the Windows User Account Control (UAC) feature to reduce the risk of privilege escalation. It can be implemented by removing, or enabling the notPresent defense on, the SoftwareVulnerability described under the Exploitation for Privilege Escalation technique.
M1018 User Account Management
This mitigation is analogous to M1022 Restrict File and Directory Permissions.
Execution, High, and Low privileges can be defined for the IAM assets (Identity, Group, or Privileges) to designate their permissions on Applications.
IAM assets can also be granted management privileges on other IAM assets.
As with M1022 Restrict File and Directory Permissions, this mitigation suggests structural changes to the models by removing extraneous privileges. The notPresent defense on the IAM assets can be used to reason about the attack vectors that removing these permissions would thwart, with the unnecessary permissions represented as Subprivileges of the Identity or Group so that the notPresent defense can be enabled on just those Privileges.
M1017 User Training
The principal way to represent this mitigation in coreLang is the Security Awareness defense on the User. This defense prevents a variety of disruptions enabled by Social Engineering, such as phishing the user for Credentials or tricking them into performing unsafe user actions on Applications.
Additionally, two more specialized defenses also exist on the User. No Password Reuse specifies whether a particular User will use the same Credentials for multiple purposes. No Removable Media Usage defines whether a User will spread attacks that propagate through removable media drives.
M1016 Vulnerability Scanning
This can be represented in the same way as M1050 Exploit Protection.