{"description": "ICS techniques mitigated by Filter Network Traffic, ATT&CK mitigation M0937 (v1.0)", "name": "Filter Network Traffic (M0937)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T0800", "comment": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0806", "comment": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0884", "comment": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0868", "comment": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages.\nAllow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0816", "comment": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0839", "comment": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0861", "comment": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0843", "comment": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0845", "comment": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0886", "comment": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0848", "comment": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages.\nAllow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0856", "comment": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0857", "comment": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0855", "comment": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0859", "comment": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Filter Network Traffic", "color": "#66b1ff"}]}