DET0006 Detection Strategy for Network Boundary Bridging

Item	Value
ID	DET0006
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1599 (Network Boundary Bridging)

Analytics

Network Devices

AN0015

From a defender’s perspective, suspicious bridging is observed when network devices begin allowing traffic that contradicts existing segmentation or access policies. Observable behaviors include sudden modifications to ACLs or firewall rules, unusual cross-boundary traffic flows (e.g., east-west communications across separated VLANs), or simultaneous ingress/egress anomalies. Multi-event correlation is key: configuration changes on a router/firewall followed by unexpected traffic patterns, especially from unusual sources, is a strong indicator of compromise.

Log Sources

Data Component	Name	Channel
Network Traffic Flow (DC0078)	NSM:Flow	Unexpected flows between segmented networks or prohibited ports
Network Traffic Content (DC0085)	networkdevice:syslog	ACL/Firewall rule modification or new route injection

Mutable Elements

Field	Description
TimeWindow	Correlation window between configuration changes and abnormal traffic; tuned to match expected administrative change cycles.
ApprovedChangeList	Known authorized ACL/firewall changes; suppresses noise from legitimate maintenance.
GeoLocation	Geographic origin of new traffic patterns; helps distinguish benign remote offices from suspicious foreign access.
TrafficVolumeThreshold	Volume of cross-segment traffic; tuned to detect large-scale lateral flows without flagging small test connections.