Skip to content

M0937 Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. 1

Item Value
ID M0937
Version 1.0
Created 11 June 2019
Last Modified 30 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
ics T0800 Activate Firmware Update Mode Filter for protocols and payloads associated with firmware activation or updating activity.
ics T0806 Brute Force I/O Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.
ics T0884 Connection Proxy Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.
ics T0868 Detect Operating Mode Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
ics T0816 Device Restart/Shutdown Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3’s 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).
ics T0839 Module Firmware Filter for protocols and payloads associated with firmware activation or updating activity.
ics T0861 Point & Tag Identification Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
ics T0843 Program Download Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.
ics T0845 Program Upload Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.
ics T0886 Remote Services Filter application-layer protocol messages for remote services to block any unauthorized activity.
ics T0848 Rogue Master Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.
ics T0856 Spoof Reporting Message Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.
ics T0857 System Firmware Filter for protocols and payloads associated with firmware activation or updating activity.
ics T0855 Unauthorized Command Message Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
ics T0859 Valid Accounts Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.

References