T1491.002: External Defacement
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.
Positive Technologies products that cover the technique
Detection
PT AF can prevent the defacement of websites by providing comprehensive protection. Rules from different groups are used for this, such as "Injection," "Bots," "Exploitation of CVE-listed vulnerabilities," "File upload," "HTTP violation," "Malicious file execution," "IP address reputation," and others.
Detection
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
---|
ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor external websites for unplanned content changes. |
---|
ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for newly constructed files that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. |
---|
Mitigation
ID | M1053 | Name | Data Backup | Description | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
---|