Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
| Mitigation | Description |
|---|---|
| Account Use Policies | Configure features related to account use, such as login attempt lockouts, specific login times, etc. |
| Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
| Antivirus/Antimalware | Use signatures or heuristics to detect malicious software. |
| Application Developer Guidance | This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. |
| Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
| Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Behavior Prevention on Endpoint | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
| Boot Integrity | Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. |
| Code Signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
| Credential Access Protection | Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping. |
| Data Backup | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. |
| Data Loss Prevention | Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data. |
| Disable or Remove Feature or Program | Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
| Do Not Mitigate | This category is used to associate techniques for which mitigation might increase the risk of compromise, so mitigation is not recommended. |
| Encrypt Sensitive Information | Protect sensitive information with strong encryption. |
| Environment Variable Permissions | Prevent modification of environment variables by unauthorized users and groups. |
| Execution Prevention | Block execution of code on a system through application control and/or script blocking. |
| Exploit Protection | Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
| Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
| Limit Access to Resource Over Network | Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
| Limit Hardware Installation | Block users or groups from installing or using unapproved hardware on systems, including USB devices. |
| Limit Software Installation | Block users or groups from installing unapproved software. |
| Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator. |
| Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
| Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
| Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
| Password Policies | Set and enforce secure password policies for accounts. |
| Pre-compromise | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. |
| Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
| Privileged Process Integrity | Protect processes with high privileges that can be used to interact with critical system components through use of Protected Process Light, anti-process-injection defenses, or other process integrity enforcement measures. |
| Remote Data Storage | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. |
| Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
| Restrict Library Loading | Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potentially vulnerable software. |
| Restrict Registry Permissions | Restrict the ability to modify certain hives or keys in the Windows Registry. |
| Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. |
| Software Configuration | Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates. |
| SSL/TLS Inspection | Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity. |
| Threat Intelligence Program | A threat intelligence program helps an organization generate its own threat intelligence information and track trends to inform defensive priorities to mitigate risk. |
| Update Software | Perform regular software updates to mitigate exploitation risk. |
| User Account Control | Configure Windows User Account Control to mitigate the risk of adversaries obtaining elevated process access. |
| User Account Management | Manage the creation, modification, use, and permissions associated with user accounts. |
| User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
| Vulnerability Scanning | Vulnerability scanning is used to find potentially exploitable software vulnerabilities so that they can be remediated. |