# M1031 — Network Intrusion Prevention

## Overview

*Source: [MITRE ATT&CK — M1031](https://attack.mitre.org/mitigations/M1031)*

## Description

Use intrusion detection signatures to block traffic at network boundaries.

An intrusion prevention system (IPS) sits inline and actively monitors network traffic for known malicious patterns (exploitation attempts, C2 beaconing, protocol tunneling, exfiltration), dropping matching traffic in real time before it reaches its destination. Its effectiveness depends on continuously updated signatures and on integration with threat intelligence feeds; traffic that matches no signature is only caught if a heuristic or intelligence-driven check flags it.

```mermaid
graph TB
    A["🌐 Network traffic<br/>inbound / outbound"] --> B["🔎 Inline IPS<br/>deep packet inspection (DPI)"]
    B --> C{"Known<br/>signature?"}
    C -->|Yes| D["🚫 Drop packet<br/>+ raise alert"]
    C -->|No| E["🧠 Heuristic analysis<br/>+ TI feed correlation"]
    E --> F{"Anomaly<br/>detected?"}
    F -->|Yes| D
    F -->|No| G["✅ Traffic<br/>allowed"]
```

## Mitigated Techniques

| ID | Technique |
|---|---------|
| T1568 | [[t1568-dynamic-resolution\|T1568 — Dynamic Resolution]] |
| T1542.005 | [[t1542-005-tftp-boot\|T1542.005 — TFTP Boot]] |
| T1008 | [[t1008-fallback-channels\|T1008 — Fallback Channels]] |
| T1572 | [[t1572-protocol-tunneling\|T1572 — Protocol Tunneling]] |
| T1071 | [[t1071-application-layer-protocol\|T1071 — Application Layer Protocol]] |
| T1048.003 | [[t1048-003-exfiltration-over-unencrypted-non-c2-protocol\|T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol]] |
| T1105 | [[t1105-ingress-tool-transfer\|T1105 — Ingress Tool Transfer]] |
| T1132 | [[t1132-data-encoding\|T1132 — Data Encoding]] |
| T1568.002 | [[t1568-002-domain-generation-algorithms\|T1568.002 — Domain Generation Algorithms]] |
| T1102 | [[t1102-web-service\|T1102 — Web Service]] |
| T1041 | [[t1041-exfiltration-over-c2-channel\|T1041 — Exfiltration Over C2 Channel]] |
| T1104 | [[t1104-multi-stage-channels\|T1104 — Multi-Stage Channels]] |
| T1090.002 | [[t1090-002-external-proxy\|T1090.002 — External Proxy]] |
| T1095 | [[t1095-non-application-layer-protocol\|T1095 — Non-Application Layer Protocol]] |
| T1204.005 | [[t1204-005-malicious-library\|T1204.005 — Malicious Library]] |
| T1048.002 | [[t1048-002-exfiltration-over-asymmetric-encrypted-non-c2-protocol\|T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol]] |
| T1048.001 | [[t1048-001-exfiltration-over-symmetric-encrypted-non-c2-protocol\|T1048.001 — Exfiltration Over Symmetric Encrypted Non-C2 Protocol]] |
| T1557.002 | [[t1557-002-arp-cache-poisoning\|T1557.002 — ARP Cache Poisoning]] |
| T1573.001 | [[t1573-001-symmetric-cryptography\|T1573.001 — Symmetric Cryptography]] |
| T1046 | [[t1046-network-service-discovery\|T1046 — Network Service Discovery]] |
| T1557.001 | [[t1557-001-llmnrnbt-ns-poisoning-and-smb-relay\|T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay]] |
| T1570 | [[t1570-lateral-tool-transfer\|T1570 — Lateral Tool Transfer]] |
| T1557.004 | [[t1557-004-evil-twin\|T1557.004 — Evil Twin]] |
| T1204.001 | [[t1204-001-malicious-link\|T1204.001 — Malicious Link]] |
| T1566 | [[t1566-phishing\|T1566 — Phishing]] |
| T1071.003 | [[t1071-003-mail-protocols\|T1071.003 — Mail Protocols]] |
| T1204.004 | [[t1204-004-malicious-copy-and-paste\|T1204.004 — Malicious Copy and Paste]] |
| T1557.003 | [[t1557-003-dhcp-spoofing\|T1557.003 — DHCP Spoofing]] |
| T1566.001 | [[t1566-001-spearphishing-attachment\|T1566.001 — Spearphishing Attachment]] |
| T1048 | [[t1048-exfiltration-over-alternative-protocol\|T1048 — Exfiltration Over Alternative Protocol]] |
| T1204.003 | [[t1204-003-malicious-image\|T1204.003 — Malicious Image]] |
| T1001.001 | [[t1001-001-junk-data\|T1001.001 — Junk Data]] |
| T1001 | [[t1001-data-obfuscation\|T1001 — Data Obfuscation]] |
| T1090.001 | [[t1090-001-internal-proxy\|T1090.001 — Internal Proxy]] |
| T1204 | [[t1204-user-execution\|T1204 — User Execution]] |
| T1557 | [[t1557-adversary-in-the-middle\|T1557 — Adversary-in-the-Middle]] |
| T1602.002 | [[t1602-002-network-device-configuration-dump\|T1602.002 — Network Device Configuration Dump]] |
| T1602.001 | [[t1602-001-snmp-mib-dump\|T1602.001 — SNMP (MIB Dump)]] |
| T1029 | [[t1029-scheduled-transfer\|T1029 — Scheduled Transfer]] |
| T1102.001 | [[t1102-001-dead-drop-resolver\|T1102.001 — Dead Drop Resolver]] |
| T1030 | [[t1030-data-transfer-size-limits\|T1030 — Data Transfer Size Limits]] |
| T1221 | [[t1221-template-injection\|T1221 — Template Injection]] |
| T1573.002 | [[t1573-002-asymmetric-cryptography\|T1573.002 — Asymmetric Cryptography]] |
| T1071.002 | [[t1071-002-file-transfer-protocols\|T1071.002 — File Transfer Protocols]] |
| T1071.001 | [[t1071-001-web-protocols\|T1071.001 — Web Protocols]] |
| T1573 | [[t1573-encrypted-channel\|T1573 — Encrypted Channel]] |
| T1001.002 | [[t1001-002-steganography\|T1001.002 — Steganography]] |
| T1602 | [[t1602-data-from-configuration-repository\|T1602 — Data from Configuration Repository]] |
| T1001.003 | [[t1001-003-protocol-or-service-impersonation\|T1001.003 — Protocol or Service Impersonation]] |
| T1071.004 | [[t1071-004-dns\|T1071.004 — DNS]] |
| T1102.003 | [[t1102-003-one-way-communication\|T1102.003 — One-Way Communication]] |
| T1090 | [[t1090-proxy\|T1090 — Proxy]] |
| T1219 | [[t1219-remote-access-tools\|T1219 — Remote Access Tools]] |
| T1542.004 | [[t1542-004-rommonkit\|T1542.004 — ROMMONkit]] |
| T1571 | [[t1571-non-standard-port\|T1571 — Non-Standard Port]] |
| T1071.005 | [[t1071-005-publishsubscribe-protocols\|T1071.005 — Publish/Subscribe Protocols]] |
| T1132.001 | [[t1132-001-standard-encoding\|T1132.001 — Standard Encoding]] |
| T1132.002 | [[t1132-002-non-standard-encoding\|T1132.002 — Non-Standard Encoding]] |
| T1102.002 | [[t1102-002-bidirectional-communication\|T1102.002 — Bidirectional Communication]] |

---

## LATAM Context

> [!globe] Regional Relevance
> Network intrusion prevention (IPS) is widely deployed in large Brazilian organizations, especially in the financial sector and telcos, usually as a component of NGFW firewalls (Palo Alto, Fortinet, Check Point). Effectiveness depends critically on signature updates and on integration with regional threat intelligence sources such as CERT.br. Ransomware groups such as [[lockbit]] and espionage actors using domain fronting ([[t1090-004-domain-fronting|T1090.004]]) and DGAs ([[t1568-002-domain-generation-algorithms|T1568.002]]) are relevant threats that a well-configured IPS mitigates in the Brazilian context.
> - Adoption in Brazilian SOCs: high (mid-size and large companies)
> - Relevant regulations: BACEN 4893/2021, PCI DSS v4.0 (Req. 10 and 11), LGPD (technical protection measures)
> - Regional challenges: high false-positive volume requiring continuous tuning, licensing cost of premium signature feeds, and the difficulty of inspecting encrypted traffic without complementary SSL/TLS inspection
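The decision flow in the diagram above (signature match first, then threat-intel and heuristic checks, then allow) is easy to describe but the ordering and the failure modes matter in practice. The block below is an added example, not MITRE's text or any vendor's engine: a minimal inline IPS verdict function over constructed flows. The signatures, SIDs, threat-intel indicators, DGA thresholds and sample traffic are all assumptions built for the example, not real rules or real indicators.

```python
"""Signature-first, heuristic-second inline IPS verdict engine (added example).

Not from MITRE or any vendor: a constructed model of the M1031 flow above.
Rules, TI indicators, thresholds and traffic below are all assumptions.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:  # content-match signature, in the spirit of a Snort/Suricata rule
    sid: int
    msg: str
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None matches any destination port
    content: bytes           # byte pattern that must appear in the payload


@dataclass
class Flow:
    proto: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    dns_qname: Optional[str] = None  # set when the flow is a DNS query


# Constructed signatures (hypothetical SIDs and patterns, not a real ruleset).
RULES = [
    Rule(1000001, "Hypothetical C2 beacon URI", "tcp", 80, b"GET /gate.php?id="),
    Rule(1000002, "Hypothetical downloader User-Agent", "tcp", None,
         b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0"),
]
# Constructed threat-intel feed (assumed format: plain indicator strings).
TI_BAD_DOMAINS = {"evil-update.example", "cdn-stats.example"}
TI_BAD_IPS = {"203.0.113.45"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(qname: str) -> bool:
    """Heuristic DGA check on the registrable label: long, high-entropy and
    vowel-poor. Thresholds are assumptions; tune them on your own DNS baseline."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.5 and vowel_ratio < 0.25


def match_signature(flow: Flow) -> Optional[Rule]:
    """First rule whose proto, port and content all match the flow, else None."""
    for rule in RULES:
        if rule.proto != flow.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        if rule.content in flow.payload:
            return rule
    return None


def inspect_flow(flow: Flow) -> Tuple[str, Optional[str]]:
    """Inline verdict in diagram order: signature -> TI feed -> heuristic -> allow."""
    rule = match_signature(flow)
    if rule is not None:
        return "block", f"sid:{rule.sid} {rule.msg}"
    if flow.dst_ip in TI_BAD_IPS:
        return "block", f"TI feed: known-bad IP {flow.dst_ip}"
    if flow.dns_qname:
        qname = flow.dns_qname.rstrip(".").lower()
        if qname in TI_BAD_DOMAINS:
            return "block", f"TI feed: known-bad domain {qname}"
        if looks_like_dga(qname):
            return "block", f"heuristic: DGA-like query {qname}"
    return "allow", None


# Constructed traffic sample: two benign flows, four that should be dropped.
# The TLS flow to 203.0.113.45 matches no content signature (payload is
# ciphertext) and is caught only by the TI feed, which is the point of
# layering: a signature-only IPS sees nothing in encrypted traffic.
SAMPLE_FLOWS = [
    Flow("tcp", "198.51.100.10", 80, b"GET /gate.php?id=ab12 HTTP/1.1\r\n"),
    Flow("tcp", "198.51.100.20", 443, b"\x16\x03\x01\x02\x00"),
    Flow("tcp", "203.0.113.45", 443, b"\x16\x03\x01\x02\x00"),
    Flow("udp", "192.0.2.53", 53, dns_qname="www.example.com"),
    Flow("udp", "192.0.2.53", 53, dns_qname="evil-update.example."),
    Flow("udp", "192.0.2.53", 53, dns_qname="xjq7kd9wz3plmv.example"),
]


def run(flows: List[Flow]) -> List[Tuple[str, Optional[str]]]:
    """Evaluate every flow inline and return the verdicts in order."""
    return [inspect_flow(f) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, run(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow.proto}/{flow.dst_port} -> {flow.dst_ip}  {reason or ''}")
```

Two things the toy makes visible that the diagram does not. First, the order is deliberate: the cheap exact-match checks (signature, indicator set) run before the heuristic, so a tuned heuristic only ever decides on traffic that nothing authoritative already flagged, which keeps its false positives from masking true signature hits. Second, the TLS flow to the known-bad IP shows the limit noted in the regional challenges above: content signatures are blind to encrypted payloads, so without upstream TLS inspection the IPS falls back to metadata (destination, DNS, JA3-style fingerprints) and intelligence feeds. A production deployment such as Suricata in IPS mode runs inline (NFQUEUE or AF_PACKET copy mode) with `drop` rules instead of `alert`, and the DGA thresholds here must be re-baselined on real DNS before they are allowed to drop anything.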