| ID | Name |
|---|---|
| T1491.001 | Internal Defacement |
| T1491.002 | External Defacement |
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.[1][2][3] External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.[4]
| ID | Name | Description |
|---|---|---|
| G0034 | Sandworm Team |
Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.[5][6] |
| ID | Mitigation | Description |
|---|---|---|
| M1053 | Data Backup |
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[7] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0022 | File | File Creation |
| File Modification | ||
| DS0029 | Network Traffic | Network Traffic Content |
Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.