How to Address Proxy-Based Attacks and Meet MITRE D3FEND Recommendations Using IP and Session Intelligence

MITRE ATT&CK and MITRE D3FEND are complementary frameworks that identify adversary tactics, techniques, and procedures (TTPs) observed in real-world cyberattacks, and the defensive countermeasures used to combat them.

MITRE ATT&CK is built around 14 tactics (the attacker’s goals) and hundreds of corresponding techniques and sub-techniques (how those goals are achieved). MITRE D3FEND describes defensive techniques to counter those attacker actions. There are 6 defensive categories in MITRE D3FEND.

Organizations use these frameworks for threat modeling and defensive gap analysis, to design SIEM/SOAR detection rules and SOC workflows, to simulate attacks, and to align threat intelligence reporting.

Residential Proxies: A Growing Threat

Residential proxy traffic is a growing and expensive problem for organizations to solve. Research from SC Media shows an 830% increase in residential proxy observations since 2023. Not only is the usage of residential proxies increasing, but the cost of remediating attacks perpetrated through residential proxy traffic is increasing as well, amounting to an estimated $13 billion in account takeover (ATO) costs alone in 2023 according to Fintech Weekly.

Organizations must take more proactive action to better secure their environments against residential proxy-based attacks. This post identifies the key tactics to watch for and the essential techniques and subtechniques to implement to align with MITRE best practices.

How to Use IP and Session Intelligence to Address MITRE D3FEND Framework Recommendations

NOTE: The tactics, techniques, and subtechniques in this section are summaries, with text attributed to MITRE.

ATT&CK Techniques and Subtechniques

Before we identify the key D3FEND countermeasures, let’s examine attacker techniques related to residential proxies. There are two primary tactics that identify risks associated with residential proxies – Command and Control, and Lateral Movement. See the information below for relevant techniques and subtechniques.

Tactic: Command and Control (TA0011)

Describes how adversaries communicate with compromised systems.

Technique: Proxy – T1090: Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Proxy – T1090 Subtechniques:

  • T1090.002 – External Proxy: Adversaries may use an external proxy to act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
  • T1090.003 – Multi-hop Proxy: Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

Tactic: Lateral Movement (TA0008)

Describes how adversaries move from one system to another after initial compromise.

Technique: Remote Services – T1021: Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Remote Services – T1021 Subtechnique:

  • T1021.001 – Remote Desktop Protocol: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

D3FEND Defensive Categories

There are two primary categories that examine controls for defending against residential proxy activity – Isolate and Detect. The information below examines controls and offers best practices guidance to address the control requirements.

Category: Isolate

Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses.

Network Isolation: D3-NI

Network Isolation techniques prevent network hosts from accessing non-essential system network resources.

D3-NTF: Network Traffic Filtering

  • Definition: Restricting network traffic originating from any location.
  • Best Practice: Maintain a feed of known anonymization services (e.g., VPNs, datacenter proxies, residential proxies, etc.) and other infrastructure used by attackers. By ingesting these feeds into network traffic filtering systems (e.g., next-gen firewalls, IDS/IPS, network proxies), you can block or alert on traffic originating from or destined to IPs flagged by Spur as suspicious. Data should include enriched context (such as service type and proxy classification), so you can use the data to inform blocking rules or tag network flows for further investigation.

D3-ITF: Inbound Traffic Filtering

  • Definition: Restricting network traffic originating from untrusted networks destined towards a private host or enclave.
  • Best Practice: Leverage enriched IP data to identify inbound sessions that originate from anonymized infrastructure which are often used by attackers to hide their origin. Integrate the data into your edge/cloud DDoS mitigation, web application firewall (WAF), or remote access gateway to flag or block inbound connections from high-risk IPs. If flagged as “residential proxy,” you can implement rules to block or require extra authentication.

D3-OTF: Outbound Traffic Filtering

  • Definition: Restricting network traffic originating from a private host or enclave destined towards untrusted networks.
  • Best Practice: Many C2 channels and exfiltration operations use anonymization or proxy infrastructure to conceal destinations or sources. Use IP enrichment data to identify known anonymized services that internal hosts are connecting to. By integrating with your egress firewall or proxy, you can block or raise alerts for outbound flows to IPs flagged as residential proxies, hijacked infrastructure, etc. This capability helps to enforce egress policies, for example where outbound traffic is only allowed for known/approved services, while outbound to “unknown/anonymizer” destinations are denied or inspected.

Access Mediation: D3-AMED

Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Access mediation decisions should enforce least privilege by granting access for scoped durations to prevent privilege creep and, where applicable, implement just-in-time (JIT) access. Denial decisions may prevent initial access or terminate access that has already been granted, ensuring continuous enforcement of security policies.

D3-PBWSAM: Proxy-based Web Server Access Mediation

  • Definition: Proxy-based Web Server Access Mediation involves controlling access to web servers via proxy servers, which act as intermediaries between users and web resources. This approach can enhance security by anonymizing user requests, filtering content, and enforcing access policies. Examples include using corporate proxies to access external websites or services.
  • Best Practice: Enrich IPs and identify user sessions with “proxy/residential proxy/datacenter” classifications and anonymizer status. This data can then be used to define policies that allow, block, or apply friction when a user is connecting via a suspicious IP.

D3-WSAM: Web Session Access Mediation

  • Definition: Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat mitigation techniques, to ensure that access to web resources is authorized and protected from session-related attacks.
  • Best Practice: In interactive web sessions (login portals, SaaS, banking platforms), inspect the session’s IP, checking whether the session is via a VPN/ residential proxy, and classifying risk in real time. Based on the classification, you can enforce additional risk controls such as step-up authentication, MFA, session termination, or blocking.

Category: Detect

Used to identify adversary access to or unauthorized activity on computer networks.

Identifier Analysis: D3-ID

Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.

D3-IPRA: IP Reputation Analysis

  • Definition: Analyzing the reputation of an IP address.
  • Best Practice: Maintain data for active anonymization services, ensuring coverage of all active IP addresses, and refresh them regularly. You can incorporate this enrichment into your SIEM, IDS/IPS, or threat-intelligence platform to feed IP reputation decisions.

Network Traffic Analysis: D3-NTA

Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.

D3-ANAA: Administrative Network Activity Analysis

  • Definition: Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
  • Best Practice: Use IP geolocation and anonymizer detection capabilities to identify if an admin is logging in from a residential proxy or from a different country than usual.

D3-CAA: Connection Attempt Analysis

  • Definition: Analyzing failed connections in a network to detect unauthorized activity.
  • Best Practice: Analyze each connection attempt’s source IP for anonymity/proxy classification and geolocation context. You can feed this enriched data into your analytics engine to spot patterns. For example, a large number of connection attempts from IPs flagged as residential proxies or newly observed anonymization services could indicate scanning via anonymization infrastructure.
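The D3-CAA pattern above, as an added example that is not code from the original post or from Spur: failed connection attempts are enriched with an anonymizer classification and bucketed into fixed time windows, and a window raises an alert when several distinct residential-proxy sources appear in it. The enrichment table, its "anonymizer" field name and the log lines are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed enrichment table standing in for an IP-intelligence lookup.
# The "anonymizer" field name and its values are assumptions for this example.
ENRICHMENT = {
    "203.0.113.10": {"anonymizer": "RESIDENTIAL_PROXY"},
    "203.0.113.11": {"anonymizer": "RESIDENTIAL_PROXY"},
    "203.0.113.12": {"anonymizer": "RESIDENTIAL_PROXY"},
    "198.51.100.7": {"anonymizer": None},
}

# Constructed failed-connection log: "<timestamp> <source IP> <destination port>".
FAILED_CONNECTIONS = """\
2024-05-01T10:00:01Z 203.0.113.10 22
2024-05-01T10:00:05Z 203.0.113.11 22
2024-05-01T10:00:09Z 203.0.113.12 3389
2024-05-01T10:00:12Z 203.0.113.10 3389
2024-05-01T10:00:30Z 198.51.100.7 443
2024-05-01T10:07:00Z 203.0.113.11 22
"""

def parse(log):
    """Yield (timestamp, source_ip, dst_port) tuples from the log text."""
    for line in log.splitlines():
        ts, ip, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, ip, int(port)

def detect_proxy_scanning(records, window_s=300, min_attempts=3, min_sources=2):
    """Group failed attempts from residential-proxy sources into fixed windows and
    alert when a window holds >= min_attempts spread over >= min_sources IPs."""
    buckets = defaultdict(list)
    for when, ip, port in records:
        if ENRICHMENT.get(ip, {}).get("anonymizer") != "RESIDENTIAL_PROXY":
            continue  # only anonymized sources count toward this detection
        key = int(when.timestamp()) // window_s * window_s
        buckets[key].append((ip, port))
    alerts = []
    for key in sorted(buckets):
        attempts = buckets[key]
        sources = sorted({ip for ip, _ in attempts})
        if len(attempts) >= min_attempts and len(sources) >= min_sources:
            alerts.append({"window_start": datetime.fromtimestamp(key, tz=timezone.utc),
                           "attempts": len(attempts), "sources": sources,
                           "ports": sorted({p for _, p in attempts})})
    return alerts
```

On the constructed log, the four attempts between 10:00:01 and 10:00:12 from three residential-proxy IPs produce one alert, while the lone 10:07 attempt falls into the next window and stays below threshold.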

User Behavior Analysis: D3-UBA

User behavior analytics (“UBA”), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns, anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system’s users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.

D3-UGLPA: User Geolocation Logon Pattern Analysis

  • Definition: Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.
  • Best Practice: Use high-fidelity geolocation that maps IPs to precise regions. Combined with a classification of whether the IP is a proxy/anonymizer, this lets you: detect a user logging on from a location far away from their normal ones (impossible travel); detect a user logging on via a proxy/residential anonymizer IP (higher risk); and feed the result into your identity-analytics / user-behavior platform to reduce false positives caused by poor geo data and sharpen detection of suspicious logins.
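The D3-UGLPA logon analysis just described, combined with the D3-WSAM session decision (allow, step-up, block) from the Access Mediation section, as an added example that is not code from the original post or from Spur. It compares each logon against the user's last accepted logon using great-circle distance and elapsed time, and escalates when the source IP is classified as a residential proxy. The enrichment records, field names, speed threshold and IPs are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed enrichment records keyed by source IP. The field names are an
# assumption for this example, not any vendor's real schema.
ENRICHMENT = {
    "198.51.100.20": {"lat": 40.7128, "lon": -74.0060, "country": "US", "anonymizer": None},
    "198.51.100.30": {"lat": 42.3601, "lon": -71.0589, "country": "US", "anonymizer": None},
    "203.0.113.50": {"lat": 52.5200, "lon": 13.4050, "country": "DE", "anonymizer": None},
    "203.0.113.60": {"lat": 52.5200, "lon": 13.4050, "country": "DE", "anonymizer": "RESIDENTIAL_PROXY"},
}
MAX_SPEED_KMH = 900.0  # roughly airliner speed; faster than this is impossible travel
MIN_MOVE_KM = 50.0     # ignore small jumps caused by geolocation jitter

@dataclass
class Logon:
    user: str
    ip: str
    ts: datetime

def logon(user, ip, iso_minute):
    """Build a Logon from an ISO timestamp such as '2024-05-01T09:00Z'."""
    return Logon(user, ip, datetime.strptime(iso_minute, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth (radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess(prev, cur):
    """Return (action, reasons) for logon `cur` given the user's last accepted logon `prev`."""
    enr = ENRICHMENT.get(cur.ip)
    if enr is None:
        return "step_up", ["no enrichment for source IP"]  # unknown origin: add friction
    reasons = []
    if enr["anonymizer"] == "RESIDENTIAL_PROXY":
        reasons.append("residential proxy")
    elif enr["anonymizer"]:
        reasons.append(enr["anonymizer"].lower())
    last = ENRICHMENT.get(prev.ip) if prev else None
    if last:
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(last["lat"], last["lon"], enr["lat"], enr["lon"])
        if km > MIN_MOVE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        if last["country"] != enr["country"]:
            reasons.append("new country")
    impossible = any(r.startswith("impossible travel") for r in reasons)
    if "residential proxy" in reasons and impossible:
        return "block", reasons  # anonymized origin plus impossible travel: deny/terminate
    return ("step_up" if reasons else "allow"), reasons
```

With a last accepted logon from New York at 09:00, a Boston logon at 12:00 is allowed, a Berlin logon at 10:00 from a clean IP requires step-up (impossible travel plus new country), and the same Berlin logon from a residential-proxy IP is blocked.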

How Spur Helps

MITRE ATT&CK and MITRE D3FEND provide comprehensive frameworks for understanding attacker tactics and implementing defensive measures. Because residential proxies are increasingly leveraged for attacks, it’s essential that security teams understand key defensive controls and the technologies to enable them. That’s where Spur can help.

Spur delivers the highest-fidelity IP intelligence available to detect anonymized, proxied, or otherwise obscured internet traffic, empowering you to stop fraud, fake users, and threats.

What differentiates Spur from other providers?

  • Breadth of Coverage: Spur delivers more comprehensive detection than anyone else in the market, covering 1,000+ active VPN and proxy services.
  • Depth of Attributes: Spur provides more than 20 attributes, including geo location, ASN, proxy/VPN status and attribution, device type, connection type, tunnel entry/exit context — not opaque scoring (more than a number).
  • Residential Proxy: Spur is the only source that delivers insights into residential proxies, mobile IPs, and botnets where traditional providers fall short.
  • High-Fidelity Data: Spur delivers real-time data that is accurate, fresh, and actionable, focusing on transparency and trust with low false-positive rates.
  • Historical Data Access: Delivers access to historical records dating back to 2020.
  • Results in Minutes: Spur delivers fast onboarding, clear documentation, and responsive support for engineers and analysts.

To experience our high-fidelity IP intelligence in action, sign up for a free trial or contact us for pricing today.
