Cloud Firewall provides various features to defend against threats mapped to the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, such as vulnerability exploitation, brute-force attacks, mining activities, and data leaks. Its protection rules cover six ATT&CK tactic categories: initial access, execution, persistence, defense evasion, discovery, and command and control (C2). Each rule targets a specific attack technique, ranging from supply chain attacks and script execution to DNS over HTTPS (DoH) tunneling and remote access software.
By default, rules run in Monitor mode or Disable mode to avoid false positives across diverse workloads and environments. Change rule modes based on your security posture and compliance requirements to maximize protection coverage.
Configuring custom basic protection policies and virtual patching policies requires Cloud Firewall Enterprise Edition or Ultimate Edition.
ATT&CK coverage
The following table shows which attack techniques each ATT&CK tactic covers and what Cloud Firewall does to block them.
| ATT&CK tactic | Attack technique | Protection action |
|---|---|---|
| Initial access | Supply chain attacks | Enable supply chain downloading or install a monitoring plug-in |
| Execution | Script-based scheduled tasks and jobs | Disable script downloading |
| Persistence | Script-based scheduled tasks and jobs | Disable script downloading |
| Defense evasion | File/directory permission changes via scripts | Disable script downloading |
| | File hiding via scripts | Disable script downloading |
| | Historical record clearing via scripts | Disable script downloading |
| | File deletion via scripts | Disable script downloading |
| Discovery | Web service scanning via illegal tools | Disable installation of illegal tools |
| | Security software discovery (e.g., Security Center agent removal) | Disable uninstallation of cloud security software |
| | Critical system information leaks | Block system information exposure |
| Command and control | Non-application layer protocol attacks | Disable cloud-based remote debugging |
| | Proxy-based attacks | Disable proxies |
| | Remote access software attacks | Disable remote control software |
| | Tunneling protocol attacks via DNS over HTTPS (DoH) | Disable DNS over HTTPS (DoH) |
| | Web service-based attacks | Disable access to public services |
Disclaimer
The best-practice topics for Cloud Firewall based on ATT&CK describe rules whose matched behavior may come from legitimate business workloads as well as from potentially unauthorized operations.
Scope of individual rules: The rule that prohibits the installation of illegal tools is not equivalent to a rule that prohibits the installation of all illegal tools, nor is it equivalent to a rule that allows only the items specified on the Prevention Configuration page. Each rule targets specific techniques; review the scope of each rule before enabling it.
Requesting additional rules: If the built-in rules don't meet your requirements for a specific scenario, submit a ticket to contact after-sales service. Cloud Firewall engineers will evaluate your feedback and publish rules that meet your requirements.