Mitigation-page

MID-016: Least Functionality

Mitigation Tier: Foundational

Description

Removing all unnecessary programs or features greatly limits the number of tools available on a device for adversaries to potentially use. For example, removing a compiler, unused code, unneeded device drivers, or unnecessary binaries from a device denies adversaries the ability to leverage that functionality in device exploits. If devices starve threat actors of available tools, it becomes more difficult for them to turn a foothold into malicious activity.

Limitations: Many device functions that could be abused by a threat actor are necessary to support the device’s core operational or management functions and therefore cannot be removed.
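As an added illustration of how a least-functionality review can be carried out in practice (this is example code, not part of the EMB3D page or any vendor tooling), the POSIX shell script below audits a firmware root filesystem for build tools, interpreters and file-transfer clients that are commonly present on embedded images but rarely needed at runtime, and reports those not on a per-device allowlist. The tool list, the directory layout and the sample tree it constructs are all assumptions for the demonstration; the allowlist stands in for the limitation noted above, namely that some abusable tools are required for the device's core function and must be kept.

```shell
#!/bin/sh
# Added example: audit a firmware root for tooling a least-functionality
# baseline does not require, and list candidates for removal.

# Tool names commonly shipped on embedded images but rarely needed at runtime
# (compilers, linkers, interpreters, debuggers, file-transfer clients).
# Assumed list for this example; tailor it to the device class.
RISKY_TOOLS="gcc cc g++ make ld as python python3 perl tftp ftp telnet nc netcat wget curl gdb strace tcpdump"

# Usage: find_unneeded_tools <root_dir> <allowlist_file>
# Prints, one per line, the path (relative to <root_dir>) of every risky tool
# found in the usual binary directories that is NOT named in the allowlist.
# The allowlist holds tools the device genuinely needs (one name per line).
find_unneeded_tools() {
    root="$1"
    allow="$2"
    for tool in $RISKY_TOOLS; do
        # Keep tools the device's core or management function requires.
        if grep -qx "$tool" "$allow"; then
            continue
        fi
        for dir in bin sbin usr/bin usr/sbin; do
            if [ -e "$root/$dir/$tool" ]; then
                echo "$dir/$tool"
            fi
        done
    done
}

# Number of removal candidates, convenient for a pass/fail gate in a build.
count_unneeded() {
    find_unneeded_tools "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample firmware tree (empty placeholder files) for demonstration.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/sbin"
    for f in sh ls gcc python3 tftp; do : > "$root/bin/$f"; done
    : > "$root/usr/bin/perl"
    : > "$root/sbin/tcpdump"
    echo "$root"
}

# Constructed allowlist: assume this device needs tcpdump for diagnostics.
make_sample_allowlist() {
    allow=$(mktemp)
    printf '%s\n' tcpdump > "$allow"
    echo "$allow"
}

# Example run against the constructed tree:
#   root=$(make_sample_root); allow=$(make_sample_allowlist)
#   find_unneeded_tools "$root" "$allow"
# reports bin/gcc, bin/python3, usr/bin/perl and bin/tftp; sbin/tcpdump is
# kept because it is allowlisted.
```

Running this against an extracted firmware image (or the build output directory) during a release pipeline turns the mitigation into a repeatable check: any non-zero count from `count_unneeded` means a tool was added to the image without being justified in the allowlist.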

IEC 62443 4-2 Mappings

  • CR 7.7 - Least functionality

References

[1] CISA. “Identifying and Mitigating Living Off the Land Techniques.” cisa.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://www.cisa.gov/sites/default/files/2024-02/Joint-Guidance-Identifying-and-Mitigating-LOTL_V3508c.pdf

[2] J. Phipps. “Living Off the Land Attacks: LOTL Definition & Prevention.” esecurityplanet.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.esecurityplanet.com/networks/living-off-the-land-attacks/#best-practices

[3] B. Lenaerts-Bergmans. “What Are Living Off the Land (LOTL) Attacks?” crowdstrike.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/