MITRE ATT&CK® Analytic

AN0015: Analytic 0015

From a defender’s perspective, suspicious bridging is observed when network devices begin allowing traffic that contradicts existing segmentation or access policies. Observable behaviors include sudden modifications to ACLs or firewall rules, unusual cross-boundary traffic flows (e.g., east-west communications across separated VLANs), or simultaneous ingress/egress anomalies. Multi-event correlation is key: configuration changes on a router/firewall followed by unexpected traffic patterns, especially from unusual sources, is a strong indicator of compromise.

Enterprise | AN0015 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because suspicious bridging can indicate that network segmentation is no longer enforcing the boundaries the business depends on. For leaders, the key issue is not just a network configuration change; it is whether routers, firewalls, or similar network devices have begun permitting traffic that violates intended access policies between separated environments.

Executive priority

Prioritize validation where segmentation supports business resilience, compliance evidence, or containment assumptions. Executives should ask whether security and network teams can prove that ACL or firewall rule changes are authorized, reviewed, and correlated with traffic flow changes. If segmentation is relied on for audit scope reduction, incident containment, or protection of sensitive operations, this behavior should be treated as a control-assurance and incident-readiness issue.

Technical view

For SOC, detection engineering, and IR teams, the supplied analytic points to multi-event correlation on Network Devices: configuration changes to ACLs or firewall rules followed by unexpected cross-boundary traffic, such as east-west flows across separated VLANs or simultaneous ingress and egress anomalies. Validation should focus on whether network-device configuration telemetry and traffic-flow evidence can be joined by device, time, source, destination, and policy boundary. Because no official detection logic is provided, teams should develop environment-specific baselines for authorized segmentation paths and approved change windows.

Likely telemetry

  • Network device configuration change logs
  • ACL and firewall rule modification records
  • Router and firewall administrative audit logs
  • Traffic flow records between segmented networks or VLANs
  • Ingress and egress traffic anomaly data

Detection direction

  • Validate that ACL and firewall rule changes are logged with sufficient time, device, administrator, and policy context.
  • Correlate network-device configuration changes with subsequent cross-boundary traffic patterns rather than alerting on either signal alone.
  • Baseline expected east-west communications across segmented VLANs or zones to reduce false positives from approved architecture changes.
  • Compare observed traffic against documented segmentation and access policies to identify contradictions.
  • Account for legitimate maintenance windows, emergency changes, and planned firewall rule deployments before escalating.
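As an added illustration (not part of the ATT&CK object or of Glexia's analysis), the Python below joins constructed ACL-change records with constructed flow records by device and time, evaluates each flow against a documented segmentation policy, and suppresses changes that fall inside an approved change window, so an alert needs both signals. Zone ranges, device names, tickets and timestamps are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed segmentation policy (assumed values, not from the ATT&CK page):
# address ranges per zone and the zone pairs the policy permits.
ZONES = {"10.10.0.0/16": "USER", "10.20.0.0/16": "OT", "10.30.0.0/24": "DMZ"}
ALLOWED_PATHS = {("USER", "DMZ"), ("DMZ", "USER"), ("USER", "USER"), ("OT", "OT")}
# Approved change windows per device: (start, end, change ticket). Constructed.
APPROVED_WINDOWS = {
    "fw-core-01": [(datetime(2024, 5, 1, 1, 0), datetime(2024, 5, 1, 3, 0), "CHG-1001")],
}

@dataclass
class ConfigChange:       # one ACL / firewall rule modification record
    ts: datetime; device: str; admin: str; detail: str

@dataclass
class Flow:               # one flow record seen crossing the device
    ts: datetime; device: str; src: str; dst: str

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for cidr, zone in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "UNKNOWN"

def approved(change: ConfigChange) -> bool:
    """True when the change falls inside an approved window for its device."""
    return any(s <= change.ts <= e for s, e, _ in APPROVED_WINDOWS.get(change.device, []))

def correlate(changes, flows, window=timedelta(hours=2)):
    """Alert only when a policy-violating flow follows an unapproved change on the same device."""
    alerts = []
    for f in flows:
        path = (zone_of(f.src), zone_of(f.dst))
        if path in ALLOWED_PATHS:
            continue                       # traffic matches documented segmentation policy
        prior = [c for c in changes if c.device == f.device and timedelta(0) <= f.ts - c.ts <= window]
        culprits = [c for c in prior if not approved(c)]
        if not culprits:
            continue                       # single signal (flow alone, or change was approved): no alert
        alerts.append({"device": f.device, "flow": f"{f.src}->{f.dst}", "path": path,
                       "changes": [(c.admin, c.detail) for c in culprits]})
    return alerts

# Constructed sample telemetry: one change in the approved window, one outside it.
CHANGES = [
    ConfigChange(datetime(2024, 5, 1, 2, 10), "fw-core-01", "netops", "permit USER->DMZ tcp/443"),
    ConfigChange(datetime(2024, 5, 1, 14, 5), "fw-core-01", "svc-backup", "permit any USER->OT"),
]
FLOWS = [
    Flow(datetime(2024, 5, 1, 2, 30), "fw-core-01", "10.10.4.7", "10.30.0.10"),   # allowed path
    Flow(datetime(2024, 5, 1, 9, 0), "fw-core-01", "10.10.4.7", "10.20.1.50"),    # violation, no prior change
    Flow(datetime(2024, 5, 1, 14, 40), "fw-core-01", "10.10.4.7", "10.20.1.50"),  # violation after unapproved change
]
```

Running `correlate(CHANGES, FLOWS)` yields a single alert for the 14:40 USER to OT flow, carrying the unapproved change that preceded it; the 09:00 violation is left for baseline review rather than alerted on its own.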

Mitigation priorities

  • Maintain documented segmentation and access policies so observed traffic can be evaluated against an authoritative baseline.
  • Enforce change control for ACL and firewall rule updates, including approval, logging, and post-change validation.
  • Ensure network-device configuration logs and traffic-flow telemetry are retained and available to SOC and IR teams.
  • Regularly test that segmentation boundaries still behave as intended after network changes.
  • Use incident response procedures that include rapid review of recent network-device configuration changes when unexpected cross-boundary traffic appears.

Analyst notes and limits

This object is a detection analytic for Network Devices in ATT&CK enterprise, external ID AN0015, tied to suspicious bridging in DET0006. The strongest decision value is in correlating control-plane changes with data-plane behavior: rule or ACL modifications followed by traffic that contradicts segmentation intent.

The supplied ATT&CK object does not include official detection logic, tactics, labels, aliases, or relationship context. The take therefore avoids claims about specific adversaries, techniques, active exploitation, or guaranteed detection coverage. Local segmentation design, logging quality, and change-management evidence are required to operationalize this analytic.

Official MITRE ATT&CK definition


The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: bc9acd8695783ca7...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (not recorded)   1.0             (none)    Current bundle  bc9acd869578…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0015 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.