Adversaries may use Patch System Image to hard-code a password into the operating system, thus bypassing the native authentication mechanisms for local accounts on network devices.
Modify System Image may include implanting code into the operating system of a network device to provide adversaries access using a specific password. The modification embeds that password in the operating system image via the patch. On each authentication attempt, the inserted code first checks whether the user input is the implanted password; if so, access is granted. Otherwise, the implanted code passes the credentials on to the normal verification path, so legitimate logins continue to work.(Citation: Mandiant - Synful Knock)
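As an added illustration that is not part of the ATT&CK entry or of this mappings page: the defensive counterpart to a patched image is verifying that the image deployed to (or read back from) a device still matches a known-good build, which is what image-signing and key-management mitigations such as PR.PS-01.07 below rely on. The Python below simulates that check against constructed sample data: a "golden" image, a copy in which a few bytes have been altered (standing in for an implanted authentication check), and a manifest of known-good digests sealed with an HMAC. The key, image names and file contents are assumptions for the demonstration; a production pipeline would use the vendor's asymmetric signature on the image rather than a shared HMAC key on the verifier.

```python
import hashlib
import hmac
import json

# Assumed verification key for the demonstration only. In practice the
# manifest (or the image itself) carries a vendor/build-pipeline signature.
MANIFEST_KEY = b"example-manifest-key-not-for-production"

# Constructed sample "images": a known-good build and a tampered copy in which
# part of the login routine has been replaced. Contents are illustrative.
GOLDEN_IMAGE = b"ROUTER-OS v1.2 " + b"login: verify credentials against AAA" + b"\x00" * 64
PATCHED_IMAGE = GOLDEN_IMAGE.replace(b"verify credentials", b"compare to implant")


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an image, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def _seal(entries: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding of the digest table."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def build_manifest(images: dict, key: bytes) -> str:
    """Record known-good digests and seal them, so an attacker who can edit
    the manifest cannot simply swap in the digest of the patched image."""
    entries = {name: sha256_hex(data) for name, data in images.items()}
    return json.dumps({"entries": entries, "mac": _seal(entries, key)}, sort_keys=True)


def verify_image(name: str, data: bytes, manifest_json: str, key: bytes) -> tuple:
    """Return (ok, reason). The manifest seal is checked before any digest,
    because a digest from an unsealed manifest proves nothing."""
    manifest = json.loads(manifest_json)
    entries = manifest.get("entries", {})
    if not hmac.compare_digest(_seal(entries, key), manifest.get("mac", "")):
        return (False, "manifest seal invalid")
    if name not in entries:
        return (False, "image not in manifest")
    if not hmac.compare_digest(entries[name], sha256_hex(data)):
        return (False, "digest mismatch: image differs from known-good build")
    return (True, "image matches known-good build")


def demo() -> dict:
    """Run the check over the golden image, the patched image, a manifest an
    attacker rewrote to match the patched image, and an unlisted image."""
    manifest = build_manifest({"router-os-1.2.bin": GOLDEN_IMAGE}, MANIFEST_KEY)
    tampered = json.loads(manifest)
    tampered["entries"]["router-os-1.2.bin"] = sha256_hex(PATCHED_IMAGE)  # seal left stale
    tampered_json = json.dumps(tampered, sort_keys=True)
    return {
        "golden": verify_image("router-os-1.2.bin", GOLDEN_IMAGE, manifest, MANIFEST_KEY),
        "patched": verify_image("router-os-1.2.bin", PATCHED_IMAGE, manifest, MANIFEST_KEY),
        "tampered_manifest": verify_image("router-os-1.2.bin", PATCHED_IMAGE, tampered_json, MANIFEST_KEY),
        "unknown": verify_image("other.bin", GOLDEN_IMAGE, manifest, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The order of checks matters: a digest table that is not itself authenticated can be rewritten alongside the image, which is why the seal (or signature) is validated first and all comparisons use `hmac.compare_digest`. The same routine works for verifying an image pulled back off a device against the build that was pushed to it.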
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement protects against Network Device Authentication through the use of privileged account management and multi-factor authentication. |
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement protects against Network Device Authentication through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement protects against Modify Authentication Process through key revocation and key management. Employing key protection strategies and key management for the key material used in managing and signing images, together with limiting that material to specific accounts and enforcing access control mechanisms, protects against adversaries attempting to modify or patch network device authentication processes in those system images. |
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and of account activity is essential to prevent and detect unauthorized access or misuse. |
| PR.AA-01.02 | Physical and logical access | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls for systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. |
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials. |
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement protects against Network Device Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556.004 | Network Device Authentication | |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556.004 | Network Device Authentication | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1556.004 | Network Device Authentication | Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication into organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. |