T1556.009 Conditional Access Policies

Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.

For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain condition attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required.

By modifying conditional access policies, such as adding trusted IP ranges, removing Multi-Factor Authentication requirements, or allowing additional Unused/Unsupported Cloud Regions, adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.
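As an added example (not ATT&CK's own text or code), a Python check that diffs the old and new JSON of a conditional access policy from a policy-update audit event and flags only the weakening changes described above: enforcement turned off, the MFA grant control dropped, or a new excluded (trusted) location added. Field names follow Microsoft Graph's conditionalAccessPolicy resource; the audit-event shape (targetResources[].modifiedProperties with oldValue/newValue strings) is assumed from Entra ID audit logs, and every value is constructed.

```python
import json

# Constructed sample policy (Microsoft Graph conditionalAccessPolicy field
# names; display name and location IDs are made up) before and after an edit.
BEFORE = {"displayName": "Require MFA for all users", "state": "enabled",
          "conditions": {"locations": {"includeLocations": ["All"],
                                       "excludeLocations": ["loc-hq-office"]}},
          "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
AFTER = {"displayName": "Require MFA for all users",
         "state": "enabledForReportingButNotEnforced",
         "conditions": {"locations": {"includeLocations": ["All"],
                                      "excludeLocations": ["loc-hq-office", "loc-new-range"]}},
         "grantControls": {"operator": "OR", "builtInControls": []}}
NON_ENFORCING = {"disabled", "enabledForReportingButNotEnforced"}

def _locations(policy, key):
    return set(((policy.get("conditions") or {}).get("locations") or {}).get(key) or [])

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def weakening_changes(before, after):
    """List ways `after` is looser than `before`; a tightened policy yields []."""
    findings = []
    if before.get("state") == "enabled" and after.get("state") in NON_ENFORCING:
        findings.append(f"state: enabled -> {after['state']}")
    lost = _controls(before) - _controls(after)
    if lost:
        findings.append(f"grant controls removed: {sorted(lost)}")
    added = _locations(after, "excludeLocations") - _locations(before, "excludeLocations")
    if added:
        findings.append(f"excluded (trusted) locations added: {sorted(added)}")
    return findings

def check_audit_entry(entry):
    """Apply weakening_changes to an audit event (assumed Entra ID shape)."""
    findings = []
    for res in entry.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") != "ConditionalAccessPolicy":
                continue
            old = json.loads(prop.get("oldValue") or "{}")
            new = json.loads(prop.get("newValue") or "{}")
            findings.extend(weakening_changes(old, new))
    return findings

# Constructed audit event wrapping the sample policies above.
SAMPLE_EVENT = {"activityDisplayName": "Update conditional access policy",
                "targetResources": [{"modifiedProperties": [
                    {"displayName": "ConditionalAccessPolicy",
                     "oldValue": json.dumps(BEFORE), "newValue": json.dumps(AFTER)}]}]}
```

Running `check_audit_entry(SAMPLE_EVENT)` yields three findings for the sample; the reverse edit (tightening) yields none, so the check is suited to alerting on policy-update events rather than on every change.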

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.AA-01.01 | Identity and credential management | Mitigates | T1556.009 | Conditional Access Policies | This diagnostic statement protects against the Conditional Access Policies technique through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-02 | Account Management | mitigates | T1556.009 | Conditional Access Policies | Control AC-2 (Account Management) contains provisions for the monitoring of accounts for unusual activity and atypical usage as part of a dynamic account management approach. By monitoring these accounts, the system may be able to detect unauthorized changes to the accounts and take the necessary steps, either automatically or by alerting personnel, to remedy and mitigate the issue.
CM-06 | Configuration Settings | mitigates | T1556.009 | Conditional Access Policies |
CM-05 | Access Restrictions for Change | mitigates | T1556.009 | Conditional Access Policies |
IA-05 | Authenticator Management | mitigates | T1556.009 | Conditional Access Policies |
IA-13 | Identity Providers and Authorization Servers | mitigates | T1556.009 | Conditional Access Policies |
CM-08 | System Component Inventory | mitigates | T1556.009 | Conditional Access Policies |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1556.009 | Conditional Access Policies |
AC-16 | Security and Privacy Attributes | mitigates | T1556.009 | Conditional Access Policies |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1556.009 | Conditional Access Policies |
CM-07 | Least Functionality | mitigates | T1556.009 | Conditional Access Policies |
SI-04 | System Monitoring | mitigates | T1556.009 | Conditional Access Policies |
AC-03 | Access Enforcement | mitigates | T1556.009 | Conditional Access Policies |
AC-05 | Separation of Duties | mitigates | T1556.009 | Conditional Access Policies |
AC-06 | Least Privilege | mitigates | T1556.009 | Conditional Access Policies |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556.009 | Conditional Access Policies |
attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556.009 | Conditional Access Policies |

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
advanced_protection_program | Advanced Protection Program | technique_scores | T1556.009 | Conditional Access Policies | Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.