Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).
The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OIDs). Each OID identifies a variable that can be read or, where the agent permits it, set, so the MIB also supports active management tasks such as configuration changes through remote modification of these variables. SNMP can give administrators great insight into their systems, including system information, hardware descriptions, physical location, and installed software packages.(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP) The MIB may also expose device operational information, including the running configuration, routing table, and interface details.
Adversaries may use SNMP queries, typically walking the OID tree with repeated GetNext or GetBulk requests (what tools such as snmpwalk do), to collect MIB content directly from SNMP-managed devices. The resulting network information lets the adversary build network maps and facilitates future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)
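The walk described above is visible on the wire as a client repeatedly issuing GetNext or GetBulk requests down the OID tree, and that is what the detection mappings further down this page are asking for. The following is an added example, not code from ATT&CK or from the cited sources: a minimal BER parser for SNMPv1/v2c datagrams and a detector that flags default community strings, a high GetNext/GetBulk count against one device (a walk), and one source walking several devices (a sweep). The datagrams, IP addresses, community strings and thresholds are constructed for the example.

```python
"""Minimal SNMPv1/v2c BER parser and a MIB-walk detector.

Added example; not code from ATT&CK or the cited sources. All datagrams,
addresses, community strings and thresholds below are constructed."""
from collections import Counter, defaultdict

# SNMP PDU tags (context-specific, constructed)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults an attacker tries first


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode BER OID content octets to dotted notation."""
    subids, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit set on continuation octets
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    return ".".join(map(str, subids))


def parse_snmp(datagram):
    """Parse an SNMPv1/v2c datagram into version, community, PDU type and OIDs.
    SNMPv3 has a different header (and an encrypted PDU under authPriv), so it
    is reported by version only."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):
        return {"version": version, "community": None, "pdu": None, "oids": []}
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    p = 0
    for _ in range(3):                     # request-id, error-status, error-index (or bulk fields)
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        _, oid_raw, _ = read_tlv(vb, 0)    # each VarBind is SEQUENCE { OID, value }
        oids.append(decode_oid(oid_raw))
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def detect_mib_dump(flows, walk_threshold=5, sweep_threshold=3):
    """flows: iterable of (src_ip, dst_ip, datagram). Returns (kind, detail) findings."""
    walks, walk_targets, default_comm = Counter(), defaultdict(set), set()
    for src, dst, dgram in flows:
        msg = parse_snmp(dgram)
        if msg["community"] in DEFAULT_COMMUNITIES:
            default_comm.add((src, dst, msg["community"], msg["version"]))
        if msg["pdu"] in ("GetNextRequest", "GetBulkRequest"):   # walk-style requests only
            walks[(src, dst)] += 1
            walk_targets[src].add(dst)
    findings = [("default-community", f"{s}->{d} uses community '{c}' over SNMP{v}")
                for s, d, c, v in sorted(default_comm)]
    findings += [("mib-walk", f"{s}->{d}: {n} GetNext/GetBulk requests")
                 for (s, d), n in sorted(walks.items()) if n >= walk_threshold]
    findings += [("sweep", f"{s} walked {len(h)} devices: {sorted(h)}")
                 for s, h in sorted(walk_targets.items()) if len(h) >= sweep_threshold]
    return findings


def encode_tlv(tag, value):
    """BER TLV with short-form length; enough for the small sample datagrams."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def encode_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for sub in parts[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                         # emit continuation octets, most significant first
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(chunk)
    return encode_tlv(0x06, bytes(out))


def build_request(version, community, pdu_tag, oid, request_id):
    """SNMPv1/v2c request with one null-valued VarBind (error/bulk fields left at 0)."""
    varbind = encode_tlv(0x30, encode_oid(oid) + b"\x05\x00")
    pdu = (encode_tlv(0x02, request_id.to_bytes(4, "big")) + encode_tlv(0x02, b"\x00")
           + encode_tlv(0x02, b"\x00") + encode_tlv(0x30, varbind))
    return encode_tlv(0x30, encode_tlv(0x02, bytes([version]))
                      + encode_tlv(0x04, community.encode()) + encode_tlv(pdu_tag, pdu))


def sample_traffic():
    """Constructed capture: a legitimate poller plus a host dumping MIBs (hypothetical addresses)."""
    flows = []
    for i, dst in enumerate(("10.0.1.1", "10.0.1.2")):      # NMS polls sysUpTime.0, non-default community
        flows.append(("10.0.0.10", dst, build_request(1, "nms-r0", 0xA0, "1.3.6.1.2.1.1.3.0", 500 + i)))
    walk = ["1.3.6.1.2.1.1"] + [f"1.3.6.1.2.1.1.{i}.0" for i in range(1, 6)]
    for i, oid in enumerate(walk):                         # suspect host walks the system group with 'public'
        flows.append(("10.0.5.23", "10.0.1.1", build_request(1, "public", 0xA1, oid, 7000 + i)))
    for i, dst in enumerate(("10.0.1.2", "10.0.1.3")):      # ...then bulk-pulls ipRouteTable from two more devices
        flows.append(("10.0.5.23", dst, build_request(1, "public", 0xA5, "1.3.6.1.2.1.4.21", 8000 + i)))
    return flows


if __name__ == "__main__":
    for kind, detail in detect_mib_dump(sample_traffic()):
        print(f"[{kind}] {detail}")
```

Run stand-alone it reports three default-community hits, one walk and one sweep, all from the suspect host, and nothing for the poller. The caveat that matters in practice: community strings and OIDs are only readable for v1/v2c; once devices are on SNMPv3 authPriv the PDU is encrypted, so the remaining network-side signals are who is talking to UDP/161, how often, and to how many devices, which is also all that flow-log based controls such as Traffic Analytics (mapped below) ever see.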
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.001 | SNMP (MIB Dump) | Provides for methods to detect and block similar future attacks with security tools such as antivirus and IDS/IPS. For this technique that means alerting on SNMP enumeration against managed devices, such as walk-style (GetNext/GetBulk) request volumes or queries from hosts outside the management network. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1602.001 | SNMP (MIB Dump) | Provides for securely configuring production systems: hardening default configurations (for SNMP, replacing default community strings and disabling SNMPv1/v2c where possible) and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data. |
PR.PS-01.02 | Least functionality | Mitigates | T1602.001 | SNMP (MIB Dump) | Provides for limiting unnecessary software, services, ports, and protocols. Disabling the SNMP agent on systems that are not actually monitored, and removing write access where only polling is needed, reduces the attack surface this technique relies on. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1602.001 | SNMP (MIB Dump) | Relates to implementing a patch management program. Applying vendor patches and upgrades mitigates the risk of adversaries exploiting known vulnerabilities; for example, keeping system images and software current and migrating to SNMPv3 can help prevent adversaries from collecting MIB content directly from SNMP-managed devices. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1602.001 | SNMP (MIB Dump) | Associated with employing encryption to protect the confidentiality and integrity of data at rest, in use, and in transit. To address SNMP (MIB Dump), configure SNMPv3 with the highest security level available (authPriv), so that requests are authenticated and the PDU, including the OIDs and returned values, is encrypted on the wire. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1602.001 | SNMP (MIB Dump) | Protects against Data from Configuration Repository: SNMP (MIB Dump) through security configuration baselines for OS, software, file integrity monitoring, and imaging. Baselines that allowlist MIB objects and implement SNMP views, so that a read credential can reach only the subtrees the management system needs, limit what an adversary can collect from the repository. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602.001 | SNMP (MIB Dump) | Protects against Data from Configuration Repository: SNMP (MIB Dump) through key management, including revocation of keys. Protecting the key material used for identity management and authentication over the network (for SNMPv3, the per-user authentication and privacy keys), binding it to specific accounts, and enforcing access control on its use provides protection against MIB dumps. |
PR.IR-01.01 | Network segmentation | Mitigates | T1602.001 | SNMP (MIB Dump) | Provides for network segmentation, which helps prevent access to critical systems and sensitive information. Segregating management traffic, for example allowing SNMP only from a dedicated management network, protects against adversaries attempting to obtain data from configuration repositories. |
PR.IR-01.02 | Network device configurations | Mitigates | T1602.001 | SNMP (MIB Dump) | Provides protection through secure network device configurations (firewall rules, ports, protocols) aligned to security baselines. Extended ACLs that block SNMP (UDP/161) from unauthorized sources can mitigate adversary access to data in configuration repositories. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602.001 | SNMP (MIB Dump) | Protects against SNMP (MIB Dump) through secure network configurations and architecture, zero trust architecture, and segmentation. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1602.001 | SNMP (MIB Dump) | Provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict adversary movement, and protect critical assets and data from compromise. |
PR.PS-01.05 | Encryption standards | Mitigates | T1602.001 | SNMP (MIB Dump) | Associated with employing strong encryption methods to protect the confidentiality and integrity of data at rest, in use, and in transit. To address SNMP (MIB Dump), configure SNMPv3 to use the highest security level available (authPriv). |
PR.PS-01.08 | End-user device protection | Mitigates | T1602.001 | SNMP (MIB Dump) | Protects against SNMP (MIB Dump) by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and antimalware. |
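The hardening that the configuration-deviation, encryption (authPriv) and network-device-configuration statements above describe looks like this on a Cisco IOS device: the weak default beside a configuration that removes the community string, allowlists MIB subtrees with a view, requires SNMPv3 authPriv, and restricts who may query. This is an added example, not configuration from this page or its cited sources; the names SNMP-MGMT, SYS-ONLY, NMS-GROUP, USER-EDGE-IN and nms-poller, the address 10.0.0.10, the interface name and the angle-bracket passphrases are placeholders.

```text
! Weak: SNMPv2c with a well-known community string, no view and no ACL.
! Anyone who can reach UDP/161 can walk the entire MIB with it.
snmp-server community public RO
!
! Hardened: remove the community, expose only the needed subtrees through a
! view, require SNMPv3 authPriv, and answer only the management station.
no snmp-server community public
!
ip access-list standard SNMP-MGMT
 permit 10.0.0.10
 deny   any log
!
! Allowlist: the system group (1.3.6.1.2.1.1) and the interfaces group
! (1.3.6.1.2.1.2). Everything else, routing tables included, stays out.
snmp-server view SYS-ONLY system included
snmp-server view SYS-ONLY 1.3.6.1.2.1.2 included
!
! v3 group: "priv" = authPriv, read-only against the view, source-restricted.
snmp-server group NMS-GROUP v3 priv read SYS-ONLY access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! Edge control: an extended ACL on the user-facing interface drops SNMP
! from segments that have no reason to poll network devices.
ip access-list extended USER-EDGE-IN
 deny   udp any any eq snmp log
 permit ip any any
interface GigabitEthernet0/1
 ip access-group USER-EDGE-IN in
```

Two checks worth doing after applying this: `show snmp user`, `show snmp group` and `show snmp view` confirm the v3 objects (IOS does not display SNMPv3 users in the running configuration), and `show running-config | include snmp-server community` confirms that no v1/v2c community lines survived, since the v3 user does nothing to stop an attacker who still finds a community string. Then an snmpwalk with community `public` from a host outside SNMP-MGMT should simply time out.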
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1602.001 | SNMP (MIB Dump) | |
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1602.001 | SNMP (MIB Dump) | |
attribute.confidentiality.data_disclosure | None | related-to | T1602.001 | SNMP (MIB Dump) | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1602.001 | SNMP (MIB Dump) | Can limit access to client management interfaces or configuration databases, for example by restricting which sources may reach UDP/161 on SNMP-managed hosts. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1602.001 | SNMP (MIB Dump) | This control can detect collection from configuration repositories. It works from flow logs, so it sees SNMP endpoints and volumes rather than the contents of the requests. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1602.001 | SNMP (MIB Dump) | Can limit access to client management interfaces or configuration databases, for example with security group and network ACL rules that allow UDP/161 only from the management subnet. |