T1602.001 SNMP (MIB Dump)

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using the Simple Network Management Protocol (SNMP).

The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OIDs). Each OID identifies a variable that can be read or set, which permits active management tasks such as configuration changes through remote modification of these variables. SNMP can give administrators great insight into their systems: system information, hardware descriptions, physical location, and installed software packages (Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including the running configuration, routing table, and interface details.

Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices, gathering network information that lets them build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)
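What a MIB dump looks like on the wire, and one way to spot it, as an added example (this is not code from MITRE ATT&CK or from any of the mapping projects cited on this page): with SNMPv1/v2c the only credential is a community string carried in cleartext in every datagram, so a captured or guessed string (defaults such as public are common) lets anyone walk the whole MIB with GetNext or GetBulk requests. The script builds constructed v2c datagrams with a minimal BER encoder, parses them back, and flags per-source walk behaviour. The hosts 10.0.0.5 and 10.0.0.99, the community public and the threshold of ten requested objects are assumptions for illustration.

```python
"""Decode SNMPv1/v2c datagrams (BER) and flag MIB-walk behaviour per source IP. Added example;
every datagram below is constructed in-code, not captured traffic."""
from collections import defaultdict

# --- minimal BER encoder, used only to build realistic sample requests ---
def _ber_len(n):  # short form below 128 bytes, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def enc_int(v):  # non-negative INTEGER, minimal two's-complement length
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(dotted):  # first two arcs share one byte, later arcs are base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        group = [a & 0x7F]
        while a >= 0x80:
            a >>= 7
            group.append(0x80 | (a & 0x7F))
        out += bytes(reversed(group))
    return tlv(0x06, bytes(out))

def snmp_v2c(community, pdu_tag, req_id, f1, f2, oids):
    """SNMPv2c message; f1/f2 are non-repeaters/max-repetitions for GetBulk (0xA5),
    error-status/error-index otherwise. Request varbinds carry NULL values."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, enc_int(req_id) + enc_int(f1) + enc_int(f2) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_int(body):
    return int.from_bytes(body, "big", signed=True)

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_snmp(datagram):
    """Fields a detector needs. SNMPv3 has a different header, so only its version is kept."""
    _, msg, _ = read_tlv(datagram, 0)
    _, b, pos = read_tlv(msg, 0)
    version = dec_int(b)  # 0 = v1, 1 = v2c, 3 = v3
    if version == 3:
        return {"version": 3}
    _, b, pos = read_tlv(msg, pos)
    community = b.decode("ascii", "replace")  # v1/v2c send this in cleartext
    ptag, pdu, _ = read_tlv(msg, pos)
    _, b, pos = read_tlv(pdu, 0)
    req_id = dec_int(b)
    _, _, pos = read_tlv(pdu, pos)  # error-status / non-repeaters
    _, b, pos = read_tlv(pdu, pos)  # error-index / max-repetitions
    _, vbl, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        oids.append(dec_oid(read_tlv(vb, 0)[1]))
    info = {"version": version, "community": community, "request_id": req_id,
            "pdu": PDU_TYPES.get(ptag, hex(ptag)), "oids": oids}
    if ptag == 0xA5:
        info["max_repetitions"] = dec_int(b)
    return info

# --- detection: which sources walk the MIB, and with which cleartext communities ---
def assess(datagrams, walk_threshold=10):
    """datagrams: list of (src_ip, bytes). Objects requested via GetNext/GetBulk are summed per
    source (GetBulk asks for up to max-repetitions successors per OID); above walk_threshold
    the source is doing what snmpwalk/snmpbulkwalk does, i.e. a MIB dump."""
    per_src = defaultdict(lambda: {"walked_oids": 0, "communities": set()})
    for src, dg in datagrams:
        p, s = parse_snmp(dg), per_src[src]
        if p["version"] not in (0, 1):
            continue  # v3 headers are not decoded here
        s["communities"].add(p["community"])
        if p["pdu"] == "GetNextRequest":
            s["walked_oids"] += len(p["oids"])
        elif p["pdu"] == "GetBulkRequest":
            s["walked_oids"] += len(p["oids"]) * max(1, p["max_repetitions"])
    return {src: dict(s, mib_walk=s["walked_oids"] >= walk_threshold) for src, s in per_src.items()}

# Constructed traffic: the monitoring host (hypothetical 10.0.0.5) polls sysName.0 once; a second
# host (hypothetical 10.0.0.99) walks mib-2 with GetBulk and the default "public" community.
SAMPLE = [("10.0.0.5", snmp_v2c("public", 0xA0, 1001, 0, 0, ["1.3.6.1.2.1.1.5.0"]))]
for i in range(4):
    SAMPLE.append(("10.0.0.99", snmp_v2c("public", 0xA5, 2000 + i, 0, 50, ["1.3.6.1.2.1"])))
```

Calling assess(SAMPLE) returns a per-source verdict; in practice the datagrams come from a capture of UDP/161 on the management network. SNMPv3 messages are skipped because their header differs, which is deliberate: once a device is configured for SNMPv3 authPriv only, any v1/v2c community use is itself the finding.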


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement provides for implementing methods that block similar future attacks via security tools such as antivirus and IDS/IPS, protecting against threats and exploitation attempts.

PR.PS-01.01 | Configuration baselines | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 | Least functionality | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems have installed and enabled only what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.PS-02.01 | Patch identification and application | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversaries from collecting MIB content directly from SNMP-managed devices.

PR.PS-01.06 | Encryption management practices | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data at rest, in use, and in transit. To address threats of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security available (authPriv).

PR.PS-01.03 | Configuration deviation | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement provides protection from Data from Configuration Repository: SNMP (MIB Dump) through the implementation of security configuration baselines for OS and software, file integrity monitoring, and imaging. Security baseline configurations that allowlist MIB objects and implement SNMP views can help protect against adversaries attempting to leverage information repositories.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement protects against Data from Configuration Repository: SNMP (MIB Dump) through key management and key revocation. Employing key protection strategies for key material used in identity management and authentication over networks, together with limitations to specific accounts and access control mechanisms, provides protection against MIB Dump.

PR.IR-01.01 | Network segmentation | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic and provide protection against adversaries attempting to obtain data from configuration repositories.

PR.IR-01.02 | Network device configurations | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement protects against SNMP (MIB Dump) through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

PR.IR-01.06 | Production environment segregation | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

PR.PS-01.05 | Encryption standards | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data at rest, in use, and in transit. To address threats of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security available (authPriv).

PR.PS-01.08 | End-user device protection | Mitigates | T1602.001 | SNMP (MIB Dump)
Comments: This diagnostic statement protects against SNMP (MIB Dump) by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and the use of antimalware.
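The mitigations above (SNMPv3 with authPriv, allowlisted MIB objects via SNMP views, and ACLs on the management interface) combine into one authorization decision per request. As an added example that is not code from the CRI Profile, MITRE, or any device vendor, the following script models that decision in Python: an RFC 3415 VACM-style view with included/excluded subtrees and longest-prefix matching (the family mask is omitted, and the VACM group/context lookup is collapsed to a user-to-view map), plus the ACL and security-level checks in front of it. The view MONITOR, the user nms-ro, the addresses 10.0.0.5 and 10.0.0.99, and the requests are constructed for illustration.

```python
"""Authorize SNMP requests: manager ACL, SNMPv3 authPriv only, and a VACM-style view that
allowlists MIB subtrees. Added example; policy and requests are constructed, not from a device."""
from dataclasses import dataclass

def oid(dotted):
    return tuple(int(a) for a in dotted.split("."))

@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple   # OID prefix, e.g. oid("1.3.6.1.2.1")
    included: bool   # True = included, False = excluded

def view_allows(entries, target):
    """RFC 3415 vacmViewTreeFamilyTable semantics, minus the family mask: the most specific
    (longest) subtree covering the target decides; no covering subtree means no access."""
    best = None
    for e in entries:
        if target[:len(e.subtree)] == e.subtree and (best is None or len(e.subtree) > len(best.subtree)):
            best = e
    return best is not None and best.included

@dataclass
class SnmpPolicy:
    managers: frozenset   # source addresses the SNMP ACL permits
    views: dict           # view name -> list[ViewEntry]
    user_views: dict      # SNMPv3 user -> read view (VACM group/context lookup collapsed)

def authorize(policy, req):
    """req keys: src, version (0=v1, 1=v2c, 3=v3), user, level, oid. Returns (allowed, reason)."""
    if req["src"] not in policy.managers:
        return False, "source not permitted by SNMP ACL"
    if req["version"] != 3:
        return False, "SNMPv1/v2c disabled: community strings travel in cleartext"
    if req["level"] != "authPriv":
        return False, "SNMPv3 must use authPriv (authenticated and encrypted)"
    view_name = policy.user_views.get(req["user"])
    if view_name is None:
        return False, "unknown SNMPv3 user"
    if not view_allows(policy.views[view_name], oid(req["oid"])):
        return False, "object outside the user's MIB view"
    return True, "permitted"

# Constructed policy: monitoring reads mib-2 minus the routing tables. enterprises (1.3.6.1.4.1),
# where vendor MIBs that expose or copy the running configuration live, is under no included
# subtree and is therefore denied without needing an explicit exclude.
POLICY = SnmpPolicy(
    managers=frozenset({"10.0.0.5"}),
    views={"MONITOR": [
        ViewEntry(oid("1.3.6.1.2.1"), included=True),         # mib-2
        ViewEntry(oid("1.3.6.1.2.1.4.21"), included=False),   # ipRouteTable
        ViewEntry(oid("1.3.6.1.2.1.4.24"), included=False),   # ipForward (ipCidrRouteTable)
    ]},
    user_views={"nms-ro": "MONITOR"},
)

REQUESTS = [  # constructed
    {"src": "10.0.0.5", "version": 3, "user": "nms-ro", "level": "authPriv", "oid": "1.3.6.1.2.1.1.5.0"},
    {"src": "10.0.0.5", "version": 3, "user": "nms-ro", "level": "authPriv", "oid": "1.3.6.1.2.1.4.24.4.1.1.0.0.0.0"},
    {"src": "10.0.0.5", "version": 3, "user": "nms-ro", "level": "authNoPriv", "oid": "1.3.6.1.2.1.1.5.0"},
    {"src": "10.0.0.5", "version": 1, "user": "public", "level": None, "oid": "1.3.6.1.2.1"},
    {"src": "10.0.0.99", "version": 3, "user": "nms-ro", "level": "authPriv", "oid": "1.3.6.1.2.1.1.5.0"},
]

def evaluate(policy=POLICY, requests=REQUESTS):
    return [authorize(policy, r) for r in requests]

if __name__ == "__main__":
    for r, (ok, why) in zip(REQUESTS, evaluate()):
        print("ALLOW" if ok else "DENY ", r["src"], r["oid"], "-", why)
```

Only the first request is permitted: sysName.0 sits under mib-2 and no longer excluded subtree covers it, while the ipCidrRouteTable row is denied by the more specific exclude, and the remaining requests fail on security level, protocol version, and source ACL respectively. The ordering matters for what gets logged: an ACL or version rejection says "wrong client or protocol", a view rejection says "an authenticated manager asked for something it should not need", which is the more interesting signal.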

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1602.001 | SNMP (MIB Dump)
CM-06 | Configuration Settings | mitigates | T1602.001 | SNMP (MIB Dump)
AC-17 | Remote Access | mitigates | T1602.001 | SNMP (MIB Dump)
AC-19 | Access Control for Mobile Devices | mitigates | T1602.001 | SNMP (MIB Dump)
IA-04 | Identifier Management | mitigates | T1602.001 | SNMP (MIB Dump)
SC-28 | Protection of Information at Rest | mitigates | T1602.001 | SNMP (MIB Dump)
SC-04 | Information in Shared System Resources | mitigates | T1602.001 | SNMP (MIB Dump)
SI-12 | Information Management and Retention | mitigates | T1602.001 | SNMP (MIB Dump)
SC-03 | Security Function Isolation | mitigates | T1602.001 | SNMP (MIB Dump)
IA-03 | Device Identification and Authentication | mitigates | T1602.001 | SNMP (MIB Dump)
CM-08 | System Component Inventory | mitigates | T1602.001 | SNMP (MIB Dump)
SC-08 | Transmission Confidentiality and Integrity | mitigates | T1602.001 | SNMP (MIB Dump)
SI-10 | Information Input Validation | mitigates | T1602.001 | SNMP (MIB Dump)
SI-15 | Information Output Filtering | mitigates | T1602.001 | SNMP (MIB Dump)
SI-03 | Malicious Code Protection | mitigates | T1602.001 | SNMP (MIB Dump)
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1602.001 | SNMP (MIB Dump)
AC-16 | Security and Privacy Attributes | mitigates | T1602.001 | SNMP (MIB Dump)
AC-18 | Wireless Access | mitigates | T1602.001 | SNMP (MIB Dump)
AC-20 | Use of External Systems | mitigates | T1602.001 | SNMP (MIB Dump)
CM-02 | Baseline Configuration | mitigates | T1602.001 | SNMP (MIB Dump)
CM-07 | Least Functionality | mitigates | T1602.001 | SNMP (MIB Dump)
SI-04 | System Monitoring | mitigates | T1602.001 | SNMP (MIB Dump)
AC-03 | Access Enforcement | mitigates | T1602.001 | SNMP (MIB Dump)
AC-04 | Information Flow Enforcement | mitigates | T1602.001 | SNMP (MIB Dump)
SC-07 | Boundary Protection | mitigates | T1602.001 | SNMP (MIB Dump)

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1602.001 | SNMP (MIB Dump)
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1602.001 | SNMP (MIB Dump)
attribute.confidentiality.data_disclosure | None | related-to | T1602.001 | SNMP (MIB Dump)

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

azure_network_security_groups | Azure Network Security Groups | technique_scores | T1602.001 | SNMP (MIB Dump)
Comments: Can limit access to client management interfaces or configuration databases.

azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1602.001 | SNMP (MIB Dump)
Comments: This control can detect collection from configuration repositories.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1602.001 | SNMP (MIB Dump)
Comments: Can limit access to client management interfaces or configuration databases.