T1602.002 Network Device Configuration Dump

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after a device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.


CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes

DE.AE-02.01 Event analysis and detection Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts.
References

PR.PS-01.01 Configuration baselines Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
References

PR.PS-01.02 Least functionality Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References

PR.PS-02.01 Patch identification and application Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversary access to network configuration files.
References

PR.PS-01.06 Encryption management practices Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, mitigating unauthorized access to or theft of data. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available.
References

PR.PS-01.03 Configuration deviation Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement provides protection from Data from Configuration Repository: Network Device Configuration Dump through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that allowlist MIB objects and implement SNMP Views, together with keeping system images and software up to date, can help protect against adversaries attempting to leverage information repositories.
References

PR.PS-01.07 Cryptographic keys and certificates Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement protects against Data from Configuration Repository: Network Device Configuration Dump through key revocation and key management. Employing key protection strategies for key material used in identity management and authentication over networks, limiting use to specific accounts, and applying access control mechanisms provide protection against network device configuration dumps.
References

PR.IR-01.01 Network segmentation Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic and provide protection against adversaries attempting to obtain data from configuration repositories.
References

PR.IR-04.01 Utilization monitoring Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques.
References

PR.IR-01.02 Network device configurations Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories.
References

PR.IR-01.03 Network communications integrity and availability Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement protects against Network Device Configuration Dump through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References

PR.IR-01.06 Production environment segregation Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References

PR.PS-01.05 Encryption standards Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, mitigating unauthorized access to or theft of data. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available.
References

PR.PS-01.08 End-user device protection Mitigates T1602.002 Network Device Configuration Dump
Comments
This diagnostic statement protects against Network Device Configuration Dump by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware.
References
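As an added, defender-side example that is not part of this ATT&CK page or the CRI mappings, the script below audits a constructed Cisco IOS-style configuration excerpt against the hardening points the mitigations above name (SNMPv3 at authPriv, views that allowlist MIB objects rather than the whole tree, ACL-restricted access). The configuration lines, group and view names, and placeholder secrets are all assumed.

```python
"""Audit an IOS-style config for SNMP settings that leave the configuration
repository exposed (added example, not a CTID or MITRE tool)."""

# Constructed running-config excerpt; no real device, secrets are placeholders.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server view MGMT-VIEW iso included
snmp-server view MGMT-VIEW ciscoConfigCopyMIB excluded
snmp-server group LEGACY v3 noauth read MGMT-VIEW
snmp-server group NOC v3 priv read MGMT-VIEW access 10
snmp-server user noc-poller NOC v3 auth sha <hidden> priv aes 128 <hidden> access 10
access-list 10 permit 10.10.0.0 0.0.0.255
"""


def audit_snmp_config(config_text):
    """Return (line, reason) findings for settings weaker than the baseline:
    v1/v2c communities with RW or no ACL, SNMPv3 groups below authPriv or
    without an ACL, and views that expose the whole MIB tree."""
    findings = []
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "community"]:
            # v1/v2c community strings travel in cleartext; RW is what a
            # config export over SNMP relies on; with no trailing ACL any
            # source address may query the device.
            upper = [w.upper() for w in words]
            perm_idx = next((i for i, w in enumerate(upper) if w in ("RO", "RW")), None)
            if perm_idx is not None and upper[perm_idx] == "RW":
                findings.append((line, "v1/v2c community with RW access"))
            if perm_idx is None or perm_idx + 1 >= len(words):
                findings.append((line, "community not restricted by an ACL"))
        elif words[:2] == ["snmp-server", "group"] and "v3" in words:
            rest = words[words.index("v3") + 1:]  # noauth | auth | priv
            level = rest[0] if rest else "unknown"
            if level != "priv":
                findings.append((line, f"SNMPv3 group uses '{level}', not authPriv"))
            if "access" not in words:
                findings.append((line, "SNMPv3 group not restricted by an ACL"))
        elif words[:2] == ["snmp-server", "view"] and words[3:5] == ["iso", "included"]:
            findings.append((line, "view includes the whole MIB tree; allowlist subtrees instead"))
    return findings


if __name__ == "__main__":
    for cfg_line, reason in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{reason}: {cfg_line}")
```

Only the NOC group, which is authPriv and ACL-bound, passes; everything else in the sample produces a finding that maps back to one of the mitigations above.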

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1602.002 Network Device Configuration Dump
CM-06 Configuration Settings mitigates T1602.002 Network Device Configuration Dump
AC-17 Remote Access mitigates T1602.002 Network Device Configuration Dump
AC-19 Access Control for Mobile Devices mitigates T1602.002 Network Device Configuration Dump
IA-04 Identifier Management mitigates T1602.002 Network Device Configuration Dump
SC-28 Protection of Information at Rest mitigates T1602.002 Network Device Configuration Dump
SC-04 Information in Shared System Resources mitigates T1602.002 Network Device Configuration Dump
SI-12 Information Management and Retention mitigates T1602.002 Network Device Configuration Dump
SC-03 Security Function Isolation mitigates T1602.002 Network Device Configuration Dump
IA-03 Device Identification and Authentication mitigates T1602.002 Network Device Configuration Dump
CM-08 System Component Inventory mitigates T1602.002 Network Device Configuration Dump
SC-08 Transmission Confidentiality and Integrity mitigates T1602.002 Network Device Configuration Dump
SI-10 Information Input Validation mitigates T1602.002 Network Device Configuration Dump
SI-15 Information Output Filtering mitigates T1602.002 Network Device Configuration Dump
SI-03 Malicious Code Protection mitigates T1602.002 Network Device Configuration Dump
SI-07 Software, Firmware, and Information Integrity mitigates T1602.002 Network Device Configuration Dump
AC-16 Security and Privacy Attributes mitigates T1602.002 Network Device Configuration Dump
AC-18 Wireless Access mitigates T1602.002 Network Device Configuration Dump
AC-20 Use of External Systems mitigates T1602.002 Network Device Configuration Dump
CM-02 Baseline Configuration mitigates T1602.002 Network Device Configuration Dump
CM-07 Least Functionality mitigates T1602.002 Network Device Configuration Dump
SI-04 System Monitoring mitigates T1602.002 Network Device Configuration Dump
AC-03 Access Enforcement mitigates T1602.002 Network Device Configuration Dump
AC-04 Information Flow Enforcement mitigates T1602.002 Network Device Configuration Dump
SC-07 Boundary Protection mitigates T1602.002 Network Device Configuration Dump

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Scan network Enumerating the state of the network related-to T1602.002 Network Device Configuration Dump
attribute.confidentiality.data_disclosure None related-to T1602.002 Network Device Configuration Dump

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes

azure_network_security_groups Azure Network Security Groups technique_scores T1602.002 Network Device Configuration Dump
Comments
Can limit access to client management interfaces or configuration databases.
References

azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1602.002 Network Device Configuration Dump
Comments
This control can detect collection from configuration repositories.
References

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes

amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1602.002 Network Device Configuration Dump
Comments
Can limit access to client management interfaces or configuration databases.
References