Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after a device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use.
Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or to configure the device to export the configuration for later analysis.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement provides for the implementation of methods, via security tools such as antivirus and IDS/IPS, to block similar future attacks and protect against threats and exploitation attempts. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversary access to network configuration files. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, to mitigate unauthorized access to or theft of data. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement provides protection from Data from Configuration Repository: Network Device Configuration Dump through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that allowlist MIB objects and implement SNMP Views, together with keeping system images and software up to date, can help protect against adversaries attempting to leverage information repositories. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement protects against Data from Configuration Repository: Network Device Configuration Dump through key revocation and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, together with limiting access to specific accounts and access control mechanisms, provides protection against network device configuration dump. |
PR.IR-01.01 | Network segmentation | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic and provide protection against adversaries attempting to obtain data from configuration repositories. |
PR.IR-04.01 | Utilization monitoring | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation. |
PR.IR-01.02 | Network device configurations | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement protects against Network Device Configuration Dump through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.PS-01.05 | Encryption standards | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, to mitigate unauthorized access to or theft of data. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available. |
PR.PS-01.08 | End-user device protection | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement protects against Network Device Configuration Dump by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. |
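As an added example (not part of this mapping page or of ATT&CK itself), the following Python audit checks a Cisco IOS running-config excerpt against the baseline the mitigations above describe: SNMPv3 at authPriv only, a read view that allowlists MIB objects, an access-list restricting which managers may poll, and Smart Install disabled (on IOS, the `no vstack` command). The configuration excerpts, hostname, group names and ACL number are constructed sample data.

```python
import re

# Constructed Cisco IOS running-config excerpt with several weak settings
# (sample data for this example, not taken from a real device).
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server view MGMT-VIEW system included
snmp-server view MGMT-VIEW ifEntry included
snmp-server group NOC v3 auth read MGMT-VIEW access 99
snmp-server group OPS v3 priv read MGMT-VIEW access 99
snmp-server group LEGACY v3 priv
"""

# Constructed excerpt that follows the baseline: SNMPv3 authPriv only,
# a read view allowlisting MIB objects, an ACL, and Smart Install disabled.
HARDENED_CONFIG = """\
hostname edge-rtr-01
no vstack
snmp-server view MGMT-VIEW system included
snmp-server view MGMT-VIEW ifEntry included
snmp-server group OPS v3 priv read MGMT-VIEW access 99
"""

def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per deviation from the SNMP / Smart Install baseline."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    for line in lines:
        # Any community string means SNMPv1/v2c is enabled (cleartext, no per-user auth).
        if re.match(r"snmp-server community \S+", line):
            findings.append("SNMPv1/v2c community string configured; migrate to SNMPv3")
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)(.*)", line)
        if m:
            group, level, rest = m.groups()
            if level != "priv":
                findings.append(f"SNMPv3 group {group} uses '{level}', not authPriv")
            if not re.search(r"\baccess\b", rest):
                findings.append(f"SNMPv3 group {group} has no access-list restricting managers")
            if not re.search(r"\bread\b", rest):
                findings.append(f"SNMPv3 group {group} has no read view; MIB objects not allowlisted")
    # Smart Install (SMI) is disabled on IOS with 'no vstack'; its absence is a finding.
    if "no vstack" not in lines:
        findings.append("Smart Install not explicitly disabled ('no vstack' absent)")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_snmp_config(cfg))} finding(s)")
        for finding in audit_snmp_config(cfg):
            print("  -", finding)
```

Run against a real `show running-config` export, the output lists the deviations to correct before treating the device as compliant with the configuration baseline; it does not detect dumps in progress.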
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1602.002 | Network Device Configuration Dump | |
attribute.confidentiality.data_disclosure | None | related-to | T1602.002 | Network Device Configuration Dump | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1602.002 | Network Device Configuration Dump | Can limit access to client management interfaces or configuration databases. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1602.002 | Network Device Configuration Dump | This control can detect collection from configuration repositories. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1602.002 | Network Device Configuration Dump | Can limit access to client management interfaces or configuration databases. |