Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1098 | Account Manipulation | This control requires both CSP and CSC to independently enforce formal approval processes for user access and implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution. |
| IAM-14 | Strong Authentication | mitigates | T1098 | Account Manipulation | This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access; implement secure centralized authentication systems and digital certificates; protect credentials; monitor authentication activity; and ensure strong, risk-based authentication measures are consistently applied and reviewed. |
| IAM-13 | Uniquely Identifiable Users | mitigates | T1098 | Account Manipulation | This control requires both CSP and CSC to independently assign unique, cryptographically secure identifiers to users; ensure traceability and accountability for all access, including shared accounts; and implement strong access controls and encryption for user identity data. These measures focus on mitigating attacker techniques against user, service, or machine accounts within cloud environments or identity management systems. |
| IAM-11 | CSCs Approval for Agreed Privileged Access Roles | mitigates | T1098 | Account Manipulation | This control requires both CSP and CSC to collaboratively identify high-risk data and privileged roles, enforce formal CSC approval workflows for CSP user access, use secure PAM systems, and implement comprehensive monitoring and reporting to ensure privileged access to sensitive CSC data is tightly controlled and traceable. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through account permissions and roles, PAM solutions, or just-in-time access. |
| IAM-10 | Management of Privileged Access Roles | mitigates | T1098 | Account Manipulation | This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through account permissions and roles, PAM solutions, or just-in-time access. |
| IAM-09 | Segregation of Privileged Access Roles | mitigates | T1098 | Account Manipulation | This control describes periodic, risk-based reviews of privileged accounts and high-risk access configurations, ensuring these accounts are managed and scrutinized to prevent unauthorized access or excessive privileges. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through account permissions and roles, PAM solutions, or just-in-time access. |
| IAM-06 | User Access Provisioning | mitigates | T1098 | Account Manipulation | This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1098 | Account Manipulation | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Configuring access to critical servers by limiting unnecessary protocols and services and removing unnecessary and potentially abusable authentication and authorization mechanisms can mitigate account manipulation. |
| I&S-06 | Segmentation and Segregation | mitigates | T1098 | Account Manipulation | This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems. |
| UEM-05 | Endpoint Management | mitigates | T1098 | Account Manipulation | This control provides for the implementation of best practices for endpoint management. Proper security configurations and limited system access can help prevent adversaries from manipulating accounts to maintain and/or elevate access. |
| I&S-09 | Network Defense | mitigates | T1098 | Account Manipulation | This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems. |
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1098 | Account Manipulation | This control includes account management controls such as enabling multi-factor authentication (MFA), which can help prevent adversaries from creating or manipulating accounts. |
| IAM-07 | User Access Changes and Revocation | mitigates | T1098 | Account Manipulation | This control focuses on the secure deprovisioning of user access by automating account removal and detecting and revoking inactive accounts. These mitigative actions reduce the risk of lingering or inappropriate access following employee termination, role changes, or security incidents. |
| IAM-05 | Least Privilege | mitigates | T1098 | Account Manipulation | This control describes the enforcement of the principle of least privilege by implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies. |
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1098 | Account Manipulation | This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, in order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. In terms of mitigation, use multi-factor authentication for user and privileged accounts. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1098 | Account Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems into production and non-production environments. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1098 | Account Manipulation | This control provides for the implementation of best practices for third-party endpoint management. Proper security configurations and limited system access can help prevent adversaries from manipulating accounts to maintain and/or elevate access. |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1098.003 | Additional Cloud Roles | 13 |
| T1098.006 | Additional Container Cluster Roles | 3 |
| T1098.004 | SSH Authorized Keys | 4 |
| T1098.005 | Device Registration | 2 |
| T1098.001 | Additional Cloud Credentials | 14 |
| T1098.002 | Additional Email Delegate Permissions | 1 |