T1136 Create Account

Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

CSA CCM Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

IAM-16 | Authorization Mechanisms | mitigates | T1136 | Create Account
Comments: This control requires both CSP and CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.

IAM-14 | Strong Authentication | mitigates | T1136 | Create Account
Comments: This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive-data, and third-party access; implement secure centralized authentication systems and digital certificates; protect credentials; monitor authentication activity; and ensure that strong, risk-based authentication measures are consistently applied and reviewed.

I&S-04 | OS Hardening and Base Controls | mitigates | T1136 | Create Account
Comments: This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Controlling access to the critical servers and systems used to create and manage accounts can prevent adversaries from creating accounts.

I&S-06 | Segmentation and Segregation | mitigates | T1136 | Create Account
Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.

UEM-05 | Endpoint Management | mitigates | T1136 | Create Account
Comments: This control provides for the implementation of best practices for endpoint management. Proper security configurations and limited system access can help prevent adversaries from creating accounts to maintain access.

I&S-09 | Network Defense | mitigates | T1136 | Create Account
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.

IAM-03 | Identity Inventory | mitigates | T1136 | Create Account
Comments: This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. In relation to this technique, default accounts may be created on a system after initial setup by connecting or integrating it with another application. Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. A dynamic inventory of permitted identities may aid in flagging the creation of any unauthorized identities.

UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1136 | Create Account
Comments: This control provides for the implementation of best practices for third-party endpoint management. Proper security configurations and limited system access can help prevent adversaries from creating accounts to maintain access.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1136.003 | Cloud Account | 6