T1550 Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, PIN, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process. (Citation: NIST Authentication) (Citation: NIST MFA)

Caching alternate authentication material allows the system to verify that an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication material must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.


CSA CCM Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| IAM-16 | Authorization Mechanisms | mitigates | T1550 | Use Alternate Authentication Material | Comments: This control requires both CSP and CSC to independently enforce formal approval processes for user access and implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution. |
| IAM-15 | Passwords Management | mitigates | T1550 | Use Alternate Authentication Material | Comments: This control requires both CSP and CSC to independently enforce strong password management practices to protect authentication credentials and reduce the risk of unauthorized access. For example, credential access protection mitigation focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access. |
| I&S-05 | Production and Non-Production Environments | mitigates | T1550 | Use Alternate Authentication Material | Comments: This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. Restricting the use of authentication material outside of expected contexts can help prevent adversary misuse of alternate authentication material. |
| DSP-07 | Data Protection by Design and Default | mitigates | T1550 | Use Alternate Authentication Material | Comments: Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. In terms of mitigation, consider implementing token binding strategies that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to. |
| AIS-04 | Secure Application Design and Development | mitigates | T1550 | Use Alternate Authentication Material | Comments: This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors. The use of secure coding techniques to implement token binding allows applications and services to cryptographically bind their security tokens to the TLS layer to mitigate token theft. |
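
The token-binding mitigation named in the DSP-07 and AIS-04 comments, as an added Python example (not code from this page, MITRE, or CSA): a token accepted as a bare bearer string versus the same token bound to a per-token secret. The HMAC-derived proof-of-possession key, the function names, and the 60-second freshness window are assumptions for illustration; this is a symmetric proof-of-possession sketch, not the TLS Token Binding protocol itself.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed demo key; a real service loads it from a KMS/HSM
MAX_SKEW = 60  # assumed freshness window for a proof, in seconds


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over newline-joined fields, hex encoded."""
    return hmac.new(key, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def issue(user: str) -> tuple[str, bytes]:
    """Return (token, pop_key): a signed token plus the secret it is bound to."""
    body = f"{user}.{secrets.token_hex(8)}"
    token = f"{body}.{_mac(SERVER_KEY, 'tok', body)}"
    pop_key = bytes.fromhex(_mac(SERVER_KEY, "pop", body))  # derived per token, never sent again
    return token, pop_key


def prove(pop_key: bytes, method: str, path: str, ts: int) -> str:
    """Client side: MAC the request with the secret the token is bound to."""
    return _mac(pop_key, method, path, str(ts))


def verify_bearer(token: str) -> bool:
    """Unbound check: whoever holds the token string is accepted."""
    body, _, sig = token.rpartition(".")
    return hmac.compare_digest(sig, _mac(SERVER_KEY, "tok", body))


def verify_bound(token: str, method: str, path: str, ts: int, proof: str, now=None) -> bool:
    """Bound check: valid token, fresh timestamp, and proof made with the bound secret."""
    now = int(time.time()) if now is None else now
    if not verify_bearer(token) or abs(now - ts) > MAX_SKEW:
        return False
    body = token.rpartition(".")[0]
    pop_key = bytes.fromhex(_mac(SERVER_KEY, "pop", body))  # server re-derives, stores nothing
    return hmac.compare_digest(proof, prove(pop_key, method, path, ts))
```

Binding only helps when the secret is harder to steal than the token, which is why the DSP-07 comment mentions tying the token to a device.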

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
| --- | --- | --- |
| T1550.004 | Web Session Cookie | 5 |
| T1550.001 | Application Access Token | 9 |