Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)
OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)
For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)
Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the sts:GetFederationToken API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-08 | User Access Review | mitigates | T1550.001 | Application Access Token |
Comments
This control describes the periodic review and validation of user access by centralizing access management, automating review processes, and continuously monitoring for unauthorized activities. These mitigative actions ensure that access rights remain appropriate, obsolete or excessive privileges are removed, and potential security access risks are promptly identified and mitigated. For this technique, administrators should perform automated reviews of all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate.
References
|
| I&S-05 | Production and Non-Production Environments | mitigates | T1550.001 | Application Access Token |
Comments
This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. Restricting the use of authentication material outside of expected contexts can help prevent adversary misuse of alternate authentication material.
References
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1550.001 | Application Access Token |
Comments
This control provides for the use of secure and encrypted communication
channels when migrating to cloud environments. Encryption ensures the confidentiality and integrity of data, such as OAuth access tokens used in a cloud-based email service. File encryption across email communications containing sensitive information that may be obtained through access to email services can help prevent adversaries from stealing application access tokens.
References
|
| CEK-03 | Data Encryption | mitigates | T1550.001 | Application Access Token |
Comments
This control provides cryptographic protection for data-at-rest and data-in-transit within the cloud environment. Encryption ensures the confidentiality and integrity of data, such as OAuth access tokens used in a cloud-based email service. File encryption across email communications containing sensitive information that may be obtained through access to email services can help prevent adversaries from stealing application access tokens.
References
|
| DSP-10 | Sensitive Data Transfer | mitigates | T1550.001 | Application Access Token |
Comments
The control describes the implementation of strong technical and procedural safeguards, such as TLS with strong keys)to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, file encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services. Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
References
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1550.001 | Application Access Token |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. In terms of mitigation, consider implementing token binding strategies that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to
References
|
| DSP-17 | Sensitive Data Protection | mitigates | T1550.001 | Application Access Token |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS). In terms of mitigation, where possible, consider restricting the use of access tokens outside of expected contexts. For example, in AWS environments, consider using data perimeters to prevent credential use outside of an expected network.
References
|
| UEM-08 | Storage Encryption | mitigates | T1550.001 | Application Access Token |
Comments
This control provides for implementation of endpoint storage encryption. Encryption ensures the confidentiality and integrity of data, such as OAuth access tokens used in a cloud-based email service. File encryption across email communications containing sensitive information that may be obtained through access to email services can help prevent adversaries from stealing application access tokens.
References
|
| AIS-04 | Secure Application Design and Development | mitigates | T1550.001 | Application Access Token |
Comments
This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries can steal and use application access tokens as a means of acquiring credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications. The SSDLC process should ensure that applications APIs, and applications access tokens are securely designed, developed, and protected in their cloud environments.
References
|