T1552 Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)


CSA CCM Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

IAM-15 | Passwords Management | mitigates | T1552 | Unsecured Credentials
Comments: This control requires both CSP and CSC to independently enforce strong password management practices to protect authentication credentials and reduce the risk of unauthorized access. For example, credential access protection mitigation focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access.

I&S-04 | OS Hardening and Base Controls | mitigates | T1552 | Unsecured Credentials
Comments: This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Restricting access to sensitive data such as Cloud Formation templates and preventing a user's command history from being stored can prevent adversaries from obtaining insecurely stored credentials.

UEM-08 | Storage Encryption | mitigates | T1552 | Unsecured Credentials
Comments: This control provides for implementation of endpoint storage encryption. Encryption ensures the confidentiality of data such as credentials, preventing unauthorized access. When possible, keys should be stored on separate cryptographic hardware instead of on the local system.

UEM-05 | Endpoint Management | mitigates | T1552 | Unsecured Credentials
Comments: This control provides for the implementation of best practices for endpoint management. Endpoint exploit protection capabilities can be used to detect, block, and mitigate conditions indicative of exploits of public-facing applications.

LOG-08 | Audit Logs Sanitization | mitigates | T1552 | Unsecured Credentials
Comments: This control requires organizations to implement technical measures that automatically detect and remove sensitive data from logs to prevent unauthorized exposure. Log sanitization may help mitigate risks from Unsecured Credentials (T1552), where attackers target logs for sensitive information such as credentials or access tokens.

I&S-07 | Migration to Cloud Environments | mitigates | T1552 | Unsecured Credentials
Comments: This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data such as credentials, preventing unauthorized access.

CEK-03 | Data Encryption | mitigates | T1552 | Unsecured Credentials
Comments: This control provides cryptographic protection for data-at-rest within the cloud environment. Encryption ensures the confidentiality of data such as credentials, preventing unauthorized access. When possible, keys should be stored on separate cryptographic hardware instead of on the local system.

IPY-03 | Secure Interoperability and Portability Management | mitigates | T1552 | Unsecured Credentials
Comments: This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for the CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.

DSP-17 | Sensitive Data Protection | mitigates | T1552 | Unsecured Credentials
Comments: This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle. For this technique, adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations. In terms of mitigation, limit access to sensitive services: for example, if a SaaS application must store credentials in some object storage, registry, or password store, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.

UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1552 | Unsecured Credentials
Comments: This control provides for the implementation of best practices for third-party endpoint management. Endpoint exploit protection capabilities can be used to detect, block, and mitigate conditions indicative of exploits of public-facing applications.

AIS-04 | Secure Application Design and Development | mitigates | T1552 | Unsecured Credentials
Comments: This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries may query and search through compromised applications to find and obtain insecurely stored credentials. Secure coding practices and secure credential handling may prevent hardcoded or insecurely stored credentials and ensure the use of proper encryption for credentials and application data.

AIS-05 | Automated Application Security Testing | mitigates | T1552 | Unsecured Credentials
Comments: The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may search compromised services or applications to find and obtain insecurely stored API keys for SaaS services or cloud storage encryption keys.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1552.005 | Cloud Instance Metadata API | 7
T1552.004 | Private Keys | 5
T1552.001 | Credentials In Files | 1
T1552.007 | Container API | 4