Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.
Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Configuring SNMPv3 to use the highest level of security (authPriv) available and applying extended ACLs to block unauthorized protocols outside the trusted network can protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This control provides for appropriately segmented and segregated cloud environments. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.
References
|
| I&S-09 | Network Defense | mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Access controls, firewalls, and cloud-based segmentation can be used to isolate and protect configuration repositories. In addition, network intrusion prevention devices can be configured to block SNMP queries and commands from unauthorized sources.
References
|