Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.05 | Encryption standards | Mitigates | T1098.004 | SSH Authorized Keys | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. For the SSH Authorized Keys technique, cryptography and key management standards should restrict user and application write access to the authorized_keys file (for example, by pointing sshd's AuthorizedKeysFile at a root-owned location outside user home directories and keeping StrictModes enabled), which limits an adversary's ability to append a key to the file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure SSH sessions for remote management. |
PR.PS-01.05 | Encryption standards | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. For the Unsecured Credentials technique, cryptography and key management standards should require that, where possible, keys are stored on separate cryptographic hardware (a TPM, HSM, or smart card) rather than on the local file system, so that credentials are not left in insecure locations from which they can be read and stolen. |
PR.PS-01.05 | Encryption standards | Mitigates | T1563.001 | SSH Hijacking | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. For the SSH Hijacking technique, require that SSH private keys are protected by strong passphrases, and refrain from key-store technologies such as ssh-agent (and from agent forwarding) unless the agent socket is properly protected: an adversary with access to a running agent can authenticate with the loaded keys without ever learning the passphrase. |
PR.PS-01.05 | Encryption standards | Mitigates | T1552.004 | Private Keys | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. For the Private Keys technique, cryptography and key management standards should, where possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM (through the Microsoft Platform Crypto Provider) to secure keys and other sensitive credential material so that the private key cannot be exported from the device. |
PR.PS-01.05 | Encryption standards | Mitigates | T1558.004 | AS-REP Roasting | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address the theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible. AES raises the cost of cracking a captured AS-REP offline, because the AES key is derived from the password with a salted, iterated PBKDF2 rather than being the NT hash, but it does not remove the exposure: accounts with Kerberos pre-authentication disabled remain targets, so require pre-authentication wherever possible. |
PR.PS-01.05 | Encryption standards | Mitigates | T1558.003 | Kerberoasting | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address the theft or forgery of Kerberos tickets with Kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible, so that service tickets are not encrypted under the service account's NT hash. Because any authenticated domain user can still request the ticket, a long random password or a group Managed Service Account for the service account is what makes the ticket impractical to crack; AES only raises the cost. |
PR.PS-01.05 | Encryption standards | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address forged service tickets (Silver Tickets), enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible. With RC4, the key that encrypts service tickets is the service account's NT hash, so a dump of that hash is enough to forge a ticket; with AES the adversary needs the separate AES key. In either case, protect the service account's credentials and rotate them if compromise is suspected. |
PR.PS-01.05 | Encryption standards | Mitigates | T1649 | Steal or Forge Authentication Certificates | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address the theft or forgery of authentication certificates, ensure that certificates and their associated private keys are appropriately secured: for example, generate and hold CA and user private keys in an HSM or TPM, mark them non-exportable, and encrypt any backups or exported PFX files. |
PR.PS-01.05 | Encryption standards | Mitigates | T1558 | Steal or Forge Kerberos Tickets | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address the theft or forgery of Kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible, and audit accounts whose msDS-SupportedEncryptionTypes value still permits RC4 or DES. |
PR.PS-01.05 | Encryption standards | Mitigates | T1040 | Network Sniffing | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address network sniffing, ensure that all wired and wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by TLS (with obsolete SSL and early TLS versions disabled), since an adversary with a capture point reads any credential sent in cleartext. |
PR.PS-01.05 | Encryption standards | Mitigates | T1070.002 | Clear Linux or Mac System Logs | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address clearing of Linux or macOS system logs, obfuscate or encrypt event files locally and in transit so that their contents give no feedback to an adversary about what was recorded. Encryption does not prevent deletion, so also forward logs to a remote collector over an encrypted channel so that a copy survives local tampering. |
PR.PS-01.05 | Encryption standards | Mitigates | T1070.001 | Clear Windows Event Logs | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address clearing of Windows event logs, obfuscate or encrypt event files locally and in transit so that their contents give no feedback to an adversary about what was recorded. Encryption does not prevent the logs from being cleared, so also forward events to a remote collector over an encrypted channel so that a copy survives local tampering. |
PR.PS-01.05 | Encryption standards | Mitigates | T1070 | Indicator Removal | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address indicator removal techniques, obfuscate or encrypt event files locally and in transit so that their contents give no feedback to an adversary about what was recorded. Encryption does not prevent deletion, so pair it with forwarding of events to a remote, separately protected store. |
PR.PS-01.05 | Encryption standards | Mitigates | T1114.001 | Local Email Collection | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address local email collection from mail files and caches on the endpoint (for example, Outlook .ost and .pst files), the use of encryption provides an added layer of security to sensitive information sent over email. End-to-end encryption using public key cryptography (S/MIME or OpenPGP) requires the adversary to obtain the recipient's private key in order to decrypt messages; transport encryption alone does not help once the adversary can read the local mail store. Enforce encryption of email communications containing sensitive information that could be obtained through access to email services. |
PR.PS-01.05 | Encryption standards | Mitigates | T1114.002 | Remote Email Collection | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address remote email collection by an adversary who uses stolen credentials against the mail server or cloud mailbox, the use of encryption provides an added layer of security to sensitive information sent over email. End-to-end encryption using public key cryptography (S/MIME or OpenPGP) requires the adversary to obtain the recipient's private key in order to decrypt messages; transport encryption alone does not help once the adversary has mailbox access. Enforce encryption of email communications containing sensitive information that could be obtained through access to email services. |
PR.PS-01.05 | Encryption standards | Mitigates | T1114 | Email Collection | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address email collection, the use of encryption provides an added layer of security to sensitive information sent over email. End-to-end encryption using public key cryptography (S/MIME or OpenPGP) requires the adversary to obtain the recipient's private key in order to decrypt messages. |
PR.PS-01.05 | Encryption standards | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit, and use authenticated encryption (an AEAD mode, or TLS) rather than encryption alone: an unauthenticated stream or counter-mode cipher lets an on-path adversary flip bits in the ciphertext and change the plaintext predictably without knowing the key. |
PR.PS-01.05 | Encryption standards | Mitigates | T1565.001 | Stored Data Manipulation | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address stored data manipulation, consider encrypting important information to reduce an adversary's ability to perform tailored data modifications, and pair the encryption with integrity protection (authenticated encryption, digital signatures, or a protected hash of the stored data) so that a modification is detected rather than merely made harder. |
PR.PS-01.05 | Encryption standards | Mitigates | T1565 | Data Manipulation | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address data manipulation, consider encrypting important information to reduce an adversary's ability to perform tailored data modifications, and use encryption modes that also authenticate the data, since confidentiality alone does not detect a change. |
PR.PS-01.05 | Encryption standards | Mitigates | T1213 | Data from Information Repositories | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address collection of data from information repositories, encrypt data stored at rest in databases. At-rest encryption protects against theft of the storage media or the database files; an adversary using valid application or database credentials still sees decrypted data, so pair it with access control and monitoring of repository access. |
PR.PS-01.05 | Encryption standards | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available, with an authentication protocol such as SHA and a privacy protocol such as AES, and disable SNMPv1 and SNMPv2c community strings, which travel in cleartext and let anyone who captures or guesses them pull the running configuration. |
PR.PS-01.05 | Encryption standards | Mitigates | T1602.001 | SNMP (MIB Dump) | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv) available, with an authentication protocol such as SHA and a privacy protocol such as AES, and disable SNMPv1 and SNMPv2c community strings, which travel in cleartext. |
PR.PS-01.05 | Encryption standards | Mitigates | T1602 | Data from Configuration Repository | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address data collection from configuration repositories, configure SNMPv3 to use the highest level of security (authPriv) available, with an authentication protocol such as SHA and a privacy protocol such as AES, and disable SNMPv1 and SNMPv2c community strings, which travel in cleartext. |
PR.PS-01.05 | Encryption standards | Mitigates | T1530 | Data from Cloud Storage | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address data collection from cloud storage, encrypt data stored at rest in cloud storage. Provider-managed at-rest encryption is transparent to anyone holding valid storage permissions, so customer-managed keys with their own key policies, combined with least-privilege access to the storage itself, are what constrain an adversary who has obtained cloud credentials. Managed encryption keys can be rotated by most providers; at a minimum, ensure the incident response plan for a storage breach includes rotating the keys, and test the rotation for impact on client applications. |
PR.PS-01.05 | Encryption standards | Mitigates | T1659 | Content Injection | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address Content Injection threats, ensure that all wired and wireless traffic is encrypted appropriately, employ best practices for authentication protocols such as Kerberos, and protect web traffic using TLS. Content injection depends on the adversary being able to alter unencrypted HTTP responses on the path, so serve sites over HTTPS and set HSTS so that clients refuse to fall back to plaintext. |
PR.PS-01.05 | Encryption standards | Mitigates | T1020.001 | Traffic Duplication | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address Automated Exfiltration: Traffic Duplication, ensure that all wired and wireless traffic is encrypted appropriately, employ best practices for authentication protocols such as Kerberos, and protect web traffic containing credentials using TLS, so that a mirrored or duplicated copy of the traffic yields only ciphertext. |
PR.PS-01.05 | Encryption standards | Mitigates | T1557.002 | ARP Cache Poisoning | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address ARP Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately, employ best practices for authentication protocols such as Kerberos, and protect web traffic containing credentials using TLS. Encryption does not stop the poisoning itself, which happens at layer 2, but it limits what the redirected traffic reveals; enforce server certificate validation so that the adversary cannot substitute a certificate of their own. |
PR.PS-01.05 | Encryption standards | Mitigates | T1557 | Adversary-in-the-Middle | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data at rest, data in use, and data in transit, mitigating unauthorized access to or theft of that data. To address adversary-in-the-middle threats, the organization ensures that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using TLS, with server certificate validation enforced so that a substituted certificate or a downgrade to plaintext is rejected rather than silently accepted. |