NIST 800-53 AC-7 Mappings

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-7 Unsuccessful Logon Attempts Protects T1021 Remote Services
AC-7 Unsuccessful Logon Attempts Protects T1021.001 Remote Desktop Protocol
AC-7 Unsuccessful Logon Attempts Protects T1021.004 SSH
AC-7 Unsuccessful Logon Attempts Protects T1078.002 Domain Accounts
AC-7 Unsuccessful Logon Attempts Protects T1078.004 Cloud Accounts
AC-7 Unsuccessful Logon Attempts Protects T1110 Brute Force
AC-7 Unsuccessful Logon Attempts Protects T1110.001 Password Guessing
AC-7 Unsuccessful Logon Attempts Protects T1110.002 Password Cracking
AC-7 Unsuccessful Logon Attempts Protects T1110.003 Password Spraying
AC-7 Unsuccessful Logon Attempts Protects T1110.004 Credential Stuffing
AC-7 Unsuccessful Logon Attempts Protects T1133 External Remote Services
AC-7 Unsuccessful Logon Attempts Protects T1530 Data from Cloud Storage Object
AC-7 Unsuccessful Logon Attempts Protects T1556 Modify Authentication Process
AC-7 Unsuccessful Logon Attempts Protects T1556.001 Domain Controller Authentication
AC-7 Unsuccessful Logon Attempts Protects T1556.003 Pluggable Authentication Modules
AC-7 Unsuccessful Logon Attempts Protects T1556.004 Network Device Authentication