Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.

| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Enterprise | T1098 | | Account Manipulation | Use multi-factor authentication for user and privileged accounts. |
| | | .001 | Additional Cloud Credentials | Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the |
| | | .002 | Exchange Email Delegate Permissions | Use multi-factor authentication for user and privileged accounts. |
| | | .003 | Add Office 365 Global Administrator Role | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1110 | | Brute Force | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| | | .001 | Password Guessing | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| | | .002 | Password Cracking | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| | | .003 | Password Spraying | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| | | .004 | Credential Stuffing | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| Enterprise | T1136 | | Create Account | Use multi-factor authentication for user and privileged accounts. |
| | | .001 | Local Account | Use multi-factor authentication for user and privileged accounts. |
| | | .002 | Domain Account | Use multi-factor authentication for user and privileged accounts. |
| | | .003 | Cloud Account | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1530 | | Data from Cloud Storage Object | Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.[2] |
| Enterprise | T1213 | .003 | Data from Information Repositories: Code Repositories | Use multi-factor authentication for logons to code repositories. |
| Enterprise | T1114 | | Email Collection | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
| | | .002 | Remote Email Collection | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
| Enterprise | T1133 | | External Remote Services | Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Two-Factor Authentication Interception techniques for some two-factor authentication implementations. |
| Enterprise | T1556 | | Modify Authentication Process | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| | | .001 | Domain Controller Authentication | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| | | .003 | Pluggable Authentication Modules | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. |
| | | .004 | Network Device Authentication | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.[3] |
| Enterprise | T1601 | | Modify System Image | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.[3] |
| | | .001 | Patch System Image | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.[3] |
| | | .002 | Downgrade System Image | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.[3] |
| Enterprise | T1599 | | Network Boundary Bridging | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.[3] |
| | | .001 | Network Address Translation Traversal | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.[3] |
| Enterprise | T1040 | | Network Sniffing | Use multi-factor authentication wherever possible. |
| Enterprise | T1021 | | Remote Services | Use multi-factor authentication on remote service logons where possible. |
| | | .001 | Remote Desktop Protocol | Use multi-factor authentication for remote logins.[4] |
| | | .004 | SSH | Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys. |
| Enterprise | T1072 | | Software Deployment Tools | Ensure proper system and access isolation for critical network systems through use of multi-factor authentication. |
| Enterprise | T1539 | | Steal Web Session Cookie | A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.[5] |
| Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| | | .004 | Valid Accounts: Cloud Accounts | Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features.[6] |
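
The T1539 entry depends on the security key tying each login assertion to the login domain. The following added example (not part of the original page) shows the relying-party checks that enforce that binding for a WebAuthn assertion. The hostnames, `make_sample` helper and sample assertions are constructed for illustration, and signature verification is a separate step that is not shown.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed login origin


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def origin_binding_failures(client_data_json, authenticator_data, challenge):
    """Return reasons to reject the assertion; an empty list means the checks pass."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not a JSON object"]
    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("unexpected type")
    # The challenge must be the one this server issued for this login attempt.
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failures.append("challenge mismatch")
    # The browser records the origin it actually loaded, not the one displayed.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")
    # authenticatorData: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
    if len(authenticator_data) < 37:
        failures.append("authenticatorData too short")
        return failures
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        failures.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:      # bit 0 = user presence
        failures.append("user presence flag not set")
    return failures


def make_sample(origin, rp_id, challenge):
    """Constructed assertion fields for a login page served from `origin`."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client, auth
```

An assertion produced on any host other than `EXPECTED_ORIGIN` fails both the origin and the `rpIdHash` check, so a relayed login yields nothing the real site will accept.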