| ID | Name |
|---|---|
| T1602.001 | SNMP (MIB Dump) |
| T1602.002 | Network Device Configuration Dump |
Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.
Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. [1] [2] These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Encrypt Sensitive Information |
Configure SNMPv3 to use the highest level of security (authPriv) available. [3] |
| M1037 | Filter Network Traffic |
Apply extended ACLs to block unauthorized protocols outside the trusted network. [3] |
| M1031 | Network Intrusion Prevention |
onfigure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than trusted director. [1] |
| M1030 | Network Segmentation |
Segregate SNMP traffic on a separate management network [3] |
| M1054 | Software Configuration |
Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used. [4] [1] |
| M1051 | Update Software |
Keep system images and software updated and migrate to SNMPv3. [2] |
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Connection Creation |
| Network Traffic Content |
Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. [5]