T0113 - Compromised user account
A compromised user account is a serious security threat, as attackers can use it to bypass security measures that are in place to protect an organization's assets. Attackers can gain access to legitimate user accounts in several ways, including brute-force attacks, phishing, malware, or social engineering. Once an attacker gains access to a user's account, they can access the cloud resources, artifact repository, infrastructure-as-code templates, or source code repository to steal or modify sensitive data or launch further attacks. In such case an attacker is able to modify the code and cloud resources, inject malware or backdoors, or replace legitimate artifacts. This can result in data breaches, system downtime, reputation damage, and financial losses.
Tactic: Initial Access
Summary: Compromised user account
Implement password rotation
If a user account has been compromised, immediately change the password for the affected account. Ensure that the new password is strong, unique, and not used elsewhere. Encourage users to use password managers to generate and store strong, unique passwords for each account.
Disable or lock compromised accounts
Disable or lock the compromised user account to prevent further unauthorized access. This can be done through an administrative action, such as disabling the account in the user management console or contacting the service provider or IT department to take appropriate action.
Enable MFA for user accounts
Enable MFA for all user accounts, which adds an additional layer of security beyond passwords. This can help prevent unauthorized access even if the user account credentials are compromised.
Implement zero trust
Implementing a zero-trust security model can help organizations mitigate the risk of data exfiltration by ensuring that all traffic leaving the network is authenticated, authorized, and encrypted. This model involves a layered approach to security that requires users and devices to be verified before accessing any resources.
Use network segmentation
Network segmentation is a technique that involves dividing a network into smaller segments or subnets to limit the spread of an attack if it occurs. By segmenting the network and restricting communication between segments, organizations can minimize the impact of data exfiltration.
Implement strict access control for clouds
Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
Revoke user permissions
Remove permissions granted on the SCM repository from users that do not need them. Limit access to configuration files. Only grant access to users who need it to modify the configuration files.
Implement monitoring mechanisms that track and analyze account activity, such as changes to permissions, creation or deletion of resources, or modifications to critical settings. Regularly review and analyze account activity logs to detect any unauthorized or suspicious activities that may indicate a compromised user account.
Implement a SIEM system to centralize and analyze logs and events from various sources, including user account-related activities. Use SIEM rules or correlation rules to detect any abnormal or suspicious user account-related activities, such as multiple failed login attempts, changes to account settings outside of normal patterns, or simultaneous login attempts from different locations.
Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
Implement endpoint detection and response system
An endpoint detection and response (EDR) system is a security tool designed to detect and respond to security incidents on endpoints, such as desktops, laptops, servers, and mobile devices. There are several reasons why an EDR system is essential for maintaining the security of endpoints: 1. Threat Detection: EDR can detect and alert on a wide range of threats, including malware, ransomware, and other types of attacks that may not be detected by traditional antivirus software. 2. Rapid Incident Response: EDR can help security teams to rapidly detect, investigate, and respond to security incidents on endpoints. EDR systems can provide detailed information about the scope and impact of an attack, enabling security personnel to respond quickly and effectively. 3. Behavioral Analysis: EDR can monitor endpoint behavior to detect and alert on suspicious or anomalous activity. This helps security teams to identify and respond to threats that may be missed by traditional signature-based detection. 4. Endpoint Visibility: EDR provides visibility into endpoint activity, including processes, network connections, and file activity. This helps security teams to identify potential attack vectors and take proactive measures to prevent future incidents.