T0137 - Weak authentication methods
Weak authentication methods are a common attack technique used by threat actors to gain unauthorized access to cloud environments or code repositories. This attack technique relies on exploiting vulnerabilities in the authentication methods used to control access to resources.
In cloud security, weak authentication methods can be exploited through several vectors, such as stolen credentials, brute force attacks, and password spraying.
Threat actors can also take advantage of misconfigured security groups or network access control lists (ACLs) to bypass authentication and gain access to cloud resources.
In code security, weak authentication methods can be exploited through vulnerabilities in source code management platforms, such as Git repositories.
For instance, if developers use weak passwords or if the authentication protocols used by the repository are vulnerable, attackers can steal source code or inject malicious code into the codebase.
ID: T0137
Type:
Technique
Tactic:
Initial Access
Summary:
Weak authentication methods
State:
draft
Mitigations
id
type
summary
description
M1130
Mitigation
Implement password rotation
If a user account has been compromised, immediately change the password for the affected account.
Ensure that the new password is strong, unique, and not used elsewhere. Encourage users to use password managers to generate and store strong, unique passwords for each account.
M1132
Mitigation
Enable MFA for user accounts
Enable MFA for all user accounts, which adds an additional layer of security beyond passwords.
This can help prevent unauthorized access even if the user account credentials are compromised.
M1550
Mitigation
Implement strict access control for clouds
Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
M1860
Mitigation
Implement strong authentication mechanisms
Authentication is the process of verifying the identity of a user or entity accessing the SCM system.
Strong authentication typically involves using multiple factors to verify the user's identity, beyond just a username and password.
This may include factors such as something the user knows (e.g., password), something the user has (e.g., smart card or token), and something the user is (e.g., biometric data like fingerprint or facial recognition).
Multi-factor authentication (MFA) can significantly enhance the security of SCM systems by adding an additional layer of protection against unauthorized access.
M1861
Mitigation
Implement strong authorization mechanisms
Strong authorization ensures that users only have access to the resources and actions that are necessary for their job functions and responsibilities, and nothing more.
This can be achieved through proper access controls, such as role-based access control (RBAC) or attribute-based access control (ABAC), which define fine-grained permissions and privileges for users, groups, and repositories in the SCM system.
Regularly review user permissions and remove all unnecessary permissions for specific users.
Detections
id
type
summary
description
D1261
Detection
Implement penetration testing
Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks.
It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.
D1510
Detection
Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity.
IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner.
By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
D1520
Detection
Implement endpoint detection and response system
An endpoint detection and response (EDR) system is a security tool designed to detect and respond to security incidents on endpoints, such as desktops, laptops, servers, and mobile devices.
There are several reasons why an EDR system is essential for maintaining the security of endpoints:
1. Threat Detection: EDR can detect and alert on a wide range of threats, including malware, ransomware, and other types of attacks that may not be detected by traditional antivirus software.
2. Rapid Incident Response: EDR can help security teams to rapidly detect, investigate, and respond to security incidents on endpoints. EDR systems can provide detailed information about the scope and impact of an attack, enabling security personnel to respond quickly and effectively.
3. Behavioral Analysis: EDR can monitor endpoint behavior to detect and alert on suspicious or anomalous activity. This helps security teams to identify and respond to threats that may be missed by traditional signature-based detection.
4. Endpoint Visibility: EDR provides visibility into endpoint activity, including processes, network connections, and file activity. This helps security teams to identify potential attack vectors and take proactive measures to prevent future incidents.