T0114 - Compromised service account

In this type of attack, the attacker gains access to a legitimate service account, which is typically used by an application or service to access cloud resources or manage infrastructure. The attacker can use the compromised service account to perform actions that are authorized for the service account, such as reading, modifying, or deleting data. This can result in data theft, unauthorized access to sensitive resources, and the ability to launch further attacks on other resources within the cloud environment.

ID: T0114
Type: Technique
Tactic: Initial Access
Summary: Compromised service account
State: draft

Mitigations

id | type | summary | description
M1130 | Mitigation | Implement password rotation | If a user account has been compromised, immediately change the password for the affected account. Ensure that the new password is strong, unique, and not used elsewhere. Encourage users to use password managers to generate and store strong, unique passwords for each account.
M1131 | Mitigation | Disable or lock compromised accounts | Disable or lock the compromised user account to prevent further unauthorized access. This can be done through an administrative action, such as disabling the account in the user management console or contacting the service provider or IT department to take appropriate action.
M1240 | Mitigation | Enable data encryption at rest | Encryption at rest is essential for preventing data breaches, complying with data privacy regulations, and protecting sensitive data. Organizations must identify which data needs encryption, select appropriate encryption algorithms and key management strategies, and regularly audit and assess their encryption at rest implementation. Check your cloud provider documentation for more details on how to enable data encryption at rest.
M1550 | Mitigation | Implement strict access control for clouds | Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
M1661 | Mitigation | Revoke user permissions | Remove permissions granted on the SCM repository from users that do not need them. Limit access to configuration files. Only grant access to users who need it to modify the configuration files.

Detections

id | type | summary | description
D1130 | Detection | | Implement monitoring mechanisms that track and analyze account activity, such as changes to permissions, creation or deletion of resources, or modifications to critical settings. Regularly review and analyze account activity logs to detect any unauthorized or suspicious activities that may indicate a compromised user account.
D1131 | Detection | Implement SIEM | Implement a SIEM system to centralize and analyze logs and events from various sources, including user account-related activities. Use SIEM rules or correlation rules to detect any abnormal or suspicious user account-related activities, such as multiple failed login attempts, changes to account settings outside of normal patterns, or simultaneous login attempts from different locations.
D1510 | Detection | Implement Intrusion Detection System and anti-malware | An intrusion detection system (IDS) is a security tool that detects and alerts on unauthorized access to a computer system or network. Deploying an IDS together with anti-malware software helps identify and block malicious activity. Through real-time monitoring and analysis of network traffic, an IDS lets organizations detect and respond to security incidents in a timely manner and reduces the risk of a breach.
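The monitoring and SIEM correlation ideas in D1130 and D1131, applied to a service account rather than a human user, as an added example that is not part of this catalog entry: it scans constructed audit-log events and flags a service account that acts outside its recorded baseline (permission changes, deletions) or is used from more than one source IP within a short window. The log format, principal names, action names and baseline are assumptions for illustration, not any provider's real schema.

```python
"""Detection sketch for a compromised service account (D1130/D1131)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); fields mirror a generic cloud audit log.
SAMPLE_LOG = """
{"ts":"2024-03-01T10:00:00Z","principal":"svc-backup","action":"storage.objects.get","src_ip":"10.0.0.5"}
{"ts":"2024-03-01T10:00:30Z","principal":"svc-backup","action":"storage.objects.get","src_ip":"10.0.0.5"}
{"ts":"2024-03-01T10:02:00Z","principal":"svc-backup","action":"iam.roles.update","src_ip":"203.0.113.9"}
{"ts":"2024-03-01T10:03:00Z","principal":"svc-backup","action":"storage.objects.delete","src_ip":"203.0.113.9"}
{"ts":"2024-03-01T10:04:00Z","principal":"svc-ci","action":"compute.instances.list","src_ip":"10.0.1.7"}
"""

# Assumed baseline: the actions each service account is expected to perform.
BASELINE = {"svc-backup": {"storage.objects.get"}, "svc-ci": {"compute.instances.list"}}
# Actions that matter most when a workload identity suddenly performs them.
SENSITIVE = {"iam.roles.update", "storage.objects.delete"}
WINDOW = timedelta(minutes=10)  # a workload identity rarely moves between IPs this fast


def parse_events(raw):
    """Parse one JSON event per line and sort by timestamp."""
    events = [json.loads(line) for line in raw.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(raw):
    """Return a list of (rule, principal, detail) alerts, deduplicated."""
    alerts = []
    seen_ips = defaultdict(list)  # principal -> [(ts, ip)] within the window
    for e in parse_events(raw):
        p, action, ip, ts = e["principal"], e["action"], e["src_ip"], e["ts"]
        # Rule 1: action outside the account's baseline; escalate if sensitive.
        if action not in BASELINE.get(p, set()):
            rule = "sensitive_action" if action in SENSITIVE else "off_baseline_action"
            alerts.append((rule, p, action))
        # Rule 2: same principal seen from a different source IP inside the window.
        recent = [(t, i) for t, i in seen_ips[p] if ts - t <= WINDOW]
        alert = ("multi_source_ip", p, ip)
        if any(i != ip for _, i in recent) and alert not in alerts:
            alerts.append(alert)
        seen_ips[p] = recent + [(ts, ip)]
    return alerts
```

Feeding the sample through `detect(SAMPLE_LOG)` yields three alerts for `svc-backup` (the IAM change, the deletion, and the new source IP) and none for `svc-ci`, which stayed within its baseline.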
