T0131 - Overprivileged user account
Overprivileged user account is a lateral movement technique in which an attacker gains access to a user account that holds excessive privileges and uses that account to move laterally within a network, reaching resources and systems that the attacker is not authorized to access.
It also affects cloud and CI/CD accounts: with such an account, an attacker can manipulate the CI/CD pipeline or the cloud configuration to introduce malicious code into the software build or deployment process.
This could lead to the deployment of compromised software, which can result in data breaches, malware infections, or other security incidents.
ID: T0131
Type: Technique
Tactic: Lateral Movement
Summary: Overprivileged user account
State: draft
Mitigations (id - type - summary - description)

M1310 - Mitigation - Implement least privilege principle
Follow the principle of least privilege (POLP): grant users the minimum privileges necessary to perform their job functions, and avoid assigning excessive privileges to user accounts.
Regularly review and update user privileges against that principle, and remove unnecessary privileges to reduce the risk of overprivileged accounts.

M1311 - Mitigation - Implement multi-factor authentication
Require multi-factor authentication (MFA) for user accounts, especially for privileged accounts.
MFA adds an additional layer of security and helps prevent unauthorized access to user accounts, reducing the risk of an overprivileged account being compromised.

M1550 - Mitigation - Implement strict access control for clouds
Limit access to cloud resources to authorized users only, and ensure that proper authentication and authorization mechanisms are in place.

M1661 - Mitigation - Revoke user permissions
Remove permissions granted on the SCM repository from users that do not need them.
Limit access to configuration files: grant access only to users who need it to modify the configuration files.
Detections (id - type - summary - description)

D1261 - Detection - Implement penetration testing
Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks.
It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that malicious actors could exploit.

D1310 - Detection - Monitor user access logs
Regularly review and analyze user access logs, including authentication logs, authorization logs, and privilege change logs.
Look for unusual or suspicious activity, such as users attempting to access resources or systems they are not authorized to access, or privilege changes that are not in line with the principle of least privilege.

D1510 - Detection - Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing an IDS together with anti-malware software helps identify and block malicious activity.
An IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner.
By providing real-time monitoring and analysis of network traffic, an IDS can help organizations stay ahead of potential threats and reduce the risk of a security breach.

D1590 - Detection - Implement continuous monitoring and logging of the CI/CD process
Continuous monitoring and logging of the CI/CD process helps organizations detect unusual activity or deviations from the standard workflow.
This includes monitoring the pipeline for unusual resource requests or unauthorized access attempts, and analyzing logs for unusual activity that may indicate a potential security breach.
By establishing a baseline of normal behavior and regularly comparing current activity against it, organizations can quickly identify and respond to anomalous behavior.
Automated alerts and notifications for suspicious activity also help security teams respond promptly to potential threats.
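As an added example (not part of this entry or of any project's code), the following Python triages constructed access-log lines for the two signals that D1310 and D1590 describe: repeated denied access attempts by one account, and successful privilege changes that fall outside a least-privilege baseline. The log line format, the baseline roles, the sample lines and the threshold are all assumptions made for the example.

```python
# Added example: triage constructed access logs for the signals in D1310/D1590.
# Assumed line format (not from the page):
#   "<ts> <AUTH|ACCESS|PRIV_CHANGE> user=<u> target=<t> result=<r>"
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH|ACCESS|PRIV_CHANGE) "
    r"user=(?P<user>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)

# Least-privilege baseline and sample log lines (both constructed).
BASELINE = {"alice": {"dev-read", "ci-runner"}, "bob": {"dev-read"}}

SAMPLE_LOGS = """\
2024-05-01T10:00:01Z AUTH user=alice target=sso result=success
2024-05-01T10:00:05Z ACCESS user=alice target=repo/payments result=denied
2024-05-01T10:00:06Z ACCESS user=alice target=repo/billing result=denied
2024-05-01T10:00:07Z ACCESS user=alice target=repo/infra result=denied
2024-05-01T10:01:00Z PRIV_CHANGE user=alice target=cloud-admin result=success
2024-05-01T10:02:00Z ACCESS user=bob target=repo/app result=allowed
2024-05-01T10:03:00Z PRIV_CHANGE user=bob target=dev-read result=success
""".splitlines()

def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, baseline, denied_threshold=3):
    """Flag repeated denied access and privilege grants outside the baseline."""
    denied = Counter()
    escalations = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped here; count them in production
        if ev["event"] == "ACCESS" and ev["result"] == "denied":
            denied[ev["user"]] += 1
        elif ev["event"] == "PRIV_CHANGE" and ev["result"] == "success":
            if ev["target"] not in baseline.get(ev["user"], set()):
                escalations[ev["user"]].append(ev["target"])
    findings = [("repeated_denied_access", u, n)
                for u, n in denied.items() if n >= denied_threshold]
    findings += [("privilege_outside_baseline", u, roles)
                 for u, roles in escalations.items()]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS, BASELINE):
        print(finding)
```

On the sample lines, alice is flagged twice (three denials, and a cloud-admin grant outside her baseline) while bob, whose grant matches his baseline, produces no finding.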