What Is MITRE ATT&CK Credential Access (TA0006)?
The MITRE ATT&CK Framework is a set of tactics and techniques used by cyber adversaries organized into a robust knowledge base. This resource helps cybersecurity professionals better understand how adversaries achieve their objectives by improving their knowledge of the steps they take to do so.
The Credential Access tactic (TA0006) involves techniques that attackers use to steal credentials, including usernames and passwords. Once an attacker has valid credentials, they can use them to gain elevated privileges, move laterally within a network, access restricted data, or perform other malicious actions.
What Techniques are Included in the Credential Access Tactic?
- Brute Force (T1110)
- Attackers try multiple combinations of usernames and passwords to gain access.
- Examples: Password spraying (trying a few common passwords against many accounts) or traditional brute force (trying many passwords against one account).
- Credential Dumping (T1003)
- Obtaining credentials by reading from the operating system or software memory.
- Examples: Using tools like Mimikatz to extract plaintext passwords, hashes, pins, and Kerberos tickets from memory.
- Steal Web Session Cookie (T1539)
- Attackers capture web session cookies to impersonate victims and access web applications without needing a password.
- Examples: Sniffing cookies from an unencrypted HTTP session.
- Steal or Forge Kerberos Tickets (T1558)
- Leveraging Kerberos authentication tickets for unauthorized access.
- Examples: Golden Ticket attacks (forging a Ticket Granting Ticket) or Silver Ticket attacks (forging a service ticket).
- Unsecured Credentials (T1552)
- Attackers find credentials that are poorly protected or stored insecurely.
- Examples: Finding passwords stored in plaintext in configuration files or in the Windows registry.
- Input Capture (T1056)
- Capturing user input, commonly keystrokes, to gather credentials.
- Examples: Using keyloggers to capture usernames and passwords.
- Man-in-the-Middle (T1557)
- Interposing between two parties to capture or manipulate data, including credentials.
- Examples: ARP poisoning to intercept and capture credentials sent over a network.
- Use of Password Filter (T1174)
- Custom password filters can be installed on a domain controller to capture passwords.
- Two-Factor Authentication Interception (T1111)
- Attackers intercept or otherwise bypass two-factor authentication (2FA) mechanisms.
- Examples: Using phishing to capture not just the password but also the 2FA token.
Why is Credential Access Important?
For organizations, understanding these techniques is crucial. It enables them to tailor their defenses, monitor for specific suspicious activities, and respond effectively to potential breaches.
The "Credential Access" tactic and its associated techniques are crucial for several reasons:
- Pivotal Point in the Attack Lifecycle: Once an adversary gains initial access to a system, obtaining credentials is often a next critical step. This access can enable the attacker to move laterally across a network, escalate privileges, or maintain persistence. By securing and monitoring credential access points, defenders can often stop an attack from progressing.
- Access Elevation: With stolen credentials, an attacker can escalate from a low-privileged user to a high-privileged one, allowing them to take more significant actions on a network, such as disabling security controls, creating new accounts, or accessing sensitive data.
- Stealth and Impersonation: Using legitimate credentials allows attackers to blend in with normal users, making detection much more challenging. An attacker operating with valid credentials may not immediately raise red flags in security monitoring systems.
- Bypassing Traditional Defenses: Traditional defenses, like firewalls and intrusion prevention systems, may not detect or block activity from authenticated users. An attacker using valid credentials can bypass many of these defenses.
- Facilitates Lateral Movement: With valid credentials, especially administrative ones, attackers can move across a network, accessing multiple systems and data repositories. This lateral movement increases the potential impact of an attack.
- Persistence: Obtaining and leveraging multiple sets of credentials can allow adversaries to maintain access to a compromised environment even if one set of stolen credentials gets detected and revoked.
- Expensive Recovery: Once credentials are stolen, especially in large environments, remediation can be complex and costly. It might involve resetting passwords across the organization, investigating the extent of unauthorized access, or even rebuilding systems.
- Enables Further Attacks: Stolen credentials can be used for additional attacks, either against the same organization at a later time or against other entities where users might reuse passwords.
- Value on the Black Market: Credentials, especially those for high-value targets or systems, can be sold or shared in underground markets, furthering the spread of unauthorized access and potential breaches.
Given the central role that credentials play in both everyday operations and in cyberattacks, it's clear why the techniques associated with the "Credential Access" tactic are so critical. Properly defending against these techniques is paramount for organizations that aim to maintain a robust cybersecurity posture.
How do you Mitigate the Credential Access Tactic?
Mitigating the Credential Access tactic involves a multi-faceted approach. The goal is to protect credentials from theft, ensure they can't be easily guessed or cracked, and to detect any unusual or unauthorized use of credentials. Here are some strategies and controls to mitigate the risks associated with Credential Access:
- Strong Password Policies:
- Enforce the use of complex passwords.
- Use passphrases, which are longer and often more memorable than passwords.
- Set a reasonable maximum password age to ensure regular password changes.
- Prevent the reuse of previous passwords.
- Two-Factor Authentication (2FA):
- Implement 2FA for all critical systems, especially for remote access and administrative actions.
- This adds an additional layer of security even if passwords are compromised.
- Protect Domain Controllers and Authentication Servers:
- Harden these critical assets using best practices.
- Regularly monitor and audit their security.
- Limit Use of Privileged Accounts:
- Use the principle of least privilege (PoLP). Users should only have the permissions necessary to perform their tasks.
- Avoid using domain admin accounts for routine tasks. Instead, use separate accounts for administration.
- Secure Credential Storage:
- Never store passwords in plaintext.
- Ensure software and services hash and salt passwords.
- Regularly Monitor and Audit Logs:
- Check for unusual login times, login failures, or access from unusual locations.
- Tools like Security Information and Event Management (SIEM) systems can help automate this process.
- Credential Guard:
- For Windows environments, use features like Windows Defender Credential Guard to protect NTLM password hashes and Kerberos ticket-granting tickets.
- Training and Awareness:
- Educate users about the dangers of phishing, as this is a common method attackers use to steal credentials.
- Encourage users to report suspicious activities or messages.
- Limit Exposure:
- Reduce the number of places where credentials are stored or transmitted.
- Disable or restrict protocols known for transmitting credentials in plaintext, like Telnet or FTP.
- Secure Workstations:
- Use endpoint protection solutions to detect and prevent malware, especially keyloggers or memory dumpers.
- Regularly update and patch systems.
- Network Segmentation:
- Separate sensitive systems or data from the broader network, limiting the access that a compromised account might have.
- Protect Session Cookies:
- Use the "Secure" and "HttpOnly" flags for cookies.
- Ensure web applications employ strong session management.
- Password Managers:
- Encourage the use of password managers. These tools generate and store complex passwords, reducing the likelihood of weak or repeated passwords.
- Account Lockout Policies:
- Implement account lockout policies to deter brute-force attacks. However, be mindful of denial-of-service risks.
- Regularly Audit Accounts:
- Periodically review all accounts and disable those that are no longer needed.
- Look for anomalies such as accounts with unnecessary privileges.
Implementing these mitigations will significantly reduce the risk associated with Credential Access tactics. However, it's always important to maintain a layered defense approach, understanding that no single mitigation is foolproof. Regularly reviewing and updating your security posture in response to evolving threats is essential.
How NETCOUT Helps
Omnis Cyber Intelligence (OCI) can detect attempts at multiple Credential Access techniques, such as Brute Force. This detection helps ensure that enterprises are able to identify these attempts and take action to mitigate the threat. That knowledge can be leveraged in several ways, including strengthening security posture with measures such as 2FA, ensuring only the minimum access to resources, and more.