Multi-factor Authentication, Mitigation M1032 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Multi-factor Authentication, Mitigation M1032 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/mitigations">Mitigations</a></li> <li class="breadcrumb-item">Multi-factor Authentication</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Multi-factor Authentication </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> M1032</div> <div class="card-data"><span class="h5 card-title">Version:</span> 1.0</div> <div class="card-data"><span class="h5 card-title">Created: </span>10 June 2019</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>21 October 2022</div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of M1032" href="/versions/v16/mitigations/M1032/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of M1032" href="/versions/v16/mitigations/M1032/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div>  <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/mitigations/M1032/M1032-enterprise-layer.json" download target="_blank">download</a>  <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "mitigations/M1032/M1032-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div>  <h2 class="pt-3 mb-2" id="techniques">Techniques Addressed by Mitigation</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/001">.001</a> </td> <td> <a href="/techniques/T1098/001">Additional Cloud Credentials</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the <code>CreateKeyPair</code> and <code>ImportKeyPair</code> API calls through IAM policies.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."data-reference="Expel IO Evil in AWS"><sup><a href="https://expel.io/blog/finding-evil-in-aws/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/002">.002</a> </td> <td> <a href="/techniques/T1098/002">Additional Email Delegate Permissions</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/003">.003</a> </td> <td> <a href="/techniques/T1098/003">Additional Cloud Roles</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/005">.005</a> </td> <td> <a href="/techniques/T1098/005">Device Registration</a> </td> <td> <p>Require multi-factor authentication to register devices in Entra ID.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022."data-reference="Microsoft - Device Registration"><sup><a href="https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and "PrintNightmare" Vulnerability. Retrieved March 16, 2022."data-reference="CISA MFA PrintNightmare"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/006">.006</a> </td> <td> <a href="/techniques/T1098/006">Additional Container Cluster Roles</a> </td> <td> <p>Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1110">T1110</a> </td> <td> <a href="/techniques/T1110">Brute Force</a> </td> <td> <p>Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/001">.001</a> </td> <td> <a href="/techniques/T1110/001">Password Guessing</a> </td> <td> <p>Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/002">.002</a> </td> <td> <a href="/techniques/T1110/002">Password Cracking</a> </td> <td> <p>Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/003">.003</a> </td> <td> <a href="/techniques/T1110/003">Password Spraying</a> </td> <td> <p>Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/004">.004</a> </td> <td> <a href="/techniques/T1110/004">Credential Stuffing</a> </td> <td> <p>Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1136">T1136</a> </td> <td> <a href="/techniques/T1136">Create Account</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/001">.001</a> </td> <td> <a href="/techniques/T1136/001">Local Account</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/002">.002</a> </td> <td> <a href="/techniques/T1136/002">Domain Account</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/003">.003</a> </td> <td> <a href="/techniques/T1136/003">Cloud Account</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1485">T1485</a> </td> <td> <a href="/techniques/T1485">Data Destruction</a> </td> <td> <p>Implement multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure. MFA delete requires additional authentication steps, making it significantly more difficult for adversaries to destroy data without proper credentials. This additional security layer helps protect against the impact of data destruction in cloud environments by ensuring that only authenticated actions can irreversibly delete storage or machine images.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1530">T1530</a> </td> <td> <a href="/techniques/T1530">Data from Cloud Storage</a> </td> <td> <p>Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019."data-reference="Amazon S3 Security, 2019"><sup><a href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1213">T1213</a> </td> <td> <a href="/techniques/T1213">Data from Information Repositories</a> </td> <td> <p>Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1213/003">.003</a> </td> <td> <a href="/techniques/T1213/003">Code Repositories</a> </td> <td> <p>Use multi-factor authentication for logons to code repositories.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1114">T1114</a> </td> <td> <a href="/techniques/T1114">Email Collection</a> </td> <td> <p>Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1114/002">.002</a> </td> <td> <a href="/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p>Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1133">T1133</a> </td> <td> <a href="/techniques/T1133">External Remote Services</a> </td> <td> <p>Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of <a href="/techniques/T1111">Multi-Factor Authentication Interception</a> techniques for some two-factor authentication implementations.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/001">.001</a> </td> <td> <a href="/techniques/T1556/001">Domain Controller Authentication</a> </td> <td> <p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/003">.003</a> </td> <td> <a href="/techniques/T1556/003">Pluggable Authentication Modules</a> </td> <td> <p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/004">.004</a> </td> <td> <a href="/techniques/T1556/004">Network Device Authentication</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - TACACS"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/006">.006</a> </td> <td> <a href="/techniques/T1556/006">Multi-Factor Authentication</a> </td> <td> <p>Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to "fail closed" rather than grant access in case of serious errors.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/007">.007</a> </td> <td> <a href="/techniques/T1556/007">Hybrid Identity</a> </td> <td> <p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1601">T1601</a> </td> <td> <a href="/techniques/T1601">Modify System Image</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - TACACS"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1601/001">.001</a> </td> <td> <a href="/techniques/T1601/001">Patch System Image</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - TACACS"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1601/002">.002</a> </td> <td> <a href="/techniques/T1601/002">Downgrade System Image</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - TACACS"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1621">T1621</a> </td> <td> <a href="/techniques/T1621">Multi-Factor Authentication Request Generation</a> </td> <td> <p>Implement more secure 2FA/MFA mechanisms in replacement of simple push or one-click 2FA/MFA options. For example, having users enter a one-time code provided by the login screen into the 2FA/MFA application or utilizing other out-of-band 2FA/MFA mechanisms (such as rotating code-based hardware tokens providing rotating codes that need an accompanying user pin) may be more secure. Furthermore, change default configurations and implement limits upon the maximum number of 2FA/MFA request prompts that can be sent to users in period of time.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Jessica Haworth. (2022, February 16). MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications. Retrieved March 31, 2022."data-reference="MFA Fatigue Attacks - PortSwigger"><sup><a href="https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1599">T1599</a> </td> <td> <a href="/techniques/T1599">Network Boundary Bridging</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - TACACS"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1599/001">.001</a> </td> <td> <a href="/techniques/T1599/001">Network Address Translation Traversal</a> </td> <td> <p>Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - TACACS"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1040">T1040</a> </td> <td> <a href="/techniques/T1040">Network Sniffing</a> </td> <td> <p>Use multi-factor authentication wherever possible.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021">Remote Services</a> </td> <td> <p>Use multi-factor authentication on remote service logons where possible.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/001">.001</a> </td> <td> <a href="/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p>Use multi-factor authentication for remote logins.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Berkeley Security, University of California. (n.d.). Securing Remote Desktop for System Administrators. Retrieved November 4, 2014."data-reference="Berkley Secure"><sup><a href="https://security.berkeley.edu/node/94" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/004">.004</a> </td> <td> <a href="/techniques/T1021/004">SSH</a> </td> <td> <p>Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/007">.007</a> </td> <td> <a href="/techniques/T1021/007">Cloud Services</a> </td> <td> <p>Use multi-factor authentication on cloud services whenever possible.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1072">T1072</a> </td> <td> <a href="/techniques/T1072">Software Deployment Tools</a> </td> <td> <p>Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1539">T1539</a> </td> <td> <a href="/techniques/T1539">Steal Web Session Cookie</a> </td> <td> <p>A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Gretzky, K.. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019."data-reference="Evilginx 2 July 2018"><sup><a href="https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p><p>Implement Conditional Access policies with Token Protection to bind session tokens to their originating device and user. This reduces the risk of session cookie theft by ensuring that stolen tokens cannot be reused from unauthorized locations or devices.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1199">T1199</a> </td> <td> <a href="/techniques/T1199">Trusted Relationship</a> </td> <td> <p>Require MFA for all delegated administrator accounts.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022."data-reference="Microsoft Nobelium Admin Privileges"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a> </td> <td> <p>Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/001">.001</a> </td> <td> <a href="/techniques/T1078/001">Default Accounts</a> </td> <td> <p>Implement multi-factor authentication (MFA) for default accounts whenever possible to prevent unauthorized access, even if credentials for these accounts are compromised. MFA adds an additional layer of security that requires more than just a username and password, making it significantly harder for adversaries to exploit these accounts for initial access or lateral movement.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/002">.002</a> </td> <td> <a href="/techniques/T1078/002">Domain Accounts</a> </td> <td> <p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/003">.003</a> </td> <td> <a href="/techniques/T1078/003">Local Accounts</a> </td> <td> <p>Enable multi-factor authentication (MFA) for local accounts to add an extra layer of protection against credential theft and misuse. MFA can be implemented using methods like mobile-based authenticators or hardware tokens, even in environments that do not rely on domain controllers or cloud services. This additional security measure can help reduce the risk of adversaries gaining unauthorized access to local systems and resources.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/004">.004</a> </td> <td> <a href="/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p>Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Moncur, Rob. (2020, July 5). New Information in the AWS IAM Console Helps You Follow IAM Best Practices. Retrieved August 4, 2020."data-reference="AWS - IAM Console Best Practices"><sup><a href="https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://expel.io/blog/finding-evil-in-aws/" target="_blank"> A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa" target="_blank"> Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank"> Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank"> Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#39" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="7.0"> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications" target="_blank"> Jessica Haworth. (2022, February 16). MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications. Retrieved March 31, 2022. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://security.berkeley.edu/node/94" target="_blank"> Berkeley Security, University of California. (n.d.). Securing Remote Desktop for System Administrators. Retrieved November 4, 2014. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/" target="_blank"> Gretzky, K.. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks" target="_blank"> Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/" target="_blank"> Moncur, Rob. (2020, July 5). New Information in the AWS IAM Console Helps You Follow IAM Best Practices. Retrieved August 4, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Multi-factor Authentication, Mitigation M1032 - Enterprise | MITRE ATT&CK®