Password Policies

Set and enforce secure password policies for accounts.

ID: M1027
Version: 1.0
Created: 06 June 2019
Last Modified: 06 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1110 Brute Force

Refer to NIST guidelines when creating password policies.[1]

Enterprise T1003 Credential Dumping

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

Enterprise T1503 Credentials from Web Browsers

Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

Enterprise T1081 Credentials in Files

Establish an organizational policy that prohibits password storage in files.

Enterprise T1214 Credentials in Registry

Do not store credentials within the Registry.

Enterprise T1187 Forced Authentication

Use strong passwords so that credential hashes are harder to crack if they are obtained.

Enterprise T1208 Kerberoasting

Ensure strong password length (ideally 25+ characters) and complexity for service accounts, and ensure that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third-party product such as password vaulting.[4]

Enterprise T1142 Keychain

The password for the user's login keychain can be set to differ from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Enterprise T1075 Pass the Hash

Ensure that built-in and created local administrator accounts have complex, unique passwords.

Enterprise T1097 Pass the Ticket

Ensure that local administrator accounts have complex, unique passwords.

Enterprise T1201 Password Policy Discovery

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.[3]
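The check described above can be automated. The following is an added example, not part of the ATT&CK page or any MITRE tooling: it reads the `Notification Packages` value from the LSA key (on Windows, via the standard library `winreg` module), then verifies that each registered package resolves to a DLL in System32 and appears in an approved baseline. The baseline names `scecli` (registered on all Windows installs) and `rassfm` (added on domain controllers) are assumed defaults to be replaced with the organization's own approved list; `demo()` runs the audit against a constructed, fake System32 directory so the logic can be exercised on any platform.

```python
import os
import sys
import tempfile
from pathlib import Path

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Assumed baseline of approved password-filter packages. scecli is the
# Windows default; rassfm is additionally registered on domain controllers.
# Replace with the organization's approved list (e.g. a sanctioned
# password-filter agent).
BASELINE = {"scecli", "rassfm"}


def read_registered_packages():
    """Return the registered package names from the LSA key (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, VALUE_NAME)
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError(f"{VALUE_NAME} is not REG_MULTI_SZ (type {value_type})")
    return [name for name in value if name]


def audit_packages(packages, system32, baseline=BASELINE):
    """Flag registered filters whose DLL is missing or which are not approved.

    Returns a list of (package_name, finding) tuples; an empty list means the
    registered filters match the baseline and all DLLs are present.
    """
    approved = {name.lower() for name in baseline}
    findings = []
    for name in packages:
        dll = Path(system32) / f"{name}.dll"
        if not dll.is_file():
            findings.append((name, "registered but DLL not found in System32"))
        if name.lower() not in approved:
            findings.append((name, "not in approved baseline"))
    return findings


def demo():
    """Constructed scenario: a fake System32 containing only scecli.dll."""
    with tempfile.TemporaryDirectory() as tmp:
        # placeholder file standing in for the real DLL; not a real PE image
        Path(tmp, "scecli.dll").write_bytes(b"MZ")
        registered = ["scecli", "rassfm", "unknownpkg"]  # constructed value
        return audit_packages(registered, tmp)


if __name__ == "__main__":
    if sys.platform == "win32":
        system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
        results = audit_packages(read_registered_packages(), system32)
    else:
        results = demo()
    for name, finding in results:
        print(f"{name}: {finding}")
```

In the constructed scenario `rassfm` is approved but has no DLL on disk (a stale entry), while `unknownpkg` is flagged twice: its DLL is missing and it is not on the approved list. A live run on a domain controller should produce no findings once the baseline matches the approved filters.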

Enterprise T1145 Private Keys

Use strong passphrases for private keys to make cracking difficult.

Enterprise T1184 SSH Hijacking

Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.

Enterprise T1072 Third-party Software

Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

Enterprise T1537 Transfer Data to Cloud Account

Consider rotating access keys within a certain number of days to reduce the effectiveness of stolen credentials.

Enterprise T1078 Valid Accounts

Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment. When possible, applications that use SSH keys should be updated periodically and properly secured. Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

In cloud environments, consider rotating access keys within a certain number of days to reduce the effectiveness of stolen credentials.[2]

Enterprise T1077 Windows Admin Shares

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
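The requirements stated in the Kerberoasting entry (length of 25+ characters, complexity, periodic expiry for service accounts) and in the Credential Dumping, Pass the Hash, Pass the Ticket and Windows Admin Shares entries (unique local administrator passwords across systems) can be audited from a vault export. The following is an added example, not code from the ATT&CK page or from MITRE: the 25-character minimum comes from the page, while the 14-character user minimum, the 90-day maximum age and the three-character-class rule are assumed thresholds. Reuse across systems is detected by comparing keyed HMAC fingerprints so the report never carries the passwords themselves; the sample credentials are constructed.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date

# Policy thresholds. SERVICE_MIN_LENGTH follows the page's 25+ guidance for
# service accounts; the remaining values are assumptions for this example.
SERVICE_MIN_LENGTH = 25
USER_MIN_LENGTH = 14
MAX_AGE_DAYS = 90
MIN_CHAR_CLASSES = 3


@dataclass
class Credential:
    system: str            # host or service the account belongs to
    account: str
    password: str          # taken from the vault export being audited
    last_set: date
    service_account: bool = False


def char_classes(password: str) -> int:
    """Count how many of lower/upper/digit/punctuation classes are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed hash used only to compare passwords for equality within one run."""
    return hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def audit(creds, today, audit_key=None):
    """Return (system\\account, finding) tuples for every policy violation."""
    audit_key = audit_key or os.urandom(32)  # fresh per run; never persisted
    findings = []
    first_seen = {}  # fingerprint -> account that first used this password
    for c in creds:
        who = f"{c.system}\\{c.account}"
        min_len = SERVICE_MIN_LENGTH if c.service_account else USER_MIN_LENGTH
        if len(c.password) < min_len:
            findings.append((who, f"length {len(c.password)} < {min_len}"))
        if char_classes(c.password) < MIN_CHAR_CLASSES:
            findings.append((who, f"fewer than {MIN_CHAR_CLASSES} character classes"))
        if (today - c.last_set).days > MAX_AGE_DAYS:
            findings.append((who, f"password older than {MAX_AGE_DAYS} days"))
        fp = fingerprint(c.password, audit_key)
        if fp in first_seen:
            findings.append((who, f"password reused from {first_seen[fp]}"))
        else:
            first_seen[fp] = who
    return findings


# Constructed sample export: one stale password, one reused across hosts,
# one short service-account password, one single-class passphrase.
SAMPLE = [
    Credential("srv01", "Administrator", "Winter2019!Winter2019!", date(2019, 1, 15)),
    Credential("srv02", "Administrator", "Winter2019!Winter2019!", date(2019, 5, 20)),
    Credential("svc-sql", "svc_sql", "Sql2019Pass!", date(2019, 5, 1), service_account=True),
    Credential("srv03", "Administrator", "correcthorsebatterystaple", date(2019, 5, 25)),
]


def run_sample():
    return audit(SAMPLE, today=date(2019, 6, 6))


if __name__ == "__main__":
    for who, finding in run_sample():
        print(f"{who}: {finding}")
```

Each credential is checked in order, so a reused password is attributed to the account that first appeared in the export; sort the export by system if a different attribution is wanted. The same `audit()` function can run as a pre-commit gate on a vault or as a scheduled report.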

References