Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

ID: M1032
Version: 1.0
Created: 10 June 2019
Last Modified: 10 June 2019

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1098 Account Manipulation

Use multi-factor authentication for user and privileged accounts.

.001 Additional Azure Service Principal Credentials

Use multi-factor authentication for user and privileged accounts.

.002 Exchange Email Delegate Permissions

Use multi-factor authentication for user and privileged accounts.

.003 Add Office 365 Global Administrator Role

Use multi-factor authentication for user and privileged accounts.

Enterprise T1110 Brute Force

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

.001 Password Guessing

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

.002 Password Cracking

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

.003 Password Spraying

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

.004 Credential Stuffing

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Enterprise T1136 Create Account

Use multi-factor authentication for user and privileged accounts.

.001 Local Account

Use multi-factor authentication for user and privileged accounts.

.002 Domain Account

Use multi-factor authentication for user and privileged accounts.

.003 Cloud Account

Use multi-factor authentication for user and privileged accounts.

Enterprise T1530 Data from Cloud Storage Object

Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.[1]

Enterprise T1114 Email Collection

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

.002 Remote Email Collection

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Enterprise T1133 External Remote Services

Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Two-Factor Authentication Interception techniques for some two-factor authentication implementations.

Enterprise T1556 Modify Authentication Process

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

.001 Domain Controller Authentication

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

.003 Pluggable Authentication Modules

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

Enterprise T1040 Network Sniffing

Use multi-factor authentication wherever possible.

Enterprise T1021 Remote Services

Use multi-factor authentication on remote service logons where possible.

.001 Remote Desktop Protocol

Use multi-factor authentication for remote logins.[3]

.004 SSH

Require multi-factor authentication for SSH connections wherever possible.

Enterprise T1072 Software Deployment Tools

Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.

Enterprise T1539 Steal Web Session Cookie

A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.[2]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

References