Encrypt Sensitive Information
Techniques Addressed by Mitigation |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle |
Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
|
| T1557.002 | ARP Cache Poisoning |
Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
||
| Enterprise | T1119 | Automated Collection |
Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline cracking through Brute Force techniques. |
|
| Enterprise | T1020 | T1020.001 | Automated Exfiltration: Traffic Duplication |
Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| Enterprise | T1565 | Data Manipulation |
Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications. |
|
| T1565.001 | Stored Data Manipulation |
Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications. |
||
| T1565.002 | Transmitted Data Manipulation |
Encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |
||
| Enterprise | T1530 | Data from Cloud Storage |
Encrypt data stored at rest in cloud storage.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019) Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.(Citation: Google Cloud Encryption Key Rotation) |
|
| Enterprise | T1602 | Data from Configuration Repository |
Configure SNMPv3 to use the highest level of security (authPriv) available.(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
|
| T1602.001 | SNMP (MIB Dump) |
Configure SNMPv3 to use the highest level of security (authPriv) available.(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
||
| T1602.002 | Network Device Configuration Dump |
Configure SNMPv3 to use the highest level of security (authPriv) available.(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
||
| Enterprise | T1114 | Email Collection |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
|
| T1114.001 | Local Email Collection |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
||
| T1114.002 | Remote Email Collection |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
||
| T1114.003 | Email Forwarding Rule |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
||
| Enterprise | T1070 | Indicator Removal |
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
|
| T1070.001 | Clear Windows Event Logs |
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
||
| T1070.002 | Clear Linux or Mac System Logs |
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
||
| Enterprise | T1040 | Network Sniffing |
Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
|
| Enterprise | T1003 | OS Credential Dumping |
Ensure Domain Controller backups are properly secured. |
|
| T1003.003 | NTDS |
Ensure Domain Controller backups are properly secured.(Citation: Metcalf 2015) |
||
| Enterprise | T1649 | Steal or Forge Authentication Certificates |
Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection for Authentication.(Citation: SpecterOps Certified Pre Owned) |
|
| Enterprise | T1558 | Steal or Forge Kerberos Tickets |
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015) |
|
| T1558.002 | Silver Ticket |
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015) |
||
| T1558.003 | Kerberoasting |
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015) |
||
| T1558.004 | AS-REP Roasting |
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015) |
||
| Enterprise | T1552 | Unsecured Credentials |
When possible, store keys on separate cryptographic hardware instead of on the local system. |
|
| T1552.004 | Private Keys |
When possible, store keys on separate cryptographic hardware instead of on the local system. |
||
| Enterprise | T1550 | T1550.001 | Use Alternate Authentication Material: Application Access Token |
File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services. |
References
- US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020.
- Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
- Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019.
- Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.
- Google. (n.d.). Key rotation. Retrieved October 18, 2019.
- Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
- Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.