{
  "description": "Enterprise techniques mitigated by Multi-factor Authentication, ATT&CK mitigation M1032 (v1.1)",
  "name": "Multi-factor Authentication (M1032)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1098", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1098.001", "comment": "Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.(Citation: Expel IO Evil in AWS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1098.002", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1098.003", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1098.005", "comment": "Require multi-factor authentication to register devices in Entra ID.(Citation: Microsoft - Device Registration) Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts.(Citation: CISA MFA PrintNightmare) When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device.(Citation: Mandiant APT29 Microsoft 365 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1098.006", "comment": "Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110", "comment": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1110.001", "comment": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110.002", "comment": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110.003", "comment": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110.004", "comment": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1136", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1136.001", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1136.002", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1136.003", "comment": "Use multi-factor authentication for user and privileged accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "Implement multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure. MFA delete requires additional authentication steps, making it significantly more difficult for adversaries to destroy data without proper credentials. This additional security layer helps protect against the impact of data destruction in cloud environments by ensuring that only authenticated actions can irreversibly delete storage or machine images.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1530", "comment": "Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.(Citation: Amazon S3 Security, 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1213", "comment": "Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1213.003", "comment": "Use multi-factor authentication for logons to code repositories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1114", "comment": "Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1114.002", "comment": "Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1133", "comment": "Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1556", "comment": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1556.001", "comment": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1556.003", "comment": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1556.004", "comment": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1556.006", "comment": "Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to \"fail closed\" rather than grant access in case of serious errors.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1556.007", "comment": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1601", "comment": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1601.001", "comment": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1601.002", "comment": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1621", "comment": "Implement more secure 2FA/MFA mechanisms in replacement of simple push or one-click 2FA/MFA options. For example, having users enter a one-time code provided by the login screen into the 2FA/MFA application or utilizing other out-of-band 2FA/MFA mechanisms (such as rotating code-based hardware tokens providing rotating codes that need an accompanying user pin) may be more secure. Furthermore, change default configurations and implement limits upon the maximum number of 2FA/MFA request prompts that can be sent to users in a period of time.(Citation: MFA Fatigue Attacks - PortSwigger)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1599", "comment": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1599.001", "comment": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1040", "comment": "Use multi-factor authentication wherever possible.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "comment": "Use multi-factor authentication on remote service logons where possible.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "Use multi-factor authentication for remote logins.(Citation: Berkley Secure)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021.004", "comment": "Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021.007", "comment": "Use multi-factor authentication on cloud services whenever possible.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1072", "comment": "Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1539", "comment": "Deploying a hardware-based token (e.g., YubiKey or FIDO key), which incorporates the target login domain as part of the negotiation protocol, will prevent session cookie theft through proxy methods.\n\nImplement Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra. This mitigates the risk of session cookie replay attacks by ensuring that stolen tokens cannot be reused on unauthorized devices.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1199", "comment": "Require MFA for all delegated administrator accounts.(Citation: Microsoft Nobelium Admin Privileges)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1078", "comment": "Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1078.001", "comment": "Implement multi-factor authentication (MFA) for default accounts whenever possible to prevent unauthorized access, even if credentials for these accounts are compromised. MFA adds an additional layer of security that requires more than just a username and password, making it significantly harder for adversaries to exploit these accounts for initial access or lateral movement.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.003", "comment": "Enable multi-factor authentication (MFA) for local accounts to add an extra layer of protection against credential theft and misuse. MFA can be implemented using methods like mobile-based authenticators or hardware tokens, even in environments that do not rely on domain controllers or cloud services. This additional security measure can help reduce the risk of adversaries gaining unauthorized access to local systems and resources.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.004", "comment": "Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features.(Citation: AWS - IAM Console Best Practices)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1669", "comment": "Harden access requirements for Wi-Fi networks through using two or more pieces of evidence to authenticate, such as a username and password in addition to a token from a physical smart card or token generator.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "mitigated by Multi-factor Authentication", "color": "#66b1ff"}]
}