Following initial access, an attacker may attempt to create alternative means of access to the system that was infiltrated.
Since the initial access may use a temporary or temporary session token - a common adversary technique would be to create an access token which will persist the access to the system. For example, after getting an initail access by abusing a compromised 2FA backed session token an attacker created access tokens that allowed both persistance and lateral movement (Circle CI reference)
ID:T0165
Type:Technique
Tactic:Persistence
Summary:Create access token
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1310
Mitigation
Mitigation Implement least privilege principle Follow the POLP, which involves granting users the minimum necessary privileges to perform their job functions, and avoid assigning excessive privileges to user accounts.
Regularly review and update user privileges based on the principle of least privilege, and remove unnecessary privileges to reduce the risk of overprivileged accounts.
M1311
Mitigation
Mitigation Implement multi-factor authentication Require multi-factor authentication (MFA) for user accounts, especially for privileged accounts.
MFA adds an additional layer of security and can help prevent unauthorized access to user accounts, reducing the risk of overprivileged accounts being compromised.
M1450
Mitigation
Mitigation Implement zero trust Implementing a zero-trust security model can help organizations mitigate the risk of data exfiltration by ensuring that all traffic leaving the network is authenticated, authorized, and encrypted.
This model involves a layered approach to security that requires users and devices to be verified before accessing any resources.
M1451
Mitigation
Mitigation Use network segmentation Network segmentation is a technique that involves dividing a network into smaller segments or subnets to limit the spread of an attack if it occurs.
By segmenting the network and restricting communication between segments, organizations can minimize the impact of data exfiltration.
M1830
Mitigation
Mitigation Restrict access to short-lived tokens to only authorized users and components.
This can be achieved by using access controls and permissions within the CI/CD system.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1650
Detection
Detection Audit rogue creation of API credentials Auditing the rogue creation of API credentials is the process of reviewing the creation process of security tokens to detect unauthorized or unapproved creation.
The process involves reviewing logs and access records, identifying any unauthorized credential creation, investigating the incident, and taking corrective measures to prevent future unauthorized access.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
