
Prioritizing MITRE ATT&CK Techniques for Valid Accounts

  • Lior Tenne

The fourth in a five-part series exploring how security teams can identify the most commonly exploited gaps in their defenses and use the security tools they already own to defend against real-world threats.

By Lior Tenne – Security Researcher

Overview: What is a MITRE ATT&CK Technique?

In the MITRE ATT&CK Matrix for Enterprise, techniques describe the methods an adversary uses to achieve a tactical objective through specific actions. With over 200 techniques and 435 sub-techniques, how should security teams prioritize them?

MITRE ATT&CK Technique Prioritization 

To help customers decide which techniques to prioritize, Nagomi analyzed the techniques used most frequently across threat groups and campaigns. We then cross-referenced those techniques, groups, and campaigns against the defenses organizations already run to pinpoint where security teams can make the most impact. Using a dataset that covers hundreds of campaigns and millions of monitored assets, the analysis ranks techniques by how often they appear in real-world threats and by how far the tools that could stop them are underused.

Top MITRE ATT&CK Techniques with the Largest Security Tool Underutilization

Here are the most frequently used techniques with the biggest tool underutilization in cybersecurity today:

  1. Phishing
  2. Remote services
  3. Valid accounts
  4. OS credential dumping
  5. Command and scripting interpreter

Valid Accounts

What is Valid Accounts in MITRE ATT&CK Terminology?

Valid Accounts (T1078) is the abuse of legitimate credentials to gain and maintain unauthorized access to a targeted system or network. Rather than creating new accounts or exploiting a software flaw, adversaries obtain the credentials of existing accounts (default, local, domain, or cloud accounts belonging to real users and services) and use them to blend in with normal activity and avoid detection.

Once inside, attackers use these accounts to escalate privileges, move laterally across the network, and maintain long-term access to systems and data. Because the activity comes from a legitimate account, it often looks like ordinary use, which lets the attacker operate under the radar. Attackers also favor inactive or under-monitored accounts, which further reduces the chance of detection.

Common ways of obtaining valid credentials (usernames and passwords, API keys, session tokens) include phishing, credential dumping, and brute-force or password-spraying attacks.

Example Group Leveraging Valid Accounts for Stealth Access: APT29

APT29, also known as The Dukes, Cozy Bear, or Nobelium, is a state-sponsored cyber espionage group that has primarily targeted government, diplomatic, and energy sector organizations since at least 2008. APT29 is known to steal credentials through phishing campaigns and then reuse them to sign in to sensitive systems as a legitimate user, without raising alarms.

To mitigate the risk posed by Valid Accounts, organizations should build a robust Identity and Access Management (IAM) defense. Start with risk-based and Conditional Access policies that detect anomalous account activity and respond to it automatically (require MFA, force a password change, or block the sign-in). Complement this with lockout protection against repeated failed sign-ins and a strong password policy that rejects reused and commonly guessed passwords.

Valid Accounts technique on the Nagomi platform

Ways to Defend Against Valid Accounts Using Existing Security Tools

The following section outlines three ways to improve your defense against a Valid Accounts technique using the tools you may already have. For each, we’ll start by describing the defensive mechanism and then provide a detailed example.

1. Deploying Advanced Policies for Monitoring and Securing User Accounts

Microsoft Entra ID Protection (formerly Azure Active Directory Identity Protection) user risk policies estimate the likelihood that a user account has been compromised. Pairing that signal with Conditional Access policies lets you restrict access automatically when risk is detected, rather than waiting for an analyst to notice unusual account activity.

Example: Restrict High User Risk Access in Microsoft Entra 

Require users to change their password, or block their access entirely, when their user risk is rated high on the basis of anomalous or suspicious behavior. A Microsoft Entra ID P2 license is required for risk-based Conditional Access.

Creating a High User Risk Access Conditional Access Policy in Microsoft Entra:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Navigate to Protection > Conditional Access and select New policy.
  3. Name your policy and configure it under Assignments:
    • Include: All users
    • Exclude: Emergency access or break-glass accounts
  4. Under Target resources, select All resources (formerly All cloud apps).
  5. In Conditions, enable User risk and set it to High.
  6. Under Access controls, select Grant, choose both Require multifactor authentication and Require password change, and keep Require all the selected controls. (Choose Block access instead if you prefer to cut the account off until an administrator investigates.)
  7. Set Session to Sign-in frequency and select Every time, so the user is re-evaluated on every sign-in while the risk stands.
  8. Confirm the settings, set Enable policy to Report-only, and create it. After reviewing the report-only results in the sign-in logs, switch the policy to On.

Conditional Access Policy – Restrict High User Risk Access

Example: Enforce MFA for Privileged Accounts in Microsoft Entra 

Multi-factor authentication (MFA) requires users to prove their identity with more than one factor, so a stolen password alone is not enough to sign in. Enabling MFA for administrators is the minimum bar. The policy below requires MFA for every account holding one of the selected administrative directory roles, across all resources and client types, without applying any filters to those categories.

Creating a Require MFA for Admins Conditional Access Policy in Microsoft Entra (this closes the Insufficient Multi-Factor Authentication (MFA) for Privileged Accounts finding):

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Navigate to Protection > Conditional Access > Policies.
  3. Select Create new policy from template and choose Require multifactor authentication for admins.
  4. Review the Users assignment: the template targets the built-in administrative directory roles; add your emergency access (break-glass) accounts to the exclusions so a misconfiguration cannot lock every administrator out.
  5. Click Review + create. Leave the policy in Report-only mode until the sign-in logs confirm it affects only the intended accounts, then move the Enable policy toggle to On.

Conditional Access Policy – Insufficient Multi-Factor Authentication (MFA) for Privileged Accounts
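The two policies above are easy to leave half-finished: still in report-only mode, requiring MFA but not a password change, or missing the break-glass exclusion. The following is an added example, not Nagomi's or Microsoft's code, that audits an export of Conditional Access policies for exactly those gaps. The SAMPLE_POLICIES are constructed to mirror the Microsoft Graph conditionalAccessPolicy schema (what GET /identity/conditionalAccess/policies returns); GLOBAL_ADMIN_ROLE is Microsoft's published role template ID for Global Administrator, while the BREAK_GLASS object ID is a placeholder, not a real tenant value.

```python
"""Audit exported Microsoft Entra Conditional Access policies for the
high-user-risk and MFA-for-admins controls.  Point audit() at the `value`
array returned by GET /identity/conditionalAccess/policies to check a tenant."""
from typing import Any

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID
BREAK_GLASS = frozenset({"00000000-0000-0000-0000-00000000be01"})  # placeholder emergency-access account (assumption)

# Constructed sample export: a weak draft (report-only, MFA only, no sign-in frequency,
# break-glass not excluded), the corrected high-risk policy, and an admin MFA policy.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {"displayName": "User risk - high (draft)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
                    "applications": {"includeApplications": ["All"]}, "userRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
    {"displayName": "Restrict high user risk access", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS), "includeRoles": []},
                    "applications": {"includeApplications": ["All"]}, "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": sorted(BREAK_GLASS),
                              "includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]}, "userRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
]


def _controls(p: dict[str, Any]) -> set[str]:
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def _common_gaps(p: dict[str, Any], break_glass: frozenset[str]) -> list[str]:
    """Gaps both policies share: must be enforced, cover all resources, exclude break-glass."""
    gaps = []
    if p.get("state") != "enabled":
        gaps.append(f"state is {p.get('state')}, not enforced")
    if "All" not in ((p["conditions"].get("applications") or {}).get("includeApplications") or []):
        gaps.append("does not target all resources")
    if not break_glass <= set(p["conditions"]["users"].get("excludeUsers") or []):
        gaps.append("break-glass accounts not excluded")
    return gaps


def check_user_risk_policy(p: dict[str, Any], break_glass: frozenset[str] = BREAK_GLASS) -> list[str]:
    gaps = _common_gaps(p, break_glass)
    if "All" not in (p["conditions"]["users"].get("includeUsers") or []):
        gaps.append("does not include all users")
    c = _controls(p)
    if "block" not in c:  # blocking is the stricter alternative; otherwise demand MFA + password change
        if not {"mfa", "passwordChange"} <= c or (p.get("grantControls") or {}).get("operator") != "AND":
            gaps.append("grant must require MFA AND password change (or block access)")
        sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
        if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
            gaps.append("sign-in frequency is not 'every time'")
    return gaps


def check_admin_mfa_policy(p: dict[str, Any], break_glass: frozenset[str] = BREAK_GLASS,
                           admin_roles: tuple[str, ...] = (GLOBAL_ADMIN_ROLE,)) -> list[str]:
    gaps = _common_gaps(p, break_glass)
    missing = set(admin_roles) - set(p["conditions"]["users"].get("includeRoles") or [])
    if missing:
        gaps.append(f"admin roles not covered: {sorted(missing)}")
    if not _controls(p) & {"mfa", "block"}:
        gaps.append("does not require MFA")
    return gaps


def audit(policies, break_glass=BREAK_GLASS, admin_roles=(GLOBAL_ADMIN_ROLE,)) -> dict[str, Any]:
    """Classify policies by their conditions, list each one's gaps, and say whether each control is met."""
    user_risk, admin_mfa = {}, {}
    for p in policies:
        cond = p["conditions"]
        if "high" in (cond.get("userRiskLevels") or []):
            user_risk[p["displayName"]] = check_user_risk_policy(p, break_glass)
        if cond["users"].get("includeRoles"):
            admin_mfa[p["displayName"]] = check_admin_mfa_policy(p, break_glass, admin_roles)
    return {"user_risk": user_risk, "admin_mfa": admin_mfa,
            "high_user_risk_enforced": any(not g for g in user_risk.values()),
            "admin_mfa_enforced": any(not g for g in admin_mfa.values())}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

Against the sample the draft policy reports four gaps while the corrected policy and the admin policy report none; run it over a real export after each change in report-only mode, and widen admin_roles to every privileged role your tenant uses rather than only Global Administrator.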

To keep attackers from re-entering the network with previously exposed or easily guessed passwords, as APT29 has done with stolen credentials, implement the following measures:

2. Enforcing User Lockouts for Unsuccessful Login Attempts

Implementing user lockout policies is crucial for protecting against unauthorized access attempts. By locking an account after a set number of failed sign-ins, you blunt brute-force attacks and reduce the likelihood of credential compromise. Set the threshold low enough to stop online guessing but not so low that an attacker can lock users out on purpose by deliberately failing sign-ins, and remember that a per-account lockout does not stop password spraying, where an attacker tries one or two passwords against many accounts and stays under the threshold on every one of them.

Example: In Microsoft Entra:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
  2. Navigate to Protection > Authentication methods > Password protection.
  3. Locate the Lockout threshold setting (the default is 10 failed sign-ins).
  4. Set the Lockout threshold to a value below 10, in line with your organization's policy for failed sign-ins before lockout, and set Lockout duration in seconds to how long the account stays locked (the default is 60).
  5. Save the changes to apply the policy.

User Lockouts Setting – Microsoft Entra

Example: In Okta

  1. Open the Okta Admin Console.
  2. Navigate to Security:
    • Classic Engine: go to Authentication.
    • Identity Engine: go to Authenticators.
  3. Modify or create a password policy:
    • Classic Engine: open the Password tab.
    • Identity Engine: click Actions next to the Password authenticator and select Edit.
  4. Under Lockout, enable Lock out user after ... unsuccessful attempts and set the value to 10 or fewer.
  5. Save your changes.

User Lockouts Setting – Okta
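To see what the lockout threshold above does and does not catch, the following added example (not Nagomi's or Microsoft's code) replays sign-in records against a threshold. SAMPLE_SIGNINS is constructed to mirror the fields of a Microsoft Graph signIn record (userPrincipalName, ipAddress, createdDateTime, status.errorCode), using the documented Entra error codes 50126 (invalid credentials) and 50053 (account locked) and IP addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. One source hammers a single account and would be locked out; a second source sprays two passwords across eight accounts, never trips the threshold, and still gets in.

```python
"""Replay Entra sign-in records against a per-account lockout threshold and
separate brute force (which the threshold stops) from password spraying
(which it does not)."""
from collections import Counter, defaultdict

INVALID_CREDENTIALS = 50126  # Entra error code: wrong username or password
ACCOUNT_LOCKED = 50053       # Entra error code: account locked by smart lockout
FAILURE_CODES = {INVALID_CREDENTIALS, ACCOUNT_LOCKED}


def _event(user, ip, minute, code):
    """Build one constructed signIn record with the fields this script reads."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "createdDateTime": f"2024-05-01T09:{minute:02d}:00Z", "status": {"errorCode": code}}


# Constructed: 12 bad passwords for one account from one source (brute force), then two bad
# passwords each against eight accounts from a second source (spray), one of which then succeeds.
SAMPLE_SIGNINS = (
    [_event("alice@example.com", "203.0.113.10", m, INVALID_CREDENTIALS) for m in range(12)]
    + [_event(f"user{i}@example.com", "198.51.100.7", 20 + i, INVALID_CREDENTIALS)
       for i in range(8) for _ in range(2)]
    + [_event("user3@example.com", "198.51.100.7", 40, 0)]
)


def failures_by_account(events):
    """Failed sign-ins per account: the only view a per-account lockout threshold has."""
    return Counter(e["userPrincipalName"] for e in events if e["status"]["errorCode"] in FAILURE_CODES)


def failures_by_source(events):
    """Failed sign-ins per source IP, broken down by account."""
    per_ip = defaultdict(Counter)
    for e in events:
        if e["status"]["errorCode"] in FAILURE_CODES:
            per_ip[e["ipAddress"]][e["userPrincipalName"]] += 1
    return per_ip


def detect(events, lockout_threshold=10, spray_min_accounts=5):
    """Return accounts a lockout at `lockout_threshold` would have stopped, sources that spread
    failures over at least `spray_min_accounts` accounts while staying under the threshold on
    each of them, and the accounts those spraying sources then signed into successfully."""
    lockout_hits = {u: n for u, n in failures_by_account(events).items() if n >= lockout_threshold}
    spray_sources = {}
    for ip, per_user in failures_by_source(events).items():
        under = sorted(u for u, n in per_user.items() if n < lockout_threshold)
        if len(under) >= spray_min_accounts:
            spray_sources[ip] = under
    spray_successes = sorted({e["userPrincipalName"] for e in events
                              if e["status"]["errorCode"] == 0 and e["ipAddress"] in spray_sources})
    return {"lockout_hits": lockout_hits, "spray_sources": spray_sources, "spray_successes": spray_successes}


if __name__ == "__main__":
    for threshold in (10, 5):
        print(threshold, detect(SAMPLE_SIGNINS, lockout_threshold=threshold))
```

Lowering the threshold from 10 to 5 catches alice's attacker sooner but changes nothing for the sprayer, who never exceeds two failures per account; that source only shows up when failures are grouped by origin, which is what the risk-based policy in the previous section and a SIEM rule over the sign-in logs add on top of the lockout.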

3. Enhancing Password Strength to Prevent Reuse of Compromised Credentials

Configuring strong password policies is essential to prevent attackers from re-entering the network using compromised or commonly used passwords.

Example: Restrict Use of Past Passwords

Prohibiting the use of past passwords ensures that users cannot reuse their recent passwords, thereby reducing the risk of unauthorized access from old credentials.

Configure restriction of using past passwords in Okta:

  1. Open the Okta Admin Console.
  2. Navigate to Security:
    • Classic Engine: go to Authentication.
    • Identity Engine: go to Authenticators.
  3. Modify or create a password policy:
    • Classic Engine: open the Password tab.
    • Identity Engine: click Actions next to the Password authenticator and select Edit.
  4. Under Password age, enable Enforce password history for last ... passwords and set it to the number of previous passwords a user may not reuse.
  5. Save your changes.

Restrict Use of Past Passwords – Okta

Example: Restrict Use of Common Passwords

Prohibiting the use of common passwords strengthens your security posture by ensuring that easily guessed passwords, like “123456,” “password,” or “admin,” are not allowed.

  1. Access your Okta Admin Console.
  2. Navigate to Security:
    • For Classic Engine: Go to Authentication.
    • For Identity Engine: Go to Authenticators.
  3. Modify or create a password policy:
    • Classic Engine: Click the Password tab.
    • Identity Engine: Click the Actions button next to the Password factor, then select Edit.
  4. Enable Restrict use of common passwords.
  5. Save your changes.

Restrict Use of Common Passwords – Okta
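The three Okta settings in this post (lockout, password history, common-password restriction) all live in one password policy object, so they can be checked together. The following is an added example, not Nagomi's or Okta's code, that audits such a policy and produces the hardened form. WEAK_POLICY is constructed to mirror the Okta Password Policy object (GET /api/v1/policies?type=PASSWORD) as described in Okta's API reference; the lockout bound of 10 is the one this post recommends, while MIN_HISTORY and the username check are assumptions of this example.

```python
"""Audit an Okta password policy for lockout, password history and common-password
settings, and return a corrected copy."""
import copy

MAX_LOCKOUT_ATTEMPTS = 10  # this post: lock out after 10 or fewer failed attempts
MIN_HISTORY = 4            # assumption: how many previous passwords to reject

# Constructed weak policy: lockout disabled (Okta treats maxAttempts 0 as no limit),
# no password history, common passwords and the username allowed in passwords.
WEAK_POLICY = {
    "type": "PASSWORD", "name": "Default Policy", "status": "ACTIVE",
    "settings": {"password": {
        "complexity": {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1, "minNumber": 1, "minSymbol": 0,
                       "excludeUsername": False, "excludeAttributes": [],
                       "dictionary": {"common": {"exclude": False}}},
        "age": {"maxAgeDays": 0, "expireWarnDays": 0, "minAgeMinutes": 0, "historyCount": 0},
        "lockout": {"maxAttempts": 0, "autoUnlockMinutes": 0, "showLockoutFailures": False,
                    "userLockoutNotificationChannels": []},
    }},
}


def audit_password_policy(policy, max_attempts=MAX_LOCKOUT_ATTEMPTS, min_history=MIN_HISTORY):
    """Return the findings for one policy; an empty list means it meets the bar."""
    pw = policy["settings"]["password"]
    lockout, age, cx = pw.get("lockout", {}), pw.get("age", {}), pw.get("complexity", {})
    findings = []
    attempts = lockout.get("maxAttempts", 0)
    if attempts == 0:
        findings.append("lockout disabled")
    elif attempts > max_attempts:
        findings.append(f"lockout after {attempts} attempts, should be <= {max_attempts}")
    history = age.get("historyCount", 0)
    if history < min_history:
        findings.append(f"password history {history}, should be >= {min_history}")
    if not cx.get("dictionary", {}).get("common", {}).get("exclude"):
        findings.append("common passwords not restricted")
    if not cx.get("excludeUsername"):
        findings.append("password may contain the username")
    return findings


def harden(policy, max_attempts=MAX_LOCKOUT_ATTEMPTS, history=MIN_HISTORY):
    """Return a deep copy with the corrected settings, usable as the body of Okta's update-policy call."""
    fixed = copy.deepcopy(policy)
    pw = fixed["settings"]["password"]
    pw.setdefault("lockout", {})["maxAttempts"] = max_attempts
    pw.setdefault("age", {})["historyCount"] = history
    cx = pw.setdefault("complexity", {})
    cx["excludeUsername"] = True
    cx.setdefault("dictionary", {}).setdefault("common", {})["exclude"] = True
    return fixed


if __name__ == "__main__":
    print("weak:    ", audit_password_policy(WEAK_POLICY))
    print("hardened:", audit_password_policy(harden(WEAK_POLICY)))
```

Because Okta lets you run several password policies with different priorities and group assignments, audit every policy the API returns rather than only the default one; a permissive policy scoped to a single group is still a gap for the accounts in that group.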

Summary

This blog series explores the importance of focusing on cybersecurity techniques that address real-world threats. As we’ve explored, attackers use valid credentials to blend in with normal activity, making detection challenging and increasing the risk of long-term breaches. Tackling this threat head-on can help organizations bolster their defenses and better manage their security resources.

Nagomi’s research reveals that weak policy enforcement continues to make Valid Accounts a preferred method for attackers. Enhancing your defenses with strong Identity and Access Management (IAM) practices, including conditional access and robust password policies, can significantly reduce the risk of such attacks.

To see how Nagomi can help you maximize the effectiveness of your tools, check out the Nagomi Proactive Defense Platform or book a demo.
