MITRE ATT&CK vulnerability spotlight: Credentials in files


MITRE is a federally-funded research and development center (FFRDC) for the U.S. government. As part of its duties as an FFRDC, it performs research and development in a variety of different fields, including cybersecurity.

One of MITRE’s efforts in the field of cybersecurity is the development and maintenance of the MITRE ATT&CK matrix. This tool breaks down the life cycle of a standard cyberattack into phases and describes the different means by which an attacker could achieve the objectives of each phase.

Why are credentials in files?

The MITRE ATT&CK matrix breaks the cyberattack life cycle into phases, one of which is credential access. At this point in the attack, the hacker is attempting to gain access to user credentials that can then be used to gain access to accounts or escalate privileges on a system. One of the methods that an attacker can accomplish this stage of the attack is by searching for and extracting user credentials from files on a compromised system.

Best practice states that user credentials should be properly protected and stored in an encrypted fashion, not saved in plaintext in a file. However, user credentials can end up in unprotected files for a variety of different purposes:

  • End users: Some computer users don’t use or trust password managers and prefer to store their account passwords in a text file on their system
  • Credential stores: Groups of users may have shared credential stores for shared accounts or collections of individual accounts
  • Configuration files: Configuration files for applications may contain credentials, API keys and so on for communication with other programs or online accounts
  • Hard-coded credentials: Some applications may contain hard-coded credentials designed for interaction with accounts or other applications
  • Cloud computing: Credentials are frequently stored in configuration and credential files on the cloud deployment
  • (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: