MITRE ATT&CK vulnerability spotlight: Forced authentication


The ATT&CK framework is a product of MITRE, a not-for-profit organization that operates federally funded research and development centers (FFRDCs) supporting the U.S. government in general and the Department of Defense (DoD) in particular. MITRE's work includes research and development as well as trusted third-party assessments and evaluations for the U.S. government.

The ATT&CK framework is a knowledge base maintained by MITRE to support discussion of, and education about, cybersecurity topics. It breaks the life cycle of a cyberattack into its component stages, called tactics, and for each tactic catalogues the techniques an attacker could use to accomplish it. Each technique entry also lists the affected platforms and ways to detect and mitigate that technique.

The ATT&CK framework has a variety of applications. It standardizes the language used to describe attack vectors, which makes discussion of cybersecurity topics more precise, and it provides a common framework to which both cyber defense design and penetration testing efforts can be mapped.

What is forced authentication?

One of the stages (tactics) in the cyberattack life cycle described in the MITRE ATT&CK framework is credential access. This tactic covers the various ways in which an attacker can steal user credentials. Stolen credentials can then be used to log in to other systems as the affected user or to elevate an attacker's privileges on a compromised system.

One of the techniques listed under the credential access tactic is forced authentication (ATT&CK technique T1187). It abuses the Server Message Block (SMB) protocol (ATT&CK also lists WebDAV) together with the automatic authentication that Windows performs when a client connects to a file share: the victim machine is induced to connect to an attacker-controlled server, which then receives the user's credentials in the form of an NTLM challenge/response that the attacker can record and crack offline.

SMB authenticates the user to the remote system before granting access to its resources. This is what makes transparent file sharing possible: Windows' integrated authentication means the client proves the logged-on user's identity automatically, without prompting the user for a password. When trying to access a resource on a remote (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: