How To Kill Passwords: Does MITRE ATT&CK Framework Help or Hinder?

What is The MITRE Company's MITRE ATT&CK framework?

The MITRE ATT&CK framework was started back in 2013 as a means to understand adversarial activity in detail, and with applicability to the real world, from the point of view of information asset protection. The framework is really a knowledge base of tactics, techniques and procedures (TTPs) that can be used in particular situations and against specific platforms or operating systems. The idea is that to build better defense strategies, you first need to understand how the attacker behaves: what they do, when, and why. It is essentially the hacker’s “how they do something” and “what they get out of it”. MITRE created a great eBook on the framework to get started in understanding the benefits.

The ATT&CK framework is represented as a visual matrix, with techniques across the horizontal (such as Initial Access or Collection) and tactics assigned vertically (such as Phishing or Audio Capture). So what has this to do with authentication, and specifically passwordless?

How does authentication fit in?

Well, clearly entity authentication plays a huge role in any cyber security defensive strategy. The Initial Access technique within ATT&CK is a good place to start when it comes to understanding where to analyze user access strategies, as is the Credential Access technique, which is specifically focused on usernames and passwords. There are several other lower-level tactics that are impacted by authentication choice too, such as Valid Accounts, Modify Authentication Process, Use Alternative Authentication Method, Account Discovery and Password Policy Discovery.

Phishing - make it extinct by removing the impact 

Within Initial Access, the immediate attack tactic which has gained huge popularity in recent years is that of Phishing: typically sending spoof emails and directing a user to authenticate to a familiar looking, yet malicious site, at which point the attacker is able to perform credential theft. Some mitigation strategies described within ATT&CK focus (quite rightly) on preventing the initial business email compromise event.

But what about reducing the impact of phishing entirely, by leveraging an authentication mechanism that isn’t susceptible to it? This is a mitigation that isn’t immediately described. If the consequences of phishing are made redundant by using the challenge / response style authentication methods seen within many passwordless approaches, a malicious website, which the phishing email is essentially trying to get the victim to engage with, would be unable to even start the authentication process, rendering the attack dead before it started. In a challenge / response style flow, the website needs to generate a challenge to send to the user’s browser or mobile device, typically requiring a public key and perhaps a user identifier. Whilst the public key could be compromised, the attacker would need to become much more sophisticated.
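The challenge / response flow described above, as an added example that is not part of the original article or any vendor's product. It is a simplified sketch using Node's built-in crypto module; the function names, the two origins and the signed message layout (challenge plus the origin the browser is on, an idea borrowed from WebAuthn-style designs) are assumptions.

```javascript
// Added illustration: simplified origin-bound challenge/response login.
// Function names, origins and message layout are assumptions for this sketch.
const nodeCrypto = require('node:crypto');

// Enrollment: the device creates a key pair; the genuine site stores only the public key.
function enroll() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// Site: a fresh random challenge for one login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Device: sign the challenge together with the origin the browser is actually on.
function signAssertion(privateKey, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = nodeCrypto.sign(null, Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Site: accept only a valid signature over its own pending challenge and its own origin.
function verifyAssertion(publicKey, pendingChallenge, siteOrigin, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!nodeCrypto.verify(null, signed, publicKey, assertion.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== pendingChallenge) return 'unknown-challenge';
  if (origin !== siteOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario: one genuine login, then two assertions produced on a look-alike origin.
function demoPhishingResistance() {
  const REAL = 'https://login.example.test';
  const LOOKALIKE = 'https://login.examp1e.test';
  const { publicKey, privateKey } = enroll();
  const check = (pending, signedChallenge, origin) =>
    verifyAssertion(publicKey, pending, REAL, signAssertion(privateKey, signedChallenge, origin));
  const c = newChallenge();
  return {
    genuine: check(c, c, REAL),
    lookalikeOwnChallenge: check(newChallenge(), newChallenge(), LOOKALIKE),
    lookalikeForwardedChallenge: check(c, c, LOOKALIKE),
  };
}
```

Nothing the user produces on the look-alike origin is accepted by the genuine site, so there is no reusable secret to capture. A real deployment would also discard each challenge after a single use.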

Account enumeration - move to mobile initiated login

What is account enumeration? Well, under tactic Valid Accounts, an adversary attempts to identify a list of valid accounts within a system. With a valid list of accounts (and potentially passwords) they can attempt to perform automated login attacks by iterating over a list of accounts. There are numerous ways an attacker can attempt to create such lists, but one which is pretty simple is to capture the response from an application during the login process: does the response leak any valuable information? If, for example, I attempt to login with user “jsmith123” and password “Passw0rd”, what message does the system respond with? Something generic like “invalid credentials”, or something specific such as “username invalid” or “password incorrect”? Either of those latter responses provides valuable information to the attacker in determining if the user “jsmith123” actually exists.

A simple mitigation strategy is to perhaps start the authentication process via an out of band device such as a mobile phone. The mobile is bound to the end user during an enrollment event and can be later used to initiate the authentication process. This way the user no longer even needs to enter a username to start the login journey and, in turn, the complexity of handling login information disclosure again disappears.

Brute force - remove the target

Brute force attacks are one of the most common and probably well known of all attacks - where an adversary attempts to try every possible combination of passwords in order to login under an existing user account.  There are several well known mitigation methods - such as activity monitoring and throttling, promotion of the use of complex passwords making the brute force attack more difficult, the use of MFA - or multi factor authentication. Whilst many of those mitigation techniques are valid (and should really be in place by default, as they’re pretty well documented and “cheap” to implement from an effort and cost perspective), there should really be an attempt to remove the target entirely - by removing the reliance on password based authentication.

Whilst the ATT&CK framework does promote the use of MFA as a mitigation technique (and it’s interesting to see 34 attacks that could be impacted by the use of MFA), perhaps the removal of the reliance on passwords entirely is the better long term solution?

We’ve talked about ATT&CK - what about D3FEND?

Firstly, what is D3FEND? MITRE recently released a National Security Agency funded project that was specifically focused on developing a framework for defensive countermeasures. They call it D3FEND and it schematically fits well against the ATT&CK framework for adversarial activity.

The matrix this time focuses on a horizontal set of focus areas: Harden, Detect, Isolate, Deceive and Evict. It would be interesting to understand the relationship to some other defensive focus areas, such as those described in the NIST Cyber Security Framework with their Identify, Protect, Detect, Respond & Recovery methodology. 

With D3FEND and an authentication perspective, authentication appears in two focus areas: Credential Hardening (with Multi Factor Authentication, One Time Password and Strong Password Policy the specific countermeasure tactics) and under User Behaviour Analysis (with an interesting detection based authentication specific countermeasure focused upon Authentication Event Thresholding). 

The detection approach, however, is primarily based on the existing problem space of password based authentication, and on monitoring the effectiveness of the countermeasures put in place to improve password based authentication. Examples include capturing and analyzing login activity, timings, number of devices, and simultaneous logins and logouts.
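A minimal form of the authentication event thresholding described above, as an added example that is not taken from D3FEND or from the original article. The event fields, the sample events and the threshold values are constructed assumptions; the function flags too many failed logins, or too many distinct devices, for one account inside a sliding time window.

```javascript
// Added illustration: authentication event thresholding over constructed login events.
// Field names and threshold values are assumptions, not taken from D3FEND or any product.
const SAMPLE_EVENTS = [ // constructed data; t = seconds since start of capture
  { t: 0, user: 'jsmith123', device: 'laptop-1', ok: false },
  { t: 0, user: 'bkhan', device: 'laptop-7', ok: false },
  { t: 10, user: 'adoe', device: 'phone-a', ok: true },
  { t: 20, user: 'jsmith123', device: 'laptop-1', ok: false },
  { t: 45, user: 'jsmith123', device: 'laptop-1', ok: false },
  { t: 60, user: 'jsmith123', device: 'laptop-1', ok: false },
  { t: 70, user: 'jsmith123', device: 'laptop-1', ok: false },
  { t: 100, user: 'adoe', device: 'tablet-b', ok: true },
  { t: 200, user: 'adoe', device: 'desktop-c', ok: true },
  { t: 400, user: 'bkhan', device: 'laptop-7', ok: false },
  { t: 800, user: 'bkhan', device: 'laptop-7', ok: false },
  { t: 1200, user: 'bkhan', device: 'laptop-7', ok: false },
];

function thresholdAlerts(events, { windowSec = 300, maxFailures = 3, maxDevices = 2 } = {}) {
  const recentByUser = new Map(); // user -> events inside the sliding window
  const lastAlert = new Map();    // "user|rule" -> time of last alert, used for suppression
  const alerts = [];
  const raise = (e, rule, value) => {
    const key = `${e.user}|${rule}`;
    // Suppress repeats of the same rule for the same account within one window.
    if (lastAlert.has(key) && e.t - lastAlert.get(key) < windowSec) return;
    lastAlert.set(key, e.t);
    alerts.push({ t: e.t, user: e.user, rule, value });
  };
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    const recent = (recentByUser.get(e.user) || []).filter((p) => e.t - p.t < windowSec);
    recent.push(e);
    recentByUser.set(e.user, recent);
    const failures = recent.filter((p) => !p.ok).length;
    const devices = new Set(recent.map((p) => p.device)).size;
    if (!e.ok && failures > maxFailures) raise(e, 'failed-logins', failures);
    if (devices > maxDevices) raise(e, 'distinct-devices', devices);
  }
  return alerts;
}
```

On the sample data, the burst of failures for one account and the three devices seen for another each raise a single alert, while the widely spaced failures for the third account stay below the threshold.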

A movement towards a long term strategy for password replacements, cryptographic based challenge response authentication and mobile initiated authentication would not only make certain countermeasures redundant, but it would also allow a more effective and efficient monitoring and detection footprint.

Summary

The MITRE ATT&CK - and now also D3FEND - frameworks are an essential part of the cyber security architecture arsenal, providing a well documented and broad set of adversarial techniques and tactics to help build cost effective and secure countermeasures.

However, a movement to a more progressive passwordless approach to authentication can start to remove some of the unnecessary and complex countermeasures that are essential to improve legacy password based login approaches.


About the author

Simon Moffatt is Founder & Analyst at The Cyber Hut - a global cyber security industry analyst firm. He is a published author with over 20 years experience within the cyber and identity and access management sectors and has contributed to standards at NIST and the IETF.  He is a CISSP, CCSP and CEH.  His latest book “Consumer Identity & Access Management: Design Fundamentals” is available on Amazon.
