This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 63
/
AzureADMultiFactorAuthentication.yaml
75 lines (74 loc) · 3.15 KB
/
AzureADMultiFactorAuthentication.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
version: 1
ATT&CK version: 8.2
creation date: 03/20/2021
name: Azure AD Multi-Factor Authentication
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
- Azure Active Directory
- Azure Security Center Recommendation
- Credentials
- Identity
- Passwords
- MFA
description: >-
Multi-factor authentication is a process where a user is prompted during the sign-in process for
an additional form of identification, such as to enter a code on their cellphone or to provide a
fingerprint scan.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If
the password is weak or has been exposed elsewhere, is it really the user signing in with the
username and password, or is it an attacker? When you require a second form of authentication,
security is increased as this additional factor isn't something that's easy for an attacker to
obtain or duplicate.
techniques:
- id: T1110
name: Brute Force
technique-scores:
- category: Protect
value: Significant
comments: >-
MFA provides significant protection against password compromises, requiring the adversary
to complete an additional authentication method before their access is permitted.
sub-techniques-scores:
- sub-techniques:
- id: T1110.001
name: Password Guessing
- id: T1110.003
name: Password Spraying
- id: T1110.004
name: Credential Stuffing
scores:
- category: Protect
value: Significant
comments: >-
MFA can significantly reduce the impact of a password compromise, requiring the
adversary to complete an additional authentication method before their access is permitted.
- id: T1078
name: Valid Accounts
technique-scores:
- category: Protect
value: Minimal
comments: >-
This control only protects cloud accounts and therefore its overall protection coverage is
Minimal.
sub-techniques-scores:
- sub-techniques:
- id: T1078.004
name: Cloud Accounts
scores:
- category: Protect
value: Partial
comments: >-
MFA can provide protection against an adversary that obtains valid credentials by
requiring the adversary to complete an additional authentication process before access
is permitted. This is an incomplete protection measure though as the adversary may
also have obtained credentials enabling bypassing the additional authentication
method.
comments: >-
Note that MFA that is triggered in response to privileged operations (such as assigning a user a
privileged role) are considered functionality of the Azure AD Privileged Identity Management
control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This
mapping specifically deals with MFA when it is enabled as a security default.
references:
- 'https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'