T1110.003-Password Spraying.md

File metadata and controls

112 lines (56 loc) · 3.1 KB

Playbook: Credential Access - Password Spraying

MITRE

| Tactic | Technique ID | Technique Name | Sub-Technique Name | Platforms | Permissions Required |
|---|---|---|---|---|---|
| Credential Access | T1110 | Brute Force | Password Spraying | Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS | User |
(P) Preparation

1. Patch asset vulnerabilities
2. Perform routine inspections of controls/weapons
3. Ensure that workstations and servers are logging to a central location
4. Verify that authentication attempts to systems and applications are being logged
5. Set up network segmentation and firewalls to limit access to systems and services
6. Make use of multi-factor authentication
7. Establish and enforce a secure password policy

Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.


Investigate

TODO: Expand investigation steps, including key questions and strategies, for <Type of Incident>.

  1. Monitor for:

    a. Failed login attempts for default and common account names

    b. Failed login attempts for the same account across multiple systems

    c. Failed login attempts to multiple systems from the same source

  2. Investigate and clear ALL alerts associated with the impacted assets
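The three monitoring signals above, as an added example that is not part of this playbook: Python detection logic run over constructed sample authentication events in a simple `timestamp key=value` line format. The log format, field names, thresholds and the COMMON_ACCOUNTS list are assumptions, not taken from the page; tune them to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real log data): one attempt per line.
SAMPLE_LOG = """\
2024-01-01T09:00:01 src=10.0.0.5 host=dc01 user=admin result=FAIL
2024-01-01T09:00:02 src=10.0.0.5 host=dc01 user=jsmith result=FAIL
2024-01-01T09:00:03 src=10.0.0.5 host=mail01 user=mjones result=FAIL
2024-01-01T09:05:00 src=10.0.0.9 host=dc01 user=jsmith result=FAIL
2024-01-01T09:06:00 src=10.0.0.9 host=fs01 user=jsmith result=FAIL
2024-01-01T10:30:00 src=10.0.0.7 host=fs01 user=bwong result=FAIL
2024-01-01T10:31:00 src=10.0.0.7 host=fs01 user=bwong result=SUCCESS
"""
COMMON_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}  # assumed list
EPOCH = datetime(1970, 1, 1)

def parse_failures(text):
    """Parse 'timestamp key=value ...' lines; keep only failed attempts."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        ev = dict(pair.split("=", 1) for pair in kv)
        if ev["result"] == "FAIL":
            ev["ts"] = datetime.fromisoformat(ts)
            events.append(ev)
    return events

def common_account_failures(fails):
    """(a) Failed logins against default/common account names."""
    return sorted({e["user"] for e in fails if e["user"].lower() in COMMON_ACCOUNTS})

def accounts_failing_across_hosts(fails, min_hosts=2):
    """(b) Same account failing on several systems -> {user: [hosts]}."""
    hosts = defaultdict(set)
    for e in fails:
        hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def spraying_sources(fails, window=timedelta(minutes=10), min_accounts=3, min_hosts=2):
    """(c) One source failing against many accounts on several systems inside one
    tumbling time window: few tries per account, many accounts, is the spraying signature."""
    buckets = defaultdict(list)
    for e in fails:
        buckets[(e["src"], (e["ts"] - EPOCH) // window)].append(e)
    hits = {}
    for (src, _), evs in buckets.items():
        users, hosts = {e["user"] for e in evs}, {e["host"] for e in evs}
        if len(users) >= min_accounts and len(hosts) >= min_hosts:
            hits[src] = {"accounts": len(users), "hosts": sorted(hosts)}
    return hits
```

Tumbling windows are cheap to compute in a SIEM but can miss a spray that straddles a window boundary; lower the thresholds or use overlapping windows if low-and-slow sprays are a concern.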


Remediate

  • Plan remediation events where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
  • Consider the timing and tradeoffs of remediation actions: your response has consequences.

Contain

TODO: Customize containment steps, tactical and strategic, for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

TODO: Consider automating containment measures using orchestration tools.

Eradicate

TODO: Customize eradication steps, tactical and strategic, for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

Reference: Remediation Resources

TODO: Specify financial, personnel, and logistical resources to accomplish remediation.


Communicate

TODO: Customize communication steps for <Type of Incident>

TODO: Specify tools and procedures (including who must be involved) for each step, below, or refer to overall plan.

In addition to the general steps and guidance in the incident response plan:


Recover

TODO: Customize recovery steps for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

In addition to the general steps and guidance in the incident response plan:


Lessons Learned

TODO: Add items that will occur post-recovery.

  1. Perform routine cyber hygiene due diligence
  2. Engage external cybersecurity-as-a-service providers and response professionals

Resources

Additional Information

  1. "Title", Author Last Name (Date)