Skip to content

Hide Navigation Hide TOC

Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0)

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

  • Something you know: Passwords, PINs.
  • Something you have: Physical tokens, smartphone authenticator apps.
  • Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.
Cluster A Galaxy A Cluster B Galaxy B Level
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215) Attack Pattern 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Wi-Fi Networks - T1669 (fde016f6-211a-41c8-a4ab-301f1e419c62) Attack Pattern 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Additional Container Cluster Roles - T1098.006 (35d30338-5bfa-41b0-a170-ec06dfd75f64) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 1
Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 1
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 2
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Container Cluster Roles - T1098.006 (35d30338-5bfa-41b0-a170-ec06dfd75f64) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 2
Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 2