Skip to content

Hide Navigation Hide TOC

Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0)

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

  • Something you know: Passwords, PINs.
  • Something you have: Physical tokens, smartphone authenticator apps.
  • Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.
Cluster A Galaxy A Cluster B Galaxy B Level
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215) Attack Pattern 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Wi-Fi Networks - T1669 (fde016f6-211a-41c8-a4ab-301f1e419c62) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 1
Additional Container Cluster Roles - T1098.006 (35d30338-5bfa-41b0-a170-ec06dfd75f64) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 1
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action 1
Multi-factor Authentication - M1032 (b045d015-6bed-4490-bd38-56b41ece59a0) Course of Action Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern 2
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Additional Container Cluster Roles - T1098.006 (35d30338-5bfa-41b0-a170-ec06dfd75f64) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 2
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern 2
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 2