IA-5: Authenticator Management
From NIST's SP800-53:
Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
| PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1110.001 | Password Guessing | Credential Access |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1528 | Steal Application Access Token | Credential Access |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1110.002 | Password Cracking | Credential Access |
| T1552 | Unsecured Credentials | Credential Access |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1003.001 | LSASS Memory | Credential Access |
| T1558.001 | Golden Ticket | Credential Access |
| T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
| T1555.001 | Keychain | Credential Access |
| T1555.005 | Password Managers | Credential Access |
| T1003 | OS Credential Dumping | Credential Access |
| T1021 | Remote Services | Lateral Movement |
| T1530 | Data from Cloud Storage | Collection |
| T1558.003 | Kerberoasting | Credential Access |
| T1003.006 | DCSync | Credential Access |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1552.004 | Private Keys | Credential Access |
| T1114 | Email Collection | Collection |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1003.004 | LSA Secrets | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1110.004 | Credential Stuffing | Credential Access |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1136.001 | Local Account | Persistence |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1552.002 | Credentials in Registry | Credential Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1111 | Multi-Factor Authentication Interception | Credential Access |
| T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
| T1649 | Steal or Forge Authentication Certificates | Credential Access |
| T1555.004 | Windows Credential Manager | Credential Access |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1003.007 | Proc Filesystem | Credential Access |
| T1558.002 | Silver Ticket | Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1114.002 | Remote Email Collection | Collection |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1556.005 | Reversible Encryption | Credential Access, Defense Evasion, Persistence |
| T1552.001 | Credentials In Files | Credential Access |
| T1110.003 | Password Spraying | Credential Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1601.001 | Patch System Image | Defense Evasion |
| T1555.002 | Securityd Memory | Credential Access |
| T1555 | Credentials from Password Stores | Credential Access |
| T1003.002 | Security Account Manager | Credential Access |
| T1040 | Network Sniffing | Credential Access, Discovery |
| T1136 | Create Account | Persistence |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1601 | Modify System Image | Defense Evasion |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1136.003 | Cloud Account | Persistence |
| T1021.004 | SSH | Lateral Movement |
| T1110 | Brute Force | Credential Access |
| T1136.002 | Domain Account | Persistence |
| T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |