common-cloud-controls/services/common-threats.yaml at c1c3a53e128273575bad406cac38204f42676cb6 · mlysaght2017/common-cloud-controls · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
threats:
  - id: CCC.TH01
    title: Access Control is Misconfigured
    description: |
      Misconfigured access controls may grant excessive privileges or fail to
      restrict unauthorized access to sensitive resources. This could result in
      unintended data exposure or unauthorized actions being performed within
      the system.
    features:
      - CCC.F06 # Identity Based Access Control
    mitre_technique:
      - T1078 # Valid Accounts
      - T1548 # Abuse Elevation Control Mechanism
      - T1203 # Exploitation for Credential Access
      - T1098 # Account Manipulation
      - T1484 # Domain or Tenant Policy Modification
      - T1546 # Event Triggered Execution
      - T1537 # Transfer Data to Cloud Account
      - T1567 # Exfiltration Over Web Services
      - T1048 # Exfiltration Over Alternative Protocol
      - T1485 # Data Destruction
      - T1565 # Data Manipulation
      - T1027 # Obfuscated Files or Information

  - id: CCC.TH02
    title: Data is Intercepted in Transit
    description: |
      Data transmitted between clients and the service may be susceptible to
      interception or modification in transit if encrypted communication is not
      properly implemented. This could result in unauthorized access to
      sensitive information or unintended data alterations.
    features:
      - CCC.F01 # Encryption in Transit Enabled by Default
    mitre_technique:
      - T1557 # Adversary-in-the-Middle
      - T1040 # Network Sniffing

  - id: CCC.TH03
    title: Deployment Region Network is Untrusted
    description: |
      Deploying a service in an untrusted, unstable, or insecure location,
      the network may be susceptible to unauthorized access or data
      interception due to privileged network exposure or physical
      vulnerabilities. This could result in unintended data disclosure or
      compromised system integrity.
    features:
      - CCC.F08 # Multi-zone Deployment
    mitre_technique:
      - T1040 # Network Sniffing
      - T1110 # Brute Force
      - T1105 # Ingress Tool Transfer
      - T1583 # Acquire Infrastructure
      - T1557 # Adversary-in-the-Middle

  - id: CCC.TH04
    title: Data is Replicated to Untrusted or External Locations
    description: |
      Data may be replicated to untrusted or external locations if replication
      configurations are not properly restricted. This could result
      in unintended data leakage or exposure outside the organization's trusted
      perimeter.
    features:
      - CCC.F21 # Replication
    mitre_technique:
      - T1565 # Data Manipulation

  - id: CCC.TH05
    title: Data is Corrupted During Replication
    description: |
      Data may become corrupted, delayed, or deleted during replication
      processes across regions or availability zones due to misconfigurations
      or unintended disruptions. This could lead to compromised data integrity
      and availability, potentially affecting recovery processes and system
      reliability.
    features:
      - CCC.F08 # Multi-zone Deployment
      - CCC.F12 # Recovery
      - CCC.F21 # Replication
    mitre_technique:
      - T1485 # Data Destruction
      - T1565 # Data Manipulation
      - T1491 # Defacement
      - T1490 # Inhibit System Recovery

  - id: CCC.TH06
    title: Data is Lost or Corrupted
    description: |
      Data loss or corruption may occur due to accidental deletion, or
      misconfiguration. This can result in the loss of critical data, service
      disruption, or unintended exposure of sensitive information.
    features:
      - CCC.F11 # Backup
      - CCC.F18 # Versioning
    mitre_technique:
      - T1485 # Data Destruction
      - T1565 # Data Manipulation
      - T1491 # Defacement
      - T1490 # Inhibit System Recovery

  - id: CCC.TH07
    title: Logs are Tampered With or Deleted
    description: |
      Logs may be tampered with or deleted due to inadequate access controls,
      or misconfigurations. This can make it difficult to identify security
      incidents, disrupt forensic investigations, and affect the accuracy of
      audit trails.
    features:
      - CCC.F03 # Access/Activity Logs
      - CCC.F10 # Logging
    mitre_technique:
      - T1070 # Indicator Removal on Host
      - T1565 # Data Manipulation (for altering log entries)
      - T1027 # Obfuscated Files or Information

  - id: CCC.TH08
    title: Cost Management Data is Manipulated
    description: |
      Cost management data may be changed due to misconfigurations, or
      unauthorized access. This might result in inaccurate resource usage
      reporting, budget exhaustion, financial losses, and hinder incident
      detection.
    features:
      - CCC.F15 # Cost Management
    mitre_technique:
      - T1565 # Data Manipulation
      - T1070 # Indicator Removal on Host

  - id: CCC.TH09
    title: Logs or Monitoring Data are Read by Unauthorized Users
    description: |
      Unauthorized access to logs or monitoring data may expose valuable
      information about the system's configuration, operations, and security
      mechanisms. This could allow for the identification of vulnerabilities,
      enable the planning of attacks, or hinder the detection of ongoing
      incidents.
    features:
      - CCC.F03 # Access/Activity Logs
      - CCC.F09 # Monitoring
    mitre_technique:
      - T1003 # Credential Dumping
      - T1007 # System Service Discovery
      - T1018 # Remote System Discovery
      - T1033 # System Owner/User Discovery
      - T1046 # Network Service Discovery
      - T1057 # Process Discovery
      - T1069 # Permission Groups Discovery
      - T1070 # Indicator Removal
      - T1082 # System Information Discovery
      - T1120 # Peripheral Device Discovery
      - T1124 # System Time Discovery
      - T1497 # Virtualization/Sandbox Evasion
      - T1518 # Software Discovery

  - id: CCC.TH10
    title: Alerts are Intercepted
    description: |
      Event notifications may be intercepted due to misconfigurations,
      inadequate security measures, or unauthorized access. This could expose
      information about sensitive operations or access patterns, potentially
      impacting system security and integrity.
    features:
      - CCC.F03 # Access/Activity Logs
      - CCC.F07 # Event Notifications
      - CCC.F09 # Monitoring
      - CCC.F17 # Alerting
    mitre_technique:
      - T1057 # Process Discovery
      - T1049 # System Network Connections Discovery
      - T1083 # File and Directory Discovery

  - id: CCC.TH11
    title: Event Notifications are Incorrectly Triggered
    description: |
      Event notifications may be triggered incorrectly due to misconfigurations,
      or unauthorized access. This could result in sensitive operations being
      triggered unintentionally, obfuscate other issues, or overwhelm the
      system, potentially disrupting legitimate operations.
    features:
      - CCC.F07 # Event Notifications
      - CCC.F17 # Alerting
    mitre_technique:
      - T1205 # Traffic Signaling
      - T1001.001 # Data Obfuscation: Junk Data
      - T1491.001 # Defacement: Internal Defacement

  - id: CCC.TH12
    title: Resource Constraints are Exhausted
    description: |
      Resource constraints, such as memory, CPU, or storage, may be exhausted
      due to misconfigurations, or excessive resource consumption. This could
      disrupt service availability, deny access to users, or impact other
      systems within the same scope. Exhaustion may occur through repeated
      requests, resource-intensive operations, or lowering rate/budget limits.
    features:
      - CCC.F04 # Transaction Rate Limits
      - CCC.F16 # Budgeting
      - CCC.F19 # Auto-scaling
    mitre_technique:
      - T1496 # Resource Hijacking
      - T1499 # Endpoint Denial of Service
      - T1498 # Network Denial of Service

  - id: CCC.TH13
    title: Resource Tags are Manipulated
    description: |
      Resource tags may be altered, leading to changes in organizational
      policies, billing disruptions, or unintended exposure of sensitive data.
      This could result in mismanaged resources, financial misuse, or security
      vulnerabilities.
    features:
      - CCC.F20 # Tagging
    mitre_technique:
      - T1565 # Data Manipulation

  - id: CCC.TH14
    title: Older Resource Versions are Exploited
    description: |
      Older versions of resources may contain vulnerabilities due to deprecated
      or insecure configurations. Without proper version control and monitoring,
      outdated versions could lead to security measures bypass, potentially
      leading to security risks or operational disruptions.
    features:
      - CCC.F18 # Versioning
    mitre_technique:
      - T1027 # Obfuscated Files or Information
      - T1485 # Data Destruction
      - T1565 # Data Manipulation
      - T1489 # Service Stop
      - T1562.01 # Impair Defenses: Downgrade Attack
      - T1027 # Obfuscated Files or Information
      - T1485 # Data Destruction
      - T1565 # Data Manipulation
      - T1489 # Service Stop

  - id: CCC.TH15
    title: Automated Enumeration and Reconnaissance by Non-human Entities
    description: |
      Automated processes or bots may be used to perform reconnaissance by
      enumerating resources such as APIs, file systems, or directories. These
      activities can reveal potential vulnerabilities, misconfigurations, or
      unsecured resources, which might result in unauthorized access or data
      exposure.
    features:
      - CCC.F14 # API Access
    mitre_technique:
      - T1580 # Cloud Infrastructure Discovery

  - id: CCC.TH16
    title: Logging and Monitoring are Disabled
    description: |
      Logging and monitoring may be disabled, potentially hindering the
      detection of security events and reducing visibility into system
      activities. This condition can impact the organization's ability
      to investigate incidents and maintain operational integrity.
    features:
      - CCC.F10 # Logging
      - CCC.F09 # Monitoring
    mitre_technique:
      - T1562 # Impair Defenses

  - id: CCC.TH17
    title: Unauthorized Network Access via Misconfigured Rules
    description: |
      Improperly configured or overly permissive network access rules
      such as security groups can allow unauthorized inbound connections
      to the service. This could result in unauthorized access to sensitive
      resources or data and disruption to service availability.
    features:
      - CCC.F23 # Network Access Rules
    mitre_technique:
      - T1046 # Network Service Scanning
      - T1133 # External Remote Services