generated from finos/standards-project-blueprint
Commit
Add in new impair defenses threat for storage service
1 parent 191a98c, commit 8662419
Showing 2 changed files with 5 additions and 4 deletions.
@@ -1,4 +1,4 @@ | ||
| Control Id | Objective | Description | Test | Service Taxonomy Id | NIST CF | MITRE ATT&CK Mitigations | Threats | | ||
|------------|-----------|-------------|------|---------------------|---------|--------------------------|---------| | ||
| CCC.OS.C1 | Enforce encryption-in-transit | Block all unencrypted requests to the object storage bucket you control | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request should be denied | CCC-020115 | Protect | [M1041](https://attack.mitre.org/mitigations/M1041) | CCC.OS.T1 | | ||
| CCC.OS.C2 | Block requests with KMS keys from unauthorized principals | Block requests with unauthorized principal providing the KMS key | GIVEN you own the object storage bucket; WHEN a request encrypted with a KMS key from an unauthorized principal is made to the bucket; THEN the request should be denied | CCC-020114 | Protect | None | CCC.OS.T2 | | ||
| CCC.OS.C1 | Prevent unencrypted requests to object storage bucket | Block all unencrypted requests to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request should be denied | CCC-020115 | Protect | [M1041](https://attack.mitre.org/mitigations/M1041) | CCC.OS.T1 | | ||
| CCC.OS.C2 | Prevent object storage data encrypted for impact | Block data plane requests with untrusted KMS keys to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN a data plane request with an untrusted KMS key is made to the object storage bucket; THEN the request should be denied | CCC-020114 | Protect | None | CCC.OS.T2 | |
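Review bot: the new CCC.OS.C2 row (`| CCC.OS.C2 | Prevent object storage data encrypted for impact | ...`) keeps `None` in the MITRE ATT&CK Mitigations column even though the threat it points at, CCC.OS.T2, is mapped to T1486 in the threats file; either cite the ATT&CK mitigation that applies or state in the row why none does, the way the C1 row cites M1041. Two smaller points on the same row: the test only covers "a data plane request with an untrusted KMS key", whereas the T2 description also covers an attacker changing the bucket's default encryption key, a control-plane change this test would not catch, so a second GIVEN/WHEN/THEN for the default-key change (or a separate control) is needed; and "untrusted KMS key" is not defined anywhere in the table, so say what makes a key trusted (for example, membership in an approved key list) so the test is unambiguous.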
@@ -1,4 +1,5 @@ | ||
| Threat Id | Name | Description | Service Taxonomy Id | MITRE ATT&CK TTPs | | ||
|-----------|------|-------------|---------------------|-------------------| | ||
| CCC.OS.T1 | Intercept data in transit to an external bucket | The object storage service allows communication over HTTP. An attacker can intercept the traffic you send to an external bucket, in order to read or modify the data. | CCC-020115 | [TA009](https://attack.mitre.org/tactics/TA0009/) [T1557](https://attack.mitre.org/techniques/T1557/) | | ||
| CCC.OS.T2 | Objects encrypted for ransomware | The object storage service provides several types of encryption where the key is not operated by the CSP (e.g. SSE-KMS with Bring Your Own Key). An attacker can encrypt all the data stored in the bucket to ransom the data owner to get the decryption key. Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded. | CCC-020114 | [TA0040](https://attack.mitre.org/tactics/TA0040/) [T1486](https://attack.mitre.org/techniques/T1486/) | ||
| CCC.OS.T1 | Attacker intercepts data in transit to a bucket | The object storage service allows communication over HTTP. An attacker can intercept the traffic you send to bucket, in order to read or modify the data. | CCC-020115 | [TA009](https://attack.mitre.org/tactics/TA0009/) [T1557](https://attack.mitre.org/techniques/T1557/) | | ||
| CCC.OS.T2 | Attacker encrypts objects for ransomware | The object storage service provides several types of encryption where the key is not operated by the CSP (e.g. SSE-KMS with Bring Your Own Key). An attacker can encrypt all the data stored in the bucket to ransom the data owner to get the decryption key. Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded. | CCC-020114 | [TA0040](https://attack.mitre.org/tactics/TA0040/) [T1486](https://attack.mitre.org/techniques/T1486/) | ||
| CCC.OS.T3 | Attacker grants access to a bucket to untrusted principals | The bucket policy can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change the bucket policy and make the content accessible (via public endpoints, cross-account VPC endpoints, or cross-account access point). | CCC-020116 | [TA0005](https://attack.mitre.org/tactics/TA0005/) [T1562] (https://attack.mitre.org/techniques/T1562/) | |
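Review bot: the new CCC.OS.T3 row has a broken markdown link in the TTPs column: `[T1562] (https://attack.mitre.org/techniques/T1562/)` has a space between `]` and `(`, so it renders as literal text rather than a link; drop the space to match the other rows. In the rewritten CCC.OS.T1 row the tactic label reads `TA009` while its URL points at `TA0009`, and the description says "traffic you send to bucket" (missing "the"); the label should be `TA0009` and the wording "to the bucket". Also, the controls file in this commit still lists only CCC.OS.T1 and CCC.OS.T2 in its Threats column, so CCC.OS.T3 has no corresponding control yet; either add one in this change or record it as a follow-up.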