Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft Proposal for Threat Catalog and Control Catalog Taxonomy #153

Open
wants to merge 25 commits into
base: main
Choose a base branch
from
Open

Draft Proposal for Threat Catalog and Control Catalog Taxonomy #153

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
8eb34e3
Add in ccc whitepaper oscal control catalog example
mlysaght2017 Mar 21, 2024
7d6012c
Formatting yaml
mlysaght2017 Mar 21, 2024
0f940ec
Add in threat catalog example for object storage service
mlysaght2017 Mar 22, 2024
4bd0f12
Add in mitre hyperlinks
mlysaght2017 Mar 22, 2024
a28a9fe
Add in control catalog with first object storage example
mlysaght2017 Mar 22, 2024
88451b6
Shift migration from threat to control catalog
mlysaght2017 Mar 22, 2024
a66d7f7
Add in object ransomware threat
mlysaght2017 Mar 22, 2024
54ec5f3
Add in ransomware control
mlysaght2017 Mar 26, 2024
c5d8fb3
Update to transpose threat and control catalog tables
mlysaght2017 Mar 28, 2024
191a98c
Fix broken link
mlysaght2017 Mar 28, 2024
8662419
Add in new impair defenses threat for storage service
mlysaght2017 Mar 28, 2024
1af7831
Add in new control to prevent public access to storage bucket
mlysaght2017 Mar 28, 2024
51f5c64
Fix broken href
mlysaght2017 Mar 28, 2024
09377cf
Add in mitre mitigation
mlysaght2017 Mar 28, 2024
681e4b8
Update threat to make more generic
mlysaght2017 Mar 28, 2024
64e4335
Improve description of impair defenses threat
mlysaght2017 Mar 28, 2024
e6658ed
Add in new folders
mlysaght2017 Mar 28, 2024
66e358b
fixing small typo - CCC.OS.C2 -> CCC.OS.C3
damienjburks Apr 2, 2024
d6296e3
Fix header
mlysaght2017 Apr 6, 2024
04aa77c
Remove change to header
mlysaght2017 Apr 9, 2024
1170a01
Merge branch 'main' of https://github.com/mlysaght2017/common-cloud-c…
mlysaght2017 Apr 9, 2024
e740917
Revert to original formatting of oscal files
mlysaght2017 Apr 9, 2024
ea20e65
Move catalogs into services directory
mlysaght2017 Apr 9, 2024
9a9cba2
Fix header
mlysaght2017 Apr 9, 2024
95d79c3
Merge branch 'finos:main' into main
mlysaght2017 Apr 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions control-catalog/storage/object/controls.md
View file
Open in desktop
mlysaght2017 marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
| Control Id | Objective | Description | Test | Service Taxonomy Id | NIST CF | MITRE ATT&CK Mitigations | Threats |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the Test column:

In our taxonomy work, @smendis-scottlogic and I proposed keeping taxonomy tests in a parallel gherkin file for each service.

I like the idea of keeping things simple in one place, but I'm not sure how well it reads in this format. Curious to hear feedback on whether Test should be included here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the NIST CF column:

Do we anticipate that any controls will fall outside of the Protect category?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an interesting question. On Detect, I can see benefit in assessing the CSP's native threat detection capabilities (as well as basic audit logging of specific APIs) for a given service - e.g. data stores exposed outside of given data perimeters - here we'd also have the option of mapping to MITRE ATT&CK Data Sources e.g. for Cloud Storage: https://attack.mitre.org/datasources/DS0010/

However...this would naturally be a lot more work...It feels like our priority should be on maturing our thinking on Protect with more Protect examples within and across the services and continuing to think/experiment on Detect? Feels like an early decision for steerco too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Totally agree that the Test values in Gherkin don't read well in that format. We can shift to a separate gherkin file as you suggest.

|------------|-----------|-------------|------|---------------------|---------|--------------------------|---------|
| CCC.OS.C1 | Prevent unencrypted requests to object storage bucket | Block all unencrypted requests to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request should be denied | CCC-020115 | Protect | [M1041](https://attack.mitre.org/mitigations/M1041) | CCC.OS.T1 |
| CCC.OS.C2 | Prevent object storage data encrypted for impact | Block data plane requests with untrusted KMS keys to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN a data plane request with an untrusted KMS key is made to the object storage bucket; THEN the request should be denied | CCC-020114 | Protect | None | CCC.OS.T2 |
| CCC.OS.C3 | Prevent the granting of direct public access to the object storage bucket you own | Block the creation or update of buckets with public access | GIVEN you own the object storage bucket; WHEN the access controls on the bucket are updated to grant public access to the bucket; THEN the request should be denied | CCC-020116 | Protect | [M1022](https://attack.mitre.org/mitigations/M1022/)| CCC.OS.T3 |
156 changes: 78 additions & 78 deletions src/oscal/examples/catalog/yaml/OSCAL_CCC_Catalog_option1.yaml
View file
Open in desktop
eddie-knight marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -8,86 +8,86 @@ catalog:
version: 0.0.1
oscal-version: 1.1.1
props:
- name: keywords
value: "control, cloud, security, risk"
- name: keywords
value: "control, cloud, security, risk"
roles:
- id: publisher
title: FINOS
- id: author
title: FINOS
- id: contact
title: Contact
- id: publisher
title: FINOS
- id: author
title: FINOS
- id: contact
title: Contact
parties:
- uuid: 4bc82884-5a0c-486b-94d5-cc5195615ad3
type: organization
name: FINOS
addresses:
- addr-lines:
- FINOS
- some address
- more address
country: UK
- uuid: 4bc82884-5a0c-486b-94d5-cc5195615ad3
type: organization
name: FINOS
addresses:
- addr-lines:
- FINOS
- some address
- more address
country: UK
responsible-parties:
- role-id: publisher
party-uuids:
- 4bc82884-5a0c-486b-94d5-cc5195615ad3
- role-id: author
party-uuids:
- 4bc82884-5a0c-486b-94d5-cc5195615ad3
- role-id: contact
party-uuids:
- 4bc82884-5a0c-486b-94d5-cc5195615ad3
- role-id: publisher
party-uuids:
- 4bc82884-5a0c-486b-94d5-cc5195615ad3
- role-id: author
party-uuids:
- 4bc82884-5a0c-486b-94d5-cc5195615ad3
- role-id: contact
party-uuids:
- 4bc82884-5a0c-486b-94d5-cc5195615ad3
groups:
- id: M10
title: Threat Mitigations
controls:
- id: M1047
class: mitigation
title: Audit
parts:
- id: M1047_stm
name: statement
prose: Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.
- id: M1041
class: mitigation
title: Encrypt Sensitive Information
parts:
- id: M1041_stm
name: statement
prose: Encrypt data stored at rest in cloud storage.
- id: M1047_gdn
name: guidance
prose: |-
Managed encryption keys can be rotated by most providers.
- id: M10
title: Threat Mitigations
controls:
- id: M1047
class: mitigation
title: Audit
parts:
- id: M1047_stm
name: statement
prose: Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.
- id: M1041
class: mitigation
title: Encrypt Sensitive Information
parts:
- id: M1041_stm
name: statement
prose: Encrypt data stored at rest in cloud storage.
- id: M1047_gdn
name: guidance
prose: |-
Managed encryption keys can be rotated by most providers.

At minimum ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.
- id: M1032
class: p1-mitigations
title: Multi-factor Authentication
parts:
- id: M1032_stm
name: statement
prose: "Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator."
- id: M1026
class: p1-mitigations
title: Privileged Account Management
parts:
- id: M1026_stm
name: statement
prose: "Manage the creation, modification, use, and permissions associated to privileged accounts."
- id: M1018
class: p1-mitigations
title: User Account Management
parts:
- id: M1018_stm
name: statement
prose: "Manage the creation, modification, use, and permissions associated to non-privileged user accounts."
- id: CCC
title: Policy name and identification
controls:
- id: CCC.M1
class: p1-mitigations
title: Organization level Authorization Origin Policy
parts:
- name: statement
prose: Define actions that are allowed for cloud accounts subscribed to an organization. Ensure policy set to enforce MFA for console and API actions for IAM principles.
At minimum ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.
- id: M1032
class: p1-mitigations
title: Multi-factor Authentication
parts:
- id: M1032_stm
name: statement
prose: "Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator."
- id: M1026
class: p1-mitigations
title: Privileged Account Management
parts:
- id: M1026_stm
name: statement
prose: "Manage the creation, modification, use, and permissions associated to privileged accounts."
- id: M1018
class: p1-mitigations
title: User Account Management
parts:
- id: M1018_stm
name: statement
prose: "Manage the creation, modification, use, and permissions associated to non-privileged user accounts."
- id: CCC
title: Policy name and identification
controls:
- id: CCC.M1
class: p1-mitigations
title: Organization level Authorization Origin Policy
parts:
- name: statement
prose: Define actions that are allowed for cloud accounts subscribed to an organization. Ensure policy set to enforce MFA for console and API actions for IAM principles.
5 changes: 5 additions & 0 deletions threat-catalog/storage/object/threats.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
| Threat Id | Name | Description | Service Taxonomy Id | MITRE ATT&CK TTPs |
|-----------|------|-------------|---------------------|-------------------|
| CCC.OS.T1 | Attacker intercepts data in transit to a bucket | The object storage service allows communication over HTTP. An attacker can intercept the traffic you send to bucket, in order to read or modify the data. | CCC-020115 | [TA009](https://attack.mitre.org/tactics/TA0009/) [T1557](https://attack.mitre.org/techniques/T1557/) |
| CCC.OS.T2 | Attacker encrypts objects for ransomware | The object storage service provides several types of encryption where the key is not operated by the CSP. An attacker can encrypt all the data stored in the bucket to ransom the data owner to get the decryption key. Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded. | CCC-020114 | [TA0040](https://attack.mitre.org/tactics/TA0040/) [T1486](https://attack.mitre.org/techniques/T1486/)
| CCC.OS.T3 | Attacker grants bucket access to untrusted principals | The bucket access controls (e.g. ACLs, bucket policies) can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change (i.e., impair) the bucket access controls and make the content accessible to untrusted principals (via public endpoints, cross-account VPC endpoints, or cross-account access point). | CCC-020116 | [TA0005](https://attack.mitre.org/tactics/TA0005/) [T1562](https://attack.mitre.org/techniques/T1562/) |