Threats reviewed and amended for RDMS #676

Open
wants to merge 1 commit into
base: main
1 change: 1 addition & 0 deletions services/database/relational/features.yaml
Expand Up @@ -9,6 +9,7 @@ common_features:
- CCC.F10 # Logging
- CCC.F11 # Backup
- CCC.F12 # Recovery
- CCC.F13 # Infrastructure as Code
- CCC.F17 # Alerting
- CCC.F19 # On-Demand Scaling
- CCC.F20 # Tagging
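Review bot: The +/- markers of this rendered diff did not survive, so it is not visible which of the seven `common_features` entries is the one addition; please name it in the PR description and confirm its counterpart exists in `common_threats` in threats.yaml, the way `CCC.F20 # Tagging` pairs with `CCC.TH13 # Resource tags are manipulated` there.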
52 changes: 13 additions & 39 deletions services/database/relational/threats.yaml
Expand Up @@ -10,23 +10,11 @@ common_threats:
- CCC.TH10 # Alerts are Intercepted
- CCC.TH11 # Event Notifications are Incorrectly Triggered
- CCC.TH12 # Resource constraints are exhausted
- CCC.TH13 # Resource tags are manipulated
- CCC.TH15 # Automated enumeration and reconnaissance by non-human entities

threats:
- id: CCC.RDMS.TH01
title: Unauthorized Access to Database
description: |
Unauthorized access to a cloud relational database may
occur due to the use of compromised roles or default
administrative credentials. This condition could result in
data exposure, alteration, or disruption of database operations.
features:
- CCC.RDMS.F01 # SQL Support
- CCC.F06 # Identity Based Access Control
mitre_technique:
- TA0006
- T1552

- id: CCC.RDMS.TH02
title: Unauthorized Cross-Organization Snapshot Collection
description: |
Unauthorized snapshot collection using privileged roles may
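Review bot: Dropping `CCC.RDMS.TH01` (Unauthorized Access to Database) removes the only RDMS-specific threat that names compromised roles and default administrative credentials (TA0006, T1552) and the only one referencing `CCC.RDMS.F01 # SQL Support`; if a common threat now covers that case, cite its ID in the PR, otherwise fold the default-credentials wording into the remaining authentication threat so the T1552 mapping is not lost. The `common_threats` list also jumps from `CCC.TH13` to `CCC.TH15`; confirm `CCC.TH14` is omitted deliberately.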
Expand All @@ -41,7 +29,7 @@ threats:
- TA0009
- T1530

- id: CCC.RDMS.TH03
- id: CCC.RDMS.TH02
title: Disabled Logging and Monitoring
description: |
The logging and monitoring of a relational database may be disabled,
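Review bot: Renumbering `- id: CCC.RDMS.TH03` to `- id: CCC.RDMS.TH02` collides with the existing `- id: CCC.RDMS.TH02` (Unauthorized Cross-Organization Snapshot Collection), which the previous hunk shows as unchanged context, so the file would carry two TH02 entries and no TH01 unless that entry is renumbered elsewhere. Renumbering also silently breaks any control or document that cites the old IDs; either keep the original IDs stable or list the old-to-new mapping in the PR description.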
Expand All @@ -56,7 +44,7 @@ threats:
- TA0005
- T1562

- id: CCC.RDMS.TH04
- id: CCC.RDMS.TH03
title: Unauthorized Configuration Modification
description: |
Changes to the configuration of a cloud RDMS may be attempted using
Expand All @@ -70,21 +58,7 @@ threats:
- TA0004
- T1548

- id: CCC.RDMS.TH05
title: Unencrypted Connection to Database
description: |
Establishing a connection to a database over an unencrypted protocol,
such as HTTP, may expose data to interception and unauthorized access
during transmission. This condition increases the risk of data compromise
through network eavesdropping.
features:
- CCC.F01 # Encryption in Transit
- CCC.F02 # Encryption at Rest
mitre_technique:
- TA0006
- T1040

- id: CCC.RDMS.TH06
- id: CCC.RDMS.TH04
@abikhuil @eddie-knight - This threat as it's written sounds a little vague in terms of its impact. Would like to get your thoughts on how we can make it a little more clear - e.g. does it relate to Data Encrypted for Impact or is it more about the loss of confidentiality?

If we're talking about Snapshot Collection with Unauthorized Encryption Key... that whole entry is confusing for me at the moment. I feel like there must be something technical I'm misunderstanding 🤔

@zigmax - interested to get your views here and your feedback on the full threat list for RDMS please - thanks

title: Snapshot Collection with Unauthorized Encryption Key
description: |
Snapshot collection may be attempted using a non-default encryption
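Review bot: Deleting `CCC.RDMS.TH05` (Unencrypted Connection to Database) leaves no RDMS threat mapped to `CCC.F01 # Encryption in Transit` or to T1040 (network sniffing); if the intent is that a common threat covers transport encryption, cite its ID in the PR, otherwise keep the entry (its example of "HTTP" would read better as a plain, non-TLS database wire protocol). For the Snapshot Collection with Unauthorized Encryption Key entry that the thread above questions, the description should state the impact explicitly (loss of confidentiality of the snapshot versus data encrypted for impact) so the TA0009/T1530 mapping is justified.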
Expand All @@ -97,49 +71,49 @@ threats:
- TA0009
- T1530

- id: CCC.RDMS.TH13
- id: CCC.RDMS.TH05
title: Misconfigured Database User Authentication Mechanism
description: |
The database user authentication mechanism may be improperly configured,
potentially allowing unauthorized access or disrupting normal authentication
processes. This condition could weaken access controls and compromise
database security.
features:
- CCC.F06
- CCC.F06 # Identity Based Access Control
mitre_technique:
- T1556

- id: CCC.RDMS.TH14
- id: CCC.RDMS.TH06
title: Unintentional Database Backup Restoration
description: |
A database backup may be restored unintentionally, potentially
leading to the loss or overwrite of current data. This condition
could disrupt operations and result in data inconsistency or
corruption.
features:
- CCC.F11
- CCC.F11 # Backup
mitre_technique:
- T1485

- id: CCC.RDMS.TH15
- id: CCC.RDMS.TH07
title: Brute Force Attempts on Database Authentication
description: |
Repeated attempts to guess database user passwords may be made
through brute force techniques. This condition could result in
unauthorized access if successful, compromising database security
and sensitive information.
features:
- CCC.RDMS.F07
- CCC.RDMS.F07 # DB Self Managed Credentials
mitre_technique:
- T1110

- id: CCC.RDMS.TH16
- id: CCC.RDMS.TH08
title: Database Backups Stopped
description: |
Database backups may be halted, potentially impairing the organization's
ability to recover data and maintain business continuity. This condition
increases the risk of data loss and extended system downtime.
features:
- CCC.F11
- CCC.F11 # Backup
mitre_technique:
- T1490
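Review bot: `CCC.RDMS.TH06` (Unintentional Database Backup Restoration) is mapped to T1485 (Data Destruction), an adversary technique, while its description frames the event as unintentional; either reword the description as a deliberate restore by an adversary or drop the MITRE mapping, since an operator mistake has no ATT&CK technique. The added feature comments (`# Identity Based Access Control`, `# Backup`, `# DB Self Managed Credentials`) are a good consistency fix; apply the same to the remaining entries above. `CCC.RDMS.TH07` (Brute Force) references only `CCC.RDMS.F07`; consider whether `CCC.F06 # Identity Based Access Control` applies there as well, as it does for TH05.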