From 486025cd3f4a2599ac551f68ebb8ea2cb1eff13a Mon Sep 17 00:00:00 2001
From: ianwalkersmithciticom
Date: Fri, 6 Dec 2024 10:08:51 -0300
Subject: [PATCH 1/7] sorting out titles and the backup threat
---
 services/database/relational/threats.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/services/database/relational/threats.yaml b/services/database/relational/threats.yaml
index b1d93293..e9bbec7b 100644
--- a/services/database/relational/threats.yaml
+++ b/services/database/relational/threats.yaml
@@ -13,7 +13,7 @@ common_threats:
 threats:
 - id: CCC.RDMS.TH01
- title: Unauthorized Access to Database
+ title: Unauthorized access to database
 description: |
 A threat actor gains unauthorized access to the cloud relational database by using a compromised role or using default administrative credentials.
@@ -25,7 +25,7 @@ threats:
 - T1552
 - id: CCC.RDMS.TH02
- title: Unauthorized Cross Organization Snapshot Collection
+ title: Unauthorized cross organization snapshot collection
 description: |
 A threat actor initiates a snapshot collection activity using a privileged role and copies the snapshot outside of the organization, which allows for data exfiltration and theft.
@@ -38,7 +38,7 @@ threats:
 - T1530
 - id: CCC.RDMS.TH03
- title: Disabled Logging & Monitoring
+ title: Disabled logging & monitoring
 description: |
 A threat actor disables the logging and monitoring of the relational database, which allows evasion and removes traces of malicious actions.
@@ -50,7 +50,7 @@ threats:
 - T1562
 - id: CCC.RDMS.TH04
- title: Unauthorized Configuration Modification
+ title: Unauthorized configuration modification
 description: A threat actor attempts to make changes to the configuration of the cloud RDMS with a malicious role.
 features:
 - CCC.RDMS.F01 # SQL Support
@@ -61,7 +61,7 @@ threats:
 - T1548
 - id: CCC.RDMS.TH05
- title: Unencrypted Connection To Database
+ title: Unencrypted connection to database
 description: |
 An end-user connects to the database over HTTP, which is susceptible to network sniffing attacks and other exploits.
@@ -73,7 +73,7 @@ threats:
 - T1040
 - id: CCC.RDMS.TH06
- title: Snapshot Collection with Unauthorized Encryption Key
+ title: Snapshot collection with unauthorized encryption key
 description: |
 A threat actor attempts to perform snapshot collection using a non-default encryption key associated with the RDMS.
@@ -101,7 +101,7 @@ threats:
 - T1485
 - id: CCC.RDMS.TH15
- title: brute force attack against the database
+ title: Brute force attack against the database
 description: |
 threat actor uses brute force attack to discover database user password, threat actor then has access to the
@@ -112,9 +112,9 @@ threats:
 - T1110
 - id: CCC.RDMS.TH16
- title: backups stopped
+ title: Database backups stopped
 description: |
- threat actor stops backups from occuring
+ Threat actor stops database backups from occuring
 to inhibit system recovery.
 features:
 - CCC.F11
 mitre_technique:
From e51f886ea9c9431946873966d095e65d5e3990aa Mon Sep 17 00:00:00 2001
From: ianwalkersmithciticom
Date: Mon, 16 Dec 2024 20:54:24 -0300
Subject: [PATCH 2/7] snapshot controls
---
 services/database/relational/controls.yaml | 40 +++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/services/database/relational/controls.yaml b/services/database/relational/controls.yaml
index a1a4fd92..529c7c2d 100644
--- a/services/database/relational/controls.yaml
+++ b/services/database/relational/controls.yaml
@@ -11,7 +11,7 @@ common_controls:
 controls:
 - id: CCC.RDMS.C01
- title: backup database to alternative trust-zone
+ title: Backup database to alternative trust-zone
 objective: |
 Ensure that databases are backed up and the backup is outside of the applications trust-zone
 control_family: Data
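Review bot: The rewritten TH16 description line still misspells `occuring`; the new line should read `A threat actor stops database backups from occurring`, which also matches the `A threat actor …` opening used by the other threat descriptions in this file (TH15's bare `threat actor` has the same problem, but that line is context here, not part of the change). Since the description explicitly says the goal is to inhibit system recovery, confirm that the `mitre_technique` list, which begins on the hunk's last line and continues outside it, carries T1490 (Inhibit System Recovery).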
@@ -29,3 +29,41 @@ controls:
 tlp_levels:
 - tlp_red
 - tlp_amber
+ - id: CCC.RDMS.C02
+ title: DB admin passwords must be change from default AND password correctly managed
+ objective: |
+ DB Admin passwords must be change from their default values and approporatly managed by password or secret
+ managers.
+ control_family: Data
+ threats:
+ - CCC.RDMS.TH01 # Unauthorized Access to Database
+ nist_csf: PR.AA-01
+ control_mappings:
+ NIST_800_53:
+ -
+ test_requirements:
+ - id: CCC.RDMS.C01.TR02
+ text: |
+ Login to the DB using a default password, it must fail
+ tlp_levels:
+ - tlp_red
+ - tlp_amber
+ - id: CCC.RDMS.C03
+ title: Restrict snapshot sharing to authorized accounts
+ objective: |
+ Ensure snapshots are only shared with explicitly authorized account to limit data exposure and reduce data
+ exfiltration
+ control_family: data
+ threats:
+ - CCC.RDMS.TH02
+ nist_csf: PR.DS-10
+ control_mappings:
+ NIST_800_53:
+ - AC-4
+ test_requirements:
+ - id: CCC.RDMS.C03.TR01
+ text: |
+ Attempt to share snapshot with unauthorized account and attempt is denied
+ tlp_levels:
+ - tlp_red
+ - tlp_amber
\ No newline at end of file
From b88a465cd2c768ed7210da2c7331c6235589cce9 Mon Sep 17 00:00:00 2001
From: ianwalkersmithciticom
Date: Wed, 18 Dec 2024 09:02:03 -0300
Subject: [PATCH 3/7] clean-up and nist ref
---
 services/database/relational/controls.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/database/relational/controls.yaml b/services/database/relational/controls.yaml
index 529c7c2d..b423124d 100644
--- a/services/database/relational/controls.yaml
+++ b/services/database/relational/controls.yaml
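Review bot: The test requirement added under CCC.RDMS.C02 carries the id `CCC.RDMS.C01.TR02`, which namespaces it under C01 and would collide with any second test requirement of that control; it should be `- id: CCC.RDMS.C02.TR01`, and the same stale id is still visible in the later hunks of this series that touch the control. The new C02 title and objective also misspell the requirement (`must be change`, `approporatly` — should be `must be changed`, `appropriately`), and C03 uses `control_family: data` where C01 and C02 use `Data`, so a consumer matching the family string exactly will treat it as a different family. The C02 test covers only the first half of the objective (a default-password login must fail); the secret-manager half has no test requirement, so a second one along the lines of `Verify DB admin credentials are stored in and rotated through the approved secret manager` is worth adding.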
@@ -30,7 +30,7 @@ controls:
 - tlp_red
 - tlp_amber
 - id: CCC.RDMS.C02
- title: DB admin passwords must be change from default AND password correctly managed
+ title: DB admin passwords must be change from default and the password correctly managed
 objective: |
 DB Admin passwords must be change from their default values and approporatly managed by password or secret
 managers.
@@ -40,7 +40,7 @@ controls:
 nist_csf: PR.AA-01
 control_mappings:
 NIST_800_53:
- -
+ - AC-2
 test_requirements:
 - id: CCC.RDMS.C01.TR02
 text: |
From 2c1b8a8182e743487988d148655bd7e4a9ef8b30 Mon Sep 17 00:00:00 2001
From: ianwalkersmithciticom
Date: Wed, 18 Dec 2024 09:04:00 -0300
Subject: [PATCH 4/7] white-space clean
---
 services/database/relational/controls.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/database/relational/controls.yaml b/services/database/relational/controls.yaml
index b423124d..cfa2010e 100644
--- a/services/database/relational/controls.yaml
+++ b/services/database/relational/controls.yaml
@@ -29,6 +29,7 @@ controls:
 tlp_levels:
 - tlp_red
 - tlp_amber
+
 - id: CCC.RDMS.C02
 title: DB admin passwords must be change from default and the password correctly managed
 objective: |
@@ -48,10 +49,11 @@ controls:
 tlp_levels:
 - tlp_red
 - tlp_amber
+
 - id: CCC.RDMS.C03
 title: Restrict snapshot sharing to authorized accounts
 objective: |
- Ensure snapshots are only shared with explicitly authorized account to limit data exposure and reduce data
+ Ensure snapshots are only shared with explicitly authorized account to limit data exposure and reduce data
 exfiltration
 control_family: data
 threats:
@@ -66,4 +68,4 @@ controls:
 Attempt to share snapshot with unauthorized account and attempt is denied
 tlp_levels:
 - tlp_red
- - tlp_amber
\ No newline at end of file
+ - tlp_amber
From 801480c763db4d3080ac5cf52724921422e20c38 Mon Sep 17 00:00:00 2001
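Review bot: The retitled C02 line in the first hunk still reads `must be change`; it should be `title: DB admin passwords must be changed from default and the password correctly managed` (the objective lines below it, context here, carry the same typo). In the second hunk the empty `NIST_800_53` entry is filled with `AC-2` (Account Management); the control is about replacing default credentials and managing passwords, which NIST SP 800-53 places under IA-5 (Authenticator Management), so the mapping should at least add `- IA-5`.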
From: ianwalkersmithciticom
Date: Wed, 18 Dec 2024 09:07:02 -0300
Subject: [PATCH 5/7] white-space clean
---
 services/database/relational/controls.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/database/relational/controls.yaml b/services/database/relational/controls.yaml
index cfa2010e..29387cfb 100644
--- a/services/database/relational/controls.yaml
+++ b/services/database/relational/controls.yaml
@@ -29,7 +29,7 @@ controls:
 tlp_levels:
 - tlp_red
 - tlp_amber
-
+
 - id: CCC.RDMS.C02
 title: DB admin passwords must be change from default and the password correctly managed
 objective: |
From 243de61ec0d190b16fdb5e2b9ab4632bbdb3bd38 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Mon, 20 Jan 2025 05:33:01 -0800
Subject: [PATCH 6/7] Apply suggestions from code review
---
 services/database/relational/controls.yaml | 6 +++---
 services/database/relational/threats.yaml | 16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/services/database/relational/controls.yaml b/services/database/relational/controls.yaml
index 29387cfb..c71de1f0 100644
--- a/services/database/relational/controls.yaml
+++ b/services/database/relational/controls.yaml
@@ -11,7 +11,7 @@ common_controls:
 controls:
 - id: CCC.RDMS.C01
- title: Backup database to alternative trust-zone
+ title: Backup Database to Alternative Trust-Zone
 objective: |
 Ensure that databases are backed up and the backup is outside of the applications trust-zone
 control_family: Data
@@ -31,7 +31,7 @@ controls:
 - tlp_amber
 - id: CCC.RDMS.C02
- title: DB admin passwords must be change from default and the password correctly managed
+ title: Password Management
 objective: |
 DB Admin passwords must be change from their default values and approporatly managed by password or secret
 managers.
@@ -51,7 +51,7 @@ controls:
 - tlp_amber
 - id: CCC.RDMS.C03
- title: Restrict snapshot sharing to authorized accounts
+ title: Restrict Snapshot Sharing to Authorized Accounts
 objective: |
 Ensure snapshots are only shared with explicitly authorized account to limit data exposure and reduce data
 exfiltration
diff --git a/services/database/relational/threats.yaml b/services/database/relational/threats.yaml
index e9bbec7b..d71af7ae 100644
--- a/services/database/relational/threats.yaml
+++ b/services/database/relational/threats.yaml
@@ -13,7 +13,7 @@ common_threats:
 threats:
 - id: CCC.RDMS.TH01
- title: Unauthorized access to database
+ title: Unauthorized Access to Database
 description: |
 A threat actor gains unauthorized access to the cloud relational database by using a compromised role or using default administrative credentials.
@@ -25,7 +25,7 @@ threats:
 - T1552
 - id: CCC.RDMS.TH02
- title: Unauthorized cross organization snapshot collection
+ title: Unauthorized Cross Organization Snapshot Collection
 description: |
 A threat actor initiates a snapshot collection activity using a privileged role and copies the snapshot outside of the organization, which allows for data exfiltration and theft.
@@ -38,7 +38,7 @@ threats:
 - T1530
 - id: CCC.RDMS.TH03
- title: Disabled logging & monitoring
+ title: Disabled Logging & Monitoring
 description: |
 A threat actor disables the logging and monitoring of the relational database, which allows evasion and removes traces of malicious actions.
@@ -50,7 +50,7 @@ threats:
 - T1562
 - id: CCC.RDMS.TH04
- title: Unauthorized configuration modification
+ title: Unauthorized Configuration Modification
 description: A threat actor attempts to make changes to the configuration of the cloud RDMS with a malicious role.
 features:
 - CCC.RDMS.F01 # SQL Support
@@ -61,7 +61,7 @@ threats:
 - T1548
 - id: CCC.RDMS.TH05
- title: Unencrypted connection to database
+ title: Unencrypted Connection To Database
 description: |
 An end-user connects to the database over HTTP, which is susceptible to network sniffing attacks and other exploits.
@@ -73,7 +73,7 @@ threats:
 - T1040
 - id: CCC.RDMS.TH06
- title: Snapshot collection with unauthorized encryption key
+ title: Snapshot Collection with Unauthorized Encryption Key
 description: |
 A threat actor attempts to perform snapshot collection using a non-default encryption key associated with the RDMS.
@@ -101,7 +101,7 @@ threats:
 - T1485
 - id: CCC.RDMS.TH15
- title: Brute force attack against the database
+ title: Brute Force Attack Against the Database
 description: |
 threat actor uses brute force attack to discover database user password, threat actor then has access to the
@@ -112,7 +112,7 @@ threats:
 - T1110
 - id: CCC.RDMS.TH16
- title: Database backups stopped
+ title: Database Backups Stopped
 description: |
 Threat actor stops database backups from occuring
 to inhibit system recovery.
 features:
From a356c25a4dc25bdb91128215eb1d72153ab72d3c Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Mon, 20 Jan 2025 08:00:34 -0600
Subject: [PATCH 7/7] corrected control IDs
Signed-off-by: Eddie Knight
---
 services/database/relational/controls.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/database/relational/controls.yaml b/services/database/relational/controls.yaml
index 1362df10..b3381373 100644
--- a/services/database/relational/controls.yaml
+++ b/services/database/relational/controls.yaml
@@ -87,7 +87,7 @@ controls:
 - tlp_red
 - tlp_amber
- - id: CCC.RDMS.C02
+ - id: CCC.RDMS.C04
 title: Password Management
 objective: |
 DB Admin passwords must be change from their default values and approporatly managed by password or secret
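Review bot: The new TH05 title capitalises the preposition (`Unencrypted Connection To Database`) while the other titles rewritten in this commit keep short prepositions lowercase (`Unauthorized Access to Database`, `Snapshot Collection with Unauthorized Encryption Key`); for consistency it should be `title: Unencrypted Connection to Database`.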
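Review bot: Renumbering the control id to CCC.RDMS.C04 here (and to CCC.RDMS.C05 in the next hunk) does not touch the nested `test_requirements` ids, which sit below the hunk; if they still read `CCC.RDMS.C01.TR02` and `CCC.RDMS.C03.TR01` as introduced earlier in this series, they should become `- id: CCC.RDMS.C04.TR01` and `- id: CCC.RDMS.C05.TR01` so each test id follows its control. The enclosing control entry continues past the hunk.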
@@ -107,7 +107,7 @@ controls:
 - tlp_red
 - tlp_amber
- - id: CCC.RDMS.C03
+ - id: CCC.RDMS.C05
 title: Restrict Snapshot Sharing to Authorized Accounts
 objective: |
 Ensure snapshots are only shared with explicitly authorized account to limit data exposure and reduce data