src/main/resources/threats-library/default-threats-library.yml

name: Default Threats Library
version: 1.0.0

rules:
  - information-disclosure-in-transit
    title: Information Disclosure and Tampering in Transit for {flow.name}
    severity: Medium
    categories: information-disclosure, tampering
    owasp: cryptographic-failures
    expression: (flow.encryption == no) or (flow.encryption == undefined)
    exclude: flow.inScope == false
    description: In network eavesdropping attacks, hackers look for weak connections between clients and servers. By exploiting these weak connections, hackers intercept data packets traversing the network. Any network, web or email traffic, if not encrypted, can be read by the hacker.
    remediation: Ensure strong TLS is configured for the {flow.name} connection

  - information-disclosure-at-rest
    title: Information Disclosure and Tampering at Rest for {target.name}
    severity: High
    categories: information-disclosure, tampering
    owasp: cryptographic-failures
    expression: (target.type == database) and ((target.storedAssets contain sensitive) or (target.storedAssets contain undefined))
    exclude: flow.inScope == false
    description: In case if an attacker can access lost, stolen, or inappropriately decommissioned hardware, or copy the entire filesystem from the server and run it on its own hardware, as a result the sensitive assets stored in {target.name} will be compromised
    remediation: 1. Ensure sensitive information is encrypted at rest level in {target.name} using recommended algorithms 2. Ensure encryption keys are properly protected (for example, stored at Vault)

  - database-broad-development-team-access
    title: {target.name} broad development team access
    severity: Medium
    categories: information-disclosure, tampering
    owasp: broken-access-control
    expression: target.type == database
    exclude: flow.inScope == false
    description: In case if broad product development team has unrestricted access to the production environment, the chances of sensitive information disclosure or the whole system compromise are increasing
    remediation: 1. Ensure only limited number of trusted employees has access to the production environment 2. Consider transfering the production support to the special dedicated team 3. Consider usage of the solutions like Bastion Hosts and privilege access management systems for the production env access

  - anonymous-access
    title: Anonymous access to {target.name}
    severity: High
    categories: spoofing, information-disclosure
    owasp: broken-access-control
    expression: (flow.authenticationMethod == anonymous) or (flow.authenticationMethod == undefined)
    exclude: flow.inScope == false
    description: In case of if anonymous access to {target.name} is enabled, a potential attacker can gather additional information about the target using this public-available source
    remediation: 1. Enumerate all the publicly-accessible entrypoints on {target.name} 2. Consider access-control protection for the entrypoints with unwanted anonymous access

  - weak-authentication-method
    title: Weak authentication method for {target.name} access
    severity: High
    categories: spoofing
    owasp: identification-and-authentication-failures
    expression: flow.authenticationMethod == undefined
    exclude: flow.inScope == false
    description: In case of weak authentication for {target.name} connection, a potential attacker can easily spoof another users identity or gain access to any accounts credentials
    remediation: Consider usage of strong authentication method for {target.name} access (OpenID, Kerberos, etc)

  - ntlm-protocol-usage
    title: NTLM protocol usage for {target.name} access
    severity: Medium
    categories: spoofing
    owasp: identification-and-authentication-failures
    expression: flow.authenticationMethod == ntlm
    exclude: flow.inScope == false
    description: The challenge with having NTLM in your network is that it is easily exploitable and puts an organization at risk for a breach
    remediation: 1. Ensure LM and NTLMv1 are disabled completely, allowing only the safer NTLMv2 (at least it mitigates some of the replay attacks) or use Kerberos if it is possible 2. If you cant disable the protocol, start with auditing all NTLM traffic, followed by analysis of servers and users that use NTLM, and ultimately determining which uses can be abandoned and which should be set as an exception after restricting NTLM

  - credentials-brute-force
    title: {target.name} credentials brute-force
    severity: High
    categories: spoofing
    owasp: identification-and-authentication-failures
    expression: (flow.authenticationMethod == credentials) or (flow.authenticationMethod == basic)
    exclude: (flow.inScope == false) or (target.type == database)
    description: In case of basic or simple password authentication on {target.name} side, a potential attacker can brute-force weak credentials and hijack any account
    remediation: 1. Consider usage of rate-limit protection on {target.name} side 2. (If applicable) Consider usage of MFA on {target.name} side

  - default-account-disabling
    title: {target.name} default account disabling
    severity: High
    categories: spoofing, elevation-of-privilege
    owasp: security-misconfiguration
    expression: target.type == database
    exclude: flow.inScope == false
    description: A default account for {target.name} (for example, admin, root, sa, postgre, etc) may be used by an attacker to gain access to the information and assets stored in the storage
    remediation: Ensure the default account is not used or disabled/locked-out on {target.name} side

  - admin-access-hijacking
    title: {target.name} administrative access hijacking
    severity: High
    categories: spoofing, elevation-of-privilege
    owasp: broken-access-control, identification-and-authentication-failures
    expression: flow.authorization == admin
    exclude: flow.inScope == false
    description: In case if potential attacker can hijack administrative account to {target.name} or compromise it, he will gain an unlimited access to {target.name} data and functional assets
    remediation: 1. Consider protection of administrative accounts with MFA on {target.name} side if it is possible 2. Consider administrative account lockout, replacement by least-privilege account or permissions limitation

  - excessive-permissions
    title: {target.name} access with excessive permissions
    severity: Medium
    categories: elevation-of-privilege
    owasp: broken-access-control
    expression: (flow.authorization == admin) or (flow.authorization == readWrite)
    exclude: (flow.inScope == false) or (source.type == proxyServer) or (target.type == proxyServer)
    description: If {source.name} has excessive permissions (admin, root, etc) for {target.name} connection, in case of {source.name} compromise, a potential attacker can gain access to an extra permissions on {target.name}
    remediation: 1. Ensure least-privilege account (for example, read-only) is used by {target.name} for {source.name} connection with fine-grained access only to the required operations and assets 2. Ensure deny by default principle is followed

  - local-account-management
    title: Local account management on {target.name}
    severity: Medium
    categories: spoofing, elevation-of-privilege
    owasp: identification-and-authentication-failures
    expression: (flow.accountManagement == localAccount) or (flow.accountManagement == undefined)
    exclude: (flow.inScope == false) or (source within demilitarized-zone) or (source within closed-perimeter)
    description: In case of inappropriate account management on {target.name} side (for example, if account credentials are stored at {target.name} configuration file), it can lead to weak password complexity or rotation issues, that can be used by an attacker to brute force the credentials or for accounts enumeration
    remediation: Consider transferring the responsibility of account management to centralized SSO or Identity and Access Management system

  - storage-in-dmz
    title: {target.name} in DMZ
    severity: High
    categories: elevation-of-privilege, information-disclosure, tampering
    owasp: insecure-design
    expression: (target.type == database) and (target within demilitarized-zone)
    exclude: flow.inScope == false
    description: In case the storage with sensitive information is located in a DMZ, it can be easily discovered and attacked by an internal as well as an external threat agent
    remediation: Consider placing {target.name} in a secure isolated from internet access segment or in a internal private sub-net

  - storage-broad-company-network-access
    title: Broad {target.name} access from the Company network
    severity: Medium
    categories: elevation-of-privilege, information-disclosure, tampering
    owasp: insecure-design
    expression: (target.type == database) and (source within corporate-network)
    exclude: flow.inScope == false
    description: In case if there are no restrictions for {target.name} connection from the whole Company internal network, the chances of sensitive information disclosure in {target.name} or the whole system compromise are increasing due to insider or rogue employee threat
    remediation: Whitelist connection to {target.name} with firewall rules or Network ACL to restrict access to storage by anyone and from anywhere within the internal Company network

  - storage-access-from-the-internet
    title: {target.name} exposed to the Internet
    severity: High
    categories: elevation-of-privilege, information-disclosure, tampering
    owasp: insecure-design
    expression: (target.type == database) and (source within global-network)
    exclude: flow.inScope == false
    description: In case if {target.name} exposed to the Internet, it can be easily discovered by an attacker that usually lead to sensitive information disclosure or the whole system compromise
    remediation: 1. Do not expose {target.name} to the Internet directly if it is possible 2. Consider placing {target.name} in a secure isolated from internet access segment or in a internal private sub-net

  - dos-attack
    title: {target.name} Denial-of-Service (DoS) attack possibility
    severity: Medium
    categories: denial-of-service
    owasp: insecure-design
    expression: ((target.type == proxyServer) or (target.type == webServer)) and (source within global-network)
    exclude: flow.inScope == false
    description: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash
    remediation: 1. Create a DoS Response Plan 2. Continuous monitor the Network Traffic 3. Consider usage a specialized solutions like Cloudflare, AWS Shield, etc

  - sql-nosql-injection
    title: {target.name} (No)SQL Injection
    severity: High
    categories: information-disclosure, tampering
    owasp: injection
    expression: (target.type == database) and (source.type == webServer)
    exclude: flow.inScope == false
    description: Successful SQLi attacks allow attackers to modify database information, access sensitive data, execute admin tasks on the database, and recover files from the system. In some cases attackers can issue commands to the underlying database operating system.
    remediation: 1. If {source.name} application is developed by you, review that Object Relational Mapping Tools (ORMs) usage best practices are followed, sanitize user-provided input for special chars and use positive server-side input validation 2. In case {source.name} application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - ldap-injection
    title: LDAP Injection
    severity: High
    categories: information-disclosure, tampering
    owasp: injection
    expression: flow.authenticationMethod == ldap
    exclude: flow.inScope == false
    description: Successful LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree.
    remediation: 1. If the application is developed by you, review that you escape all variables using the right LDAP encoding function or use a framework (like LINQtoLDAP) that escapes automatically  2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - cross-site-scripting
    title: {target.name} Cross-site scripting
    severity: High
    categories: information-disclosure, tampering
    owasp: injection
    expression: target.type == webServer
    exclude: flow.inScope == false
    description: Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
    remediation: 1. If {target.name} application is developed by you, use a framework santitization mechanism to be sure that you escape all output channels where user-provided input reflection is possible 2. Be sure that mandatory Browser Security Headers like X-XSS-Protection and Content-Security-Policy are set 3. Ensure session cookies have httpOnly flag were it is possible 4. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - api-abuse
    title: {target.name} API abuse
    severity: High
    categories: spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
    owasp: insecure-design, broken-access-control
    expression: target.type == webServer
    exclude: flow.inScope == false
    description: Successful attack on API could result in unauthorized access to app;ocatopm functions and data, information leakage or remote code execution
    remediation: 1. If the application is developed by you, ensure {target.name} API is followed OWASP API Security TOP 10 recommendations  2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - supply-chain-attack
    title: Supply chain attack on {target.name}
    severity: High
    categories: spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
    owasp: software-and-data-integrity-failures
    expression: (target.type == externalService) or (target.type == internalService)
    exclude: flow.inScope == false
    description: Supply chain attacks are designed to exploit trust relationships between an organization and external parties. These relationships could include partnerships, vendor relationships, or the use of third-party software. Cyber threat actors will compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations environments.
    remediation: 1. Request {target.name} Vendor for the actual security and audit report to be sure that the service is developed according to the industry security best practices

  - logging-file-sensitive-information-leakage
    title: {target.name} logging file sensitive information leakage
    severity: Medium
    categories: information-disclosure
    owasp: security-logging-and-monitoring-failures
    expression: (target.type == webServer) or (target.type == process)
    exclude: flow.inScope == false
    description: Logging files is a potential place for information leakage - they are often shared between different teams and, in case of sensitive information logging (credentials, tokens, PII, etc.), it can be used by Threat Actor
    remediation: 1. If {target.name} application is developed by you, ensure {target.name} logging file contains no sensitive information logged (users credentials, tokens, cookies, PII, etc.) 2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - configuration-file-secrets-leakage
    title: {target.name} configuration file secrets leakage
    severity: Medium
    categories: information-disclosure
    owasp: security-misconfiguration
    expression: (target.type == webServer) or (target.type == process)
    exclude: flow.inScope == false
    description: Configuration files is a potential place for information leakage - they are often shared between different teams and, in case the file contains any passwords or secrets to database, services, private keys, etc these secrets will be compromised
    remediation: 1. If {target.name} application is developed by you, consider storage of {target.name} secrets in a Secret Management System or Secrets Vault 2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - process-compromise
    title: {target.name} compromise
    severity: Medium
    categories: elevation-of-privilege
    owasp: security-misconfiguration
    expression: target.type == process
    exclude: flow.inScope == false
    description: In case if {target.name} runs under root or admin service account and it will be compromised, it may allow an attacker to gain access to any operation or asset with administrative permissions
    remediation: 1. Consider running {target.name} under dedicated service account with limited permissions

  - security-misconfiguration
    title: {target.name} Security misconfiguration
    severity: High
    categories: spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
    owasp: security-misconfiguration
    expression: (target.type == webServer) or (target.type == proxyServer) or (target.type == database)
    exclude: flow.inScope == false
    description: In case if {target.name} unproperly configured (for example, unused vulnerable feature is enabled or unnecessary port is opened), it can be used by an attacker to gain access to the organization's data or secrets
    remediation: 1. Consider hardening {target.name} according to the internationally recognized security standards (for example, follow CIS Benchmark guideline for your database or webserver)

  - insecure-implementation
    title: {target.name} Insecure implementation
    severity: High
    categories: spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
    owasp: insecure-design
    expression: (target.type == webServer) or (target.type == process)
    exclude: flow.inScope == false
    description: Mistakes or security coding standards non-compliance during {target.name} development process (for example, weak encryption or hashing alghorithms is used) may lead to the application's data or secrets compromise
    remediation: 1. If {target.name} application is developed by you, consider following recognized guidelines or coding practices (for example, OWASP Secure Coding Practices guide) and regular application scan by Static Application Security Testing (SAST) tool  2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - vulnerable-outdated-components
    title: {target.name} Vulnerable or Outdated components or libraries
    severity: High
    categories: spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
    owasp: vulnerable-and-outdated-components, software-and-data-integrity-failures
    expression: (target.type == webServer) or (target.type == process)
    exclude: flow.inScope == false
    description: Open source components or libraries used by {target.name} application tends to have vulnerabilities that might impact your data and organization. These are weak or vulnerable code that allows attackers to conduct malicious attacks or perform unintended actions that are not authorized
    remediation: 1. If {target.name} application is developed by you, consider usage only trusted external open source libraries during development process and regular scan with Software Composition Analysis (SCA) tool 2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - audit-logging-and-monitoring-failures
    title: {target.name} Audit logging and Monitoring Failures
    severity: Medium
    categories: repudiation
    owasp: security-logging-and-monitoring-failures
    expression: (source.type == externalService) or (source.type == internalService) or (source.type == interactor)
    exclude: flow.inScope == false
    description: Without audit logging and monitoring, attacks and breaches cannot be detected, furthermore it is impossible to perform the forensic if the risk will be realized
    remediation: 1. Ensure {target.name} performs audit logging of {source.name} actions in a seprate file and ships it to Security information and event management (SIEM) system 2. Ensure important auditable events, such as logins, failed logins, and high-value transactions, are logged 3. Ensure audit logs are protected properly with authorization and integrity checks

  - server-side-request-forgery
    title: {target.name} Server-Side Request Forgery
    severity: Medium
    categories: spoofing, information-disclosure, elevation-of-privilege
    owasp: server-side-request-forgery
    expression: target.type == webServer
    exclude: flow.inScope == false
    description: In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials. The severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
    remediation: 1. If {target.name} application is developed by you, that the application sanitize and validate all client-supplied input data, enforces the URL schema, port, and destination with a positive allow list and doesn't send raw responses to clients  2. In case the application is provided and maintained by 3rd-party Vendor, request the Vendor for the actual security and audit report to be sure that the application is developed according to the industry security best practices

  - infrastructure-security-misconfiguration
    title: Application Infrastructure Security Misconfiguration
    severity: High
    categories: spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
    owasp: insecure-design, security-misconfiguration
    expression: (source within global-network) and ((target within demilitarized-zone) or (target within corporate-network) or (target within closed-perimeter))
    exclude: flow.inScope == false
    description: In case if the application environment unproperly configured (for example, unnecessary port is opened or unused vulnerable services are enabled), these weakneses can be used by an attacker to gather additional information about application components or to gain full access to the application's data or secrets in the worst case
    remediation: 1. If the application is hosted on-prem, consider hardening the application machines and the infrastructure according to the industry security best practice (for example, use CIS Benchmarks for Windows, Linux application machines or CIS Benchmark for Docker, Kubernetes for containerized environment)  2. If the application is hosted on-cloud, consider following the security best practices for your type of Cloud (for example, CIS Benchmark for AWS, GCP or Azure)