mapping_objects:
- attack_object_id: T1176
  attack_object_name: Software Extensions
  capability_description: Supply Chain Data Security Assessment
  capability_group: STA
  capability_id: STA-16
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Supply Chain Data Security Assessment
  capability_group: STA
  capability_id: STA-16
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Supply Chain Data Security Assessment
  capability_group: STA
  capability_id: STA-16
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Supply Chain Data Security Assessment
  capability_group: STA
  capability_id: STA-16
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to:\n\"(c) documentation\
    \ and testing of the specific technical controls implemented to support the product\
    \ or service (e.g., identity and access management, network design and security)\"\
    \n\"(e) software supply chain risk management practices for ensuring software\
    \ integrity, traceability, and provenance (e.g., software build practices, component\
    \ management, and use of Software Bill of Materials (SBOMs))\" \nCode Signing\
    \ can ensure the authenticity and integrity of software by digitally signing executables,\
    \ scripts, and other code artifacts."
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to:\n\"(c) documentation\
    \ and testing of the specific technical controls implemented to support the product\
    \ or service (e.g., identity and access management, network design and security)\"\
    \n\"(e) software supply chain risk management practices for ensuring software\
    \ integrity, traceability, and provenance (e.g., software build practices, component\
    \ management, and use of Software Bill of Materials (SBOMs))\" \nSBOMs are known\
    \ to provide transparency into software components, which may enable the identification\
    \ of vulnerable software libraries, components, or code and mitigate the injection\
    \ or execution of vulnerable or malicious code on public-facing applications or\
    \ systems. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to:\n\"(c) documentation\
    \ and testing of the specific technical controls implemented to support the product\
    \ or service (e.g., identity and access management, network design and security)\"\
    \nNetwork design and security testing (segmentation, secure protocols, egress\
    \ controls) limit an adversary\u2019s ability to move laterally or exfiltrate\
    \ via compromised software components over SMB and RDP, as well as via applications\
    \ that may be used within internal networks such as MySQL and web server services."
  mapping_type: mitigates
  references: []
- attack_object_id: T1176
  attack_object_name: Software Extensions
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code from known installed software extensions on\
    \ endpoints. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: API Security
  capability_group: AIS
  capability_id: AIS-08
  comments: This control implements measures to secure APIs. Application control, together
    with monitoring for and blocking malicious API calls, can help prevent user execution
    of malware via APIs in cloud consoles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: API Security
  capability_group: AIS
  capability_id: AIS-08
  comments: This control implements measures to secure APIs. Application control, together
    with monitoring for and blocking malicious API calls, can help prevent adversaries
    from abusing APIs to execute malicious commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: API Security
  capability_group: AIS
  capability_id: AIS-08
  comments: This control implements measures to secure APIs. Application control, together
    with monitoring for and blocking malicious API calls, can help prevent adversaries
    from abusing cloud APIs to execute malicious commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.002
  attack_object_name: Bandwidth Hijacking
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.004
  attack_object_name: Cloud Service Hijacking
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1074.002
  attack_object_name: Remote Data Staging
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.008
  attack_object_name: Clear Mailbox Data
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.004
  attack_object_name: Revert Cloud Instance
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.002
  attack_object_name: Create Cloud Instance
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.001
  attack_object_name: Create Snapshot
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.003
  attack_object_name: Delete Cloud Instance
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1567.002
  attack_object_name: Exfiltration to Cloud Storage
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.007
  attack_object_name: Disable or Modify Cloud Firewall
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1671
  attack_object_name: Cloud Application Integration
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Authorization Mechanisms
  capability_group: IAM
  capability_id: IAM-16
  comments: "This control requires both CSP and CSC to independently enforce formal\
    \ approval processes for user access and implement dynamic and explicit authorization\
    \ mechanisms. The guidance focuses on implementing technical measures to verify\
    \ authorization and prevent unauthorized access and execution. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Passwords Management
  capability_group: IAM
  capability_id: IAM-15
  comments: 'This control requires both CSP and CSC to independently enforce strong
    password management practices to protect authentication credentials and reduce
    the risk of unauthorized access. For example, credential access protection mitigation
    focuses on implementing measures to prevent adversaries from obtaining credentials,
    such as passwords, hashes, tokens, or keys, that could be used for unauthorized
    access.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Strong Authentication
  capability_group: IAM
  capability_id: IAM-14
  comments: This control requires both CSP and CSC to independently enforce multi-factor
    authentication (MFA) for all non-console administrative, remote, sensitive data,
    and third-party access, implement secure centralized authentication systems and
    digital certificates, protect credentials, monitor authentication activity, and
    ensure strong, risk-based authentication measures are consistently applied and
    reviewed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.010
  attack_object_name: Masquerade Account Name
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1585.003
  attack_object_name: Cloud Accounts
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Uniquely Identifiable Users
  capability_group: IAM
  capability_id: IAM-13
  comments: "This control requires both CSP and CSC to independently assign unique,\
    \ cryptographically secure identifiers to users, ensure traceability and accountability\
    \ for all access, including shared accounts, and implement strong access controls\
    \ and encryption for user identity data.\n\nThese mappings focus on mitigating\
    \ attacker techniques against user, service, or machine accounts within cloud\
    \ environments or identity management systems."
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: CSCs Approval for Agreed Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-11
  comments: "This control requires both CSP and CSC to collaboratively identify high-risk\
    \ data and privileged roles, enforce formal CSC approval workflows for CSP user\
    \ access, use secure PAM systems, and implement comprehensive monitoring and reporting\
    \ to ensure privileged access to sensitive CSC data is tightly controlled and\
    \ traceable.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or just-in-time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Management of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-10
  comments: "This control requires both CSP and CSC to independently manage privileged\
    \ access by enforcing time-bound approvals, formal request and justification processes,\
    \ automated revocation, session restrictions, credential vaulting and rotation,\
    \ continuous monitoring, and periodic reviews, ensuring privileged access is tightly\
    \ controlled, monitored, and limited to only what is necessary for specific roles\
    \ and timeframes.\n\nPrivileged Account Management focuses on implementing policies,\
    \ controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root,\
    \ or administrative accounts). This includes restricting access, limiting the\
    \ scope of permissions, monitoring privileged account usage, and ensuring accountability\
    \ through logging and auditing. This mitigation can be implemented through account\
    \ permissions and roles, PAM solutions, or Just-in-Time access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Segregation of Privileged Access Roles
  capability_group: IAM
  capability_id: IAM-09
  comments: "This control describes periodic, risk-based reviews of privileged accounts\
    \ and high-risk access configurations, ensuring these accounts are managed and scrutinized\
    \ to prevent unauthorized access or excessive privileges.\n\nPrivileged Account Management\
    \ focuses on implementing policies, controls, and tools to securely manage privileged\
    \ accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting\
    \ access, limiting the scope of permissions, monitoring privileged account usage,\
    \ and ensuring accountability through logging and auditing. This mitigation can be\
    \ implemented through account permissions and roles, PAM solutions, or Just-in-Time\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: User Access Review
  capability_group: IAM
  capability_id: IAM-08
  comments: This control describes the periodic review and validation of user access
    by centralizing access management, automating review processes, and continuously
    monitoring for unauthorized activities. These mitigative actions ensure that access
    rights remain appropriate, obsolete or excessive privileges are removed, and potential
    security access risks are promptly identified and mitigated. For this technique,
    administrators should perform automated reviews of all cloud and container accounts
    to ensure that they are necessary and that the permissions granted to them are
    appropriate.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: User Access Review
  capability_group: IAM
  capability_id: IAM-08
  comments: This control describes the periodic review and validation of user access
    by centralizing access management, automating review processes, and continuously
    monitoring for unauthorized activities. These mitigative actions ensure that access
    rights remain appropriate, obsolete or excessive privileges are removed, and potential
    security access risks are promptly identified and mitigated. For this technique,
    ensure only authorized keys are allowed access to critical resources and perform
    automated reviews of access lists regularly.
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: User Access Review
  capability_group: IAM
  capability_id: IAM-08
  comments: This control describes the periodic review and validation of user access
    by centralizing access management, automating review processes, and continuously
    monitoring for unauthorized activities. These mitigative actions ensure that access
    rights remain appropriate, obsolete or excessive privileges are removed, and potential
    security access risks are promptly identified and mitigated. For this technique,
    administrators should perform automated reviews of all cloud and container accounts
    to ensure that they are necessary and that the permissions granted to them are
    appropriate.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: User Access Review
  capability_group: IAM
  capability_id: IAM-08
  comments: This control describes the periodic review and validation of user access
    by centralizing access management, automating review processes, and continuously
    monitoring for unauthorized activities. These mitigative actions ensure that access
    rights remain appropriate, obsolete or excessive privileges are removed, and potential
    security access risks are promptly identified and mitigated. For this technique,
    administrators should perform an automated review of all access lists and the
    permissions they have been granted to access web applications and services. This
    should be done extensively on all resources in order to establish a baseline,
    followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials
    should be investigated and removed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: User Access Review
  capability_group: IAM
  capability_id: IAM-08
  comments: "This control describes the periodic review and validation of user access\
    \ by centralizing access management, automating review processes, and continuously\
    \ monitoring for unauthorized activities. These mitigative actions ensure that\
    \ access rights remain appropriate, obsolete or excessive privileges are removed,\
    \ and potential security access risks are promptly identified and mitigated. For\
    \ this technique, conduct automated permissions reviewing on cloud storage to\
    \ ensure proper permissions are set to deny open or unprivileged access to resources.\
    \ \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: User Access Provisioning
  capability_group: IAM
  capability_id: IAM-06
  comments: 'This control describes the implementation of a secure and controlled
    user access provisioning process. Proper user account management reduces the attack
    surface by limiting unauthorized access to data, assets, and systems. Managing
    account access authorizations can reduce the risk of privilege escalation by ensuring
    accounts cannot perform unauthorized actions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Application controls can help prevent the running of executables masquerading
    as other files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Application controls to block unknown programs can limit adversaries from adding
    content to shared storage locations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Use of application control, especially regarding the execution of tools outside
    of security policies, and ensuring that only approved security applications are
    used can prevent adversaries from maliciously modifying an environment to hinder
    or disable security tools.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Use of application control, especially regarding the execution of tools outside
    of security policies, and ensuring that only approved security applications are
    used can prevent adversaries from maliciously modifying an environment to hinder
    or disable defensive mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Use of application control and disabling or removing any unnecessary or unused
    shells or interpreters can mitigate adversary use of cloud APIs to execute malicious
    commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Use of application control and disabling or removing any unnecessary or unused
    shells or interpreters can mitigate adversary use of command and script interpreters
    to execute malicious commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Restricting access to sensitive data such as CloudFormation templates
    and preventing a user's command history from being stored can prevent adversaries
    from obtaining insecurely stored credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Restricting access to cloud resources and APIs can reduce the risk of adversaries
    modifying authentication mechanisms and processes to access user credentials or
    enable otherwise unwarranted access to accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Implement application controls and technical controls to prevent adversaries from
    disabling versioning and backup policies and deleting files involved in disaster
    recovery scenarios.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Configuring access to critical servers and systems used to create and manage accounts
    can prevent adversaries from creating accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Configuring access to critical servers by limiting unnecessary protocols and services
    and removing unnecessary and potentially abusable authentication and authorization
    mechanisms can mitigate account manipulation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Secure system settings can help prevent adversaries from circumventing mechanisms
    designed to control elevated privileges and gain higher-level permissions. Performing
    regular software updates also mitigates exploitation risk.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: OS Hardening and Base Controls
  capability_group: I&S
  capability_id: I&S-04
  comments: This control implements secure configuration best practices for hardening
    cloud platforms to mitigate adversary exploitation and abuse of system functionality.
    Preventing accounts from being enumerated and limiting accessible interfaces to
    obtain user lists can prevent adversaries from identifying valid email addresses
    and account names.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Ensuring that all traffic is encrypted, using best practices
    for authentication protocols, and protecting web traffic with SSL/TLS can help
    prevent an adversary from capturing information, such as user credentials and
    network characteristics, through network sniffing.
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to restrict external network access and mitigate adversary
    use of fallback or alternative communication channels. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or unexpected
    protocol standards and traffic flows can be used to mitigate activity at the network
    level. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or unexpected
    protocol standards and traffic flows can be used to mitigate activity at the network
    level. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or unexpected
    protocol standards and traffic flows can be used to mitigate activity at the network
    level. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or unexpected
    protocol standards and traffic flows can be used to mitigate activity at the network
    level. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring firewalls to filter network traffic to untrusted
    domains or hosts can prevent encapsulating a protocol within another protocol
    for communication. Network intrusion detection and prevention systems that use
    network signatures to identify traffic for specific adversary malware and unexpected
    protocol standards or traffic flows can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. This includes implementing access controls and firewalls
    and using cloud-based segmentation at each layer of the cloud network (virtual
    private cloud [VPC], subnet, and application level). Filtering network traffic
    to prevent use of protocols across the network boundary that are unnecessary can
    prevent the use of an OSI non-application layer protocol for communication. Network
    intrusion detection and prevention systems that use network signatures to identify
    traffic for specific adversary malware and uncommon patterns or flows can be used
    to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Tools
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Firewalls and proxies can be configured to limit outgoing
    traffic to sites and services used by remote access software. In addition, network
    intrusion detection and prevention systems that use network signatures may be
    able to prevent traffic to remote access services. Virtual private cloud (VPC)
    security groups and network access control lists (NACLs) can also be used to limit
    traffic between systems and mitigate abuse of remote access tools.
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. This includes ensuring that unnecessary ports and services
    are closed to prevent risk of discovery and potential exploitation. In addition,
    network intrusion prevention devices can be configured to detect and prevent remote
    service scans.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: 'This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or unusual data
    transfer over known tools and protocols can be used to mitigate activity at the
    network level. Virtual private cloud (VPC) security groups and network access
    control lists (NACLs) can be used to limit traffic between systems and mitigate
    the transfer of tools or other files. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for adversary command and control infrastructure,
    unexpected network connections or traffic, and malware can be used to mitigate
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.001
  attack_object_name: Standard Encoding
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or uncommon data
    flows can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring firewalls and proxies to limit outgoing traffic
    to only necessary ports for that particular network segment can prevent the use
    of a protocol and port pairing that is not typically used for communication.
    Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware and unexpected patterns or
    protocols can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring access controls, network firewalls, and IP-based
    restrictions for accessing cloud resources helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring access controls, network firewalls, and IP-based
    restrictions for accessing cloud resources helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring access controls, network firewalls, and IP-based
    restrictions for accessing cloud resources helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or uncommon data
    flows can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring SNMPv3 to use the highest level of security
    (authPriv) available and applying extended ACLs to block unauthorized protocols
    outside the trusted network can protect configuration repositories. In addition,
    network intrusion prevention devices can be configured to block SNMP queries and
    commands from unauthorized sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring SNMPv3 to use the highest level of security
    (authPriv) available and applying extended ACLs to block unauthorized protocols
    outside the trusted network can protect configuration repositories. In addition,
    network intrusion prevention devices can be configured to block SNMP queries and
    commands from unauthorized sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or uncommon data
    flows can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring access controls, network firewalls, and IP-based
    restrictions for accessing cloud resources helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level, such as adversary use of OSI application
    layer protocols to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level, such as adversary use of the Domain Name
    System (DNS) application layer protocol to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level, such as adversary use of application layer
    protocols associated with electronic mail delivery to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level, such as adversary use of application layer
    protocols associated with transferring files to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level, such as adversary use of application layer
    protocols associated with web traffic to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.002
  attack_object_name: Non-Standard Encoding
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware or uncommon data
    flows can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: 'This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    can identify traffic patterns indicative of AiTM activity can be used to mitigate
    activity at the network level. Ensuring that all traffic is appropriately encrypted
    can mitigate AiTM activity, or at least limit its scope. Network appliances
    and security software can be used to block network traffic that is not necessary
    within the environment, such as legacy protocols that may be leveraged for AiTM
    conditions. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Configuring SNMPv3 to use the highest level of security
    (authPriv) available and applying extended ACLs to block unauthorized protocols
    outside the trusted network can protect configuration repositories. In addition,
    network intrusion prevention devices can be configured to block SNMP queries and
    commands from unauthorized sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Network Security
  capability_group: I&S
  capability_id: I&S-03
  comments: This control provides for monitoring, encrypting, and restricting communications
    between environments. Network intrusion detection and prevention systems that
    use network signatures to identify traffic for specific malware can be used to
    mitigate activity at the network level, such as adversary use of publish/subscribe
    (pub/sub) application layer protocols to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level). Configuring firewalls and proxies to limit
    outgoing traffic to only necessary ports and through proper network gateway systems,
    and ensuring hosts are provisioned to communicate only over authorized interfaces,
    can prevent the use of an OSI non-application layer protocol for communication. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level). Restricting access to domain controllers
    and systems used for account creation and management through access controls,
    firewalls, and separate VPC instances mitigates the ability of adversaries to
    create unauthorized accounts. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level)
    to protect critical servers and devices from discovery and exploitation. In addition,
    network intrusion prevention devices can be configured to detect and prevent remote
    service scans.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level). Network proxies, gateways, and firewalls
    can be used to deny direct remote access to internal systems. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to isolate infrastructure components that do not require
    broad network access, limiting attacks that leverage trusted relationships.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. This includes using cloud-based segmentation at each layer of the
    cloud network (virtual private cloud [VPC], subnet, and application level). If
    an application is hosted on cloud-based infrastructure, VPC security perimeters
    can segment resources to further reduce access and operate in logically separate
    environments, limiting exposure.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level). Configuring firewalls and proxies to limit
    outgoing traffic to only necessary ports for that particular network segment can
    prevent the use of protocol and port pairings that are not typically associated
    with each other. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. Configuring access controls and network firewalls to enforce restrictions
    on accessing cloud resources, while allowing only essential ports and traffic,
    helps mitigate the risk of alternative exfiltration through cloud services. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. Configuring access controls and network firewalls to enforce restrictions
    on accessing cloud resources, while allowing only essential ports and traffic,
    helps mitigate the risk of alternative exfiltration through cloud services. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. Configuring access controls and network firewalls to enforce restrictions
    on accessing cloud resources, while allowing only essential ports and traffic,
    helps mitigate the risk of alternative exfiltration through cloud services. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Access controls, firewalls, and cloud-based segmentation can be
    used to isolate and protect configuration repositories. In addition, network intrusion
    prevention devices can be configured to block SNMP queries and commands from unauthorized
    sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Access controls, firewalls, and cloud-based segmentation can be
    used to isolate and protect configuration repositories. In addition, network intrusion
    prevention devices can be configured to block SNMP queries and commands from unauthorized
    sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level). Restricting access to domain controllers
    and systems used for account creation and management through access controls,
    firewalls, and separate VPC instances mitigates the ability of adversaries to
    create unauthorized accounts. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. Configuring access controls and network firewalls to enforce restrictions
    on accessing cloud resources, while allowing only essential ports and traffic,
    helps mitigate the risk of alternative exfiltration through cloud services. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level).
    Segmentation can be implemented to deny direct access to broadcast and multicast
    traffic, preventing sniffing and information capture.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level) to filter traffic based on security rules.
    Limiting access to critical systems and domain controllers can mitigate adversary
    use of account manipulation to maintain and/or elevate access to systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Network segmentation can be used to isolate infrastructure components
    that do not require broad network access. This may mitigate AiTM activity, or at
    least limit its scope.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Access controls, firewalls, and cloud-based segmentation can be
    used to isolate and protect configuration repositories. In addition, network intrusion
    prevention devices can be configured to block SNMP queries and commands from unauthorized
    sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. This includes implementing access controls and firewalls and using
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level) to filter traffic based on security rules.
    Limiting access to critical systems and domain controllers can mitigate adversary
    use of account manipulation to maintain and/or elevate access to systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Isolation of critical network systems through use of cloud-based
    segmentation, virtual private cloud (VPC) security groups, network access control
    lists (NACLs), and firewalls can mitigate abuse of centralized software suites.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. This includes using cloud-based segmentation at each layer of the
    cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting
    networks and systems reduces access to critical systems and services, mitigating
    exploitation via remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: 'This control provides for appropriately segmented and segregated cloud
    environments. Configuring firewalls to filter network traffic to untrusted domains
    or hosts can prevent encapsulating a protocol within another protocol for communication. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate the transfer
    of tools or other files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Virtual private cloud (VPC) security groups and network access control
    lists (NACLs) can be used to limit traffic between systems and mitigate use of
    a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Tools
  capability_description: Segmentation and Segregation
  capability_group: I&S
  capability_id: I&S-06
  comments: This control provides for appropriately segmented and segregated cloud
    environments. Firewalls and proxies can be configured to limit outgoing traffic
    to sites and services used by remote access software. Virtual private cloud (VPC)
    security groups and network access control lists (NACLs) can also be used to limit
    traffic between systems and mitigate abuse of remote access tools.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: This control provides for implementation of endpoint storage encryption.
    Encryption ensures the confidentiality of data such as credentials, preventing
    unauthorized access. When possible, keys should be stored on separate cryptographic
    hardware instead of on the local system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: This control provides for implementation of endpoint storage encryption.
    Encryption ensures the confidentiality of data such as credentials, preventing
    unauthorized access. When possible, keys should be stored on separate cryptographic
    hardware instead of on the local system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: This control provides for implementation of endpoint storage encryption.
    Encryption ensures the confidentiality of data such as credentials, preventing
    unauthorized access. Ensuring certificates as well as associated private keys
    are appropriately secured and enforcing HTTPS can help prevent adversaries from
    stealing or forging certificates used for authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: "This control provides for implementation of endpoint storage encryption.\
    \ Encryption ensures the confidentiality and integrity of data, preventing unauthorized\
    \ access or tampering. Encrypting important information reduces an adversary\u2019\
    s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: "This control provides for implementation of endpoint storage encryption.\
    \ Encryption ensures the confidentiality and integrity of data, preventing unauthorized\
    \ access or tampering. Encrypting important information reduces an adversary\u2019\
    s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: This control provides for implementation of endpoint storage encryption.
    Encryption and off-system storage of sensitive information ensure the confidentiality
    of data and can help mitigate adversary use of automated techniques for collecting
    data and files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: This control provides for implementation of endpoint storage encryption.
    Encrypting data stored at rest in information repositories ensures the confidentiality
    of data and can mitigate adversary access to information of value, such as sensitive
    documents or data that may aid their further objectives.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: 'This control provides for implementation of endpoint storage encryption.
    Encrypting data stored at rest in cloud storage can mitigate adversary access
    to data from cloud storage. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Malicious executables can be prevented from running by implementing
    application control, script blocking, and other execution prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Malicious modification or disabling of security tools can be mitigated
    by implementing application control, script blocking, and other execution prevention
    mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. The execution of unauthorized or malicious code on systems through
    abuse of command and script interpreters can be prevented by implementing application
    control, script blocking, and other execution prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. The execution of unauthorized or malicious code on systems through
    abuse of command and script interpreters can be prevented by implementing application
    control, script blocking, and other execution prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Endpoint exploit protection capabilities can be used to detect, block,
    and mitigate conditions indicative of exploits to taint content in shared storage
    locations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Endpoint exploit protection capabilities can be used to detect, block,
    and mitigate conditions indicative of exploits to bypass security features.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Endpoint exploit protection capabilities can be used to detect, block,
    and mitigate conditions indicative of exploits of public-facing applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Malicious modification of preventative defenses and detection capabilities
    can be mitigated by implementing application control, script blocking, and other
    execution prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Proper security configurations, limited system access, and application
    control can help mitigate the risk of adversaries deleting or removing built-in
    data and turning off services designed to aid in the recovery of a corrupted system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Proper security configurations and limited system access can help
    prevent adversaries from creating accounts to maintain access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Proper security configurations and limited system access can help
    prevent adversaries from manipulating accounts to maintain and/or elevate access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Adjusting access to user lists can prevent abuse of system functionality
    and help prevent adversaries from getting a listing of valid accounts or usernames.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Adjusting system settings and hardening default configurations can
    mitigate adversary exploitation of elevation control mechanisms and prevent abuse
    of system functionality.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Configuring applications to delete persistent web cookies can help
    mitigate the risk of adversaries using stolen session cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Cloud service providers may allow customers to deactivate unused regions
    to help mitigate the risk of adversaries creating resources in unused regions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Configuring appropriate data sharing restrictions in cloud services
    can help mitigate the risk of adversaries exfiltrating data by transferring it
    to a cloud account.
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Securing resource groups and limiting permissions can help mitigate
    the risk of adversaries adding, deleting, or otherwise modifying hierarchical
    structures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Preventing insecure connections and ensuring proper permissions can
    help mitigate the risk of adversaries hindering or disabling preventative defenses.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Configuring applications to delete persistent web credentials and
    limiting privileges can help mitigate the risk of adversaries generating and using
    forged web cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Effectively securing information repositories and enforcing robust
    data retention policies can mitigate the risk of adversaries exploiting information
    repositories to access sensitive or valuable information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Configuring applications to delete persistent web credentials and
    limiting privileges can help mitigate the risk of adversaries generating and using
    forged web credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Endpoint Management
  capability_group: UEM
  capability_id: UEM-05
  comments: This control provides for the implementation of best practices for endpoint
    management. Effectively securing information repositories and enforcing robust
    data retention policies can mitigate the risk of adversaries exploiting information
    repositories to access sensitive or valuable information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1590.002
  attack_object_name: DNS
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205.002
  attack_object_name: Socket Filters
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205.001
  attack_object_name: Port Knocking
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219.002
  attack_object_name: Remote Desktop Software
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Tools
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.009
  attack_object_name: Clear Persistence
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both the CSP and the CSC to independently protect
    audit logs, by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth, so that the logs
    remain available for investigations or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.007
  attack_object_name: Clear Network Connection History and Configurations
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both the CSP and the CSC to independently protect
    audit logs, by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth, so that the logs
    remain available for investigations or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.007
  attack_object_name: Clear Network Connection History and Configurations
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.004
  attack_object_name: Disable or Modify System Firewall
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.007
  attack_object_name: Disable or Modify Cloud Firewall
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Software Firewall
  capability_group: UEM
  capability_id: UEM-10
  comments: This control describes how CSPs and CSCs must install, update, and properly
    configure endpoint and software-defined firewalls, regularly review and approve
    firewall rule changes, and monitor traffic for anomalies and malicious code. These
    mitigative actions help prevent unauthorized access, block threats, and ensure
    only approved firewall rules are active.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should aid in preventing, which include:\nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software.\nProhibit the use or installation of unauthorized software.\n\
    Restrict obtaining malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should help prevent, which include: \nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software. \nProhibit the use or installation of unauthorized software.\n\
    Restricting the acquisition of malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should help prevent, which include: \nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software. \nProhibit the use or installation of unauthorized software.\n\
    Restricting the acquisition of malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should help prevent, which include: \nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software. \nProhibit the use or installation of unauthorized software.\n\
    Restricting the acquisition of malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should help prevent, which include: \nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software. \nProhibit the use or installation of unauthorized software.\n\
    Restricting the acquisition of malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Anti-Malware Detection and Prevention
  capability_group: UEM
  capability_id: UEM-09
  comments: "This control describes the implementation of endpoint security, including\
    \ anti-malware software, to mitigate the risk of exploitation by threat actors.\
    \ The implementation guidance provides several examples of what the technical\
    \ measures under Anti-Malware should help prevent, which include: \nScan\
    \ installed software and system data content to identify and remove unauthorized\
    \ code/software. \nProhibit the use or installation of unauthorized software.\n\
    Restricting the acquisition of malicious data and software from external networks.\n\
    Endpoint removable media management."
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Penetration Testing
  capability_group: TVM
  capability_id: TVM-07
  comments: 'This control requires both CSP and CSC to conduct regular penetration
    testing using reputable third parties for overall testing processes and communication
    of results within agreed boundaries. The control guidance states that the penetration
    testing should be used to identify critical vulnerabilities, assess the effectiveness
    of security controls, validate compliance with industry standards, in order to
    provide recommendations for remediation and security improvements in cloud environments.


    The mapping for TVM-07 Penetration Testing will be aligned with the M1016 Vulnerability
    Scanning mitigation definition of using "automated or manual assessment of systems,
    applications, and networks to identify misconfigurations, unpatched software,
    or other security weaknesses." Penetration testing in this context can take the
    form of Cloud Environment Scanning, the use of application security testing (SAST/DAST)
    tools, and the use of any red team cloud tools (Pacu, StormSpotter) to detect
    vulnerabilities and weaknesses for exploitation and impact. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Penetration Testing
  capability_group: TVM
  capability_id: TVM-07
  comments: 'This control requires both CSP and CSC to conduct regular penetration
    testing using reputable third parties for overall testing processes and communication
    of results within agreed boundaries. The control guidance states that the penetration
    testing should be used to identify critical vulnerabilities, assess the effectiveness
    of security controls, validate compliance with industry standards, in order to
    provide recommendations for remediation and security improvements in cloud environments.


    The mapping for TVM-07 Penetration Testing will be aligned with the M1016 Vulnerability
    Scanning mitigation definition of using "automated or manual assessment of systems,
    applications, and networks to identify misconfigurations, unpatched software,
    or other security weaknesses." Penetration testing in this context can take the
    form of Cloud Environment Scanning, the use of application security testing (SAST/DAST)
    tools, and the use of any red team cloud tools (Pacu, StormSpotter) to detect
    vulnerabilities and weaknesses for exploitation and impact. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Penetration Testing
  capability_group: TVM
  capability_id: TVM-07
  comments: 'This control requires both CSP and CSC to conduct regular penetration
    testing using reputable third parties for overall testing processes and communication
    of results within agreed boundaries. The control guidance states that the penetration
    testing should be used to identify critical vulnerabilities, assess the effectiveness
    of security controls, validate compliance with industry standards, in order to
    provide recommendations for remediation and security improvements in cloud environments.


    The mapping for TVM-07 Penetration Testing will be aligned with the M1016 Vulnerability
    Scanning mitigation definition of using "automated or manual assessment of systems,
    applications, and networks to identify misconfigurations, unpatched software,
    or other security weaknesses." Penetration testing in this context can take the
    form of Cloud Environment Scanning, the use of application security testing (SAST/DAST)
    tools, and the use of any red team cloud tools (Pacu, StormSpotter) to detect
    vulnerabilities and weaknesses for exploitation and impact. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Penetration Testing
  capability_group: TVM
  capability_id: TVM-07
  comments: 'This control requires both CSP and CSC to conduct regular penetration
    testing using reputable third parties for overall testing processes and communication
    of results within agreed boundaries. The control guidance states that the penetration
    testing should be used to identify critical vulnerabilities, assess the effectiveness
    of security controls, validate compliance with industry standards, in order to
    provide recommendations for remediation and security improvements in cloud environments.


    The mapping for TVM-07 Penetration Testing will be aligned with the M1016 Vulnerability
    Scanning mitigation definition of using "automated or manual assessment of systems,
    applications, and networks to identify misconfigurations, unpatched software,
    or other security weaknesses." Penetration testing in this context can take the
    form of Cloud Environment Scanning, the use of application security testing (SAST/DAST)
    tools, and the use of any red team cloud tools (Pacu, StormSpotter) to detect
    vulnerabilities and weaknesses for exploitation and impact. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: "This control requires both CSP and CSC to independently manage third-party\
    \ and open-source libraries by maintaining accurate inventories, integrating with\
    \ vulnerability databases, automating patching and updates, using dependency and\
    \ scanning tools to mitigate risks from library vulnerabilities.\nFor this specific\
    \ technique, the program sxstrace.exe, which is included with Windows, can be leveraged\
    \ along with manual inspection to check manifest files for side-loading vulnerabilities\
    \ in software that uses vulnerable DLLs. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: "This control requires both CSP and CSC to independently manage third-party\
    \ and open-source libraries by maintaining accurate inventories, integrating with\
    \ vulnerability databases, automating patching and updates, using dependency and\
    \ scanning tools to mitigate risks from library vulnerabilities.\nFor this specific\
    \ technique, the program sxstrace.exe, which is included with Windows, can be leveraged\
    \ along with manual inspection to check manifest files for side-loading vulnerabilities\
    \ in software that uses vulnerable DLLs. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1176
  attack_object_name: Software Extensions
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: External Library Vulnerabilities
  capability_group: TVM
  capability_id: TVM-06
  comments: This control requires both CSP and CSC to independently manage third-party
    and open-source libraries by maintaining accurate inventories, integrating with
    vulnerability databases, automating patching and updates, using dependency and
    scanning tools to mitigate risks from library vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Detection Updates
  capability_group: TVM
  capability_id: TVM-05
  comments: "This control requires both CSP and CSC to independently define, implement,\
    \ and regularly update detection tools, threat signatures, and indicators of compromise\
    \ based on a threat intelligence platform/program, ensuring effective and timely\
    \ detection of threats across all cloud service models. \n\nA centralized threat\
    \ intelligence platform or program enables organizations to proactively identify,\
    \ analyze, and act on cyber threats by leveraging internal and external data sources.\
    \ As it applies to mitigable techniques, developing a robust cyber threat intelligence\
    \ capability helps mitigate and determine what types and levels of threat may use\
    \ software exploits and 0-days or N-days against a particular organization. For\
    \ impersonation, threat intelligence helps defenders and users be aware of\
    \ and defend against common lures and active campaigns that have been used for\
    \ impersonation."
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Detection Updates
  capability_group: TVM
  capability_id: TVM-05
  comments: "This control requires both CSP and CSC to independently define, implement,\
    \ and regularly update detection tools, threat signatures, and indicators of compromise\
    \ based on a threat intelligence platform/program, ensuring effective and timely\
    \ detection of threats across all cloud service models. \n\nA centralized threat\
    \ intelligence platform or program enables organizations to proactively identify,\
    \ analyze, and act on cyber threats by leveraging internal and external data sources.\
    \ As it applies to mitigable techniques, developing a robust cyber threat intelligence\
    \ capability helps mitigate and determine what types and levels of threat may use\
    \ software exploits and 0-days or N-days against a particular organization. For\
    \ impersonation, threat intelligence helps defenders and users be aware of\
    \ and defend against common lures and active campaigns that have been used for\
    \ impersonation."
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Detection Updates
  capability_group: TVM
  capability_id: TVM-05
  comments: "This control requires both CSP and CSC to independently define, implement,\
    \ and regularly update detection tools, threat signatures, and indicators of compromise\
    \ based on a threat intelligence platform/program, ensuring effective and timely\
    \ detection of threats across all cloud service models. \n\nA centralized threat\
    \ intelligence platform or program enables organizations to proactively identify,\
    \ analyze, and act on cyber threats by leveraging internal and external data sources.\
    \ As it applies to mitigable techniques, developing a robust cyber threat intelligence\
    \ capability helps mitigate and determine what types and levels of threat may use\
    \ software exploits and 0-days or N-days against a particular organization. For\
    \ impersonation, threat intelligence helps defenders and users be aware of\
    \ and defend against common lures and active campaigns that have been used for\
    \ impersonation."
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Detection Updates
  capability_group: TVM
  capability_id: TVM-05
  comments: "This control requires both CSP and CSC to independently define, implement,\
    \ and regularly update detection tools, threat signatures, and indicators of compromise\
    \ based on a threat intelligence platform/program, ensuring effective and timely\
    \ detection of threats across all cloud service models. \n\nA centralized threat\
    \ intelligence platform or program enables organizations to proactively identify,\
    \ analyze, and act on cyber threats by leveraging internal and external data sources.\
    \ As it applies to mitigable techniques, developing a robust cyber threat intelligence\
    \ capability helps mitigate and determine what types and levels of threat may use\
    \ software exploits and 0-days or N-days against a particular organization."
  mapping_type: mitigates
  references: []
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Detection Updates
  capability_group: TVM
  capability_id: TVM-05
  comments: "This control requires both CSP and CSC to independently define, implement,\
    \ and regularly update detection tools, threat signatures, and indicators of compromise\
    \ based on a threat intelligence platform/program, ensuring effective and timely\
    \ detection of threats across all cloud service models. \n\nA centralized threat\
    \ intelligence platform or program enables organizations to proactively identify,\
    \ analyze, and act on cyber threats by leveraging internal and external data sources.\
    \ As it applies to mitigable techniques, developing a robust cyber threat intelligence\
    \ capability helps mitigate and determine what types and levels of threat may use\
    \ software exploits and 0-days or N-days against a particular organization. For\
    \ impersonation, threat intelligence helps defenders and users be aware of\
    \ and defend against common lures and active campaigns that have been used for\
    \ impersonation."
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.002
  attack_object_name: Disable Windows Event Logging
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.012
  attack_object_name: Disable or Modify Linux Audit System
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.007
  attack_object_name: Disable or Modify Cloud Firewall
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Audit Records Protection
  capability_group: LOG
  capability_id: LOG-10
  comments: This control requires both CSP and CSC to independently protect audit
    logs by enforcing strict access controls, encryption, isolated log environments,
    continuous monitoring, vulnerability management, and so forth for investigations
    or legal proceedings.
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Audit Logs Sanitization
  capability_group: LOG
  capability_id: LOG-08
  comments: This control requires organizations to implement technical measures that
    automatically detect and remove sensitive data from logs to prevent unauthorized
    exposure. Log Sanitization may help mitigate risks from Unsecured Credentials
    (T1552), where attackers target logs for sensitive information such as credentials
    or access tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Audit Logs Sanitization
  capability_group: LOG
  capability_id: LOG-08
  comments: This control requires organizations to implement technical measures that
    automatically detect and remove sensitive data from logs to prevent unauthorized
    exposure. Log Sanitization may help mitigate risks from Unsecured Credentials
    (T1552), where attackers target logs for sensitive information such as credentials
    or access tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Audit Logs Sanitization
  capability_group: LOG
  capability_id: LOG-08
  comments: This control requires organizations to implement technical measures that
    automatically detect and remove sensitive data from logs to prevent unauthorized
    exposure. Data from Information Repositories (T1213) can occur if logs containing
    sensitive data are accessed or exfiltrated.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.012
  attack_object_name: Disable or Modify Linux Audit System
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.002
  attack_object_name: Disable Windows Event Logging
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls is in place to ensure that proper user permissions are in place
    to prevent adversaries from disabling or interfering with security/logging services.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Audit Logs Access and Accountability
  capability_group: LOG
  capability_id: LOG-04
  comments: 'This control requires both CSP and CSC to restrict audit log access using
    RBAC, MFA, least privilege, and separation of duties, so that only authorized
    personnel can access sensitive logs and any access is traceable and secure. This
    set of controls ensures that proper user permissions are in place to prevent
    adversaries from disabling or interfering with security/logging services.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.009
  attack_object_name: Clear Persistence
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.007
  attack_object_name: Clear Network Connection History and Configurations
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.007
  attack_object_name: Disable or Modify Cloud Firewall
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering. For cloud firewall modifications, this primarily preserves
    the audit record of the change for detection and investigation rather than preventing
    the modification itself.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.012
  attack_object_name: Disable or Modify Linux Audit System
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.002
  attack_object_name: Disable Windows Event Logging
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Audit Logs Protection
  capability_group: LOG
  capability_id: LOG-02
  comments: This control requires both CSP and CSC to independently protect and retain
    audit logs by implementing controls such as centralized logging, secure and tamper-evident
    storage, access restrictions, and regular monitoring and review, ensuring logs remain
    available and trustworthy for investigations and protected against improper
    modification and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: 'This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level. Virtual private
    cloud (VPC) security groups and network access control lists (NACLs) can be used
    to restrict external network access and mitigate adversary use of fallback or
    alternative communication channels.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Isolation of critical network
    systems through use of cloud-based segmentation, virtual private cloud (VPC) security
    groups, network access control lists (NACLs), and firewalls can mitigate abuse
    of centralized software suites.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes using cloud-based
    segmentation at each layer of the cloud network (virtual private cloud [VPC],
    subnet, and application level). Segmenting networks and systems reduces access
    to critical systems and services, mitigating exploitation via remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or unexpected protocol standards and traffic flows can be used to mitigate
    activity at the network level. Virtual private cloud (VPC) security groups and
    network access control lists (NACLs) can be used to limit traffic between systems
    and mitigate use of a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or unexpected protocol standards and traffic flows can be used to mitigate
    activity at the network level. Virtual private cloud (VPC) security groups and
    network access control lists (NACLs) can be used to limit traffic between systems
    and mitigate use of a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or unexpected protocol standards and traffic flows can be used to mitigate
    activity at the network level. Virtual private cloud (VPC) security groups and
    network access control lists (NACLs) can be used to limit traffic between systems
    and mitigate use of a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or unexpected protocol standards and traffic flows can be used to mitigate
    activity at the network level. Virtual private cloud (VPC) security groups and
    network access control lists (NACLs) can be used to limit traffic between systems
    and mitigate use of a connection proxy for communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Configuring firewalls to
    filter network traffic to untrusted domains or hosts can prevent encapsulating
    a protocol within another protocol for communication. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    adversary malware and unexpected protocol standards or traffic flows can be used
    to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level).
    Configuring firewalls and proxies to limit outgoing traffic to only necessary
    ports and to route it through proper network gateway systems, and ensuring hosts are
    provisioned to communicate only over authorized interfaces, can prevent the use of an
    OSI non-application layer protocol for communication. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    adversary malware and uncommon patterns or flows can be used to mitigate activity
    at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Tools
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Firewalls and proxies can
    be configured to limit outgoing traffic to sites and services used by remote access
    software. In addition, network intrusion detection and prevention systems that
    use network signatures may be able to prevent traffic to remote access services.
    Virtual private cloud (VPC) security groups and network access control lists (NACLs)
    can also be used to limit traffic between systems and mitigate abuse of remote
    access tools.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: 'This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level).
    Restricting access to domain controllers and systems used for account creation
    and management through access controls, firewalls, and separate VPC instances
    mitigates the ability of adversaries to create unauthorized accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level) to protect critical servers and devices
    from discovery and exploitation. In addition, network intrusion prevention devices
    can be configured to detect and prevent remote service scans.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: 'This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level).
    Network proxies, gateways, and firewalls can be used to deny direct remote access
    to internal systems.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or unusual data transfer over known tools and protocols can be used to
    mitigate activity at the network level. Virtual private cloud (VPC) security groups
    and network access control lists (NACLs) can be used to limit traffic between
    systems and mitigate the transfer of tools or other files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for adversary
    command and control infrastructure, unexpected network connections or traffic,
    and malware can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.001
  attack_object_name: Standard Encoding
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or uncommon data flows can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Virtual private cloud (VPC)
    security groups and network access control lists (NACLs) can be used to isolate
    infrastructure components that do not require broad network access, limiting attacks
    that leverage trusted relationships.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes using cloud-based
    segmentation at each layer of the cloud network (virtual private cloud [VPC],
    subnet, and application level). If an application is hosted on cloud-based infrastructure,
    VPC security perimeters can segment resources to further reduce access and operate
    in logically separate environments, limiting exposure.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level).
    Configuring firewalls and proxies to limit outgoing traffic to only the ports necessary
    for that particular network segment can prevent the use of a protocol and port
    pairing that is not typically associated with that communication. Network intrusion
    detection and prevention systems that use network signatures to identify traffic
    for specific adversary malware and unexpected patterns or protocols can be used
    to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Configuring access controls
    and network firewalls to enforce restrictions on accessing cloud resources, while
    allowing only essential ports and traffic, helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Configuring access controls
    and network firewalls to enforce restrictions on accessing cloud resources, while
    allowing only essential ports and traffic, helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Configuring access controls
    and network firewalls to enforce restrictions on accessing cloud resources, while
    allowing only essential ports and traffic, helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or uncommon data flows can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Access controls, firewalls,
    and cloud-based segmentation can be used to isolate and protect configuration
    repositories. In addition, network intrusion prevention devices can be configured
    to block SNMP queries and commands from unauthorized sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Access controls, firewalls,
    and cloud-based segmentation can be used to isolate and protect configuration
    repositories. In addition, network intrusion prevention devices can be configured
    to block SNMP queries and commands from unauthorized sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level).
    Restricting access to identity management systems used for account creation
    and management through access controls, firewalls, and separate VPC instances
    mitigates the ability of adversaries to create unauthorized accounts. Note that
    cloud accounts are typically created through the provider's identity and access
    management APIs, so network controls only help here where access to those APIs
    is itself restricted (for example, via private endpoints or policy conditions on
    the source network).
  mapping_type: mitigates
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or uncommon data flows can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Configuring access controls
    and network firewalls to enforce restrictions on accessing cloud resources, while
    allowing only essential ports and traffic, helps mitigate the risk of alternative
    exfiltration through cloud services. Also, network intrusion detection and prevention
    systems that use network signatures to identify traffic for specific adversary
    command and control infrastructure and malware can be used to mitigate exfiltration
    activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level, such as adversary
    use of OSI application layer protocols to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    cloud-based segmentation at each layer of the cloud network (virtual private cloud
    [VPC], subnet, and application level). Segmentation can be implemented to deny
    direct access to broadcast and multicast traffic, limiting sniffing and information capture.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level)
    to filter traffic based on security rules. Limiting access to critical systems
    and domain controllers can mitigate adversary use of account manipulation to maintain
    and/or elevate access to systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level, such as adversary
    use of the Domain Name System (DNS) application layer protocol to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level, such as adversary
    use of application layer protocols associated with electronic mail delivery to
    embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level, such as adversary
    use of application layer protocols associated with transferring files to embed
    commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level, such as adversary
    use of application layer protocols associated with web traffic to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.002
  attack_object_name: Non-Standard Encoding
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware or uncommon data flows can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that can identify traffic patterns indicative of AiTM activity
    can be used to mitigate activity at the network level. Network segmentation can
    be used to isolate infrastructure components that do not require broad network
    access. This may mitigate, or at least alleviate, the scope of AiTM activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Access controls, firewalls,
    and cloud-based segmentation can be used to isolate and protect configuration
    repositories. In addition, network intrusion prevention devices can be configured
    to block SNMP queries and commands from unauthorized sources.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. This includes implementing
    access controls and firewalls and using cloud-based segmentation at each layer
    of the cloud network (virtual private cloud [VPC], subnet, and application level)
    to filter traffic based on security rules. Limiting access to critical systems
    and domain controllers can mitigate adversary use of account manipulation to maintain
    and/or elevate access to systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Network Defense
  capability_group: I&S
  capability_id: I&S-09
  comments: This control provides for the implementation of defense-in-depth network
    security controls for securing the cloud environment. Network intrusion detection
    and prevention systems that use network signatures to identify traffic for specific
    malware can be used to mitigate activity at the network level, such as adversary
    use of publish/subscribe (pub/sub) application layer protocols to embed commands.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encrypting data at all stages,
    from storage to transmission, ensures the confidentiality of data and can mitigate
    adversary access to information of value, such as sensitive documents or data
    that may aid their further objectives.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Production and Non-Production Environments
  capability_group: I&S
  capability_id: I&S-05
  comments: This control maintains separation of production and non-production environments,
    which can prevent the introduction of exploitable weaknesses and avoid exposure
    of sensitive information. Ensure that production environments do not store sensitive
    data or credentials insecurely (e.g., plaintext credentials in code, published
    credentials in repositories, or credentials in public cloud storage) to mitigate
    the risk of adversaries obtaining the credentials of existing accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Production and Non-Production Environments
  capability_group: I&S
  capability_id: I&S-05
  comments: This control maintains separation of production and non-production environments,
    which can prevent the introduction of exploitable weaknesses and avoid exposure
    of sensitive information. Restricting the use of authentication material outside
    of expected contexts can help prevent adversary misuse of alternate authentication
    material.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Production and Non-Production Environments
  capability_group: I&S
  capability_id: I&S-05
  comments: This control maintains separation of production and non-production environments,
    which can prevent the introduction of exploitable weaknesses and avoid exposure
    of sensitive information. Restricting the use of authentication material outside
    of expected contexts can help prevent adversary misuse of alternate authentication
    material.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Production and Non-Production Environments
  capability_group: I&S
  capability_id: I&S-05
  comments: This control maintains separation of production and non-production environments,
    which can prevent the introduction of exploitable weaknesses and avoid exposure
    of sensitive information. During development, apply caution when selecting third-party
    libraries to integrate into applications and, where possible, lock software dependencies
    to specific versions rather than pulling the latest version on build to help mitigate
    supply chain compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encryption ensures the confidentiality
    and integrity of data, such as OAuth access tokens used in a cloud-based email
    service. File encryption across email communications containing sensitive information
    that may be obtained through access to email services can help prevent adversaries
    from stealing application access tokens.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encryption ensures the confidentiality
    and integrity of data, preventing unauthorized access or tampering. Ensuring that
    all wireless traffic is encrypted appropriately can safeguard the data carried over
    connections redirected by ARP cache poisoning and mitigate adversary use of the
    technique.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encrypting data at all stages,
    from storage to transmission, ensures the confidentiality of data such as credentials,
    preventing unauthorized access. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encrypting data at all stages,
    from storage to transmission, ensures the confidentiality of data such as credentials,
    preventing unauthorized access. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encrypting data at all stages,
    from storage to transmission, ensures the confidentiality of data such as credentials,
    preventing unauthorized access. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encryption ensures the confidentiality
    and integrity of data, preventing unauthorized access or tampering. Encrypting
    important data flows reduces the impact of adversary tailored data modifications.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: "This control provides for the use of secure and encrypted communication\n\
    channels when migrating to cloud environments. Encrypting data at all stages,\
    \ from storage to transmission, ensures the confidentiality and integrity of data,\
    \ preventing unauthorized access or tampering. Encrypting important information\
    \ reduces an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: "This control provides for the use of secure and encrypted communication\n\
    channels when migrating to cloud environments. Encryption ensures the confidentiality\
    \ and integrity of data, preventing unauthorized access or tampering. Encrypting\
    \ important information reduces an adversary\u2019s ability to perform tailored\
    \ data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Ensuring that all wireless traffic
    is encrypted appropriately can mitigate adversary abuse of traffic mirroring for
    redirection of network traffic and automated data exfiltration.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encrypting data at all stages,
    from storage to transmission, ensures the confidentiality of data and can help
    to mitigate adversary use of automated techniques for automatically collecting
    data and files.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encryption ensures the confidentiality
    and integrity of data, preventing unauthorized access or tampering. Ensuring that
    all wireless traffic is encrypted appropriately can safeguard data and mitigate
    adversary-in-the-middle activities such as information collection.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Migration to Cloud Environments
  capability_group: I&S
  capability_id: I&S-07
  comments: 'This control provides for the use of secure and encrypted communication

    channels when migrating to cloud environments. Encrypting data at all stages,
    from storage to transmission, ensures the confidentiality of data and can mitigate
    adversary access to information of value in cloud storage.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control can help prevent adversaries from exfiltrating data via a
    USB-connected physical device, through mechanisms such as automatic screen locking
    and automatic session logout.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest and data-in-transit
    within the cloud environment. Encryption ensures the confidentiality and integrity
    of data, such as OAuth access tokens used in a cloud-based email service. File
    encryption across email communications containing sensitive information that may
    be obtained through access to email services can help prevent adversaries from
    stealing application access tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest and data-in-transit
    within the cloud environment. Encryption ensures the confidentiality and integrity
    of data, preventing unauthorized access or tampering. Ensuring that all wireless
    traffic is encrypted appropriately can safeguard the data carried over connections
    redirected by ARP cache poisoning and mitigate adversary use of the technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may wipe, overwrite, or corrupt arbitrary portions of disk
    content on cloud storage objects or other cloud resources. Periodically backing
    up data stored in the cloud; ensuring backup confidentiality, integrity, and availability;
    and verifying data restoration from backup provides data protection and allows
    for quick recovery from disk wipe attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may wipe or corrupt disk data structures or overwrite critical
    data in disk structures on cloud storage objects or other cloud resources. Periodically
    backing up data stored in the cloud; ensuring backup confidentiality, integrity,
    and availability; and verifying data restoration from backup provides data protection
    and allows for quick recovery from disk wipe attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.001
  attack_object_name: Internal Defacement
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may deface visual content through modifying data and files
    in cloud storage objects, including website files. Periodically backing up data
    stored in the cloud; ensuring backup confidentiality, integrity, and availability;
    and verifying data restoration from backup provides data protection and allows
    for quick recovery from defacement attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may deface visual content through modifying data and files
    in cloud storage objects, including website files. Periodically backing up data
    stored in the cloud; ensuring backup confidentiality, integrity, and availability;
    and verifying data restoration from backup provides data protection and allows
    for quick recovery from defacement attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may destroy, overwrite, or delete data and files in cloud
    storage buckets. Periodically backing up data stored in the cloud; ensuring backup
    confidentiality, integrity, and availability; and verifying data restoration from
    backup provides data protection and allows for quick recovery from data destruction
    attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1669
  attack_object_name: Wi-Fi Networks
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest and data-in-transit
    within the cloud environment. Encryption ensures the confidentiality and integrity
    of data, preventing unauthorized access or tampering. Ensuring that cloud-managed
    Wi-Fi or cloud-based networking traffic is encrypted appropriately can mitigate
    adversary exploitation of Wi-Fi networks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest within
    the cloud environment. Encryption ensures the confidentiality of data such as
    credentials, preventing unauthorized access. When possible, keys should be stored
    on separate cryptographic hardware instead of on the local system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest within
    the cloud environment. Encryption ensures the confidentiality of data such as
    credentials, preventing unauthorized access. When possible, keys should be stored
    on separate cryptographic hardware instead of on the local system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest within
    the cloud environment. Encryption ensures the confidentiality of data such as
    credentials, preventing unauthorized access. Ensuring certificates as well as
    associated private keys are appropriately secured and enforcing HTTPS can help
    prevent adversaries from stealing or forging certificates used for authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-in-transit within
    the cloud environment. Encryption ensures the confidentiality and integrity of
    data, preventing unauthorized access or tampering. Encrypting important data flows
    reduces the impact of adversary tailored data modifications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: "This control provides cryptographic protection for data-at-rest within\
    \ the cloud environment. Encryption ensures the confidentiality and integrity\
    \ of data, preventing unauthorized access or tampering. Encrypting important information\
    \ reduces an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: "This control provides cryptographic protection for data-at-rest and data-in-transit\
    \ within the cloud environment. Encryption ensures the confidentiality and integrity\
    \ of data, preventing unauthorized access or tampering. Encrypting important information\
    \ reduces an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest and data-in-transit
    within the cloud environment. Ensuring that all wireless traffic is encrypted
    appropriately can mitigate adversary abuse of traffic mirroring for redirection
    of network traffic and automated data exfiltration.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest and data-in-transit
    within the cloud environment. Encryption and off-system storage of sensitive information
    ensures the confidentiality of data and can help to mitigate adversary use of
    automated techniques for automatically collecting data and files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-in-transit within
    the cloud environment. Encryption ensures the confidentiality and integrity of
    data, preventing unauthorized access or tampering. Ensuring that all wireless
    traffic is encrypted appropriately can safeguard data and mitigate adversary-in-the-middle
    activities such as information collection.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: This control provides cryptographic protection for data-at-rest within
    the cloud environment. Encrypting data stored at rest in information repositories
    ensures the confidentiality of data and can mitigate adversary access to information
    of value, such as sensitive documents or data that may aid their further objectives.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Data Encryption
  capability_group: CEK
  capability_id: CEK-03
  comments: 'This control provides mechanisms for encryption of at-rest data, and
    for managing encryption keys securely, ensuring they are regularly rotated and
    not exposed to unauthorized parties. Encrypting data stored at rest in cloud storage
    and rotating managed encryption keys can mitigate adversary access to data from
    cloud storage. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may encrypt data and files in cloud storage objects within
    compromised accounts and other cloud resources to render stored data inaccessible.
    Periodically backing up data stored in the cloud; ensuring backup confidentiality,
    integrity, and availability; and verifying data restoration from backup provides
    data protection and allows for quick recovery from data encryption attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may deface visual content through modifying data and files
    in cloud storage objects, including website files. Periodically backing up data
    stored in the cloud; ensuring backup confidentiality, integrity, and availability;
    and verifying data restoration from backup provides data protection and allows
    for quick recovery from defacement attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may wipe, overwrite, or corrupt raw disk data on cloud storage
    objects or other cloud resources. Periodically backing up data stored in the cloud;
    ensuring backup confidentiality, integrity, and availability; and verifying data
    restoration from backup provides data protection and allows for quick recovery
    from disk wipe attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may delete or remove built-in data, turn off services designed
    to aid in recovery, disable versioning and backup policies, and delete snapshots,
    database backups, machine images, and prior versions of objects designed to be
    used in disaster recovery scenarios. Periodically backing up data stored in the
    cloud; ensuring backup confidentiality, integrity, and availability; and verifying
    data restoration from backup provides data protection and allows for quick recovery
    from attacks intended to prevent recovery. Because this technique targets recovery
    mechanisms directly, backups are only effective if they are kept where a compromised
    account cannot alter or delete them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Backup
  capability_group: BCR
  capability_id: BCR-08
  comments: Adversaries may destroy, overwrite, or delete data and files in cloud
    storage objects and other cloud resources. Periodically backing up data stored
    in the cloud; ensuring backup confidentiality, integrity, and availability; and
    verifying data restoration from backup provides data protection and allows for
    quick recovery from data destruction attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Supply Chain Risk Management
  capability_group: STA
  capability_id: STA-10
  comments: "The mitigative applications of this control relate to (e) \"software\
    \ supply chain risk management practices for ensuring software integrity, traceability,\
    \ and provenance (e.g., software build practices, component management, and use\
    \ of Software Bill of Materials (SBOMs))\" \nSBOMs are known to provide transparency\
    \ into software components, which may enable the identification of vulnerable\
    \ software libraries, components, or code and mitigate the injection or execution\
    \ of vulnerable or malicious code. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1659
  attack_object_name: Content Injection
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Secure Interoperability and Portability Management
  capability_group: IPY
  capability_id: IPY-03
  comments: This control requires the CSP to encrypt communications using industry-standard
    protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities.
    The guidance for CSC requires it to classify API data, encrypt sensitive information
    during import/export, use secure protocols, and manage encryption keys independently
    to mitigate risks of data tampering, loss, or unauthorized access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1671
  attack_object_name: Cloud Application Integration
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Application Interface Availability
  capability_group: IPY
  capability_id: IPY-02
  comments: This control requires the CSP to provide secure, standards-based, interoperable
    APIs with up-to-date documentation and communicate changes, while the CSC must
    review API documentation, use open standards, test API functionality for data
    transfer and recovery, monitor for outages and changes, and ensure secure, portable,
    and interoperable cloud deployments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: Through mechanisms such as automatic screen locking and automatic session
    logout, this control can help prevent adversaries from exfiltrating data via a
    physical medium, such as a removable drive.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control includes account management controls such as enabling multi-factor
    authentication (MFA), which can help prevent adversaries from creating or manipulating
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control includes account management controls such as enabling multi-factor
    authentication (MFA), which can help prevent adversaries from creating or manipulating
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control includes account management controls such as enabling multi-factor
    authentication (MFA), which can help prevent adversaries from creating or manipulating
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control includes account management controls such as enabling multi-factor
    authentication (MFA), which can help prevent adversaries from modifying or manipulating
    authentication mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control includes account management controls such as enabling multi-factor
    authentication (MFA), which can help prevent adversaries from modifying or manipulating
    authentication mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control includes account management controls such as enabling multi-factor
    authentication (MFA), which can help prevent adversaries from modifying or manipulating
    authentication mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1113
  attack_object_name: Screen Capture
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: Through mechanisms such as automatic screen locking and automatic session
    logout, this control can help prevent adversaries from exfiltrating data via screenshots.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control can help prevent adversaries from accessing data in cloud storage
    by using multi-factor authentication to restrict access to resources and cloud
    storage APIs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  comments: This control can help prevent adversaries from destroying data and files
    on specific systems or in large numbers on a network by implementing multi-factor
    authentication (MFA) for cloud storage resources, which prevents unauthorized deletion
    of critical data and infrastructure.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Separation of Duties
  capability_group: IAM
  capability_id: IAM-04
  comments: "This control describes how separation of duties (SoD) must be implemented\
    \ by assigning and managing distinct roles for users, applications, and services,\
    \ minimizing overlapping responsibilities and restricting access to critical functions\
    \ through centralized role management, multi-level approvals, and automated provisioning\
    \ tools. \n\nAdversaries may abuse permission configurations that allow them to\
    \ gain temporarily elevated access to cloud resources. Many cloud environments\
    \ allow administrators to grant user or service accounts permission to request\
    \ just-in-time access to roles, impersonate other accounts, or pass roles onto\
    \ resources and services. In terms of mitigations, limit the privileges of cloud\
    \ accounts to assume, create, or impersonate additional roles, policies, and permissions\
    \ to only those required. Where just-in-time access is enabled, consider requiring\
    \ manual approval for temporary elevation of privileges.\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Separation of Duties
  capability_group: IAM
  capability_id: IAM-04
  comments: "This control describes how separation of duties (SoD) must be implemented\
    \ by assigning and managing distinct roles for users, applications, and services,\
    \ minimizing overlapping responsibilities and restricting access to critical functions\
    \ through centralized role management, multi-level approvals, and automated provisioning\
    \ tools. \n\nAn adversary may add additional roles or permissions to an adversary-controlled\
    \ user or service account to maintain persistent access to a container orchestration\
    \ system. In terms of mitigation, having multi-level approval chains for creating\
    \ additional roles or ensuring that low-privileged user accounts do not have permissions\
    \ to add permissions to accounts or update IAM policies could help catch the use\
    \ of this technique. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Separation of Duties
  capability_group: IAM
  capability_id: IAM-04
  comments: "This control describes how separation of duties (SoD) must be implemented\
    \ by assigning and managing distinct roles for users, applications, and services,\
    \ minimizing overlapping responsibilities and restricting access to critical functions\
    \ through centralized role management, multi-level approvals, and automated provisioning\
    \ tools. \n\nAn adversary may add additional roles or permissions to an adversary-controlled\
    \ cloud account to maintain persistent access to a tenant. For example, adversaries\
    \ may update IAM policies in cloud-based environments or add a new global administrator\
    \ in Office 365 environments. In terms of mitigation, having multi-level approval\
    \ chains for creating additional roles or ensuring that low-privileged user accounts\
    \ do not have permissions to add permissions to accounts or update IAM policies\
    \ could help catch the use of this technique. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Separation of Duties
  capability_group: IAM
  capability_id: IAM-04
  comments: "This control describes how separation of duties (SoD) must be implemented\
    \ by assigning and managing distinct roles for users, applications, and services,\
    \ minimizing overlapping responsibilities and restricting access to critical functions\
    \ through centralized role management, multi-level approvals, and automated provisioning\
    \ tools. \n\nAdversaries may abuse permission configurations that allow them to\
    \ gain temporarily elevated access to cloud resources. Many cloud environments\
    \ allow administrators to grant user or service accounts permission to request\
    \ just-in-time access to roles, impersonate other accounts, or pass roles onto\
    \ resources and services. In terms of mitigations, limit the privileges of cloud\
    \ accounts to assume, create, or impersonate additional roles, policies, and permissions\
    \ to only those required. Where just-in-time access is enabled, consider requiring\
    \ manual approval for temporary elevation of privileges.\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Identity Inventory
  capability_group: IAM
  capability_id: IAM-03
  comments: 'This control describes how the CSP must actively maintain and review
    a comprehensive inventory of all system identities (users, services, applications,
    roles, groups) with access to cloud resources. Many organizations maintain hybrid
    user and device identities that are shared between on-premises and cloud-based
    environments. For this technique, adversaries may be able to modify the hybrid
    identity authentication process from the cloud. In terms of mitigation, reviewing
    the hybrid identity solution in use for any discrepancies could aid with thwarting
    the use of this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Identity Inventory
  capability_group: IAM
  capability_id: IAM-03
  comments: 'This control describes how the CSP must actively maintain and review
    a comprehensive inventory of all system identities (users, services, applications,
    roles, groups) with access to cloud resources. For this technique, adversaries
    may add adversary-controlled credentials and identity to a cloud account to maintain
    persistent access to victim accounts and instances within the environment. For
    example, adversaries may add credentials for Service Principals and Applications
    in addition to existing legitimate credentials in Azure / Entra ID. In terms of
    mitigation, a dynamic inventory of permitted cloud identities and roles may aid
    in flagging the creation or addition of any unauthorized identities. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Identity Inventory
  capability_group: IAM
  capability_id: IAM-03
  comments: 'This control describes how the CSP must actively maintain and review
    a comprehensive inventory of all system identities (users, services, applications,
    roles, groups) with access to cloud resources. Valid accounts in cloud environments
    may allow adversaries to perform actions to achieve Initial Access, Persistence,
    Privilege Escalation, or Defense Evasion. A dynamic inventory of permitted cloud
    identities may aid in flagging the creation of any unauthorized identities. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Identity Inventory
  capability_group: IAM
  capability_id: IAM-03
  comments: 'This control describes how the CSP must actively maintain and review
    a comprehensive inventory of all system identities (users, services, applications,
    roles, groups) with access to cloud resources. In relation to this technique,
    default accounts may be created on a system after initial setup by connecting
    or integrating it with another application. Adversaries may obtain and abuse credentials
    of a default account as a means of gaining Initial Access, Persistence, Privilege
    Escalation, or Defense Evasion. A dynamic inventory of permitted identities may
    aid in flagging the creation of any unauthorized identities. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: 'This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: User Access Changes and Revocation
  capability_group: IAM
  capability_id: IAM-07
  comments: This control focuses on the secure deprovisioning of user access by automating
    account removal, detecting and revoking inactive accounts. These mitigative actions
    reduce the risk of lingering or inappropriate access following employee termination,
    role changes, or security incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nFor this technique, in terms of mitigation,\
    \ limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration\
    \ in AWS) to only those accounts that require it. In AWS environments, consider\
    \ using Service Control policies to limit the use of the PutBucketLifecycle API\
    \ call."
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed using\
    \ this technique to delete backup files and disable any restoration capabilities.\
    \ For this technique, in terms of mitigation, limit the user accounts that have\
    \ access to backups to only those required. For example, in AWS environments,\
    \ consider using Service Control Policies to restrict API calls to delete backups,\
    \ snapshots, and images."
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed using\
    \ this technique to directly download cloud user data such as OneDrive files.\
    \ For this technique, in terms of mitigation, configure user permission groups\
    \ and roles for access to cloud storage. Implement strict Identity and Access\
    \ Management (IAM) controls to prevent access to storage solutions except for\
    \ the applications, users, and services that require access. Ensure that temporary\
    \ access tokens are issued rather than permanent credentials, especially when\
    \ access is being granted to entities outside of the internal security boundary."
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed using\
    \ this technique to directly download cloud user data such as OneDrive files.\
    \ For this technique, in terms of mitigation, configure user permission groups\
    \ and roles for access to cloud storage. Implement strict Identity and Access\
    \ Management (IAM) controls to prevent access to storage solutions except for\
    \ the applications, users, and services that require access. Ensure that temporary\
    \ access tokens are issued rather than permanent credentials, especially when\
    \ access is being granted to entities outside of the internal security boundary."
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries may utilize these cloud\
    \ native methods to directly access virtual infrastructure and pivot through an\
    \ environment. These connections typically provide direct console access to the\
    \ VM rather than the execution of scripts (i.e., Cloud Administration Command).\
    \ For this technique, in terms of mitigation, limit which users are allowed to\
    \ access compute infrastructure via cloud native methods. If direct virtual machine\
    \ connections are not required for administrative use or certain users, disable\
    \ these connection types where feasible.\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries may add, delete, or otherwise\
    \ modify resource groups within an IaaS hierarchy. For this technique, in terms\
    \ of mitigation, limit permissions to add, delete, or modify resource groups to\
    \ only those required. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.002
  attack_object_name: Create Cloud Instance
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed using\
    \ this technique to create new virtual machines for defense evasion within the\
    \ target's cloud environment after leveraging credential access to cloud assets.\
    \ For this technique, in terms of mitigation, limit permissions for creating new\
    \ instances in accordance with least privilege. Organizations should limit the\
    \ number of users within the organization with an IAM role that has administrative\
    \ privileges, strive to reduce all permanent privileged role assignments, and\
    \ conduct periodic entitlement reviews on IAM users, roles and policies. Additionally,\
    \ enforce user permissions to ensure only the expected users have the capability\
    \ to create new instances.\n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.001
  attack_object_name: Create Snapshot
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed using\
    \ this technique to create snapshots of EBS volumes and RDS instances for execution\
    \ and defense evasion. For this technique, in terms of mitigation, limit permissions\
    \ for creating snapshots or backups in accordance with least privilege. Organizations\
    \ should limit the number of users within the organization with an IAM role that\
    \ has administrative privileges, strive to reduce all permanent privileged role\
    \ assignments, and conduct periodic entitlement reviews on IAM users, roles and\
    \ policies. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.003
  attack_object_name: Delete Cloud Instance
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed using\
    \ this technique to delete the victim's systems and resources in the cloud to\
    \ trigger the organization's incident and crisis response process. For this technique,\
    \ in terms of mitigation, limit permissions for deleting instances in accordance\
    \ with least privilege. Organizations should limit the number of users within\
    \ the organization with an IAM role that has administrative privileges, strive\
    \ to reduce all permanent privileged role assignments, and conduct periodic entitlement\
    \ reviews on IAM users, roles and policies. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data. For this technique, in terms of mitigation,
    limit permissions to request quota adjustments or modify tenant-level compute
    settings to only those required.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data.\n\n Adversaries have been known to modify\
    \ cloud compute infrastructure for evading defenses. For this technique, in terms\
    \ of mitigation, limit permissions for creating, deleting, and otherwise altering\
    \ compute components in accordance with least privilege. Organizations should\
    \ limit the number of users within the organization with an IAM role that has\
    \ administrative privileges, strive to reduce all permanent privileged role assignments,\
    \ and conduct periodic entitlement reviews on IAM users, roles and policies."
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data.\n\n Adversaries have been known to introduce\
    \ new firewall rules or policies to allow access into a victim cloud environment\
    \ and/or disable cloud logs to evade defenses. For this technique, in terms of\
    \ mitigation, configure and ensure least privilege principles are applied to Identity\
    \ and Access Management (IAM) security policies so that only the necessary users\
    \ are able to modify the security mechanisms in place."
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.007
  attack_object_name: Disable or Modify Cloud Firewall
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data.\n\n Adversaries have been known to introduce\
    \ new firewall rules or policies to allow access into a victim cloud environment\
    \ and/or move laterally from the cloud control plane to the data plane. For this\
    \ technique, in terms of mitigation, configure and ensure least privilege principles\
    \ are applied to Identity and Access Management (IAM) security policies so that\
    \ only the necessary users are able to modify firewall rules or policies."
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, configure default account policy to
    enable logging. Manage policies to ensure only necessary users have permissions
    to make changes to logging policies. Adversaries have been known to disable or
    otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC
    flow logs.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data.\n\nFor this technique, in terms of mitigation,\
    \ limit the privileges of cloud accounts to assume, create, or impersonate additional\
    \ roles, policies, and permissions to only those required. Where just-in-time\
    \ access is enabled, consider requiring manual approval for temporary elevation\
    \ of privileges. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation for cloud IaaS, ensure that only users
    who explicitly require the permissions to update instance metadata or configurations
    can do so.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, ensure that low-privileged user accounts
    do not have permission to add access keys to accounts. For example, in AWS environments,
    prohibit users from calling the sts:GetFederationToken API unless explicitly required.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, ensure that low-privileged user accounts
    do not have permissions to add permissions to accounts or update IAM policies.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, ensure that low-privileged user accounts
    do not have permissions to modify accounts or account-related policies.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, ensure that proper cloud policies
    are implemented to dictate the secure enrollment and deactivation of authentication
    mechanisms, such as MFA, for user accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, ensure that proper cloud policies
    are implemented to dictate the secure enrollment and deactivation of authentication
    mechanisms, such as MFA, for user accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, in terms of mitigation, limit permissions to modify conditional
    access policies to only those required.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, limit the ability for user accounts to create additional accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, adversaries may gain access to and use centralized software
    suites installed within an enterprise to execute commands and move laterally through
    the network. In terms of mitigation, ensure that any accounts used by third-party
    providers to access these systems are traceable to the third-party and are not
    used throughout the network or used by other third-party providers in the same
    environment. Ensure there are regular reviews of accounts provisioned to these
    systems to verify continued business need, and ensure there is governance to trace
    de-provisioning of access that is no longer required. Ensure proper system and
    access isolation for critical network systems through use of account privilege
    separation.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, adversaries may abuse serverless computing, integration, and
    automation services to execute arbitrary code in cloud environments. Remove permissions
    to create, modify, or run serverless resources from users that do not explicitly
    require them. Where possible, consider restricting access to and use of serverless
    functions. For example, conditional access policies can be applied to users attempting
    to abuse these resources in various ways as a means of executing arbitrary commands.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: 'This control describes the enforcement of the principle of least privilege
    implementing controls such as regular automated reviews of access permissions,
    enforcing MFA for high-risk accounts, promptly revoking unused privileges, and
    by limiting access to sensitive data.


    For this technique, properly manage accounts and permissions used by parties in
    trusted relationships to minimize potential abuse by the party and if the party
    is compromised by an adversary. In Office 365 environments, partner relationships
    and roles can be viewed under the "Partner Relationships" page.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data.\n\nFor this technique, adversaries have\
    \ been known to add a federated identity provider to the victim\u2019s SSO tenant\
    \ and activate automatic account linking. In terms of mitigation, apply the principle\
    \ of least privilege and protect administrative access to domain trusts and identity\
    \ tenants. Additionally, in cloud environments, limit permissions to create new\
    \ identity providers to only those accounts that require them. In AWS environments,\
    \ consider using Service Control policies to limit the use of API calls such as\
    \ CreateSAMLProvider or CreateOpenIDConnectProvider.\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Least Privilege
  capability_group: IAM
  capability_id: IAM-05
  comments: "This control describes the enforcement of the principle of least privilege\
    \ implementing controls such as regular automated reviews of access permissions,\
    \ enforcing MFA for high-risk accounts, promptly revoking unused privileges, and\
    \ by limiting access to sensitive data. \n\nAdversaries have been observed leveraging\
    \ this type of technique for collecting data from misconfigured cloud-hosted databases.\
    \ For this technique, in terms of mitigation, enforce the principle of least-privilege.\
    \ Consider implementing access control mechanisms that include both authentication\
    \ and authorization."
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may create a cloud account\
    \ to maintain access to victim systems. In terms of mitigation, use multi-factor\
    \ authentication for new user and privileged accounts. For instance, require multi-factor\
    \ authentication to register devices in Entra ID. Configure multi-factor authentication\
    \ systems to disallow enrolling new devices for inactive accounts. When first\
    \ enrolling MFA, use conditional access policies to restrict device enrollment\
    \ to trusted locations or devices, and consider using temporary access passes\
    \ as an initial MFA solution to enroll a device."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, an adversary may add additional roles\
    \ or permissions to an adversary-controlled cloud account to maintain persistent\
    \ access to a tenant. In terms of mitigation, use multi-factor authentication\
    \ for user and privileged accounts. Implementing MFA across all critical systems\
    \ and services ensures robust protection against account takeover and unauthorized\
    \ access."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may add adversary-controlled\
    \ credentials to a cloud account to maintain persistent access to victim accounts\
    \ and instances within the environment. In terms of mitigation, use multi-factor\
    \ authentication for user and privileged accounts. Consider enforcing multi-factor\
    \ authentication for the CreateKeyPair and ImportKeyPair API calls through IAM\
    \ policies."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, in order to create or manipulate accounts,\
    \ the adversary must already have sufficient permissions on systems or the domain.\
    \ In terms of mitigation, use multi-factor authentication for user and privileged\
    \ accounts."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, in terms of mitigation, ensure that\
    \ cloud accounts, particularly privileged accounts, have complex, unique passwords\
    \ across all systems on the network. Passwords and access keys should be rotated\
    \ regularly. This limits the amount of time credentials can be used to access\
    \ resources if a credential is compromised without your knowledge. Cloud service\
    \ providers may track access key age to help audit and identify keys that may\
    \ need to be rotated."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may modify or otherwise\
    \ backdoor cloud authentication processes that are tied to on-premises user identities\
    \ in order to bypass typical authentication mechanisms, access credentials, and\
    \ enable persistent access to accounts. In terms of mitigation, integrating multi-factor\
    \ authentication (MFA) as part of organizational policy can greatly reduce the\
    \ risk of an adversary gaining control of valid credentials that may be used for\
    \ additional tactics. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may attempt to bypass multi-factor\
    \ authentication (MFA) mechanisms and gain access to accounts by generating MFA\
    \ requests sent to users. In terms of mitigation, implementing more secure 2FA/MFA\
    \ mechanisms in replacement of simple push or one-click 2FA/MFA options, or enabling\
    \ account restrictions to prevent login attempts, and the subsequent 2FA/MFA service\
    \ requests, from being initiated from suspicious locations or when the source\
    \ of the login attempts does not match the location of the 2FA/MFA smart device,\
    \ or using conditional access policies to block logins from non-compliant devices\
    \ or from outside defined organization IP ranges can limit the abuse of this technique\
    \ and help prevent account compromise. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may disable or modify multi-factor\
    \ authentication (MFA) mechanisms to enable persistent access to compromised accounts.\
    \ In terms of mitigation, ensure that proper policies are implemented to dictate\
    \ the secure enrollment and deactivation of MFA for user accounts."
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may modify authentication\
    \ mechanisms and processes to access user credentials or enable otherwise unwarranted\
    \ access to accounts. In terms of mitigation, integrating multi-factor authentication\
    \ (MFA) as part of organizational policy can greatly reduce the risk of an adversary\
    \ gaining control of valid credentials, then attempting to modify the authentication\
    \ process that may be used for additional tactics such as initial access, lateral\
    \ movement, and collecting information. MFA can also be used to restrict access\
    \ to cloud resources and APIs."
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, secrets managers support the secure\
    \ centralized management of passwords, API keys, and other credential material.\
    \ Where secrets managers are in use, cloud services can dynamically acquire credentials\
    \ via API requests rather than accessing secrets insecurely stored in plain text\
    \ files or environment variables. In terms of mitigation, limit the number of\
    \ cloud accounts and services with permission to query the secrets manager to\
    \ only those required. Ensure that accounts and services with permissions to query\
    \ the secrets manager only have access to the secrets they require."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may use brute force techniques\
    \ to gain access to accounts when passwords are unknown or when password hashes\
    \ are obtained. In terms of mitigation, set account lockout policies after a certain\
    \ number of failed login attempts to prevent passwords from being guessed. Also,\
    \ where possible, enforce multi-factor authentication on externally facing services\
    \ to limit brute force success."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may use brute force techniques\
    \ to gain access to accounts when passwords are unknown or when password hashes\
    \ are obtained. In terms of mitigation, set account lockout policies after a certain\
    \ number of failed login attempts to prevent passwords from being guessed. Also,\
    \ where possible, enforce multi-factor authentication on externally facing services\
    \ to limit brute force success."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may use brute force techniques\
    \ to gain access to accounts when passwords are unknown or when password hashes\
    \ are obtained. In terms of mitigation, set account lockout policies after a certain\
    \ number of failed login attempts to prevent passwords from being guessed. Also,\
    \ where possible, enforce multi-factor authentication on externally facing services\
    \ to limit brute force success."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may use brute force techniques\
    \ to gain access to accounts when passwords are unknown or when password hashes\
    \ are obtained. In terms of mitigation, set account lockout policies after a certain\
    \ number of failed login attempts to prevent passwords from being guessed. Also,\
    \ where possible, enforce multi-factor authentication on externally facing services\
    \ to limit brute force success."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may use brute force techniques\
    \ to gain access to accounts when passwords are unknown or when password hashes\
    \ are obtained. In terms of mitigation, set account lockout policies after a certain\
    \ number of failed login attempts to prevent passwords from being guessed. Also,\
    \ where possible, enforce multi-factor authentication on externally facing services\
    \ to limit brute force success."
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Strong Password Policy and Procedures
  capability_group: IAM
  capability_id: IAM-02
  comments: "This control requires the CSP to enforce strong password management practices,\
    \ implement protections against brute-force attacks, and support secure password\
    \ reset processes. \n\nFor this technique, adversaries may breach or otherwise\
    \ leverage organizations who have access to intended victims. Access through trusted\
    \ third party relationship abuses an existing connection that may not be protected\
    \ or receives less scrutiny than standard mechanisms of gaining access to a network.\n\
    \nIn terms of mitigation, require MFA for all delegated administrator accounts.\
    \ Properly manage accounts and password policies, including MFA requirements,\
    \ used by parties in trusted relationships to minimize potential abuse by the\
    \ party if the party is compromised by an adversary."
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may delete or modify artifacts generated within systems to remove\
    \ evidence of their presence or hinder defenses.\n\nIn terms of mitigation, automatically\
    \ forward events to a log server or data repository to prevent conditions in which\
    \ the adversary can locate and manipulate data on the local system. When possible,\
    \ minimize time delay on event reporting to avoid prolonged storage on the local\
    \ system."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may insert, delete, or manipulate data in order to influence external\
    \ outcomes or hide activity, thus threatening the integrity of the data.\n\nIn\
    \ terms of mitigation, backups that are stored off system and are protected from\
    \ common methods adversaries may use to gain access and manipulate backups can\
    \ lessen the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ in cloud environments, adversaries may disable versioning and backup policies\
    \ and delete snapshots, database backups, machine images, and prior versions of\
    \ objects designed to be used in disaster recovery scenarios.\n\nIn terms of mitigation,\
    \ enabling versioning on storage objects where possible within the cloud environment,\
    \ and copying backups to other accounts or regions to isolate them from the original\
    \ copies, can aid with lessening the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may modify systems or applications external to an enterprise network,\
    \ thus affecting the integrity of the original content as seen by external users.\n\n\
    In terms of mitigation, taking regular data backups that can be used to restore\
    \ organizational data can limit the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.001
  attack_object_name: Internal Defacement
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may modify internal systems, thus affecting the integrity and\
    \ operations of the original content as seen by internal users. \n\nIn terms of mitigation,\
    \ taking regular data backups that can be used to restore organizational data\
    \ can limit the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may modify visual content available internally or externally to\
    \ an enterprise network, thus affecting the integrity of the original content.\n\
    \nIn terms of mitigation, taking regular data backups that can be used to restore\
    \ organizational data can limit the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may encrypt data on target systems or on large numbers of systems\
    \ in a network to interrupt availability to system and network resources.\n\n\
    In terms of mitigation, consider enabling versioning in cloud environments to\
    \ maintain backup copies of storage objects to limit the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may modify the lifecycle policies of a cloud storage bucket to destroy\
    \ all objects stored within. Cloud storage buckets often allow users to set lifecycle\
    \ policies to automate the migration, archival, or deletion of objects after a\
    \ set period of time.\n\nIn terms of mitigation, consider limiting permissions\
    \ to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS)\
    \ to only those accounts that require it, to lessen the impact of this technique.\
    \ In AWS environments, consider using Service Control policies to limit the\
    \ use of the PutBucketLifecycle API call."
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Data Retention and Deletion
  capability_group: DSP
  capability_id: DSP-16
  comments: "This control describes the shared responsibility of both the CSP and\
    \ CSC for securely managing data retention, archiving, and deletion across all\
    \ cloud service models. Implementation involves establishing secure tools and\
    \ processes for data retention, configuring backups, enforcing retention policies,\
    \ and maintaining safeguards within each party\u2019s environment. For this technique,\
    \ adversaries may destroy data and files on specific systems or in large numbers\
    \ on a network to interrupt availability to systems, services, and network resources.\n\
    \nIn terms of mitigation, taking regular data backups that can be used to restore\
    \ organizational data and ensuring backups are stored off system and protected\
    \ from common methods adversaries may use to gain access and destroy the backups\
    \ to prevent recovery can limit the impact of this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may insert, delete, replicate, or manipulate data in order to influence
    external outcomes or hide activity, thus threatening the integrity of the data.


    In terms of mitigation, identify critical business and system processes that
    may be targeted by adversaries and work to isolate and secure those systems
    against unauthorized access and tampering.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: "This control describes how the CSP and CSC must independently implement\
    \ technical safeguards such as network segmentation, encryption (at rest and in\
    \ transit), secure key management, and access controls to prevent unauthorized\
    \ replication or use of production data in non-production environments. For this\
    \ technique, adversaries may insert, delete, or manipulate data at rest in order\
    \ to influence external outcomes or hide activity, thus threatening the integrity\
    \ of the data. In terms of mitigation, encrypt important information to reduce\
    \ an adversary\u2019s ability to perform tailored data modifications such as replication\
    \ of data from production to non-production environments. Also, enforcing least\
    \ privilege principles applied to important information resources could reduce\
    \ exposure to data manipulation risk from different systems and environments."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may alter data en route to storage or other systems in order to manipulate
    external outcomes or hide activity, thus threatening the integrity of the data.
    In terms of mitigation, encrypt all important data flows to reduce the impact
    of tailored modifications on data in transit.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: "This control describes how the CSP and CSC must independently implement\
    \ technical safeguards such as network segmentation, encryption (at rest and in\
    \ transit), secure key management, and access controls to prevent unauthorized\
    \ replication or use of production data in non-production environments. For this\
    \ technique, adversaries may gain access to and use centralized software suites\
    \ installed within an enterprise to execute commands, such as replicating production\
    \ data in non-production environments. \n\nIn terms of mitigation, grant access\
    \ to application deployment systems only to a limited number of authorized administrators\
    \ to limit the ability to replicate data across production and non-production\
    \ environments. Also, verifying that account credentials that may be used to access\
    \ deployment systems are unique and not used throughout the enterprise network\
    \ can limit the abuse of this technique to replicate production data in non-production\
    \ environments. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    an adversary may access the Docker API to collect logs that contain credentials
    to cloud, container, and various other resources in the environment.


    In terms of mitigation, limit communications with the container service to managed
    and secured channels and deny direct remote access to internal systems through
    the use of network proxies, gateways, and firewalls to lessen the ability to
    abuse this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may breach or otherwise leverage organizations who have access to
    intended victims. Access through trusted third party relationship abuses an existing
    connection that may not be protected or receives less scrutiny than standard mechanisms
    of gaining access to a network.


    In terms of mitigation, network segmentation can be used to isolate infrastructure
    components that do not require broad network access from various trusted partners
    and properly managing accounts and permissions used by parties in trusted relationships
    to minimize potential abuse by the party if the party is compromised by an
    adversary.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may exploit remote services to gain unauthorized access to internal
    systems once inside of a network. Exploitation of a software vulnerability occurs
    when an adversary takes advantage of a programming error in a program or cloud
    service.


    In terms of mitigation, segment networks and systems appropriately to reduce
    access to production systems and services to controlled methods. Also, minimize
    permissions and access for service accounts to limit the impact of exploitation.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may leverage external-facing remote services to initially access and/or
    persist within a network. Remote services such as VPNs, Citrix, and other access
    mechanisms allow users to connect to internal enterprise network resources from
    external locations.


    In terms of mitigation, denying direct remote access to internal production systems
    through the use of network proxies, gateways, and firewalls can lessen the abuse
    of this technique. Also, consider using IP allowlisting along with user account
    management to ensure that data access is restricted not only to valid users but
    only from expected IP ranges, to mitigate the use of stolen credentials or unauthorized
    replication to access production data; this is only practical where the source
    networks of legitimate remote users are known in advance.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may steal data by exfiltrating it over an unencrypted network protocol
    other than that of the existing command and control channel. The data may also be sent
    to an alternate network location, such as a non-production environment, to facilitate
    exfiltration.


    In terms of mitigation, follow best practices for network firewall configurations
    to allow only necessary ports and traffic to enter and exit the network. Also,
    consider using IP allowlisting along with user account management to ensure that
    data access is restricted not only to valid users but only from expected IP ranges,
    to mitigate the use of stolen credentials or unauthorized replication to access
    production data.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may steal data by exfiltrating it over an asymmetrically encrypted network
    protocol other than that of the existing command and control channel. The data may
    also be sent to an alternate network location, such as a non-production environment,
    to facilitate exfiltration.


    In terms of mitigation, follow best practices for network firewall configurations
    to allow only necessary ports and traffic to enter and exit the network. Also,
    consider using IP allowlisting along with user account management to ensure that
    data access is restricted not only to valid users but only from expected IP ranges,
    to mitigate the use of stolen credentials or unauthorized replication to access
    production data.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may steal data by exfiltrating it over a symmetrically encrypted network
    protocol other than that of the existing command and control channel. The data
    may also be sent to an alternate network location, such as a non-production environment
    to facilitate exfiltration.


    In terms of mitigation, follow best practices for network firewall configurations
    to allow only necessary ports and traffic to enter and exit the network. Also,
    consider using IP allowlisting along with user account management to ensure that
    data access is restricted not only to valid users but only from expected IP ranges,
    to mitigate the use of stolen credentials or unauthorized replication to access
    production data.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: 'This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may steal data by exfiltrating it over a different protocol than that
    of the existing command and control channel. The data may also be sent to an alternate
    network location, such as a non-production environment to facilitate exfiltration.


    In terms of mitigation, follow best practices for network firewall configurations
    to allow only necessary ports and traffic to enter and exit the network. Also,
    consider using IP allowlisting along with user account management to ensure that
    data access is restricted not only to valid users but only from expected IP ranges,
    to mitigate the use of stolen credentials or unauthorized replication to access
    production data.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: "This control describes how the CSP and CSC must independently implement\
    \ technical safeguards such as network segmentation, encryption (at rest and in\
    \ transit), secure key management, and access controls to prevent unauthorized\
    \ replication or use of production data in non-production environments. For this\
    \ technique, adversaries may deploy a container into an environment to facilitate\
    \ execution or evade defenses. In some cases, adversaries may deploy a new container\
    \ which could contain production data of the environment. \n\nIn terms of mitigation,\
    \ enforce the principle of least privilege by limiting container dashboard and orchestration\
    \ API access to only the necessary users. Also, deny direct remote access to internal\
    \ production systems through the use of network proxies, gateways, and firewalls\
    \ in order to lessen the ability to use production data in non-production environments."
  mapping_type: mitigates
  references: []
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: "This control describes how the CSP and CSC must independently implement\
    \ technical safeguards such as network segmentation, encryption (at rest and in\
    \ transit), secure key management, and access controls to prevent unauthorized\
    \ replication or use of production data in non-production environments. For this\
    \ technique, adversaries may compromise cloud accounts, including by adding adversary-controlled\
    \ credentials to them, and then use those accounts to move production data throughout\
    \ the cloud environment. \n\nIn terms of mitigation,\
    \ consider configuring access controls and firewalls to limit which accounts have\
    \ access to production critical systems and domain controllers. Most cloud environments\
    \ support separate virtual private cloud (VPC) instances that enable further segmentation\
    \ of cloud systems between production and non-production environments."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: "This control describes how the CSP and CSC must independently implement\
    \ technical safeguards such as network segmentation, encryption (at rest and in\
    \ transit), secure key management, and access controls to prevent unauthorized\
    \ replication or use of production data in non-production environments. For this\
    \ technique, adversaries may add adversary-controlled credentials to a cloud account\
    \ to move production data throughout the cloud environment. \n\nIn terms of mitigation,\
    \ consider configuring access controls and firewalls to limit which accounts have\
    \ access to production critical systems and domain controllers. Most cloud environments\
    \ support separate virtual private cloud (VPC) instances that enable further segmentation\
    \ of cloud systems between production and non-production environments."
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: "This control describes how the CSP and CSC must independently implement\
    \ technical safeguards such as network segmentation, encryption (at rest and in\
    \ transit), secure key management, and access controls to prevent unauthorized\
    \ replication or use of production data in non-production environments. For this\
    \ technique, adversaries may add adversary-controlled credentials to a cloud account\
    \ to move production data throughout the cloud environment. \n\nIn terms of mitigation,\
    \ consider configuring access controls and firewalls to limit which accounts have\
    \ access to production critical systems and domain controllers. Most cloud environments\
    \ support separate virtual private cloud (VPC) instances that enable further segmentation\
    \ of cloud systems between production and non-production environments."
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Limitation of Production Data Use
  capability_group: DSP
  capability_id: DSP-15
  comments: This control describes how the CSP and CSC must independently implement
    technical safeguards such as network segmentation, encryption (at rest and in
    transit), secure key management, and access controls to prevent unauthorized replication
    or use of production data in non-production environments. For this technique,
    adversaries may access data stored in cloud storage; many IaaS providers offer
    object storage solutions such as Amazon S3, Azure Storage, and Google Cloud Storage.
    In terms of mitigation, enforce access control lists on storage systems and objects
    to block the unauthorized access through which production data could be replicated
    into non-production environments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, adversaries
    may leverage traffic mirroring in order to automate data exfiltration over compromised
    infrastructure. Many cloud-based environments also support traffic mirroring.
    For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow
    users to define specified instances to collect traffic from and specified targets
    to send collected traffic to. In terms of mitigation, ensure that all wired and/or
    wireless traffic is encrypted appropriately, and note that mirroring captures packets
    as they traverse the network, so traffic that is decrypted at an intermediate hop
    (for example, a load balancer terminating TLS) is exposed in the mirror unless it is
    re-encrypted end to end. Use best practices for authentication protocols, such
    as Kerberos, and ensure web traffic that may contain credentials is protected
    by TLS (not legacy SSL).
  mapping_type: mitigates
  references: []
- attack_object_id: T1669
  attack_object_name: Wi-Fi Networks
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, ensure that
    all wired and/or wireless traffic is encrypted appropriately. Use best practices
    for authentication protocols, such as Kerberos, and ensure web traffic that may
    contain credentials is protected by TLS. Further mitigation may include separating
    networking environments for Wi-Fi and Ethernet-wired networks for access to sensitive
    resources.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, consider
    implementing network-based filtering restrictions to prohibit data transfers to
    untrusted VPCs as a possible mitigation. Adversaries may exfiltrate data by transferring
    the data, including through sharing/syncing and creating backups of cloud environments,
    to another cloud account they control on the same service. Note that encryption in
    transit alone does not stop this technique, because the transfer is made through the
    provider's own (already TLS-protected) APIs by an authenticated identity; restricting
    cross-account sharing, snapshot copy, and backup permissions is the more direct safeguard.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, adversaries
    may collect and exfiltrate sensitive data stored in cloud storage. In terms
    of mitigation, the use of IP allowlisting along with user account management to
    ensure that data access is restricted not only to valid users but only from expected
    IP ranges could mitigate the use of stolen credentials to access data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, adversaries
    may steal sensitive data by exfiltrating it over a different protocol than that
    of the existing command and control channel. In terms of mitigation, the use of
    IP allowlisting along with user account management to ensure that data access
    is restricted not only to valid users but only from expected IP ranges could mitigate
    the use of stolen credentials to access data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, file encryption
    should be enforced across email communications containing sensitive information
    that may be obtained through access to email services. Adversaries may use stolen
    application access tokens to bypass the typical authentication process and access
    restricted accounts, information, or services on remote systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, ensure that
    all wired and/or wireless traffic is encrypted appropriately. Use best practices
    for authentication protocols, such as Kerberos, and ensure web traffic that may
    contain credentials is protected by TLS (not legacy SSL).
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, the use of
    message-level (end-to-end) encryption provides an added layer of security to sensitive
    information sent over email. Transport encryption alone does not mitigate forwarding
    rules, because the rule re-sends the already-delivered message from inside the mailbox.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, the use of
    message-level (end-to-end) encryption provides an added layer of security to sensitive
    information sent over email. Transport encryption alone does not mitigate collection,
    because messages are read from the mail server or mailbox after transport encryption
    has been removed.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, the use of
    message-level (end-to-end) encryption provides an added layer of security to sensitive
    information sent over email. Transport encryption alone does not mitigate collection,
    because local mail client files hold messages after transport encryption has been removed.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, the use of
    message-level (end-to-end) encryption provides an added layer of security to sensitive
    information sent over email. Transport encryption alone does not mitigate collection,
    because messages are collected from mailboxes or mail clients after transport
    encryption has been removed.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.003
  attack_object_name: Runtime Data Manipulation
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, encrypt all
    important data flows to reduce the impact of tailored modifications on data in
    transit, using protocols that provide integrity protection as well as confidentiality
    (as TLS does); encryption without integrity protection does not by itself detect
    modification. Also, in cloud environments, use VPCs, subnets, and security groups to
    isolate applications and enforce traffic rules on those systems to protect
    against unauthorized access and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, encrypt all
    important data flows to reduce the impact of tailored modifications on data in
    transit, using protocols that provide integrity protection as well as confidentiality
    (as TLS does); encryption without integrity protection does not by itself detect
    modification. Also, in cloud environments, use VPCs, subnets, and security groups to
    isolate applications and enforce traffic rules on those systems to protect
    against unauthorized access and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, encrypt all
    important data flows to reduce the impact of tailored modifications on data in
    transit, using protocols that provide integrity protection as well as confidentiality
    (as TLS does); encryption without integrity protection does not by itself detect
    modification. Also, in cloud environments, use VPCs, subnets, and security groups to
    isolate applications and enforce traffic rules on those systems to protect
    against unauthorized access and tampering.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, encryption
    and off-system storage of sensitive information may be one way to reduce the impact
    of successful exfiltration of files, since an adversary who copies encrypted files
    without the keys obtains only ciphertext. Note that this does not prevent the transfer
    itself, and it does not help if the adversary also obtains the keys or reads the data
    through an application that decrypts it.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Sensitive Data Transfer
  capability_group: DSP
  capability_id: DSP-10
  comments: 'The control describes the implementation of strong technical and procedural
    safeguards, such as TLS with strong keys, to protect sensitive data during transfer
    and prevent unauthorized access or interception. For this technique, encryption
    and off-system storage of sensitive information may be one way to mitigate collection
    of files, but it may not stop an adversary from acquiring the information if the
    intrusion persists long enough for the adversary to discover and access the data
    through other means, such as the keys or an application that decrypts it.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: 'Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    configure browsers or tasks to regularly delete persistent cookies to prevent
    adversaries from using stolen session cookies to authenticate to web applications
    and services as legitimate users.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    the use of encryption provides an added layer of security to sensitive information
    sent over email. Encryption using public key cryptography (for example, S/MIME or
    PGP) requires the adversary to obtain the recipient's private key to decrypt messages;
    the certificate itself is public and is not sufficient.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    the use of encryption provides an added layer of security to sensitive information
    sent over email. Encryption using public key cryptography (for example, S/MIME or
    PGP) requires the adversary to obtain the recipient's private key to decrypt messages;
    the certificate itself is public and is not sufficient.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    the use of encryption provides an added layer of security to sensitive information
    sent over email. Encryption using public key cryptography (for example, S/MIME or
    PGP) requires the adversary to obtain the recipient's private key to decrypt messages;
    the certificate itself is public and is not sufficient.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    the use of encryption provides an added layer of security to sensitive information
    sent over email. Encryption using public key cryptography (for example, S/MIME or
    PGP) requires the adversary to obtain the recipient's private key to decrypt messages;
    the certificate itself is public and is not sufficient.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: 'Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    encrypt all important data flows to reduce the impact of tailored modifications
    on data in transit for mitigation. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: "Privacy by design and default is emphasized in this control, integrating\
    \ privacy measures at every stage of the SDLC and across all components. This\
    \ includes implementing controls for encrypting sensitive information to ensure\
    \ the confidentiality and integrity of data, preventing unauthorized access or\
    \ tampering. For this technique, consider encrypting important information to\
    \ reduce an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: "Privacy by design and default is emphasized in this control, integrating\
    \ privacy measures at every stage of the SDLC and across all components. This\
    \ includes implementing controls for encrypting sensitive information to ensure\
    \ the confidentiality and integrity of data, preventing unauthorized access or\
    \ tampering. For this technique, consider encrypting important information to\
    \ reduce an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    encrypt data stored at rest in databases for mitigation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Data Privacy by Design and Default
  capability_group: DSP
  capability_id: DSP-08
  comments: 'Privacy by design and default is emphasized in this control, integrating
    privacy measures at every stage of the SDLC and across all components. This includes
    implementing controls for encrypting sensitive information to ensure the confidentiality
    and integrity of data, preventing unauthorized access or tampering. For this technique,
    encrypt data stored at rest in cloud storage for mitigation. Managed encryption
    keys can be rotated by most providers. Note that provider-managed server-side encryption
    is transparent to any identity permitted to read the object, so by itself it does not
    stop access through valid credentials; prefer customer-managed keys whose use is
    authorized separately from object access, or client-side encryption, so that reading
    the data requires both permissions.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Adversaries may obtain and abuse credentials of existing
    accounts as a means of gaining Initial Access, Persistence, Privilege Escalation,
    or Defense Evasion. In terms of mitigations, ensure that applications do not store
    sensitive data or credentials insecurely (e.g., plaintext credentials in code,
    published credentials in repositories, or credentials in public cloud storage).
    Default usernames and passwords on applications and appliances should be changed
    immediately after installation, and before deployment to a production
    environment.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Adversaries may use stolen application access tokens
    to bypass the typical authentication process and access restricted accounts, information,
    or services on remote systems. In terms of mitigation, consider implementing token
    binding strategies that cryptographically bind a token to a secret. This may prevent
    the token from being used without knowledge of the secret or possession of the
    device the token is tied to.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Adversaries may use alternate authentication material,
    such as password hashes, Kerberos tickets, and application access tokens, in order
    to move laterally within an environment and bypass normal system access controls.
    In terms of mitigation, consider implementing token binding strategies that cryptographically
    bind a token to a secret. This may prevent the token from being used without knowledge
    of the secret or possession of the device the token is tied to.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Applications often depend on external software to function
    properly. Popular open source projects that are used as dependencies in many applications
    may be targeted as a means to add malicious code to users of the dependency. In
    terms of mitigation, application developers should be cautious when selecting
    third-party libraries to integrate into their application. Additionally, where
    possible, developers should lock software dependencies to specific versions that
    are known to be secure rather than pulling the latest version on build.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Adversaries may manipulate products or product delivery
    mechanisms prior to receipt by a final consumer for the purpose of data or system
    compromise. In terms of mitigation, application developers should be cautious
    when selecting third-party libraries to integrate into their application. Additionally,
    where possible, developers should lock software dependencies to specific versions
    that are known to be secure rather than pulling the latest version on build.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Adversaries may abuse inter-process communication (IPC)
    mechanisms for local code or command execution. To mitigate this technique, ensure
    that all COM alerts and Protected View are enabled, and enable the Hardened Runtime
    capability when developing applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. Adversaries may abuse dynamic-link library files (DLLs)
    in order to achieve persistence, escalate privileges, and evade defenses. In terms
    of mitigation, where possible, including hash values in manifest files may help
    prevent side-loading of malicious libraries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. For this technique, adversaries may execute their own
    malicious payloads by hijacking the way operating systems run programs. To mitigate,
    include hash values in manifest files where possible, to help prevent side-loading
    of malicious libraries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Data Protection by Design and Default
  capability_group: DSP
  capability_id: DSP-07
  comments: Data protection by design and default is emphasized in this control, requiring
    proactive integration of security and privacy measures at every stage of the SDLC
    and across all components. For this technique, adversaries may exploit software
    vulnerabilities in an attempt to collect credentials. Mitigation use cases include
    application developers taking measures to validate authentication requests, such
    as enabling one-time passwords, providing timestamps or sequence numbers for messages
    sent, using digital signatures, and/or using random session keys.
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries who steal account API tokens in cloud and containerized
    environments may be able to access data and perform actions with the permissions
    of these accounts, which can lead to privilege escalation and further compromise
    of the environment. In terms of mitigation, enforcing role-based access control
    can limit accounts to the least privileges they require. A Cloud Access Security
    Broker (CASB) can be used to set usage policies and manage user permissions on
    cloud applications to prevent access to application access tokens.


    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may search for common password storage locations,
    such as cloud secrets managers, to obtain user credentials. In terms of mitigation,
    limit the number of cloud accounts and services with permission to query the secrets
    manager to only those required. Ensure that accounts and services with permissions
    to query the secrets manager only have access to the secrets they require.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may abuse a container administration service to
    execute commands within a container. A container administration service such as
    the Docker daemon, the Kubernetes API server, or the kubelet may allow remote
    management of containers within an environment and access to sensitive data within
    it.


    In terms of mitigation, in Kubernetes clusters deployed in cloud environments,
    use native cloud platform features to restrict the IP ranges that are permitted
    to access the API server.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: "This control requires the Cloud Service Provider (CSP) to implement robust\
    \ mitigative controls such as network segmentation and firewalling, encryption,\
    \ access controls with multi-factor authentication and intrusion detection to\
    \ ensure sensitive customer data is protected throughout its lifecycle.\n\nFor\
    \ this technique, adversaries may abuse cloud APIs to execute malicious commands.\
    \ APIs available in cloud environments provide various functionalities and are\
    \ a feature-rich method for programmatic access to nearly all aspects of a tenant.\
    \ \n\nIn terms of mitigation, using application control where appropriate to block\
    \ use of PowerShell cmdlets or other host-based resources to access cloud API\
    \ resources and sensitive data could mitigate this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: "This control requires the Cloud Service Provider (CSP) to implement robust\
    \ mitigative controls such as network segmentation and firewalling, encryption,\
    \ access controls with multi-factor authentication and intrusion detection to\
    \ ensure sensitive customer data is protected throughout its lifecycle.\n\nFor\
    \ this technique, adversaries may abuse cloud APIs to execute malicious commands.\
    \ APIs available in cloud environments provide various functionalities and are\
    \ a feature-rich method for programmatic access to nearly all aspects of a tenant.\
    \ \n\nIn terms of mitigation, using application control where appropriate to block\
    \ use of PowerShell cmdlets or other host-based resources to access cloud API\
    \ resources and sensitive data could mitigate this technique. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may add adversary-controlled credentials to a
    cloud account to maintain persistent access to victim accounts and instances within
    the environment. In terms of mitigation, use multi-factor authentication for user
    and privileged accounts, and consider enforcing multi-factor authentication for
    the CreateKeyPair and ImportKeyPair API calls through IAM policies. Configure access
    controls and firewalls to limit access to critical systems and domain controllers;
    most cloud environments support separate virtual private cloud (VPC) instances
    that enable further segmentation of cloud systems. Ensure that low-privileged
    user accounts do not have permission to add access keys to accounts, and in certain
    cloud environments, prohibit users from calling the GetFederationToken API unless
    explicitly required. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may exfiltrate data by transferring the data,
    including through sharing/syncing and creating backups of cloud environments,
    to another cloud account they control on the same service. In terms of mitigation,
    implementing network-based filtering restrictions to prohibit data transfers to
    untrusted VPCs can aid with mitigating this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, if an application is hosted on cloud-based infrastructure
    then exploiting it may lead to compromise of the underlying sensitive data hosted
    on that platform. In terms of mitigation, Web Application Firewalls (WAFs) may
    be used to limit exposure of applications and prevent exploit traffic from reaching
    the application, and segmenting externally facing servers and services from the
    rest of the network with a DMZ or separate hosting infrastructure could limit the
    impact the exploited application has on the rest of the infrastructure hosting
    the data.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    As it relates to this technique, many IaaS and SaaS platforms (such as Microsoft
    Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download
    of files, emails, source code, and other sensitive information via the web console
    or Cloud API. In terms of mitigation, configure network firewalls to allow only
    necessary ports and traffic to enter and exit the network, configure user permissions
    groups and roles for access to cloud storage, or enforce proxies and use dedicated
    servers for services such as DNS and only allow those systems to communicate over
    respective ports/protocols, instead of all systems within a network. Cloud service
    providers support IP-based restrictions when accessing cloud resources. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, application access tokens are used to make authorized API
    requests on behalf of a user or service and are commonly used to access resources
    in cloud, container-based applications, and software-as-a-service (SaaS). In terms
    of mitigation, where possible, consider restricting the use of access tokens outside
    of expected contexts. For example, in AWS environments, consider using data perimeters
    to prevent credential use outside of an expected network. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may attempt to access the Cloud Instance Metadata
    API to collect credentials and other sensitive data. Limit access to the Instance
    Metadata API. A properly configured Web Application Firewall (WAF) may help prevent
    external adversaries from exploiting Server-side Request Forgery (SSRF) vulnerabilities
    that allow access to the Cloud Instance Metadata API. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may search compromised systems to find and obtain
    insecurely stored credentials. These credentials can be stored and/or misplaced
    in many locations. In terms of mitigation, limit access to sensitive services,
    for example if it is necessary that a SaaS application must store credentials
    in some object storage, registry, or password store, then ensure the associated
    accounts have limited permissions so they cannot be abused if obtained by an adversary.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may target information repositories that have
    been improperly secured, typically by unintentionally allowing overly-broad access
    by all users or even public access to unauthenticated users. This is particularly
    common with cloud-native or cloud-hosted services, such as AWS Relational Database
    Service (RDS), Redis, or ElasticSearch. In terms of mitigation, encrypt data stored
    at rest in databases and ensure that repositories such as cloud-hosted databases
    are not unintentionally exposed to the public, and that security groups assigned
    to them permit only necessary and authorized hosts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, in cloud-based environments, adversaries may also use cloud
    APIs, data pipelines, command line interfaces, or extract, transform, and load
    (ETL) services to automatically collect data. In terms of mitigation, encrypt
    data stored at rest in cloud storage; managed encryption keys can be rotated by
    most providers. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may collect sensitive data from cloud storage
    solutions. Providers typically offer security guides to help end users configure
    systems, though misconfigurations are a common problem. Many IaaS providers offer
    solutions for online data object storage such as Amazon S3, Azure Storage, and
    Google Cloud Storage.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Sensitive Data Protection
  capability_group: DSP
  capability_id: DSP-17
  comments: 'This control requires the Cloud Service Provider (CSP) to implement robust
    mitigative controls such as network segmentation and firewalling, encryption,
    access controls with multi-factor authentication and intrusion detection to ensure
    sensitive customer data is protected throughout its lifecycle.


    For this technique, adversaries may use an existing, legitimate external Web service
    to exfiltrate data rather than their primary command and control channel. In terms
    of mitigation, an NIDS or DLP solution may block sensitive data being uploaded
    to web services via web browsers based on what''s on the allow/block list. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may exfiltrate data by transferring the data, including through
    sharing/syncing and creating backups of cloud environments, to another cloud account
    they control on the same service. This control requires implementing data leakage
    prevention (DLP) capabilities on endpoint devices. This includes classifying
    and inventorying data, protecting sensitive information in transit and at rest,
    monitoring for unauthorized disclosures, and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may exfiltrate data to a webhook endpoint rather than over
    their primary command and control channel. This control requires implementing
    data leakage prevention (DLP) capabilities on endpoint devices. This includes
    classifying and inventorying data, protecting sensitive information in transit
    and at rest, monitoring for unauthorized disclosures, and responding to policy
    violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: 'This control requires implementing data leakage prevention (DLP) capabilities
    on endpoint devices. This includes classifying and inventorying data, protecting
    sensitive information in transit and at rest, monitoring for unauthorized disclosures,
    and responding to policy violations. Adversaries may use an existing, legitimate
    external Web service to exfiltrate data rather than their primary command and
    control channel. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may attempt to exfiltrate data over a USB connected physical
    device. This control requires implementing data leakage prevention (DLP) capabilities
    on endpoint devices. This includes classifying and inventorying data, protecting
    sensitive information in transit and at rest, monitoring for unauthorized disclosures,
    and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may attempt to exfiltrate data via a physical medium, such
    as a removable drive. This control requires implementing data leakage prevention
    (DLP) capabilities on endpoint devices. This includes classifying and inventorying
    data, protecting sensitive information in transit and at rest, monitoring for
    unauthorized disclosures, and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may steal data by exfiltrating it over an existing command
    and control channel. Stolen data is encoded into the normal communications channel
    using the same protocol as command and control communications. This control requires
    implementing data leakage prevention (DLP) capabilities on endpoint devices.
    This includes classifying and inventorying data, protecting sensitive information
    in transit and at rest, monitoring for unauthorized disclosures, and responding
    to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may steal data by exfiltrating it over an un-encrypted network
    protocol other than that of the existing command and control channel. The data
    may also be sent to an alternate network location from the main command and control
    server. Adversaries may opt to obfuscate this data, without the use of encryption,
    within network protocols that are natively unencrypted (such as HTTP, FTP, or
    DNS). This may include custom or publicly available encoding/compression algorithms
    (such as base64) as well as embedding data within protocol headers and fields.
    This control requires implementing data leakage prevention (DLP) capabilities
    on endpoint devices. This includes classifying and inventorying data, protecting
    sensitive information in transit and at rest, monitoring for unauthorized disclosures,
    and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: This control requires implementing data leakage prevention (DLP) capabilities
    on endpoint devices. This includes classifying and inventorying data, protecting
    sensitive information in transit and at rest, monitoring for unauthorized disclosures,
    and responding to policy violations. Adversaries may steal data by exfiltrating
    it over an asymmetrically encrypted network protocol other than that of the existing
    command and control channel. The data may also be sent to an alternate network
    location from the main command and control server.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may steal data by exfiltrating it over a different protocol
    than that of the existing command and control channel. The data may also be sent
    to an alternate network location from the main command and control server. This
    control requires implementing data leakage prevention (DLP) capabilities on
    endpoint devices. This includes classifying and inventorying data, protecting
    sensitive information in transit and at rest, monitoring for unauthorized disclosures,
    and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may exfiltrate data, such as sensitive documents, through
    the use of automated processing after being gathered during Collection. This control
    requires implementing data leakage prevention (DLP) capabilities on endpoint
    devices. This includes classifying and inventorying data, protecting sensitive
    information in transit and at rest, monitoring for unauthorized disclosures, and
    responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Once established within a system or network, an adversary may use automated
    techniques for collecting internal data. Methods for performing this technique
    could include use of a Command and Scripting Interpreter to search for and copy
    information fitting set criteria such as file type, location, or name at specific
    time intervals. In cloud-based environments, adversaries may also use cloud APIs,
    data pipelines, command line interfaces, or extract, transform, and load (ETL)
    services to automatically collect data. This control requires implementing data
    leakage prevention (DLP) capabilities on endpoint devices. This includes classifying
    and inventorying data, protecting sensitive information in transit and at rest,
    monitoring for unauthorized disclosures, and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may search connected removable media on computers they have
    compromised to find files of interest. Sensitive data can be collected from any
    removable media (optical disk drive, USB memory, etc.) connected to the compromised
    system prior to Exfiltration. This control requires implementing data leakage
    prevention (DLP) capabilities on endpoint devices. This includes classifying
    and inventorying data, protecting sensitive information in transit and at rest,
    monitoring for unauthorized disclosures, and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Data Loss Prevention
  capability_group: UEM
  capability_id: UEM-11
  comments: Adversaries may search local system sources, such as file systems, configuration
    files, local databases, or virtual machine files, to find files of interest and
    sensitive data prior to Exfiltration. This control requires implementing data
    leakage prevention (DLP) capabilities on endpoint devices. This includes classifying
    and inventorying data, protecting sensitive information in transit and at rest,
    monitoring for unauthorized disclosures, and responding to policy violations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Storage Encryption
  capability_group: UEM
  capability_id: UEM-08
  comments: This control provides for implementation of endpoint storage encryption.
    Encrypting endpoint storage protects the confidentiality of data at rest, such
    as cached OAuth access tokens or email content for a cloud-based email service
    that is stored on a device, if the device or its storage media is lost, stolen,
    or read offline. Note that storage encryption does not protect tokens from an
    adversary who already has code execution on a running, unlocked endpoint, because
    the volume is transparently decrypted while in use.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: "This control provides for the implementation of best practices for third-party\
    \ endpoint management. \nSeveral cloud service providers support content trust\
    \ models that require container images be signed by trusted sources. Malicious\
    \ images from untrusted sources can be prevented from running by enforcing image\
    \ signature verification and by implementing application control, script blocking,\
    \ and other runtime execution prevention mechanisms."
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Malicious executables can be prevented from running by implementing
    application control, script blocking, and other execution prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Malicious modification or disabling of security tools can
    be mitigated by implementing application control, script blocking, and other execution
    prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. The execution of unauthorized or malicious code on systems
    through abuse of command and script interpreters can be prevented by implementing
    application control, script blocking, and other execution prevention mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Unauthorized use of cloud command-line interfaces, SDKs, or
    PowerShell modules on managed endpoints to invoke cloud APIs can be limited by
    implementing application control, script blocking, and other execution prevention
    mechanisms. Note that API calls made through browser-based cloud shells are not
    subject to endpoint application control and must be addressed with cloud-side
    identity and access controls.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Endpoint execution prevention and exploit protection capabilities
    can be used to detect and block malicious payloads placed in shared storage locations
    from executing when users open the tainted content.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Endpoint exploit protection capabilities can be used to detect,
    block, and mitigate conditions indicative of exploits to bypass security features.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Endpoint configuration hardening can help prevent credentials
    from being stored insecurely on managed endpoints (for example, in plaintext files,
    configuration files, or the registry), reducing the credential material an adversary
    can harvest from a compromised system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Proper security configurations, limited system access, and
    application control can help mitigate the risk of adversaries deleting or removing
    built-in data and turning off services designed to aid in the recovery of a corrupted
    system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Proper security configurations and limited system access
    can help prevent adversaries from creating accounts to maintain access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Proper security configurations and limited system access
    can help prevent adversaries from manipulating accounts to maintain and/or elevate
    access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Adjusting access to user lists can prevent abuse of system
    functionality and help prevent adversaries from getting a listing of valid accounts
    or usernames.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Adjusting system settings and hardening default configurations
    can mitigate adversary exploitation of elevation control mechanisms and prevent
    abuse of system functionality.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Configuring applications to delete persistent web cookies at
    the end of a session can help mitigate the risk of adversaries using stolen session
    cookies to bypass authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Cloud service providers may allow customers to deactivate
    unused regions to help mitigate the risk of adversaries creating resources in
    unused regions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Configuring appropriate data sharing restrictions in cloud
    services can help mitigate the risk of adversaries exfiltrating data by transferring
    it to another cloud account they control.
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Securing resource groups and limiting permissions can help
    mitigate the risk of adversaries adding, deleting, or otherwise modifying hierarchical
    structures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Preventing insecure connections and ensuring proper permissions
    can help mitigate the risk of adversaries hindering or disabling preventative
    defenses.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Configuring applications to delete persistent web credentials
    and limiting privileges can help mitigate the risk of adversaries generating and
    using forged web cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Effectively securing information repositories and enforcing
    robust data retention policies can mitigate the risk of adversaries exploiting
    information repositories to access sensitive or valuable information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Configuring applications to delete persistent web credentials
    and limiting privileges can help mitigate the risk of adversaries generating and
    using forged web credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Third-Party Endpoint Security Posture
  capability_group: UEM
  capability_id: UEM-14
  comments: This control provides for the implementation of best practices for third-party
    endpoint management. Effectively securing information repositories and enforcing
    robust data retention policies can mitigate the risk of adversaries exploiting
    information repositories to access sensitive or valuable information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control outlines several testing approaches, including the use of
    automated tools, to identify and remediate vulnerabilities or weaknesses that
    can be exploited. Web shells provide attackers with unauthorized and persistent
    remote control over a compromised web server, allowing them to execute commands,
    manipulate files, and steal data. A web application is compromised when an attacker
    exploits a vulnerability to upload a malicious script, which then acts as a backdoor
    for ongoing malicious activity. Remediating the vulnerabilities that allow an
    attacker to upload a web shell can help mitigate this technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may stop or disable services on a system to render those\
    \ services unavailable to legitimate users. Stopping critical services or processes\
    \ can inhibit or stop response to an incident or aid in the adversary's overall\
    \ objectives to cause damage to the environment.\n\nThis control establishes and\
    \ regularly evaluates processes, procedures, and technical measures to ensure\
    \ continuous operations of the datacenter, mitigating attacker techniques such\
    \ as denial\u2011of\u2011service and other availability\u2011impacting attacks\
    \ that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.004
  attack_object_name: Cloud Service Hijacking
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may leverage compromised software-as-a-service (SaaS) applications\
    \ to complete resource-intensive tasks, which may impact hosted service availability.\
    \ This control establishes and regularly evaluates processes, procedures, and\
    \ technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may attempt to cause a denial of service (DoS) by reflecting\
    \ a high-volume of network traffic to a target. This type of Network DoS takes\
    \ advantage of a third-party server intermediary that hosts and will respond to\
    \ a given spoofed source IP address.\n\nThis control establishes and regularly\
    \ evaluates processes, procedures, and technical measures to ensure continuous\
    \ operations of the datacenter, mitigating attacker techniques such as denial\u2011\
    of\u2011service and other availability\u2011impacting attacks that seek to disrupt\
    \ business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may attempt to cause a denial of service (DoS) by directly\
    \ sending a high-volume of network traffic to a target. This DoS attack may also\
    \ reduce the availability and functionality of the targeted system(s) and network.\
    \ Direct Network Floods are when one or more systems are used to send a high-volume\
    \ of network packets towards the targeted service's network. Almost any network\
    \ protocol may be used for flooding.\n\nThis control establishes and regularly\
    \ evaluates processes, procedures, and technical measures to ensure continuous\
    \ operations of the datacenter, mitigating attacker techniques such as denial\u2011\
    of\u2011service and other availability\u2011impacting attacks that seek to disrupt\
    \ business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may delete or remove built-in data and turn off services\
    \ designed to aid in the recovery of a corrupted system to prevent recovery. This\
    \ control establishes and regularly evaluates processes, procedures, and technical\
    \ measures to ensure continuous operations of the datacenter, mitigating attacker\
    \ techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may target resource intensive features of applications to\
    \ cause a denial of service (DoS), denying availability to those applications.\
    \ For example, specific features in web applications may be highly resource intensive.\
    \ Repeated requests to those features may be able to exhaust system resources\
    \ and deny access to the application or the server itself.\n\nThis control establishes\
    \ and regularly evaluates processes, procedures, and technical measures to ensure\
    \ continuous operations of the datacenter, mitigating attacker techniques such\
    \ as denial\u2011of\u2011service and other availability\u2011impacting attacks\
    \ that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may target the different network services provided by systems\
    \ to conduct a denial of service (DoS). Adversaries often target the availability\
    \ of DNS and web services, however others have been targeted as well. Web server\
    \ software can be attacked through a variety of means, some of which apply generally\
    \ while others are specific to the software being used to provide the service.\n\
    \nThis control establishes and regularly evaluates processes, procedures, and\
    \ technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade\
    \ or block the availability of services to users. Endpoint DoS can be performed\
    \ by exhausting the system resources those services are hosted on or exploiting\
    \ the system to cause a persistent crash condition. Example services include websites,\
    \ email services, DNS, and web-based applications. \n\nThis control establishes\
    \ and regularly evaluates processes, procedures, and technical measures to ensure\
    \ continuous operations of the datacenter, mitigating attacker techniques such\
    \ as denial\u2011of\u2011service and other availability\u2011impacting attacks\
    \ that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may modify visual content available internally or externally\
    \ to an enterprise network, thus affecting the integrity of the original content.\
    \ This control establishes and regularly evaluates processes, procedures, and\
    \ technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may modify the lifecycle policies of a cloud storage bucket\
    \ to destroy all objects stored within. Cloud storage buckets often allow users\
    \ to set lifecycle policies to automate the migration, archival, or deletion of\
    \ objects after a set period of time. If a threat actor has sufficient permissions\
    \ to modify these policies, they may be able to delete all objects at once. \n\
    \nThis control establishes and regularly evaluates processes, procedures, and\
    \ technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may destroy data and files on specific systems or in large\
    \ numbers on a network to interrupt availability to systems, services, and network\
    \ resources. This control establishes and regularly evaluates processes, procedures,\
    \ and technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may perform Network Denial of Service (DoS) attacks to degrade\
    \ or block the availability of targeted resources to users. Network DoS can be\
    \ performed by exhausting the network bandwidth services rely on. Example resources\
    \ include specific websites, email services, DNS, and web-based applications. This\
    \ control establishes and regularly evaluates processes,\
    \ procedures, and technical measures to ensure continuous operations of the datacenter,\
    \ mitigating attacker techniques such as denial\u2011of\u2011service and other\
    \ availability\u2011impacting attacks that seek to disrupt business and operational\
    \ continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may leverage the compute resources of co-opted systems to\
    \ complete resource-intensive tasks, which may impact system and/or hosted service\
    \ availability. This control establishes and regularly evaluates processes, procedures,\
    \ and technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may leverage the resources of co-opted systems to complete\
    \ resource-intensive tasks, which may impact system and/or hosted service availability.\
    \ This control establishes and regularly evaluates processes, procedures, and\
    \ technical measures to ensure continuous operations of the datacenter, mitigating\
    \ attacker techniques such as denial\u2011of\u2011service and other availability\u2011\
    impacting attacks that seek to disrupt business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.002
  attack_object_name: Bandwidth Hijacking
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may leverage the network bandwidth resources of co-opted\
    \ systems to complete resource-intensive tasks, which may impact system and/or\
    \ hosted service availability. This control establishes and regularly evaluates\
    \ processes, procedures, and technical measures to ensure continuous operations\
    \ of the datacenter, mitigating attacker techniques such as denial\u2011of\u2011\
    service and other availability\u2011impacting attacks that seek to disrupt business\
    \ and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1529
  attack_object_name: System Shutdown/Reboot
  capability_description: Datacenter Operations Resilience
  capability_group: DCS
  capability_id: DCS-18
  comments: "Adversaries may shutdown/reboot systems to interrupt access to, or aid\
    \ in the destruction of, those systems. This control establishes and regularly\
    \ evaluates processes, procedures, and technical measures to ensure continuous\
    \ operations of the datacenter, mitigating attacker techniques such as denial\u2011\
    of\u2011service and other availability\u2011impacting attacks that seek to disrupt\
    \ business and operational continuity. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1529
  attack_object_name: System Shutdown/Reboot
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid
    in the destruction of, those systems.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.002
  attack_object_name: Bandwidth Hijacking
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may leverage the network bandwidth resources of co-opted
    systems to complete resource-intensive tasks, which may impact system and/or hosted
    service availability.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may leverage the resources of co-opted systems to complete
    resource-intensive tasks, which may impact system and/or hosted service availability.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may attempt to cause a denial of service (DoS) by reflecting
    a high-volume of network traffic to a target. This type of Network DoS takes advantage
    of a third-party server intermediary that hosts and will respond to a given spoofed
    source IP address.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may perform Network Denial of Service (DoS) attacks to degrade
    or block the availability of targeted resources to users. Direct Network Floods
    are when one or more systems are used to send a high-volume of network packets
    towards the targeted service''s network. Almost any network protocol may be used
    for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful
    protocols such as TCP can be used as well.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: Adversaries may exploit software vulnerabilities that can cause an application
    or system to crash and deny availability to users. Some systems may automatically
    restart critical applications and services when crashes occur, but they can likely
    be re-exploited to cause a persistent denial of service (DoS) condition. The control
    outlines several testing approaches, which could help mitigate this technique,
    including the use of automated tools, to identify vulnerabilities throughout the
    software development lifecycle from development to production.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: Adversaries may target resource intensive features of applications to
    cause a denial of service (DoS), denying availability to those applications. For
    example, specific features in web applications may be highly resource intensive.
    Repeated requests to those features may be able to exhaust system resources and
    deny access to the application or the server itself. The control outlines several
    testing approaches, including the use of automated tools, to identify and remediate
    vulnerabilities or weaknesses that can be exploited such as the use of the application
    exhaustion flood technique to exhaust system resources and deny access to the
    web application for others.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may perform Network Denial of Service (DoS) attacks to degrade
    or block the availability of targeted resources to users. Network DoS can be performed
    by exhausting the network bandwidth services rely on. Example resources include
    DNS and web-based services and applications that provide resources to the utility
    services.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: 'Adversaries may target the different network services provided by systems
    to conduct a denial of service (DoS). Adversaries often target the availability
    of DNS and web services; however, others have been targeted as well. Web server
    software can be attacked through a variety of means, some of which apply generally
    while others are specific to the software being used to provide the service.


    This control requires securing, monitoring, maintaining, and regularly testing
    utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness,
    mitigating attacker techniques such as disruption of infrastructure, exploitation
    of unmonitored service failures, and availability attacks that can compromise
    system resilience.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Secure Utilities
  capability_group: DCS
  capability_id: DCS-15
  comments: "Adversaries may stop or disable services on a system to render those\
    \ services unavailable to legitimate users. Stopping critical services or processes\
    \ can inhibit or stop response to an incident or aid in the adversary's overall\
    \ objectives to cause damage to the environment. \n\nThis control requires securing,\
    \ monitoring, maintaining, and regularly testing utility services (e.g., power,\
    \ HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques\
    \ such as disruption of infrastructure, exploitation of unmonitored service failures,\
    \ and availability attacks that can compromise system resilience."
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Equipment Identification
  capability_group: DCS
  capability_id: DCS-09
  comments: "This control enforces equipment identification as part of connection\
    \ authentication, mitigating attacker techniques such as device spoofing, rogue\
    \ device connections, and unauthorized network access through unverified or compromised\
    \ hardware. Blocking unknown devices and accessories by endpoint security configuration\
    \ and monitoring agent can help with blocking this technique.\n\nAdversaries may bridge network boundaries\
    \ by modifying a network device\u2019s Network Address Translation (NAT) configuration,\
    \ effectively compromising the device. Malicious modifications to NAT may enable\
    \ an adversary to bypass restrictions on traffic routing that otherwise separate\
    \ trusted and untrusted networks. \n\nUpon identifying a compromised network device\
    \ being used to bridge a network boundary, block the malicious packets using an\
    \ unaffected network device in path, such as a firewall or a router that has not\
    \ been compromised. Continue to monitor for additional activity and to ensure\
    \ that the blocks are indeed effective."
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Equipment Identification
  capability_group: DCS
  capability_id: DCS-09
  comments: "Adversaries may bridge network boundaries by compromising perimeter network\
    \ devices or internal devices responsible for network segmentation. Breaching\
    \ these devices may enable an adversary to bypass restrictions on traffic routing\
    \ that otherwise separate trusted and untrusted networks.\n\nThis control enforces\
    \ equipment identification as part of connection authentication, mitigating attacker\
    \ techniques such as device spoofing, rogue device connections, and unauthorized\
    \ network access through unverified or compromised hardware. Blocking unknown\
    \ devices and accessories by endpoint security configuration and monitoring agent\
    \ can help with blocking this technique.\n\nUpon identifying a compromised network device being used\
    \ to bridge a network boundary, block the malicious packets using an unaffected\
    \ network device in path, such as a firewall or a router that has not been compromised.\
    \ Continue to monitor for additional activity and to ensure that the blocks are\
    \ indeed effective."
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Equipment Identification
  capability_group: DCS
  capability_id: DCS-09
  comments: 'Adversaries may physically introduce computer accessories, networking
    hardware, or other computing devices into a system or network that can be used
    as a vector to gain access. This control enforces equipment identification as
    part of connection authentication, mitigating attacker techniques such as device
    spoofing, rogue device connections, and unauthorized network access through unverified
    or compromised hardware. Blocking unknown devices and accessories by endpoint
    security configuration and monitoring agent can help with blocking this technique.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1219.003
  attack_object_name: Remote Access Hardware
  capability_description: Equipment Identification
  capability_group: DCS
  capability_id: DCS-09
  comments: 'An adversary may use legitimate remote access hardware to establish an
    interactive command and control channel to target systems within networks. Remote
    access hardware may be physically installed and used post-compromise as an alternate
    communications channel for redundant access or as a way to establish an interactive
    remote session with the target system. This control enforces equipment identification
    as part of connection authentication, mitigating attacker techniques such as device
    spoofing, rogue device connections, and unauthorized network access through unverified
    or compromised hardware. Blocking unknown devices and accessories by endpoint
    security configuration and monitoring agent can help with blocking this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: 'Adversaries may exfiltrate data by transferring the data, including through
    sharing/syncing and creating backups of cloud environments, to another cloud account
    they control on the same service.


    This control enforces the classification of data by type, criticality, and sensitivity
    level to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. Certain data loss prevention capabilities
    can detect and block data tagged as sensitive from being shared with individuals
    outside an organization.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: "Adversaries may exfiltrate data to a webhook endpoint rather than over\
    \ their primary command and control channel. \n\nThis control enforces the classification\
    \ of data by type, criticality, and sensitivity level to enable appropriate protections\
    \ (including DLP measures), mitigating attacker techniques such as data exfiltration,\
    \ unauthorized disclosure, and the misuse of unprotected sensitive information.\
    \ Certain data loss prevention capabilities can detect and block pre-defined\
    \ approved and non-approved webhooks to prevent unauthorized exfiltration. "
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: Adversaries may use an existing, legitimate external Web service to exfiltrate
    data rather than their primary command and control channel. This control enforces
    the classification of data by type, criticality, and sensitivity level to enable
    appropriate protections (including DLP measures), mitigating attacker techniques
    such as data exfiltration, unauthorized disclosure, and the misuse of unprotected
    sensitive information. Data loss prevention capabilities can detect and block
    tagged sensitive data being uploaded to web services via web browsers or block
    pre-defined blacklisted websites.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: Adversaries may attempt to exfiltrate data over a USB connected physical
    device. This control enforces the classification of data by type, criticality,
    and sensitivity level to enable appropriate protections (including DLP measures),
    mitigating attacker techniques such as data exfiltration, unauthorized disclosure,
    and the misuse of unprotected sensitive information. Data loss prevention can
    detect and block sensitive data being copied to USB devices.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: Adversaries may attempt to exfiltrate data via a physical medium, such
    as a removable drive. This control enforces the classification of data by type,
    criticality, and sensitivity level to enable appropriate protections (including
    DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized
    disclosure, and the misuse of unprotected sensitive information. Data loss prevention
    can detect and block sensitive data being copied to physical mediums.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: 'Adversaries may steal data by exfiltrating it over an existing command
    and control channel. Stolen data is encoded into the normal communications channel
    using the same protocol as command and control communications.


    This control enforces the classification of data by type, criticality, and sensitivity
    level to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. DLP can detect and block sensitive data
    being uploaded via known malicious C2 channels and unencrypted protocols. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: 'Adversaries may steal data by exfiltrating it over an un-encrypted network
    protocol other than that of the existing command and control channel. The data
    may also be sent to an alternate network location from the main command and control
    server. Adversaries may opt to obfuscate this data, without the use of encryption,
    within network protocols that are natively unencrypted (such as HTTP, FTP, or
    DNS). This may include custom or publicly available encoding/compression algorithms
    (such as base64) as well as embedding data within protocol headers and fields.


    This control enforces the classification of data by type, criticality, and sensitivity
    level to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. Some DLP capabilities can detect and block
    sensitive data being sent over unencrypted protocols.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: 'Adversaries may steal data by exfiltrating it over an asymmetrically
    encrypted network protocol other than that of the existing command and control
    channel. The data may also be sent to an alternate network location from the main
    command and control server.


    This control enforces the classification of data by type, criticality, and sensitivity
    level to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. Some DLP capabilities can detect and block
    sensitive data being uploaded via web browsers.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: 'Adversaries may steal data by exfiltrating it over a different protocol
    than that of the existing command and control channel. The data may also be sent
    to an alternate network location from the main command and control server.


    This control enforces the classification of data by type, criticality, and sensitivity
    level to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. Some DLP capabilities can detect and block
    sensitive data being uploaded via web browsers.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: Adversaries may exfiltrate data, such as sensitive documents, through
    the use of automated processing after being gathered during Collection. This control
    enforces the classification of data by type, criticality, and sensitivity level
    to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. Certain data loss prevention capabilities
    can restrict attempts at mass automated exfiltration of tagged sensitive data
    and prevent their execution.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: 'Once established within a system or network, an adversary may use automated
    techniques for collecting internal data. Methods for performing this technique
    could include use of a Command and Scripting Interpreter to search for and copy
    information fitting set criteria such as file type, location, or name at specific
    time intervals. In cloud-based environments, adversaries may also use cloud APIs,
    data pipelines, command line interfaces, or extract, transform, and load (ETL)
    services to automatically collect data.


    This control enforces the classification of data by type, criticality, and sensitivity
    level to enable appropriate protections (including DLP measures), mitigating attacker
    techniques such as data exfiltration, unauthorized disclosure, and the misuse
    of unprotected sensitive information. Certain data loss prevention capabilities
    can restrict mass automated collection techniques used by attackers on data
    that has been tagged sensitive.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: Adversaries may search connected removable media on computers they have
    compromised to find files of interest. Sensitive data can be collected from any
    removable media (optical disk drive, USB memory, etc.) connected to the compromised
    system prior to Exfiltration. This control enforces the classification of data
    by type, criticality, and sensitivity level to enable appropriate protections
    (including DLP measures), mitigating attacker techniques such as data exfiltration,
    unauthorized disclosure, and the misuse of unprotected sensitive information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Data Classification
  capability_group: DCS
  capability_id: DSP-04
  comments: Adversaries may search local system sources, such as file systems, configuration
    files, local databases, or virtual machine files, to find files of interest and
    sensitive data prior to Exfiltration. This control enforces the classification
    of data by type, criticality, and sensitivity level to enable appropriate protections
    (including DLP measures), mitigating attacker techniques such as data exfiltration,
    unauthorized disclosure, and the misuse of unprotected sensitive information.
    Data loss prevention can restrict access to sensitive data and detect sensitive
    data that is unencrypted.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. By modifying
    conditional access policies, such as adding additional trusted IP ranges, removing
    Multi-Factor Authentication requirements, or allowing additional Unused/Unsupported
    Cloud Regions, adversaries may be able to ensure persistent access to accounts
    and circumvent defensive measures. Secure deployment templates can limit a user's
    ability to modify conditional access policies to only those required, which may
    limit this technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may gain access to and use configuration management and software deployment applications
    to execute commands and move laterally through the network. Security requirements
    for secure application deployment, such as granting access to application
    deployment systems only to authorized users and administrators, or ensuring the
    application deployment system can be configured to deploy only signed binaries
    can mitigate the adversary''s abuse of this technique to execute commands and
    move laterally through the network. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may abuse serverless computing, integration, and automation services to execute
    arbitrary code in cloud environments. For example, in Microsoft 365 environments,
    an adversary may create a Power Automate workflow that forwards all emails a user
    receives or creates anonymous sharing links whenever a user is granted access
    to a document in SharePoint. Secure deployment templates and IaC scripts can restrict
    unusual serverless function modifications, such as adding roles to a function
    that allow unauthorized access or execution. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may add, delete, or otherwise modify resource groups within an IaaS hierarchy.
    For example, in Azure environments, an adversary who has gained access to a Global
    Administrator account may create new subscriptions in which to deploy resources.
    Secure deployment templates should restrict the ability to freely make changes
    to resource groups, such as creating new resource groups, which may mitigate
    the abuse of this technique.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may deploy a container into a cloud environment to facilitate execution or evade
    defenses. The control outlines scanning images before deployment and blocking
    those that are not in compliance with security policies, which can mitigate
    this technique.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may establish persistence and/or elevate privileges using system mechanisms that
    trigger execution based on specific events. Cloud environments may also support
    various functions and services that monitor and can be invoked in response to
    specific cloud events. Secure deployment templates and tools that limit the modification
    of cloud resources that may be abused for persistence, such as functions and workflows
    monitoring cloud events, could mitigate this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1671
  attack_object_name: Cloud Application Integration
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may achieve persistence by leveraging OAuth application integrations in a software-as-a-service
    environment. Adversaries may create a custom application, add a legitimate application
    into the environment, or even co-opt an existing integration to achieve malicious
    ends. Secure deployment templates may mitigate the ability of an adversary to
    deploy malicious additions and changes to applications in the SaaS environment. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may implant cloud or container images with malicious code to establish persistence
    after gaining access to an environment. Secure deployment templates and checking
    the integrity of images and containers used in cloud deployments to ensure they
    have not been modified to include malicious software may aid in mitigating this
    technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may create cloud instances in unused geographic service regions in order to evade
    detection. Deployment templates and IaC scripts enforce the regions in which
    a deployment can occur and mitigate the ability of a compromised deployment
    to occur in an unused/unsupported region.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: "This control applies to the secure deployments of applications and emphasizes\
    \ the prevention of misconfigurations and malicious deployment activities. Adversaries\
    \ may abuse compute resources within a victim's cloud environment by modifying\
    \ any tenant-wide policies that limit the sizes of deployed virtual machines.\
    \ Deployment templates and automated rollback can enforce resource quotas, network\
    \ segmentation, and least-privilege IAM roles, reducing the ability of a\
    \ compromised deployment to be repurposed for crypto-mining or other illicit\
    \ compute use."
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may also modify settings that affect where cloud resources can be deployed, such
    as enabling T1535 : Unused/Unsupported Cloud Regions. Enforcing approved deployment
    regions, and vetting deployed applications and resources under this control may
    reduce the chance that malicious cloud applications can be deployed. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may also modify settings that affect where cloud resources can be deployed, such
    as enabling T1535 : Unused/Unsupported Cloud Regions. Enforcing approved deployment
    regions, and vetting deployed applications and resources under this control may
    reduce the chance that malicious cloud applications can be deployed. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: "This control applies to the secure deployments of applications and emphasizes\
    \ the prevention of misconfigurations and malicious deployment activities. The\
    \ automated patch-management system could ensure OS, runtime, and application\
    \ vulnerabilities are remediated quickly, removing the exploitable footholds attackers\
    \ use to elevate privileges after a compromised deployment."
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: "This control applies to the secure deployments of applications and emphasizes\
    \ the prevention of misconfigurations and malicious deployment activities. Standardized\
    \ deployment templates, a curated list of approved automation/deployment tools,\
    \ and vetting of IaC libraries reduce the chance that malicious third\u2011party\
    \ code or compromised build tools enter the pipeline."
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Automated Secure Application Deployment
  capability_group: AIS
  capability_id: AIS-06
  comments: 'This control applies to the secure deployments of applications and emphasizes
    the prevention of misconfigurations and malicious deployment activities. Adversaries
    may attempt to exploit a weakness in a cloud-hosted application through software
    bugs or even deployment misconfigurations. Protecting cloud-hosted applications
    through standardized security configurations and deployment templates can mitigate
    the impact of this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Secure Disposal
  capability_group: DCS
  capability_id: DSP-02
  comments: "Adversaries may attempt to exfiltrate data via a physical medium, such\
    \ as removable drives. This control ensures that storage media is securely and\
    \ irreversibly sanitized using industry\u2011accepted methods to prevent data\
    \ recovery, thereby mitigating attacker techniques such as data remanence exploitation,\
    \ forensic recovery, and unauthorized access to residual sensitive information\
    \ from discarded or repurposed devices."
  mapping_type: mitigates
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Secure Disposal
  capability_group: DCS
  capability_id: DSP-02
  comments: "Adversaries may attempt to connect and distribute malware via removable\
    \ storage. In initial access, this may occur through manual manipulation of the\
    \ media, modification of systems used to initially format the media, or modification\
    \ to the media's firmware itself. This control ensures that storage media is securely\
    \ and irreversibly sanitized using industry\u2011accepted methods to prevent data\
    \ recovery, thereby mitigating attacker techniques such as data remanence exploitation,\
    \ forensic recovery, and unauthorized access to residual sensitive information\
    \ from discarded or repurposed devices."
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control outlines several testing approaches, including the use of
    automated tools, to identify and remediate vulnerabilities or weaknesses that
    can be exploited. Attackers may use an existing, legitimate external Web service
    to exfiltrate data rather than their primary command and control channel. Regular
    testing should identify data exfiltration paths through applications and test
    cloud APIs and web applications for unauthorized data access and exfiltration. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries can steal application access tokens as a means
    of acquiring credentials. Application access tokens are used to make authorized
    API requests on behalf of a user or service and are commonly used as a way to
    access resources in cloud and container-based applications. The SSDLC process
    should ensure that application APIs and application access tokens are securely
    created and protected in their cloud environments. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries can steal and use application access tokens as
    a means of acquiring credentials. Application access tokens are used to make authorized
    API requests on behalf of a user or service and are commonly used as a way to
    access resources in cloud and container-based applications. The SSDLC process
    should ensure that application APIs and application access tokens are securely
    designed, developed, and protected in their cloud environments. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. By stealing alternate authentication material, adversaries
    are able to bypass system access controls and authenticate to systems without
    knowing the plaintext password or any additional authentication factors. The use
    of secure coding techniques to implement token binding allows applications and
    services to cryptographically bind their security tokens to the TLS layer to mitigate
    token theft. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries may exploit software vulnerabilities in an attempt
    to collect credentials. Secure coding and secure configurations can prevent the
    exploitation of known web application vulnerabilities used by attackers to access stored
    credentials. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries may manipulate source code in open-source dependencies
    for the purpose of compromise to add malicious code to users of the dependency.
    SSDLC should validate open-source components to prevent the use of malicious or
    vulnerable dependencies. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries may attempt to access the Cloud Instance Metadata
    API to collect credentials and other sensitive data. The SSDLC process should
    ensure that applications and APIs are securely designed, developed, and operated
    in their cloud environments. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries may query and search through compromised applications
    to find and obtain insecurely stored credentials. Secure coding practices and
    secure credential handling may prevent hardcoded/insecurely stored credentials
    and ensure that those cloud accounts are not compromised. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: 'This control requires both Cloud Service Providers and customers to implement
    a Secure Software Development Lifecycle (SSDLC) with security practices throughout
    the entire application development process to protect cloud-based applications
    from cyber threats. Adversaries may query and search through compromised applications
    to find and obtain insecurely stored credentials. Secure coding practices and
    secure credential handling may prevent hardcoded/insecurely stored credentials
    and ensure the use of proper encryption for credentials and application data. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: "This control requires both Cloud Service Providers and customers to implement\
    \ a Secure Software Development Lifecycle (SSDLC) with security practices throughout\
    \ the entire application development process to protect cloud-based applications\
    \ from cyber threats. Adversaries will use T1059 for various command injection\
    \ attacks through web application interfaces. Securing serverless functions, cloud\
    \ APIs, and web applications from command injection can help in mitigating this\
    \ technique. \n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Secure Application Design and Development
  capability_group: AIS
  capability_id: AIS-04
  comments: "This control requires both Cloud Service Providers and customers to implement\
    \ a Secure Software Development Lifecycle (SSDLC) with security practices throughout\
    \ the entire application development process to protect cloud-based applications\
    \ from cyber threats. Adversaries will use T1190 to exploit vulnerabilities in\
    \ web applications on an internet-facing host or system to initially access a network.\
    \ Proper input validation and secure coding practices can prevent exploitation\
    \ of web application vulnerabilities. \n\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: "The control outlines several testing approaches, including the use of\
    \ automated tools, to identify vulnerabilities throughout the software development\
    \ lifecycle from development to production. It emphasizes testing for risks such\
    \ as injection attacks and session hijacking, and recommends alignment with industry\
    \ standards like the OWASP Top 10 to enhance application security. \nAdversaries\
    \ may manipulate software dependencies and development tools prior to receipt\
    \ by a final consumer for the purpose of data or system compromise. A vulnerability\
    \ scanner can be used to identify any third-party issues as outlined in the implementation\
    \ guidelines."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    attempt to exploit default admin or user accounts in cloud services, SaaS platforms,
    or cloud-deployed databases that weren't properly secured during setup.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    use brute force techniques to gain access to accounts when passwords are unknown
    or when password hashes are obtained. Deprecated hash functions (MD5, SHA1) and
    weak key derivation make password cracking significantly faster, enabling successful
    brute force attacks. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    search compromised services or applications to find and obtain insecurely stored
    API keys for SaaS services or cloud storage encryption keys. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    passively sniff network traffic to capture traffic between microservices, API
    calls to SaaS platforms, or data transfers between on-premises and IaaS resources
    that lack proper TLS encryption. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    modify access tokens to operate under a different user or system security context
    to perform actions and bypass access controls. For example, replaying or tampering
    with a JSON Web Token (JWT) access control token to elevate privileges or abusing
    JWT invalidation. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    attempt to bypass access controls and elevate privileges to gain unauthorized
    access. Therefore, testing for improper privilege escalation, such as scenarios
    where a user can act without authentication or gain administrative rights while
    logged in as a standard user, can help mitigate these risks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control outlines several testing approaches, including the use of
    automated tools, to identify vulnerabilities throughout the software development
    lifecycle from development to production. It emphasizes testing for risks such
    as injection attacks and session hijacking, and recommends alignment with industry
    standards like the OWASP Top 10 to enhance application security. Adversaries may
    attempt to bypass access controls and elevate privileges to gain unauthorized
    access. Therefore, testing for improper privilege escalation, such as scenarios
    where a user bypasses access control checks by modifying the URL, can help mitigate
    these risks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. Adversaries may attempt to
    access the Cloud Instance Metadata API to collect credentials and other sensitive
    data. Testing for the unnecessary use of metadata services or restricting and
    disabling insecure versions of metadata services that are in use may prevent adversary
    use of this technique. Additionally, adversaries may exploit a Server-Side Request
    Forgery (SSRF) vulnerability in a public-facing web proxy that allows them to
    gain access to the sensitive information via a request to the Instance Metadata
    API.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. With proper permissions (often
    via use of credentials such as Application Access Token and Web Session Cookie),
    adversaries may abuse cloud APIs to invoke various functions that execute malicious
    actions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. Adversaries may attempt to
    exploit a weakness in an Internet-facing host or application by using techniques
    such as SQL injection, command injection, Cross-site scripting (XSS), and
    Cross-Site Request Forgery (CSRF). '
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. Adversaries may attempt to
    exploit a weakness in an Internet-facing host or application by using techniques
    such as SQL injection, command injection, Cross-site scripting (XSS), and
    Cross-Site Request Forgery (CSRF). '
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. An adversary may steal web
    application or service session cookies and use them to gain access to web applications,
    internet services, or cloud services, as an authenticated user without needing
    credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: 'The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. Adversaries can use stolen
    session cookies to authenticate to web applications and services. Authentication
    cookies are commonly used in web applications, including cloud-based services,
    after a user has authenticated to the service so credentials are not passed and
    re-authentication does not need to occur as frequently. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Automated Application Security Testing
  capability_group: AIS
  capability_id: AIS-05
  comments: The control describes multiple testing approaches with automated tools
    to identify vulnerabilities from development through production. The control outlines
    testing for injection attacks, session hijacking, and aligning with industry standards
    like OWASP Top 10 to ensure applications are secure. Adversaries may forge web
    cookies that can be used to gain access to web applications or Internet services.
    Web applications and services (hosted in cloud SaaS environments or on-premise
    servers) often use session cookies to authenticate and authorize user access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Application Vulnerability Remediation
  capability_group: AIS
  capability_id: AIS-07
  comments: The control requires prioritized remediation based on risk assessment
    and CVSS scores, automated patch management, and integration of remediation tools
    into CI/CD pipelines to address vulnerabilities as early as possible in the development
    lifecycle.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Application Vulnerability Remediation
  capability_group: AIS
  capability_id: AIS-07
  comments: The control requires prioritized remediation based on risk assessment
    and CVSS scores, automated patch management, and integration of remediation tools
    into CI/CD pipelines to address vulnerabilities as early as possible in the development
    lifecycle.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Application Vulnerability Remediation
  capability_group: AIS
  capability_id: AIS-07
  comments: The control requires prioritized remediation based on risk assessment
    and CVSS scores, automated patch management, and integration of remediation tools
    into CI/CD pipelines to address vulnerabilities as early as possible in the development
    lifecycle.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Application Vulnerability Remediation
  capability_group: AIS
  capability_id: AIS-07
  comments: The control requires prioritized remediation based on risk assessment
    and CVSS scores, automated patch management, and integration of remediation tools
    into CI/CD pipelines to address vulnerabilities as early as possible in the development
    lifecycle.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Application Vulnerability Remediation
  capability_group: AIS
  capability_id: AIS-07
  comments: The control requires prioritized remediation based on risk assessment
    and CVSS scores, automated patch management, and integration of remediation tools
    into CI/CD pipelines to address vulnerabilities as early as possible in the development
    lifecycle.
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.004
  attack_object_name: Cloud Service Hijacking
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications to prevent
    misuse, abuse, and exploitation. When it comes to Cloud Service Hijacking, adversaries
    may leverage compromised software-as-a-service (SaaS) applications to complete
    resource-intensive tasks, which may impact hosted service availability.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Adversaries
    may use an existing, legitimate external Web service to exfiltrate data rather
    than their primary command and control channel. Security requirements should be
    in place to mitigate the configuration of cloud applications and web services that
    could be abused to exfiltrate data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: 'This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. In
    cloud-based environments, adversaries may also use cloud APIs, data pipelines,
    command line interfaces, or extract, transform, and load (ETL) services to automatically
    collect data. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Adversaries
    may collect sensitive data from cloud storage solutions used for cloud applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Application
    access tokens are used to make authorized API requests on behalf of a user or
    service and are commonly used as a way to access resources in cloud and container-based
    applications and software-as-a-service (SaaS). The baseline security requirements
    outlined in the implementation guidance can be used to set usage limits and manage
    user permissions on cloud applications to prevent access to application access
    tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: 'This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. An
    adversary may steal web application or service session cookies and use them to
    gain access to web applications or Internet services as an authenticated user
    without needing credentials. The baseline security requirements outlined in the
    implementation guidance can be used to help reduce the impact of stolen cookies. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Web
    applications and services (hosted in cloud SaaS environments or on-premise servers)
    often use session cookies to authenticate and authorize user access. Access control
    and permissions can be mitigations that limit and restrict which users are granted
    access to web applications and services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: 'This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Valid
    accounts in cloud environments may allow adversaries to perform actions to achieve
    Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Access
    control and account management related to cloud accounts for web applications
    may mitigate the abuse of legitimate cloud accounts. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1671
  attack_object_name: Cloud Application Integration
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: 'This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Adversaries
    may achieve persistence by leveraging OAuth application integrations in a software-as-a-service
    environment. Adversaries may create a custom application, add a legitimate application
    into the environment, or even co-opt an existing integration to achieve malicious
    ends. Review integrations by restricting or limiting users'' ability to carelessly
    add new application integrations into a SaaS environment before an unapproved or
    potentially malicious application is introduced to the cloud environment. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: 'This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Adversaries
    may gain access to and use centralized software suites installed within an enterprise
    to execute commands and move laterally through the network. Configuration management
    and software deployment applications may be used in an enterprise network or cloud
    environment for routine administration purposes. These systems may also be integrated
    into CI/CD pipelines. Ensuring proper system and access control isolation for cloud
    applications through use of group policy may aid in mitigating this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Application Security Baseline Requirements
  capability_group: AIS
  capability_id: AIS-02
  comments: 'This control guidance requires organizations to establish security baseline
    requirements for different cloud applications. Security requirement examples include
    access control, encryption, and configuration management for applications. Adversaries
    may abuse serverless computing, integration, and automation services to execute
    arbitrary code in cloud environments. Many cloud providers offer a variety of
    serverless resources, including compute engines, application integration services,
    and web servers. Access control that restricts the ability of users and processes
    to abuse serverless functions can help mitigate this technique. '
  mapping_type: mitigates
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Primary Service and Contractual Agreement
  capability_group: STA
  capability_id: STA-11
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Off-Site Transfer Authorization Policy and Procedures
  capability_group: DCS
  capability_id: DCS-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Secure Media Transportation Policy and Procedures
  capability_group: DCS
  capability_id: DCS-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Unauthorized Change Protection
  capability_group: CCC
  capability_id: CCC-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption Algorithm
  capability_group: CEK
  capability_id: CEK-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Archival
  capability_group: CEK
  capability_id: CEK-18
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Compromise
  capability_group: CEK
  capability_id: CEK-19
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Suspension
  capability_group: CEK
  capability_id: CEK-16
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Deactivation
  capability_group: CEK
  capability_id: CEK-17
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Revocation
  capability_group: CEK
  capability_id: CEK-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Destruction
  capability_group: CEK
  capability_id: CEK-14
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Purpose
  capability_group: CEK
  capability_id: CEK-11
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Rotation
  capability_group: CEK
  capability_id: CEK-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Generation
  capability_group: CEK
  capability_id: CEK-10
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption Change Cost Benefit Analysis
  capability_group: CEK
  capability_id: CEK-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption Change Management
  capability_group: CEK
  capability_id: CEK-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Remote Wipe
  capability_group: UEM
  capability_id: UEM-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Endpoint Inventory
  capability_group: UEM
  capability_id: UEM-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Threat Response
  capability_group: TVM
  capability_id: TVM-10
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Vulnerability Identification
  capability_group: TVM
  capability_id: TVM-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Malware Protection Policy and Procedures
  capability_group: TVM
  capability_id: TVM-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Vulnerability Remediation Schedule
  capability_group: TVM
  capability_id: TVM-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Threat Analysis and Modeling
  capability_group: TVM
  capability_id: TVM-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Service Management Policy and Procedures
  capability_group: SEF
  capability_id: SEF-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Remote Locate
  capability_group: UEM
  capability_id: UEM-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Operating Systems
  capability_group: UEM
  capability_id: UEM-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Automatic Lock Screen
  capability_group: UEM
  capability_id: UEM-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Application and Service Approval
  capability_group: UEM
  capability_id: UEM-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Endpoint Devices Policy and Procedures
  capability_group: UEM
  capability_id: UEM-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Vulnerability Management Metrics
  capability_group: TVM
  capability_id: TVM-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Vulnerability Management Reporting
  capability_group: TVM
  capability_id: TVM-11
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Vulnerability Prioritization
  capability_group: TVM
  capability_id: TVM-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Threat and Vulnerability Management Policy and Procedures
  capability_group: TVM
  capability_id: TVM-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Supply Chain Governance Review
  capability_group: STA
  capability_id: STA-15
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Supply Chain Risk Management Policies and Procedures
  capability_group: STA
  capability_id: STA-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: SSRM Guidance
  capability_group: STA
  capability_id: STA-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: SSRM Control Ownership
  capability_group: STA
  capability_id: STA-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: SSRM Documentation Review
  capability_group: STA
  capability_id: STA-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: SSRM Policy and Procedures
  capability_group: STA
  capability_id: STA-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: SSRM Control Implementation
  capability_group: STA
  capability_id: STA-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Supply Chain Inventory
  capability_group: STA
  capability_id: STA-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Service Bill of Material (BOM)
  capability_group: STA
  capability_id: STA-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Supply Chain Agreement Review
  capability_group: STA
  capability_id: STA-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Supply Chain Compliance Assessment
  capability_group: STA
  capability_id: STA-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Supply Chain Service Agreement Compliance
  capability_group: STA
  capability_id: STA-14
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: SSRM Supply Chain
  capability_group: STA
  capability_id: STA-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Points of Contact Maintenance
  capability_group: SEF
  capability_id: SEF-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Incident Response Testing
  capability_group: SEF
  capability_id: SEF-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Incident Response Metrics
  capability_group: SEF
  capability_id: SEF-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Event Triage Processes
  capability_group: SEF
  capability_id: SEF-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Incident Management and Response
  capability_group: SEF
  capability_id: SEF-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Security Breach Notification
  capability_group: SEF
  capability_id: SEF-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Security Incident Management Policy and Procedures
  capability_group: SEF
  capability_id: SEF-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Incident Response Plans
  capability_group: SEF
  capability_id: SEF-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption Monitoring and Reporting
  capability_group: LOG
  capability_id: LOG-11
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Transaction/Activity Logging
  capability_group: LOG
  capability_id: LOG-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Access Control Logs
  capability_group: LOG
  capability_id: LOG-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Log Records
  capability_group: LOG
  capability_id: LOG-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Failures and Anomalies Reporting
  capability_group: LOG
  capability_id: LOG-14
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Logging Scope
  capability_group: LOG
  capability_id: LOG-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Audit Logs Monitoring and Response
  capability_group: LOG
  capability_id: LOG-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Clock Synchronization
  capability_group: LOG
  capability_id: LOG-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Security Monitoring and Alerting
  capability_group: LOG
  capability_id: LOG-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Logging and Monitoring Policy and Procedures
  capability_group: LOG
  capability_id: LOG-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Network Architecture Documentation
  capability_group: I&S
  capability_id: I&S-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Capacity and Resource Planning
  capability_group: I&S
  capability_id: I&S-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Infrastructure and Virtualization Security Policy and Procedures
  capability_group: I&S
  capability_id: I&S-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Interoperability and Portability Policy and Procedures
  capability_group: IPY
  capability_id: IPY-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Identity and Access Management Policy and Procedures
  capability_group: IAM
  capability_id: IAM-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Data Protection Impact Assessment
  capability_group: DSP
  capability_id: DSP-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Disclosure Notification
  capability_group: DSP
  capability_id: DSP-18
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Data Ownership and Stewardship
  capability_group: DSP
  capability_id: DSP-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Data Flow Documentation
  capability_group: DSP
  capability_id: DSP-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Security and Privacy Policy and Procedures
  capability_group: DSP
  capability_id: DSP-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Data Location
  capability_group: DSP
  capability_id: DSP-19
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Secure Area Authorization
  capability_group: DCS
  capability_id: DCS-10
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Controlled Physical Access Points
  capability_group: DCS
  capability_id: DCS-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Surveillance System
  capability_group: DCS
  capability_id: DCS-11
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Adverse Event Response Training
  capability_group: DCS
  capability_id: DCS-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Cabling Security
  capability_group: DCS
  capability_id: DCS-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Environmental Systems
  capability_group: DCS
  capability_id: DCS-14
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Datacenter Metrics
  capability_group: DCS
  capability_id: DCS-17
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Equipment Location
  capability_group: DCS
  capability_id: DCS-16
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Assets Classification
  capability_group: DCS
  capability_id: DCS-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Assets Cataloguing and Tracking
  capability_group: DCS
  capability_id: DCS-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Secure Media Transportation Policy and Procedures
  capability_group: DCS
  capability_id: DCS-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Physical and Environmental Security Policy and Procedures
  capability_group: DCS
  capability_id: DCS-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Off-Site Equipment Disposal Policy and Procedures
  capability_group: DCS
  capability_id: DCS-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Application and Interface Security Policy and Procedures
  capability_group: AIS
  capability_id: AIS-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Application Security Metrics
  capability_group: AIS
  capability_id: AIS-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Background Screening Policy and Procedures
  capability_group: HRS
  capability_id: HRS-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Acceptable Use of Technology Policy and Procedures
  capability_group: HRS
  capability_id: HRS-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Asset returns
  capability_group: HRS
  capability_id: HRS-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Employment Termination
  capability_group: HRS
  capability_id: HRS-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Employment Agreement Process
  capability_group: HRS
  capability_id: HRS-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Employment Agreement Content
  capability_group: HRS
  capability_id: HRS-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Personnel Roles and Responsibilities
  capability_group: HRS
  capability_id: HRS-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Non-Disclosure Agreements
  capability_group: HRS
  capability_id: HRS-10
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Security Awareness Training
  capability_group: HRS
  capability_id: HRS-11
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Personal and Sensitive Data Awareness and Training
  capability_group: HRS
  capability_id: HRS-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Compliance User Responsibility
  capability_group: HRS
  capability_id: HRS-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Governance Program Policy and Procedures
  capability_group: GRC
  capability_id: GRC-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Risk Management Program
  capability_group: GRC
  capability_id: GRC-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Organizational Policy Reviews
  capability_group: GRC
  capability_id: GRC-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Policy Exception Process
  capability_group: GRC
  capability_id: GRC-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Information Security Program
  capability_group: GRC
  capability_id: GRC-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Governance Responsibility Model
  capability_group: GRC
  capability_id: GRC-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Information System Regulatory Mapping
  capability_group: GRC
  capability_id: GRC-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Special Interest Groups
  capability_group: GRC
  capability_id: GRC-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption and Key Management Policy and Procedures
  capability_group: CEK
  capability_id: CEK-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: CEK Roles and Responsibilities
  capability_group: CEK
  capability_id: CEK-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption Risk Management
  capability_group: CEK
  capability_id: CEK-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: CSC Key Management Capability
  capability_group: CEK
  capability_id: CEK-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Encryption and Key Management Audit
  capability_group: CEK
  capability_id: CEK-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Activation
  capability_group: CEK
  capability_id: CEK-15
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Recovery
  capability_group: CEK
  capability_id: CEK-20
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Key Inventory Management
  capability_group: CEK
  capability_id: CEK-21
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Change Management Policy and Procedures
  capability_group: CCC
  capability_id: CCC-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Change Management Technology
  capability_group: CCC
  capability_id: CCC-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Change Agreements
  capability_group: CCC
  capability_id: CCC-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Change Management Baseline
  capability_group: CCC
  capability_id: CCC-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Detection of Baseline Deviation
  capability_group: CCC
  capability_id: CCC-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Exception Management
  capability_group: CCC
  capability_id: CCC-08
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Change Restoration
  capability_group: CCC
  capability_id: CCC-09
  mapping_type: non_mappable
  references: []
# BCR — Business Continuity Management and Operational Resilience
# (see metadata.capability_groups). Every BCR entry in this run is non_mappable:
# continuity / recovery planning controls with no ATT&CK technique attached.
# NOTE(review): BCR-08 does not appear in this run (BCR-07 is followed by BCR-09);
# presumably it is listed elsewhere in the file with a technique mapping — verify
# before treating it as an omission.
- attack_object_id: null
  attack_object_name: null
  capability_description: Business Continuity Management Policy and Procedures
  capability_group: BCR
  capability_id: BCR-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Risk Assessment and Impact Analysis
  capability_group: BCR
  capability_id: BCR-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Business Continuity Strategy
  capability_group: BCR
  capability_id: BCR-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Business Continuity Planning
  capability_group: BCR
  capability_id: BCR-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Documentation
  capability_group: BCR
  capability_id: BCR-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Business Continuity Exercises
  capability_group: BCR
  capability_id: BCR-06
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Communication
  capability_group: BCR
  capability_id: BCR-07
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Disaster Response Plan
  capability_group: BCR
  capability_id: BCR-09
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Response Plan Exercise
  capability_group: BCR
  capability_id: BCR-10
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Equipment Redundancy
  capability_group: BCR
  capability_id: BCR-11
  mapping_type: non_mappable
  references: []
# A&A — Audit and Assurance (see metadata.capability_groups). A&A-01..A&A-06 are
# non_mappable: assurance / audit-process controls with no ATT&CK technique attached.
# The key "A&A" is a plain scalar; '&' is only an anchor sigil when it leads a value,
# so no quoting is required here.
- attack_object_id: null
  attack_object_name: null
  capability_description: Audit and Assurance Policy and Procedures
  capability_group: A&A
  capability_id: A&A-01
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Independent Assessments
  capability_group: A&A
  capability_id: A&A-02
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Risk Based Planning Assessment
  capability_group: A&A
  capability_id: A&A-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Requirements Compliance
  capability_group: A&A
  capability_id: A&A-04
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Audit Management Process
  capability_group: A&A
  capability_id: A&A-05
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Remediation
  capability_group: A&A
  capability_id: A&A-06
  mapping_type: non_mappable
  references: []
# HRS — Human Resources (see metadata.capability_groups). Only HRS-03 and HRS-04
# appear in this run, both non_mappable (policy / procedure controls with no
# ATT&CK technique attached).
- attack_object_id: null
  attack_object_name: null
  capability_description: Clean Desk Policy and Procedures
  capability_group: HRS
  capability_id: HRS-03
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Remote and Home Working Policy and Procedures
  capability_group: HRS
  capability_id: HRS-04
  mapping_type: non_mappable
  references: []
# DSP — Data Security and Privacy Lifecycle Management (see metadata.capability_groups).
# DSP-14..DSP-11 are privacy / sub-processing controls recorded as non_mappable.
# NOTE(review): this group is listed in descending id order (DSP-14 -> DSP-11), unlike
# the other groups in this run; harmless to consumers, but worth normalising if the
# file is regenerated so diffs stay readable.
- attack_object_id: null
  attack_object_name: null
  capability_description: Disclosure of Data Sub-processors
  capability_group: DSP
  capability_id: DSP-14
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Personal Data Sub-processing
  capability_group: DSP
  capability_id: DSP-13
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Limitation of Purpose in Personal Data Processing
  capability_group: DSP
  capability_id: DSP-12
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Personal Data Access, Reversal, Rectification and Deletion
  capability_group: DSP
  capability_id: DSP-11
  mapping_type: non_mappable
  references: []
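# DSP-03 "Data Inventory". capability_group was recorded as DCS (Datacenter
# Security), which contradicts the DSP- prefix of capability_id; every other entry
# in this file keeps capability_group equal to the id prefix, and the description
# belongs to the DSP domain (metadata.capability_groups). Corrected to DSP so that
# group-level filtering and coverage counts place this control with DSP-11..DSP-14
# instead of inflating the DCS group.
- attack_object_id: null
  attack_object_name: null
  capability_description: Data Inventory
  capability_group: DSP
  capability_id: DSP-03
  mapping_type: non_mappable
  references: []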
# UEM — Universal Endpoint Management (see metadata.capability_groups). UEM-03
# "Compatibility" is the only UEM entry in this run and is non_mappable.
- attack_object_id: null
  attack_object_name: null
  capability_description: Compatibility
  capability_group: UEM
  capability_id: UEM-03
  mapping_type: non_mappable
  references: []
# Provenance and vocabulary for the mapping_objects list above.
metadata:
  # ATT&CK release the technique ids/names were taken against. Quoted so it stays
  # a string (unquoted 17.1 would parse as a float). Technique ids can be
  # deprecated or revoked between releases, so re-validate the 'mitigates'
  # entries after an ATT&CK upgrade rather than bumping this value alone.
  attack_version: '17.1'
  author: null
  # Short code -> CSA CCM domain name; capability_group on every mapping object
  # is expected to be one of these keys and to equal the capability_id prefix.
  capability_groups:
    A&A: Audit and Assurance
    AIS: Application and Interface Security
    BCR: Business Continuity Management and Operational Resilience
    CCC: Change Control and Configuration Management
    CEK: Cryptography, Encryption, and Key Management
    DCS: Datacenter Security
    DSP: Data Security and Privacy Lifecycle Management
    GRC: Governance, Risk, and Compliance
    HRS: Human Resources
    I&S: Infrastructure Security
    IAM: Identity and Access Management
    IPY: Interoperability and Portability
    LOG: Logging and Monitoring
    SEF: Security Incident Management, E-Discovery, and Cloud Forensics
    STA: Supply Chain Management, Transparency, and Accountability
    TVM: Threat and Vulnerability Management
    UEM: Universal Endpoint Management
  contact: null
  # MM/DD/YYYY plain scalars. The slashes keep YAML from reading them as
  # timestamps, but the format is locale-ambiguous; a quoted ISO 8601 date
  # would be safer for downstream tooling.
  creation_date: 07/29/2025
  last_update: 01/27/2026
  mapping_framework: csa_ccm
  # CCM version, quoted for the same float-parsing reason as attack_version.
  mapping_framework_version: '4.1'
  # The only two relationship kinds this file uses. There is no 'detects'
  # relationship, so detective controls can only be recorded as non_mappable.
  mapping_types:
    mitigates:
      description: The security control may prevent successful execution of the technique
        or sub-technique.
      name: mitigates
    non_mappable:
      description: The control is out of scope (e.g., does not provide security capabilities)
        or does not provide mitigation of specific threats as contained in ATT&CK.
      name: non_mappable
  # Empty string: this mapping set is not versioned independently of
  # last_update. Consumers cannot distinguish revisions by this field.
  mapping_version: ''
  organization: null
  technology_domain: enterprise
