Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DSP-15 | Limitation of Production Data Use | mitigates | T1565 | Data Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may insert, delete, replicate, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, identify critical business and system processes that may be targeted by adversaries, and work to isolate and secure those systems against unauthorized access and tampering. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1565.001 | Stored Data Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, encrypt important information to reduce an adversary's ability to perform tailored data modifications, such as replicating data from production to non-production environments. Also, enforcing least privilege on important information resources can reduce exposure to data manipulation from other systems and environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1565.002 | Transmitted Data Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1072 | Software Deployment Tools | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands, such as replicating production data into non-production environments. In terms of mitigation, grant access to application deployment systems only to a limited number of authorized administrators, to limit the ability to replicate data across production and non-production environments. Also, verify that the account credentials used to access deployment systems are unique and not reused throughout the enterprise network; this limits the abuse of this technique to replicate production data into non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1552.007 | Container API | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, an adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment. In terms of mitigation, limit communications with the container service to managed and secured channels, and deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls to lessen the opportunity for abuse of this technique. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1199 | Trusted Relationship | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network. In terms of mitigation, network segmentation can be used to isolate infrastructure components that do not require broad network access from various trusted partners. Also, properly manage the accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party, and to limit the damage if the party is compromised by an adversary. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1210 | Exploitation of Remote Services | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program or cloud service. In terms of mitigation, segment networks and systems appropriately to restrict access to production systems and services to controlled methods. Also, minimize permissions and access for service accounts to limit the impact of exploitation. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1133 | External Remote Services | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. In terms of mitigation, denying direct remote access to internal production systems through the use of network proxies, gateways, and firewalls can lessen the abuse of this technique. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or of replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over an unencrypted protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or of replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over an asymmetrically encrypted protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or of replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or of replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048 | Exfiltration Over Alternative Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or of replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1610 | Deploy Container | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container that contains production data from the environment. In terms of mitigation, enforce the principle of least privilege by limiting container dashboard access to only the necessary users. Also, deny direct remote access to internal production systems through the use of network proxies, gateways, and firewalls to lessen the ability to use production data in non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1586.003 | Cloud Accounts | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems into production and non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1098.001 | Additional Cloud Credentials | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems into production and non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1098 | Account Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems into production and non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1530 | Data from Cloud Storage | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, many IaaS providers offer solutions for online data object storage, such as Amazon S3, Azure Storage, and Google Cloud Storage. In terms of mitigation, enforce access control lists on storage systems and objects to block unauthorized access through which production data could be replicated into non-production environments. |