The Datacenter Security (DCS) domain covers how CSPs secure the physical infrastructure and environment that hosts the data and applications of their CSCs. This includes safeguarding physical assets, such as infrastructure and equipment, against security threats such as unauthorized access and environmental hazards.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DCS-18 | Datacenter Operations Resilience | mitigates | T1489 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1496.004 | Cloud Service Hijacking | Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1498.002 | Reflection Amplification | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1498.001 | Direct Network Flood | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1490 | Inhibit System Recovery | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1499.003 | Application Exhaustion Flood | Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1499.002 | Service Exhaustion Flood | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, though others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1499 | Endpoint Denial of Service | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1491 | Defacement | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1485.001 | Lifecycle-Triggered Deletion | Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1485 | Data Destruction | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1498 | Network Denial of Service | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include DNS and web-based services and applications that provide resources to the utility services. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1496.001 | Compute Hijacking | Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1496 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1496.002 | Bandwidth Hijacking | Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1529 | System Shutdown/Reboot | Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
| DCS-15 | Secure Utilities | mitigates | T1529 | System Shutdown/Reboot | Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1496.002 | Bandwidth Hijacking | Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1496 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1498.002 | Reflection Amplification | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1498.001 | Direct Network Flood | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1498 | Network Denial of Service | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include DNS and web-based services and applications that provide resources to the utility services. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1499.002 | Service Exhaustion Flood | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, though others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-15 | Secure Utilities | mitigates | T1489 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. This control requires securing, monitoring, maintaining, and regularly testing utility services (e.g., power, HVAC, communications) to ensure ongoing effectiveness, mitigating attacker techniques such as disruption of infrastructure, exploitation of unmonitored service failures, and availability attacks that can compromise system resilience. |
| DCS-09 | Equipment Identification | mitigates | T1599.001 | Network Address Translation Traversal | Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration, effectively compromising the device. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. Upon identifying a compromised network device being used to bridge a network boundary, block the malicious packets using an unaffected network device in the path, such as a firewall or a router that has not been compromised. Continue to monitor for additional activity and to ensure that the blocks are indeed effective. |
| DCS-09 | Equipment Identification | mitigates | T1599 | Network Boundary Bridging | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. Upon identifying a compromised network device being used to bridge a network boundary, block the malicious packets using an unaffected network device in the path, such as a firewall or a router that has not been compromised. Continue to monitor for additional activity and to ensure that the blocks are indeed effective. |
| DCS-09 | Equipment Identification | mitigates | T1200 | Hardware Additions | Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. |
| DCS-09 | Equipment Identification | mitigates | T1219.003 | Remote Access Hardware | An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories through endpoint security configuration and a monitoring agent can help block this technique. |
| DSP-04 | Data Classification | mitigates | T1537 | Transfer Data to Cloud Account | Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Certain data loss prevention capabilities can detect and block data tagged as sensitive from being shared with individuals outside an organization. |
| DSP-04 | Data Classification | mitigates | T1567.004 | Exfiltration Over Webhook | Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Certain data loss prevention capabilities can detect and block traffic based on pre-defined lists of approved and non-approved webhooks to prevent unauthorized exfiltration. |
| DSP-04 | Data Classification | mitigates | T1567 | Exfiltration Over Web Service | Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention capabilities can detect and block tagged sensitive data being uploaded to web services via web browsers, or block access to pre-defined blacklisted websites. |
| DSP-04 | Data Classification | mitigates | T1052.001 | Exfiltration over USB | Adversaries may attempt to exfiltrate data over a USB-connected physical device. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention can detect and block sensitive data being copied to USB devices. |
| DSP-04 | Data Classification | mitigates | T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention can detect and block sensitive data being copied to physical media. |
| DSP-04 | Data Classification | mitigates | T1041 | Exfiltration Over C2 Channel | Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. DLP can detect and block sensitive data being uploaded via known malicious C2 channels and unencrypted protocols. |
| DSP-04 | Data Classification | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Some DLP capabilities can detect and block sensitive data being sent over unencrypted protocols. |
| DSP-04 | Data Classification | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Some DLP capabilities can detect and block sensitive data being uploaded via web browsers. |
| DSP-04 | Data Classification | mitigates | T1048 | Exfiltration Over Alternative Protocol | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Some DLP capabilities can detect and block sensitive data being uploaded via web browsers. |
| DSP-04 | Data Classification | mitigates | T1020 | Automated Exfiltration | Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Certain data loss prevention capabilities can detect attempts at mass automated exfiltration of tagged sensitive data and block them. |
| DSP-04 | Data Classification | mitigates | T1119 | Automated Collection | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Certain data loss prevention capabilities can restrict mass automated collection of data that has been tagged sensitive. |
| DSP-04 | Data Classification | mitigates | T1025 | Data from Removable Media | Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. |
| DSP-04 | Data Classification | mitigates | T1005 | Data from Local System | Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
| DSP-02 | Secure Disposal | mitigates | T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as removable drives. This control ensures that storage media is securely and irreversibly sanitized using industry-accepted methods to prevent data recovery, thereby mitigating attacker techniques such as data remanence exploitation, forensic recovery, and unauthorized access to residual sensitive information from discarded or repurposed devices. |
| DSP-02 | Secure Disposal | mitigates | T1091 | Replication Through Removable Media | Adversaries may attempt to connect and distribute malware via removable storage. In initial access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. This control ensures that storage media is securely and irreversibly sanitized using industry-accepted methods to prevent data recovery, thereby mitigating attacker techniques such as data remanence exploitation, forensic recovery, and unauthorized access to residual sensitive information from discarded or repurposed devices. |
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| DCS-09 | Equipment Identification | 4 |
| DSP-02 | Secure Disposal | 2 |
| DCS-15 | Secure Utilities | 8 |
| DSP-04 | Data Classification | 13 |
| DCS-18 | Datacenter Operations Resilience | 16 |