The Data Security and Privacy Lifecycle Management (DSP) domain features controls on privacy and data security. These controls are not industry or sector-specific and are not focused on a particular country or regulation. However, these controls have been developed by considering the common elements and requirements of major privacy regulations. They are generally applicable to organizations worldwide and are expected to serve as a valuable baseline—with the caveat that some organizations operating in some locations or sectors may have to implement supplemental data protection controls.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DSP-16 | Data Retention and Deletion | mitigates | T1070 | Indicator Removal | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. In terms of mitigation, automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| DSP-16 | Data Retention and Deletion | mitigates | T1565 | Data Manipulation | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, backups that are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups can lessen the impact of this technique. |
| DSP-16 | Data Retention and Deletion | mitigates | T1490 | Inhibit System Recovery | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, in cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios. In terms of mitigation, enabling versioning on storage objects where possible within the cloud environment, and copying backups to other accounts or regions to isolate them from the original copies, can aid in lessening the impact of this technique. |
| DSP-16 | Data Retention and Deletion | mitigates | T1491.002 | External Defacement | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may modify systems or applications external to an enterprise network, thus affecting the integrity of the original content as seen by external users. In terms of mitigation, taking regular data backups that can be used to restore organizational data can limit the impact of this technique. |
| DSP-16 | Data Retention and Deletion | mitigates | T1491.001 | Internal Defacement | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may modify internal systems, thus affecting the integrity and operation of the original content as seen by internal users. In terms of mitigation, taking regular data backups that can be used to restore organizational data can limit the impact of this technique. |
| DSP-16 | Data Retention and Deletion | mitigates | T1491 | Defacement | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. In terms of mitigation, taking regular data backups that can be used to restore organizational data can limit the impact of this technique. |
| DSP-16 | Data Retention and Deletion | mitigates | T1486 | Data Encrypted for Impact | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. In terms of mitigation, consider enabling versioning in cloud environments to maintain backup copies of storage objects to limit the impact of this technique. |
| DSP-16 | Data Retention and Deletion | mitigates | T1485.001 | Lifecycle-Triggered Deletion | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time. In terms of mitigation, consider limiting the permission to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it, to lessen the impact of this technique. In AWS environments, consider using Service Control Policies (SCPs) to limit the use of the PutBucketLifecycle API call. |
| DSP-16 | Data Retention and Deletion | mitigates | T1485 | Data Destruction | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. In terms of mitigation, taking regular data backups that can be used to restore organizational data, and ensuring those backups are stored off system and protected from common methods adversaries may use to gain access and destroy them to prevent recovery, can limit the impact of this technique. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1565 | Data Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may insert, delete, replicate, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1565.001 | Stored Data Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, encrypt important information to reduce an adversary’s ability to perform tailored data modifications, such as replication of data from production to non-production environments. Also, enforcing least privilege principles on important information resources could reduce exposure to data manipulation risk from different systems and environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1565.002 | Transmitted Data Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data. In terms of mitigation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1072 | Software Deployment Tools | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands, such as replicating production data in non-production environments. In terms of mitigation, grant access to application deployment systems only to a limited number of authorized administrators to limit the ability to replicate data across production and non-production environments. Also, verifying that account credentials that may be used to access deployment systems are unique and not reused throughout the enterprise network can limit the abuse of this technique to replicate production data in non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1552.007 | Container API | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, an adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment. In terms of mitigation, limit communications with the container service to managed and secured channels, and deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls to lessen the potential for abuse of this technique. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1199 | Trusted Relationship | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. In terms of mitigation, network segmentation can be used to isolate infrastructure components that do not require broad network access from trusted partners, and properly managing the accounts and permissions used by parties in trusted relationships minimizes potential abuse by the party, or by an adversary who has compromised that party. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1210 | Exploitation of Remote Services | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program or cloud service. In terms of mitigation, segment networks and systems appropriately to restrict access to production systems and services to controlled methods. Also, minimize permissions and access for service accounts to limit the impact of exploitation. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1133 | External Remote Services | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. In terms of mitigation, denying direct remote access to internal production systems through the use of network proxies, gateways, and firewalls can lessen the abuse of this technique. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or data replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over an unencrypted protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or data replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over an asymmetrically encrypted protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or data replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or data replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1048 | Exfiltration Over Alternative Protocol | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location, such as a non-production environment, to facilitate exfiltration. In terms of mitigation, follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. Also, consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials or data replication to access data. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1610 | Deploy Container | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container which could contain production data of the environment. In terms of mitigation, enforce the principle of least privilege by limiting container dashboard access to only the necessary users. Also, deny direct remote access to internal production systems through the use of network proxies, gateways, and firewalls in order to lessen the ability to use production data in non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1586.003 | Cloud Accounts | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems between production and non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1098.001 | Additional Cloud Credentials | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems between production and non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1098 | Account Manipulation | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment. In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems between production and non-production environments. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1530 | Data from Cloud Storage | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. In terms of mitigation, enforce access control lists on storage systems and objects to block the unauthorized access through which production data could be replicated into non-production environments. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1020.001 | Traffic Duplication | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1669 | Wi-Fi Networks | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. Further mitigation may include separating networking environments for Wi-Fi and Ethernet-wired networks for access to sensitive resources. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1537 | Transfer Data to Cloud Account | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. As a possible mitigation, consider implementing network-based filtering restrictions to prohibit data transfers to untrusted VPCs. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1530 | Data from Cloud Storage | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may collect and exfiltrate sensitive data stored in cloud storage. In terms of mitigation, the use of IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges could mitigate the use of stolen credentials to access data. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1048 | Exfiltration Over Alternative Protocol | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may steal sensitive data by exfiltrating it over a different protocol than that of the existing command and control channel. In terms of mitigation, the use of IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges could mitigate the use of stolen credentials to access data. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1550.001 | Application Access Token | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. In terms of mitigation, file encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1040 | Network Sniffing | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1114.003 | Email Forwarding Rule | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1114.002 | Remote Email Collection | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1114.001 | Local Email Collection | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1114 | Email Collection | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1565.003 | Runtime Data Manipulation | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. Also, in cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules on those systems to protect against unauthorized access and tampering. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1565.002 | Transmitted Data Manipulation | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. Also, in cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules on those systems to protect against unauthorized access and tampering. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1565 | Data Manipulation |
Comments
The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. Also, in cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules on those systems, mitigating unauthorized access and tampering.
|
| DSP-10 | Sensitive Data Transfer | mitigates | T1020 | Automated Exfiltration |
Comments
The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, encryption and off-system storage of sensitive information may be one way to mitigate the successful exfiltration of files.
|
| DSP-10 | Sensitive Data Transfer | mitigates | T1119 | Automated Collection |
Comments
The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, encryption and off-system storage of sensitive information may be one way to mitigate collection of files.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1550.004 | Web Session Cookie |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, configure browsers or tasks to regularly delete persistent cookies to prevent adversaries from using stolen session cookies to authenticate to web applications and services as legitimate users.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1114.003 | Email Forwarding Rule |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1114.002 | Remote Email Collection |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1114.001 | Local Email Collection |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1114 | Email Collection |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, encrypt all important data flows to reduce the impact of tailored modifications on data in transit for mitigation.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1565.001 | Stored Data Manipulation |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1565 | Data Manipulation |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1213 | Data from Information Repositories |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, encrypt data stored at rest in databases for mitigation.
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1530 | Data from Cloud Storage |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, encrypt data stored at rest in cloud storage for mitigation. Managed encryption keys can be rotated by most providers.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1078 | Valid Accounts |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In terms of mitigation, ensure that applications do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1550.001 | Application Access Token |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. In terms of mitigation, consider implementing token binding strategies that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1550 | Use Alternate Authentication Material |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. In terms of mitigation, consider implementing token binding strategies that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. In terms of mitigation, application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions that are known to be secure rather than pulling the latest version on build.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1195 | Supply Chain Compromise |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. In terms of mitigation, application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions that are known to be secure rather than pulling the latest version on build.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1559 | Inter-Process Communication |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. In terms of mitigation, ensure that all COM alerts and Protected View are enabled, and enable the Hardened Runtime capability when developing applications.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1574.001 | DLL |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. In terms of mitigation, where possible, including hash values in manifest files may help prevent side-loading of malicious libraries.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1574 | Hijack Execution Flow |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. For this technique, adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. To mitigate this, where possible, include hash values in manifest files to help prevent side-loading of malicious libraries.
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1212 | Exploitation for Credential Access |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. For this technique, adversaries may exploit software vulnerabilities in an attempt to collect credentials. Mitigation use-cases include application developers considering taking measures to validate authentication requests by enabling one-time passwords, providing timestamps or sequence numbers for messages sent, using digital signatures, and/or using random session keys.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1528 | Steal Application Access Token |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment. In terms of mitigation, enforcing role-based access control can limit accounts to the least privileges they require. A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1555.006 | Cloud Secrets Management Stores |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may search for common password storage locations, such as cloud secrets managers, to obtain user credentials. In terms of mitigation, limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permission to query the secrets manager only have access to the secrets they require.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1609 | Container Administration Command |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment and access to sensitive data within it.
In terms of mitigation, in Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1098.003 | Additional Cloud Roles |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant.
In terms of mitigation, use application control where appropriate to block the use of PowerShell cmdlets or other host-based resources to access cloud API resources and sensitive data.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1059.009 | Cloud API |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant.
In terms of mitigation, use application control where appropriate to block the use of PowerShell cmdlets or other host-based resources to access cloud API resources and sensitive data.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. In terms of mitigation, use multi-factor authentication for user and privileged accounts, and consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies. Configure access controls and firewalls to limit access to critical systems and domain controllers; most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. Alternatively, ensure that low-privileged user accounts do not have permission to add access keys to accounts, and in certain cloud environments, prohibit users from calling the GetFederationToken API unless explicitly required.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. In terms of mitigation, implementing network-based filtering restrictions to prohibit data transfers to untrusted VPCs can aid with mitigating this technique.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1190 | Exploit Public-Facing Application |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, if an application is hosted on cloud-based infrastructure then exploiting it may lead to compromise of the underlying sensitive data hosted on that platform. In terms of mitigation, Web Application Firewalls (WAFs) may be used to limit exposure of applications and prevent exploit traffic from reaching the application, or externally facing servers and services may be segmented from the rest of the network with a DMZ or on separate hosting infrastructure to limit the impact the exploited application has on the rest of the infrastructure hosting the data.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
As it relates to this technique, many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API. In terms of mitigation, configure network firewalls to allow only necessary ports and traffic to enter and exit the network, configure user permission groups and roles for access to cloud storage, or enforce proxies and use dedicated servers for services such as DNS and only allow those systems to communicate over their respective ports/protocols, instead of all systems within a network. Cloud service providers support IP-based restrictions when accessing cloud resources.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1550.001 | Application Access Token |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS). In terms of mitigation, where possible, consider restricting the use of access tokens outside of expected contexts. For example, in AWS environments, consider using data perimeters to prevent credential use outside of an expected network.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1552 | Unsecured Credentials |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations. In terms of mitigation, limit access to sensitive services, for example if it is necessary that a SaaS application must store credentials in some object storage, registry, or password store, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1213 | Data from Information Repositories |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch. In terms of mitigation, encrypt data stored at rest in databases and ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1119 | Automated Collection |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, in cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. In terms of mitigation, encrypt data stored at rest in cloud storage; managed encryption keys can be rotated by most providers.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1530 | Data from Cloud Storage |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage, and adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.
|
| DSP-17 | Sensitive Data Protection | mitigates | T1567 | Exfiltration Over Web Service |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. In terms of mitigation, a NIDS or DLP solution can block sensitive data from being uploaded to web services via web browsers based on an allow/block list.
|
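
The DSP-07 rows above for T1195 and T1195.001 recommend locking dependencies to specific known-good versions rather than pulling the latest release at build time. The following Python script is an added example, written for this page and not part of the CSA or MITRE mapping, that audits a pip requirements file for exactly that property: every entry must be pinned with `==` and carry a `--hash` so that a substituted artifact with the same version tag is rejected at install time. The package names, versions and hash values in the sample file are constructed for illustration.

```python
"""Audit a pip requirements file for unpinned or unhashed dependencies.

Added example (not part of the CCM/ATT&CK mapping). A dependency that is
not pinned to an exact version resolves to "latest" on every build, and a
pinned dependency without a --hash is still installed even if the archive
behind that version tag is replaced.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample requirements file; names, versions and hashes are illustrative.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked: the form this check wants to see
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
# pinned but not hashed: a substituted artifact with the same version tag would install
pyyaml==6.0.1
# floating range: whatever is latest at build time wins
cryptography>=41.0
# no specifier at all
flask
"""


@dataclass
class Finding:
    line: int                      # line where the requirement starts
    requirement: str               # project name (or raw text if unparseable)
    problems: list[str] = field(default_factory=list)


# name, optional [extras], then everything else (specifier, markers, options)
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# exact pin: '==' followed by a version without wildcards
_EXACT_PIN_RE = re.compile(r"==\s*[0-9A-Za-z.!+-]+")
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")


def _logical_lines(text: str):
    """Yield (line_number, requirement) with backslash continuations joined
    and blank/comment lines dropped, the way pip reads the file."""
    pending: list[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not pending:
            start = n
        if stripped.endswith("\\"):
            pending.append(stripped[:-1].strip())
            continue
        pending.append(stripped)
        yield start, " ".join(pending)
        pending = []
    if pending:  # file ended inside a continuation
        yield start, " ".join(pending)


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement that is not exactly pinned and hashed."""
    findings: list[Finding] = []
    for lineno, req in _logical_lines(text):
        if req.startswith("-"):  # options such as --index-url are out of scope here
            continue
        m = _NAME_RE.match(req)
        if not m:
            findings.append(Finding(lineno, req, ["unparseable requirement"]))
            continue
        name, _extras, rest = m.groups()
        spec = rest.split("--hash", 1)[0].split(";")[0].strip()  # drop hashes and env markers
        problems: list[str] = []
        if not spec:
            problems.append("no version specifier (resolves to latest at build time)")
        elif not _EXACT_PIN_RE.fullmatch(spec):
            problems.append(f"not pinned to an exact version ({spec})")
        if not _HASH_RE.findall(rest):
            problems.append("no --hash: artifact integrity is not verified at install time")
        if problems:
            findings.append(Finding(lineno, name, problems))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line}: {f.requirement}: " + "; ".join(f.problems))
```

Run against the sample, the check passes `requests` and reports `pyyaml` (no hash), `cryptography` (range specifier) and `flask` (no specifier). In a build pipeline the same function can gate on a real `requirements.txt` and fail the job when any finding is returned; `pip install --require-hashes` then enforces the hashes the audit demands.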
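
Several DSP-17 rows (T1609, T1213, T1048) call for restricting which IP ranges may reach the Kubernetes API server and for ensuring that security groups on cloud-hosted databases permit only necessary and authorized hosts. As an added example, not taken from the mapping or from any provider's tooling, the Python check below scans an input shaped like `aws ec2 describe-security-groups` output and reports sensitive ports reachable from any address. The group IDs, group names, CIDR blocks and the port-to-service table are constructed assumptions for illustration; the check also treats an "all protocols" rule as exposing every listed port, which is the case that a per-port grep misses.

```python
"""Report security-group ingress that exposes data stores or the Kubernetes
API server to the whole internet (0.0.0.0/0 or ::/0).

Added example, not part of the CCM/ATT&CK mapping. The input mimics the
shape of `aws ec2 describe-security-groups`; all values below are constructed.
"""
from dataclasses import dataclass

# Assumed port-to-service table for the checks; extend to match the estate.
SENSITIVE_PORTS = {
    3306: "MySQL/RDS",
    5432: "PostgreSQL/RDS",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
    6443: "Kubernetes API server",
}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Constructed sample: group IDs, names and CIDRs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "db-prod",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},       # private only: fine
         {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # Redis open to the world
     ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "k8s-control-plane",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}],                        # office range: fine
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                             # but open over IPv6
     ]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]


@dataclass(frozen=True)
class Exposure:
    group_id: str
    group_name: str
    port: int
    service: str
    source: str  # the any-address CIDR that grants access


def _sensitive_ports_in_rule(rule: dict) -> set[int]:
    """Sensitive ports covered by one IpPermissions entry."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                     # all protocols and all ports
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):         # only TCP services are in the table
        return set()
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_public_exposures(groups: list[dict]) -> list[Exposure]:
    """Return every (group, port) pair reachable from 0.0.0.0/0 or ::/0."""
    found: list[Exposure] = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])
                       if r.get("CidrIp") == ANY_IPV4]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])
                        if r.get("CidrIpv6") == ANY_IPV6]
            for src in sources:
                for port in sorted(_sensitive_ports_in_rule(rule)):
                    found.append(Exposure(g["GroupId"], g["GroupName"],
                                          port, SENSITIVE_PORTS[port], src))
    return found


if __name__ == "__main__":
    for e in find_public_exposures(SAMPLE_GROUPS):
        print(f"{e.group_id} ({e.group_name}): {e.service} tcp/{e.port} open to {e.source}")
```

On the sample this reports Redis in `db-prod`, the API server in `k8s-control-plane` over IPv6 only, and all six services for the `wide-open` group. The same structure works on real output from `aws ec2 describe-security-groups --output json` once the `SecurityGroups` list is passed in, and it is cheap enough to run on every change to network configuration.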
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| DSP-07 | Data Protection by Design and Default | 9 |
| DSP-17 | Sensitive Data Protection | 16 |
| DSP-08 | Data Privacy by Design and Default | 10 |
| DSP-15 | Limitation of Production Data Use | 17 |
| DSP-10 | Sensitive Data Transfer | 16 |
| DSP-16 | Data Retention and Deletion | 9 |