From 2e8cf3c8692a8e3b63b3f0c6440949dd7e3af19c Mon Sep 17 00:00:00 2001
From: Mike Surridge <27415349+mike1813@users.noreply.github.com>
Date: Wed, 9 Aug 2023 14:32:13 +0100
Subject: [PATCH 1/5] Fixed backdoor access threats on hosts so they use a reverse shell pattern. Also changed the labels for backdoor TWA and Misbehaviours. Addresses #25.
---
 csv/MatchingPattern.csv | 2 ++
 csv/MatchingPatternLinks.csv | 11 +++++++++++
 csv/MatchingPatternNodes.csv | 5 +++++
 csv/Misbehaviour.csv | 2 +-
 csv/RootPattern.csv | 2 ++
 csv/RootPatternLinks.csv | 14 ++++++++++++++
 csv/RootPatternNodes.csv | 12 ++++++++++++
 csv/Threat.csv | 4 ++--
 csv/ThreatEffects.csv | 4 ++--
 csv/ThreatEntryPoints.csv | 16 ++++++++--------
 csv/TrustworthinessAttribute.csv | 2 +-
 11 files changed, 60 insertions(+), 14 deletions(-)
diff --git a/csv/MatchingPattern.csv b/csv/MatchingPattern.csv
index 002548e..f0a63dd 100644
--- a/csv/MatchingPattern.csv
+++ b/csv/MatchingPattern.csv
@@ -510,6 +510,8 @@ package#NetworkConnectivity,domain#MP-LPsLS,LPsLS,Finds a Logical Subnet at the
 package#NetworkConnectivity,domain#MP-NoH,NoH,"Finds an open network path not via the Internet from a remote attacker subnet to (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.",domain#R-NoH,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-NPLS,NPLS,"Finds a Network Path that starts and ends on the same subnet, i.e. it uses no gateways.",domain#R-NPLS,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-NPmLSmSg,NPmLSmSg,"Finds a Network Path that traverses at least one Logical Segment, plus the Logical Subnet(s) it visits (in this pattern there should be more than one).",domain#R-NP,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,RIoH,"Finds an open network path to the Internet from (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.",domain#R-RIoH,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,RNoH,"Finds an open network path not via the Internet to a remote attacker subnet from (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.",domain#R-RNoH,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-RoH,RoH,"Finds an open network path from a remote attacker L3 subnet to (and not via) a Host in a space connected to a local subnet, and the associated network interface, plus the contexts in which the host is so connected (there must be at least one), and optionally the host manager.",domain#R-RoH,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-RScGcRS,RScGcRS,"Finds a Physical Host connected between two distinct WiFi subnets, both in the same space.",domain#R-RScGcRS,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-Sg,Sg,"Finds a gateway host between two subnets, plus the logical segments representing routes between the subnets via this gateway.",domain#R-Sg,FALSE,FALSE
diff --git a/csv/MatchingPatternLinks.csv b/csv/MatchingPatternLinks.csv
index 8ce454c..1449e9a 100644
--- a/csv/MatchingPatternLinks.csv
+++ b/csv/MatchingPatternLinks.csv
@@ -839,6 +839,17 @@ package#NetworkConnectivity,domain#MP-NoH,domain#Link-NetworkPath-visits-Interne
 package#NetworkConnectivity,domain#MP-NPmLSmSg,domain#Link-LogicalPath-blockedPath-LogicalPath,TRUE
 package#NetworkConnectivity,domain#MP-NPmLSmSg,domain#Link-LogicalPath-traverses-LogicalSegment,FALSE
 package#NetworkConnectivity,domain#MP-NPmLSmSg,domain#Link-LogicalPath-visits-LogicalSubnet,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Link-HostAccess-accessTo-Host,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Link-HostAccess-accessVia-LogicalSubnet,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Link-HostManager-manages-Host,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Link-NetworkPath-blockedPath-NetworkPath,TRUE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Link-NetworkPath-visitsGateway-Host,TRUE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Link-HostAccess-accessTo-Host,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Link-HostAccess-accessVia-LogicalSubnet,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Link-HostManager-manages-Host,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Link-NetworkPath-blockedPath-NetworkPath,TRUE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Link-NetworkPath-visitsGateway-Host,TRUE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Link-NetworkPath-visits-Internet,FALSE
 package#NetworkConnectivity,domain#MP-RoH,domain#Link-HostAccess-accessTo-Host,FALSE
 package#NetworkConnectivity,domain#MP-RoH,domain#Link-HostAccess-accessVia-LogicalSubnet,FALSE
 package#NetworkConnectivity,domain#MP-RoH,domain#Link-HostManager-manages-Host,FALSE
diff --git a/csv/MatchingPatternNodes.csv b/csv/MatchingPatternNodes.csv
index 86e394f..0806307 100644
--- a/csv/MatchingPatternNodes.csv
+++ b/csv/MatchingPatternNodes.csv
@@ -457,6 +457,11 @@ package#NetworkConnectivity,domain#MP-NoH,domain#Node-HostManager-Human,FALSE,FA
 package#NetworkConnectivity,domain#MP-NoH,domain#Node-Internet-Internet,FALSE,TRUE,FALSE
 package#NetworkConnectivity,domain#MP-NPmLSmSg,domain#Node-LogicalSegment-LogicalSegment,TRUE,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-NPmLSmSg,domain#Node-LogicalSubnet-LogicalSubnet,TRUE,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Node-HostAccess-HContext,TRUE,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RIoH,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Node-HostAccess-HContext,TRUE,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-RNoH,domain#Node-Internet-Internet,FALSE,TRUE,FALSE
 package#NetworkConnectivity,domain#MP-RoH,domain#Node-HostAccess-HContext,TRUE,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-RoH,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-RoH,domain#Node-Internet-Internet,FALSE,TRUE,FALSE
diff --git a/csv/Misbehaviour.csv b/csv/Misbehaviour.csv
index f69efec..f96d6e1 100644
--- a/csv/Misbehaviour.csv
+++ b/csv/Misbehaviour.csv
@@ -22,7 +22,7 @@ package#Network,domain#LossOfUserTW,Loss Of User TW,"Untrusted, potentially mali
 package#Network,domain#MalwareInfection,MalwareInfection,"Insertion into the asset of malicious, self-propagating software.",TRUE,W
 package#Network,domain#Overloaded,Overloaded,The asset is being used or requested more than allowed or expected.,TRUE,O
 package#Network,domain#TotalLoad,TotalLoad,The total load on a Data Centre.,TRUE,O
-package#Network,domain#TrojanInsertion,TrojanInsertion,Insertion of a back door into a host operating system or other software stored and running on a host.,FALSE,J
+package#Network,domain#TrojanInsertion,BackdoorInsertion,Insertion of a back door into a host operating system or other software stored and running on a host.,FALSE,J
 package#NetworkConnectivity,domain#BandwidthUnmanaged,BandwidthUnmanaged,Signifies that bandwidth used by message flows through an interface cannot be restricted based on their source and/or destination addresses.,FALSE,
 package#NetworkConnectivity,domain#CommsSnoopable,CommsSnoopable,"Applies to a network or communication channel, signifying that messages in that network or channel can be intercepted and read via passive snooping or via a man-in-the-middle attack.",TRUE,
 package#NetworkConnectivity,domain#ConnectionsAllowed,ConnectionsAllowed,"Applies to a network communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets, signifying that by default, messages will be allowed to flow.",FALSE,
diff --git a/csv/RootPattern.csv b/csv/RootPattern.csv
index 664476a..bde1b66 100644
--- a/csv/RootPattern.csv
+++ b/csv/RootPattern.csv
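Review bot: The Misbehaviour.csv hunk changes only the label to `BackdoorInsertion` and leaves the URI as `domain#TrojanInsertion`; the TrustworthinessAttribute.csv hunk does the same for `domain#TrojanTW` / `BackdoorTW`, and the rows this patch adds to ThreatEntryPoints.csv still reference `domain#TWAS-TrojanTW-Host`. If the URIs are kept on purpose so that existing references keep resolving, the description column is the only place in these files to say so, for example by appending `(The URI keeps the former name TrojanInsertion.)` to the row's description. That lets someone searching the model for the back-door attribute under either name find it.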
@@ -432,6 +432,8 @@ package#NetworkConnectivity,domain#R-LPsLS,LPsLS,Finds a Logical Subnet at the s
 package#NetworkConnectivity,domain#R-NoH,NoH,"Finds an open network path from a remote attacker subnet to (but not via) a Host connected to a local subnet, and the associated network interface and access context.",FALSE,FALSE
 package#NetworkConnectivity,domain#R-NP,NP,Finds a network path (which may or may not be physical).,FALSE,FALSE
 package#NetworkConnectivity,domain#R-NPLS,NPLS,Finds a network path that starts and ends on the same logical subnet.,FALSE,TRUE
+package#NetworkConnectivity,domain#R-RIoH,RIoH,"Finds an open network path to the Internet from a Host connected to a local subnet, and the associated network interface and access context.",FALSE,FALSE
+package#NetworkConnectivity,domain#R-RNoH,RNoH,"Finds an open network path to a remote attacker subnet from a Host connected to a local subnet, and the associated network interface and access context.",FALSE,FALSE
 package#NetworkConnectivity,domain#R-RoH,RoH,"Finds an open network path from a remote attacker L3 subnet to (but not via) a Host connected to a local subnet, and the associated network interface and access context.",FALSE,FALSE
 package#NetworkConnectivity,domain#R-RScGcRS,RScGcRS,"Finds a Physical Host connected between two WiFi subnets, both in the same space.",FALSE,FALSE
 package#NetworkConnectivity,domain#R-Sg,Sg,"Finds a logical segment between two subnets, plus the associated gateway host and its inbound and outbound interfaces.",FALSE,FALSE
diff --git a/csv/RootPatternLinks.csv b/csv/RootPatternLinks.csv
index d041527..7ff6405 100644
--- a/csv/RootPatternLinks.csv
+++ b/csv/RootPatternLinks.csv
@@ -1685,6 +1685,20 @@ package#NetworkConnectivity,domain#R-NP,domain#Link-LogicalPath-start-FromSubnet
 package#NetworkConnectivity,domain#R-NPLS,domain#Link-LogicalPath-end-LogicalSubnet
 package#NetworkConnectivity,domain#R-NPLS,domain#Link-LogicalPath-start-LogicalSubnet
 package#NetworkConnectivity,domain#R-NPLS,domain#Link-LogicalPath-visits-LogicalSubnet
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-FromContext-accessTo-Host
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-FromContext-accessVia-LogicalSubnet
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-Host-connectedTo-LogicalSubnet
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-Interface-connectsFrom-Host
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-Interface-connectsTo-LogicalSubnet
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-NetworkPath-end-AttackerSubnet
+package#NetworkConnectivity,domain#R-RIoH,domain#Link-NetworkPath-start-LogicalSubnet
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-FromContext-accessTo-Host
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-FromContext-accessVia-LogicalSubnet
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-Host-connectedTo-LogicalSubnet
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-Interface-connectsFrom-Host
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-Interface-connectsTo-LogicalSubnet
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-NetworkPath-end-AttackerSubnet
+package#NetworkConnectivity,domain#R-RNoH,domain#Link-NetworkPath-start-LogicalSubnet
 package#NetworkConnectivity,domain#R-RoH,domain#Link-FromContext-accessTo-Host
 package#NetworkConnectivity,domain#R-RoH,domain#Link-FromContext-accessVia-LogicalSubnet
 package#NetworkConnectivity,domain#R-RoH,domain#Link-Host-connectedTo-LogicalSubnet
diff --git a/csv/RootPatternNodes.csv b/csv/RootPatternNodes.csv
index 54b7765..a550946 100644
--- a/csv/RootPatternNodes.csv
+++ b/csv/RootPatternNodes.csv
@@ -1725,6 +1725,18 @@ package#NetworkConnectivity,domain#R-NP,domain#Node-LogicalPath-NetworkPath,TRUE
 package#NetworkConnectivity,domain#R-NP,domain#Node-ToSubnet-LogicalSubnet,TRUE
 package#NetworkConnectivity,domain#R-NPLS,domain#Node-LogicalPath-NetworkPath,TRUE
 package#NetworkConnectivity,domain#R-NPLS,domain#Node-LogicalSubnet-LogicalSubnet,TRUE
+package#NetworkConnectivity,domain#R-RIoH,domain#Node-AttackerSubnet-Internet,TRUE
+package#NetworkConnectivity,domain#R-RIoH,domain#Node-FromContext-HostContext,TRUE
+package#NetworkConnectivity,domain#R-RIoH,domain#Node-Host-Host,TRUE
+package#NetworkConnectivity,domain#R-RIoH,domain#Node-Interface-Interface,TRUE
+package#NetworkConnectivity,domain#R-RIoH,domain#Node-LogicalSubnet-LogicalSubnet,TRUE
+package#NetworkConnectivity,domain#R-RIoH,domain#Node-NetworkPath-NetworkPath,TRUE
+package#NetworkConnectivity,domain#R-RNoH,domain#Node-AttackerSubnet-LogicalSubnet,TRUE
+package#NetworkConnectivity,domain#R-RNoH,domain#Node-FromContext-HostContext,TRUE
+package#NetworkConnectivity,domain#R-RNoH,domain#Node-Host-Host,TRUE
+package#NetworkConnectivity,domain#R-RNoH,domain#Node-Interface-Interface,TRUE
+package#NetworkConnectivity,domain#R-RNoH,domain#Node-LogicalSubnet-LogicalSubnet,TRUE
+package#NetworkConnectivity,domain#R-RNoH,domain#Node-NetworkPath-NetworkPath,TRUE
 package#NetworkConnectivity,domain#R-RoH,domain#Node-AttackerSubnet-L3Subnet,TRUE
 package#NetworkConnectivity,domain#R-RoH,domain#Node-FromContext-HostNetContext,TRUE
 package#NetworkConnectivity,domain#R-RoH,domain#Node-Host-Host,TRUE
diff --git a/csv/Threat.csv b/csv/Threat.csv
index 7a02d66..4c4d3be 100644
--- a/csv/Threat.csv
+++ b/csv/Threat.csv
@@ -308,9 +308,9 @@ package#NetworkConnectivity,domain#H.E.WScMcWS.9,H.E.WScMcWS.9,domain#Category-A
 package#NetworkConnectivity,domain#H.L.IoH.3,H.L.IoH.3,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote user access from _AttackerSubnet_ via _LogicalSubnet_ to insecure device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via an unprotected service listening on _LogicalSubnet_ .,domain#MP-IoH,domain#Role_Host
 package#NetworkConnectivity,domain#H.L.NoH.3,H.L.NoH.3,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote user access from _AttackerSubnet_ via _LogicalSubnet_ to insecure device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via an unprotected service listening on _LogicalSubnet_ .,domain#MP-NoH,domain#Role_Host
 package#NetworkConnectivity,domain#H.M.IoH.3,H.M.IoH.3,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to insecure device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via an unprotected yet privileged service listening on _LogicalSubnet_ .,domain#MP-IoH,domain#Role_Host
-package#NetworkConnectivity,domain#H.M.IoH.7,H.M.IoH.7,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to back door on device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via a previously installed back door listening on _LogicalSubnet_ .,domain#MP-IoH,domain#Role_Host
 package#NetworkConnectivity,domain#H.M.NoH.3,H.M.NoH.3,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to insecure device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via an unprotected yet privileged service listening on _LogicalSubnet_ .,domain#MP-NoH,domain#Role_Host
-package#NetworkConnectivity,domain#H.M.NoH.7,H.M.NoH.7,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to back door on device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via a previously installed back door listening on _LogicalSubnet_ .,domain#MP-NoH,domain#Role_Host
+package#NetworkConnectivity,domain#H.M.RIoH.7,H.M.RIoH.7,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to back door on device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via a previously installed back door providing a reverse shell via _LogicalSubnet_ .,domain#MP-RIoH,domain#Role_Host
+package#NetworkConnectivity,domain#H.M.RNoH.7,H.M.RNoH.7,domain#Category-RemoteAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to back door on device _Host_: an attacker with access to _AttackerSubnet_ gains access to host _Host_ via a previously installed back door providing a reverse shell via _LogicalSubnet_ .,domain#MP-RNoH,domain#Role_Host
 package#NetworkConnectivity,domain#I.A.GdHRS.6,I.A.GdHRS.6,domain#Category-SideEffectsOfSecurity,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Device _Host_ unable to connect to radio subnet _LogicalSubnet_ from _Space_: if access to network subnet _LogicalSubnet_ is restricted, device _Host_ will be unable to connect if it does not have the necessary credentials.",domain#MP-GdHRS,domain#Role_Interface
 package#NetworkConnectivity,domain#I.A.GdHRSi.6,I.A.GdHRSi.6,domain#Category-SideEffectsOfSecurity,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Device _Host_ unable to connect to radio subnet _LogicalSubnet_: if access to network subnet _LogicalSubnet_ is restricted, device _Host_ will be unable to connect if it does not have the necessary credentials.",domain#MP-GdHRSi,domain#Role_Interface
 package#NetworkConnectivity,domain#I.A.GdHWS.6,I.A.GdHWS.6,domain#Category-SideEffectsOfSecurity,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Device _Host_ unable to connect to wired subnet _LogicalSubnet_: if access to network subnet _LogicalSubnet_ is restricted, device _Host_ will be unable to connect if it does not have the necessary credentials.",domain#MP-GdHWS,domain#Role_Interface
diff --git a/csv/ThreatEffects.csv b/csv/ThreatEffects.csv
index b16f754..2233484 100644
--- a/csv/ThreatEffects.csv
+++ b/csv/ThreatEffects.csv
@@ -283,9 +283,9 @@ package#Network,domain#P.W.HP-iT.7,domain#MS-MalwareInfection-Process
 package#NetworkConnectivity,domain#H.L.IoH.3,domain#MS-LocalLossOfUserTW-HostAccess
 package#NetworkConnectivity,domain#H.L.NoH.3,domain#MS-LocalLossOfUserTW-HostAccess
 package#NetworkConnectivity,domain#H.M.IoH.3,domain#MS-LocalLossOfControl-HostAccess
-package#NetworkConnectivity,domain#H.M.IoH.7,domain#MS-LocalLossOfControl-HostAccess
 package#NetworkConnectivity,domain#H.M.NoH.3,domain#MS-LocalLossOfControl-HostAccess
-package#NetworkConnectivity,domain#H.M.NoH.7,domain#MS-LocalLossOfControl-HostAccess
+package#NetworkConnectivity,domain#H.M.RIoH.7,domain#MS-LocalLossOfControl-HostAccess
+package#NetworkConnectivity,domain#H.M.RNoH.7,domain#MS-LocalLossOfControl-HostAccess
 package#NetworkConnectivity,domain#I.A.GdHRS.6,domain#MS-LossOfAvailability-Interface
 package#NetworkConnectivity,domain#I.A.GdHRSi.6,domain#MS-LossOfAvailability-Interface
 package#NetworkConnectivity,domain#I.A.GdHWS.6,domain#MS-LossOfAvailability-Interface
diff --git a/csv/ThreatEntryPoints.csv b/csv/ThreatEntryPoints.csv
index d7f4e04..05a50b9 100644
--- a/csv/ThreatEntryPoints.csv
+++ b/csv/ThreatEntryPoints.csv
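Review bot: The descriptions of the new `H.M.RIoH.7` and `H.M.RNoH.7` rows in csv/Threat.csv keep the opening `Remote root access from _AttackerSubnet_ via _LogicalSubnet_ to back door on device _Host_`, which still reads as an inbound connection. The root patterns these threats now match (`R-RIoH`, `R-RNoH` in RootPatternLinks.csv) have the network path starting at `LogicalSubnet` and ending at `AttackerSubnet`. Stating the direction would tell a reader that the traffic to control is what leaves the host, for example `... via a previously installed back door that opens a reverse shell from _Host_ out through _LogicalSubnet_ to _AttackerSubnet_ .`. The same wording applies to both rows.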
@@ -193,17 +193,17 @@ package#NetworkConnectivity,domain#H.L.NoH.3,domain#TWAS-NetworkUserTW-AttackerS
 package#NetworkConnectivity,domain#H.M.IoH.3,domain#TWAS-ConnectionsBlocked-Interface
 package#NetworkConnectivity,domain#H.M.IoH.3,domain#TWAS-ConnectionsBlocked-NetworkPath
 package#NetworkConnectivity,domain#H.M.IoH.3,domain#TWAS-NetworkUserTW-AttackerSubnet
-package#NetworkConnectivity,domain#H.M.IoH.7,domain#TWAS-ConnectionsBlocked-NetworkPath
-package#NetworkConnectivity,domain#H.M.IoH.7,domain#TWAS-NetworkUserTW-AttackerSubnet
-package#NetworkConnectivity,domain#H.M.IoH.7,domain#TWAS-OutOfService-Interface
-package#NetworkConnectivity,domain#H.M.IoH.7,domain#TWAS-TrojanTW-Host
 package#NetworkConnectivity,domain#H.M.NoH.3,domain#TWAS-ConnectionsBlocked-Interface
 package#NetworkConnectivity,domain#H.M.NoH.3,domain#TWAS-ConnectionsBlocked-NetworkPath
 package#NetworkConnectivity,domain#H.M.NoH.3,domain#TWAS-NetworkUserTW-AttackerSubnet
-package#NetworkConnectivity,domain#H.M.NoH.7,domain#TWAS-ConnectionsBlocked-NetworkPath
-package#NetworkConnectivity,domain#H.M.NoH.7,domain#TWAS-NetworkUserTW-AttackerSubnet
-package#NetworkConnectivity,domain#H.M.NoH.7,domain#TWAS-OutOfService-Interface
-package#NetworkConnectivity,domain#H.M.NoH.7,domain#TWAS-TrojanTW-Host
+package#NetworkConnectivity,domain#H.M.RIoH.7,domain#TWAS-ConnectionsBlocked-NetworkPath
+package#NetworkConnectivity,domain#H.M.RIoH.7,domain#TWAS-NetworkUserTW-AttackerSubnet
+package#NetworkConnectivity,domain#H.M.RIoH.7,domain#TWAS-OutOfService-Interface
+package#NetworkConnectivity,domain#H.M.RIoH.7,domain#TWAS-TrojanTW-Host
+package#NetworkConnectivity,domain#H.M.RNoH.7,domain#TWAS-ConnectionsBlocked-NetworkPath
+package#NetworkConnectivity,domain#H.M.RNoH.7,domain#TWAS-NetworkUserTW-AttackerSubnet
+package#NetworkConnectivity,domain#H.M.RNoH.7,domain#TWAS-OutOfService-Interface
+package#NetworkConnectivity,domain#H.M.RNoH.7,domain#TWAS-TrojanTW-Host
 package#NetworkConnectivity,domain#I.A.GdHRS.6,domain#TWAS-DefaultTW-RadioSubnet
 package#NetworkConnectivity,domain#I.A.GdHRSi.6,domain#TWAS-DefaultTW-LogicalSubnet
 package#NetworkConnectivity,domain#I.A.GdHWS.6,domain#TWAS-DefaultTW-LogicalSubnet
diff --git a/csv/TrustworthinessAttribute.csv b/csv/TrustworthinessAttribute.csv
index 68fe61c..3b7b2a7 100644
--- a/csv/TrustworthinessAttribute.csv
+++ b/csv/TrustworthinessAttribute.csv
@@ -18,7 +18,7 @@ package#Network,domain#NetworkControl,NetworkControl,Control over routing within
 package#Network,domain#NetworkUserTW,NetworkUserTW,Trustworthiness of users with access to an abstract or logical network subnet.,TRUE
 package#Network,domain#OutOfService,OutOfService,"The asset is not currently engaged or being used within the system, and hence cannot be exploited by attackers.",FALSE
 package#Network,domain#ResourceTW,ResourceTW,Provisining is controlled by a trustworthy process or administrator.,TRUE
-package#Network,domain#TrojanTW,TrojanTW,"The host has no back doors inserted into its operating system or other software running on the host. If back doors are present, this also makes processes running on the host vulnerable.",TRUE
+package#Network,domain#TrojanTW,BackdoorTW,"The host has no back doors inserted into its operating system or other software running on the host. If back doors are present, this also makes processes running on the host vulnerable.",TRUE
 package#Network,domain#Underload,Underload,Represents the spare capacity at a Data Centre.,FALSE
 package#NetworkConnectivity,domain#BandwidthManaged,BandwidthManaged,Signifies that bandwidth used by message flows through an interface can be restricted based on their source and/or destination addresses.,FALSE
 package#NetworkConnectivity,domain#CommsNotSnoopable,CommsNotSnoopable,"Applies to a network or a communication channel between processes, signifying that messages cannot be intercepted and read in that network or channel.",TRUE
From 961c9740a1ae4b774819e7a85511a42d52f2cd97 Mon Sep 17 00:00:00 2001
From: Mike Surridge <27415349+mike1813@users.noreply.github.com>
Date: Mon, 14 Aug 2023 13:12:06 +0100
Subject: [PATCH 2/5] Fixed bugs in SC.A.CCfImSC.0 and SC.A.CCtImSC.0 secondary threats linking interface availability to service communications, and added direct and DDoS attacks from the Internet on host addresses. These changes address #26.
---
 csv/ControlStrategyBlocks.csv | 3 +++
 csv/MatchingPattern.csv | 1 +
 csv/MatchingPatternLinks.csv | 7 +++++--
 csv/MatchingPatternNodes.csv | 1 +
 csv/RootPattern.csv | 1 +
 csv/RootPatternLinks.csv | 12 ++++++++++--
 csv/RootPatternNodes.csv | 7 +++++++
 csv/Threat.csv | 3 +++
 csv/ThreatEffects.csv | 3 +++
 csv/ThreatEntryPoints.csv | 4 ++++
 10 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/csv/ControlStrategyBlocks.csv b/csv/ControlStrategyBlocks.csv
index 1328494..3ae229a 100644
--- a/csv/ControlStrategyBlocks.csv
+++ b/csv/ControlStrategyBlocks.csv
@@ -364,12 +364,15 @@ package#Network,domain#CSG-UserWithoutEmail,domain#Hu.E.HummH-e.9
 package#NetworkConnectivity,domain#CSG-BlockGatewayRoute,domain#Sg.DA.L3SSg2-b.8
 package#NetworkConnectivity,domain#CSG-BlockInterface,domain#I.DA.I.8
 package#NetworkConnectivity,domain#CSG-BWManagementAtInterface,domain#I.M.I.8
+package#NetworkConnectivity,domain#CSG-BWManagementAtInterface,domain#I.O.HIoH.3.1
 package#NetworkConnectivity,domain#CSG-BWManagementAtInterface,domain#I.O.IoH.3
 package#NetworkConnectivity,domain#CSG-BWManagementAtInterface,domain#I.O.RoH.3
 package#NetworkConnectivity,domain#CSG-ContinuouslyObservedGateway,domain#I.Auth.HWSGSoS.3
 package#NetworkConnectivity,domain#CSG-ContinuouslyObservedHost,domain#I.Auth.HSWSoGS.3
 package#NetworkConnectivity,domain#CSG-DisableNetworkConnection,domain#I.IS.I.8
 package#NetworkConnectivity,domain#CSG-FilterDosAtInterface,domain#I.M.I.8
+package#NetworkConnectivity,domain#CSG-FilterDosAtInterface,domain#I.O.DDoH.3
+package#NetworkConnectivity,domain#CSG-FilterDosAtInterface,domain#I.O.HIoH.3.2
 package#NetworkConnectivity,domain#CSG-HostWithMultipleWiFiNIC,domain#H.E.RScGcRS.9
 package#NetworkConnectivity,domain#CSG-HostWithMultipleWiredNIC,domain#H.E.WScMcWS.9
 package#NetworkConnectivity,domain#CSG-IgnorePhysicalThreatsFromWorld,domain#I.Auth.HRSGSoS.3
diff --git a/csv/MatchingPattern.csv b/csv/MatchingPattern.csv
index 002548e..c7fb66a 100644
--- a/csv/MatchingPattern.csv
+++ b/csv/MatchingPattern.csv
@@ -481,6 +481,7 @@ package#Network,domain#MP-WS-H,WS-H,Finds a solo WiFiLAN that is not an abstract
 package#Network,domain#MP-WSSH,WSSH,"Finds a Wired Subnet provided by a Gateway host accessible from a Space, and optionally the process controlling access and the manager of the gateway.",domain#R-WSSH,FALSE,FALSE
 package#Network,domain#MP-WSS-HP,WSS-HP,"Finds a Wired Subnet accessible from a Space, where there is no gateway specified as the subnet provider, and no controlling Process.",domain#R-WSS,FALSE,FALSE
 package#Network,domain#MP-WSSH-P,WSSH-P,"Finds a Wired Subnet with no controlling process, provided by a Gateway host accessible from a Space, and optionally the manager of the Gateway.",domain#R-WSSH,FALSE,FALSE
+package#NetworkConnectivity,domain#MP-DDoH,DDoH,"Change from: Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.",domain#R-DDoH,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-GdHRS,GdHRS,"Finds a gateway providing a radio subnet to which a distinct host is connected, and optionally a process controlling access to the radio subnet, which in this case implements an abstract network (hotspot or cellular network), i.e. there is an implements relationship to a distinct abstract subnet.",domain#R-GHRS,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-GdHRSi,GdHRSi,"Finds a gateway providing a radio subnet to which a distinct host is connected, and optionally a process controlling access to the radio subnet, which in this case does not implement a separate abstract network (hotspot or cellular network), i.e. it has a self-referential implements relationship.",domain#R-GHRSi,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-GdHWS,GdHWS,"Finds a gateway providing a wired subnet to which a distinct host is connected, and optionally a process controlling access to the subnet.",domain#R-GHWS,FALSE,FALSE
diff --git a/csv/MatchingPatternLinks.csv b/csv/MatchingPatternLinks.csv
index 8ce454c..692fdb1 100644
--- a/csv/MatchingPatternLinks.csv
+++ b/csv/MatchingPatternLinks.csv
@@ -777,6 +777,9 @@ package#Network,domain#MP-WSS-HP,domain#Link-LogicalSubnet-providedBy-Gateway,FA
 package#Network,domain#MP-WSS-HP,domain#Link-Process-controls-LogicalSubnet,FALSE
 package#Network,domain#MP-WSSH-P,domain#Link-HostManager-manages-Gateway,FALSE
 package#Network,domain#MP-WSSH-P,domain#Link-Process-controls-LogicalSubnet,FALSE
+package#NetworkConnectivity,domain#MP-DDoH,domain#Link-HostManager-manages-Host,FALSE
+package#NetworkConnectivity,domain#MP-DDoH,domain#Link-NetworkPath-blockedPath-NetworkPath,TRUE
+package#NetworkConnectivity,domain#MP-DDoH,domain#Link-NetworkPath-visitsGateway-Host,TRUE
 package#NetworkConnectivity,domain#MP-GdHRS,domain#Link-Process-controls-RadioSubnet,FALSE
 package#NetworkConnectivity,domain#MP-GdHRSi,domain#Link-Process-controls-LogicalSubnet,FALSE
 package#NetworkConnectivity,domain#MP-GdHWS,domain#Link-Process-controls-LogicalSubnet,FALSE
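Review bot: The description of the added `MP-DDoH` row in csv/MatchingPattern.csv starts with `Change from:`, which looks like an editing note left in the data. The text after it mentions an access context and location contexts, whereas the `MP-DDoH` rows this patch adds to MatchingPatternLinks.csv and MatchingPatternNodes.csv reference only the host manager, a blocked path and a gateway on the path. A description derived from the `R-DDoH` root pattern would fit better, for example `Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated gateway and target network interfaces, and optionally the host manager.`; the exact wording is for the author to confirm.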
@@ -1079,9 +1082,9 @@ package#ProcessComms,domain#MP-CCDS2TC,domain#Link-DataFlow-flowsVia-InStep,FALS
 package#ProcessComms,domain#MP-CCDS2TC,domain#Link-DataFlow-flowsViaSC-ClientChannel,FALSE
 package#ProcessComms,domain#MP-CCDS2TC,domain#Link-ServiceManager-manages-Service,FALSE
 package#ProcessComms,domain#MP-CCfImSC,domain#Link-ClientChannel-channelVia-ServiceChannel,FALSE
-package#ProcessComms,domain#MP-CCfImSC,domain#Link-ServiceChannel-viaInterface-Interface,FALSE
+package#ProcessComms,domain#MP-CCfImSC,domain#Link-ServiceChannel-fromInterface-Interface,FALSE
 package#ProcessComms,domain#MP-CCtImSC,domain#Link-ClientChannel-channelVia-ServiceChannel,FALSE
-package#ProcessComms,domain#MP-CCtImSC,domain#Link-ServiceChannel-viaInterface-Interface,FALSE
+package#ProcessComms,domain#MP-CCtImSC,domain#Link-ServiceChannel-toInterface-Interface,FALSE
 package#ProcessComms,domain#MP-CDBSC,domain#Link-HostManager-manages-SHost,FALSE
 package#ProcessComms,domain#MP-CDBSCDSF,domain#Link-HostManager-manages-SHost,FALSE
 package#ProcessComms,domain#MP-CDBSCDSF,domain#Link-ServiceManager-manages-Service,FALSE
diff --git a/csv/MatchingPatternNodes.csv b/csv/MatchingPatternNodes.csv
index 86e394f..7753e16 100644
--- a/csv/MatchingPatternNodes.csv
+++ b/csv/MatchingPatternNodes.csv
@@ -428,6 +428,7 @@ package#Network,domain#MP-WSS-HP,domain#Node-Gateway-Host,FALSE,TRUE,FALSE
 package#Network,domain#MP-WSS-HP,domain#Node-Process-Process,FALSE,TRUE,FALSE
 package#Network,domain#MP-WSSH-P,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
 package#Network,domain#MP-WSSH-P,domain#Node-Process-Process,FALSE,TRUE,FALSE
+package#NetworkConnectivity,domain#MP-DDoH,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-GdHRS,domain#Node-Process-Process,FALSE,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-GdHRSi,domain#Node-Process-Process,FALSE,FALSE,FALSE
 package#NetworkConnectivity,domain#MP-GdHWS,domain#Node-Process-Process,FALSE,FALSE,FALSE
diff --git a/csv/RootPattern.csv b/csv/RootPattern.csv
index 664476a..8fed116 100644
--- a/csv/RootPattern.csv
+++ b/csv/RootPattern.csv
@@ -405,6 +405,7 @@ package#Network,domain#R-WpHSH,WpHSH,"Finds a mobile host or virtual host runnin
 package#Network,domain#R-WS,WS,Finds a solo WiFiLAN.,FALSE,FALSE
 package#Network,domain#R-WSS,WSS,Finds a Wired Subnet accessible from a Space.,FALSE,FALSE
 package#Network,domain#R-WSSH,WSSH,Finds a Wired Subnet provided by a gateway Host accessible from a Space.,FALSE,FALSE
+package#NetworkConnectivity,domain#R-DDoH,DDoH,"Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated gateway and target network interfaces.",FALSE,FALSE
 package#NetworkConnectivity,domain#R-GHRS,GHRS,Finds a gateway providing a radio subnet to which a host is connected.,FALSE,FALSE
 package#NetworkConnectivity,domain#R-GHRSi,GHRSi,"Finds a gateway providing a radio subnet to which a host is connected, where the radio subnet implements itself (i.e. it is not the local realisation of a hotspot or cellular network).",TRUE,FALSE
 package#NetworkConnectivity,domain#R-GHWS,GHWS,Finds a gateway providing a wired subnet to which a host is connected.,FALSE,FALSE
diff --git a/csv/RootPatternLinks.csv b/csv/RootPatternLinks.csv
index d041527..fa97b06 100644
--- a/csv/RootPatternLinks.csv
+++ b/csv/RootPatternLinks.csv
@@ -1564,6 +1564,14 @@ package#Network,domain#R-WSSH,domain#Link-HostAccess-accessTo-Gateway
 package#Network,domain#R-WSSH,domain#Link-HostAccess-accessVia-LogicalSubnet
 package#Network,domain#R-WSSH,domain#Link-LogicalSubnet-accessibleFrom-Space
 package#Network,domain#R-WSSH,domain#Link-LogicalSubnet-providedBy-Gateway
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-Host-connectedTo-LogicalSubnet
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-InboundIF-connectsFrom-Host
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-InboundIF-connectsTo-LogicalSubnet
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-Interface-connectsTo-AttackerSubnet
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-LogicalSegment-from-Interface
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-NetworkPath-end-LogicalSubnet
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-NetworkPath-start-AttackerSubnet
+package#NetworkConnectivity,domain#R-DDoH,domain#Link-NetworkPath-traverses-LogicalSegment
 package#NetworkConnectivity,domain#R-GHRS,domain#Link-Host-connectedTo-RadioSubnet
 package#NetworkConnectivity,domain#R-GHRS,domain#Link-Interface-connectsFrom-Host
 package#NetworkConnectivity,domain#R-GHRS,domain#Link-Interface-connectsTo-RadioSubnet
@@ -2080,7 +2088,7 @@ package#ProcessComms,domain#R-CCDS2TC,domain#Link-InStep-flowsTo-Service
 package#ProcessComms,domain#R-CCfI,domain#Link-CHost-hosts-Client
 package#ProcessComms,domain#R-CCfI,domain#Link-ClientChannel-channelFrom-Client
 package#ProcessComms,domain#R-CCfI,domain#Link-ClientChannel-channelTo-Service
-package#ProcessComms,domain#R-CCfI,domain#Link-ClientChannel-viaInterface-Interface
+package#ProcessComms,domain#R-CCfI,domain#Link-ClientChannel-fromInterface-Interface
 package#ProcessComms,domain#R-CCfI,domain#Link-Interface-connectsFrom-CHost
 package#ProcessComms,domain#R-CCfI,domain#Link-Interface-connectsTo-LogicalSubnet
 package#ProcessComms,domain#R-CCSC,domain#Link-ClientChannel-channelFrom-Client
@@ -2103,7 +2111,7 @@ package#ProcessComms,domain#R-CCSCvLS,domain#Link-ClientChannel-channelVia-Servi
 package#ProcessComms,domain#R-CCSCvLS,domain#Link-ServiceChannel-viaSubnet-LogicalSubnet
 package#ProcessComms,domain#R-CCtI,domain#Link-ClientChannel-channelFrom-Client
 package#ProcessComms,domain#R-CCtI,domain#Link-ClientChannel-channelTo-Service
-package#ProcessComms,domain#R-CCtI,domain#Link-ClientChannel-viaInterface-Interface
+package#ProcessComms,domain#R-CCtI,domain#Link-ClientChannel-toInterface-Interface
 package#ProcessComms,domain#R-CCtI,domain#Link-Interface-connectsFrom-SHost
 package#ProcessComms,domain#R-CCtI,domain#Link-Interface-connectsTo-LogicalSubnet
 package#ProcessComms,domain#R-CCtI,domain#Link-SHost-hosts-Service
diff --git a/csv/RootPatternNodes.csv b/csv/RootPatternNodes.csv
index 54b7765..df7ada8 100644
--- a/csv/RootPatternNodes.csv
+++ b/csv/RootPatternNodes.csv
@@ -1612,6 +1612,13 @@ package#Network,domain#R-WSSH,domain#Node-Gateway-Host,TRUE
 package#Network,domain#R-WSSH,domain#Node-HostAccess-HostNetContext,TRUE
 package#Network,domain#R-WSSH,domain#Node-LogicalSubnet-WiredSubnet,TRUE
 package#Network,domain#R-WSSH,domain#Node-Space-Space,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-AttackerSubnet-Internet,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-Host-Host,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-InboundIF-Interface,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-Interface-Interface,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-LogicalSegment-LogicalSegment,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-LogicalSubnet-LogicalSubnet,TRUE
+package#NetworkConnectivity,domain#R-DDoH,domain#Node-NetworkPath-NetworkPath,TRUE
 package#NetworkConnectivity,domain#R-GHRS,domain#Node-Gateway-Host,TRUE
 package#NetworkConnectivity,domain#R-GHRS,domain#Node-Host-Host,TRUE
 package#NetworkConnectivity,domain#R-GHRS,domain#Node-Interface-Interface,TRUE
diff --git a/csv/Threat.csv b/csv/Threat.csv
index 7a02d66..effaf97 100644
--- a/csv/Threat.csv
+++ b/csv/Threat.csv
@@ -324,6 +324,9 @@ package#NetworkConnectivity,domain#I.DA.I.8,I.DA.I.8,domain#Category-NormalOpera
 package#NetworkConnectivity,domain#I.IS.I.8,I.IS.I.8,domain#Category-NormalOperation,FALSE,TRUE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Access from _Host_ to _LogicalSubnet_ enabled: if _Host_ is in service, then it will connect to _LogicalSubnet_ by default, unless the connection is disabled.",domain#MP-I,domain#Role_Interface
 package#NetworkConnectivity,domain#I.IS.INC.1,I.IS.INC.1,domain#Category-ExploitationOfPrivileges,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Access from _Host_ to _LogicalSubnet_ not disabled: if an attacker has admin rights on device _Host_ when in range of _LogicalSubnet_, they can override a policy to avoid connecting to subnet _LogicalSubnet_.",domain#MP-INC,domain#Role_Interface
 package#NetworkConnectivity,domain#I.M.I.8,I.M.I.8,domain#Category-NormalOperation,FALSE,TRUE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Message traffic from _LogicalSubnet_ via _Host_ is unconstrained: if the interface between _Host_ and _LogicalSubnet_ is in service, then traffic that is not blocked will not be subject to any bandwidth limits unless controls are used to impose such limits.",domain#MP-I,domain#Role_Interface
+package#NetworkConnectivity,domain#I.O.DDoH.3,I.O.DDoH.3,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote DDoS attack from _AttackerSubnet_ on _Host_ connection to _LogicalSubnet_: an attacker able to orchestrate clients on subnet _AttackerSubnet_ arranges for them to send too many messages to the network address of the target device _Host_ on _LogicalSubnet_.,domain#MP-DDoH,domain#Role_Interface
+package#NetworkConnectivity,domain#I.O.HIoH.3.1,I.O.HIoH.3.1,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote DoS attack from _LogicalSubnet_ on _Host_ connection to _LogicalSubnet_: an attacker with access to Layer 3 subnet _LogicalSubnet_ sends too many messages to the network address of the connected target device _Host_.,domain#MP-HIoH,domain#Role_Interface
+package#NetworkConnectivity,domain#I.O.HIoH.3.2,I.O.HIoH.3.2,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote DDoS attack from _LogicalSubnet_ on _Host_ connection to _LogicalSubnet_: an attacker able to orchestrate clients on subnet _LogicalSubnet_ arranges for them to send too many messages to the network address of the connected target device _Host_.,domain#MP-HIoH,domain#Role_Interface
 package#NetworkConnectivity,domain#I.O.IoH.3,I.O.IoH.3,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote DoS attack from _AttackerSubnet_ on _Host_ connection to _LogicalSubnet_: an attacker with remote access to Layer 3 subnet _LogicalSubnet_ sends too many messages to the network address of the target device _Host_ on _LogicalSubnet_.,domain#MP-IoH,domain#Role_Interface
 package#NetworkConnectivity,domain#I.O.LoH.3,I.O.LoH.3,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Adjacent DoS attack on _Host_ from _LogicalSubnet_: an attacker with access to Layer 2 subnet _LogicalSubnet_ sends too many messages to the hardware address of a target device _Host_ connected to that subnet.,domain#MP-LoH,domain#Role_Interface
 package#NetworkConnectivity,domain#I.O.RoH.3,I.O.RoH.3,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Remote DoS attack from _AttackerSubnet_ on _Host_ connection to _LogicalSubnet_: an attacker with remote access to Layer 3 subnet _LogicalSubnet_ sends too many messages to the network address of the target device _Host_ on _LogicalSubnet_.,domain#MP-RoH,domain#Role_Interface
diff --git a/csv/ThreatEffects.csv b/csv/ThreatEffects.csv
index b16f754..f83632a 100644
--- a/csv/ThreatEffects.csv
+++ b/csv/ThreatEffects.csv
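Review bot: In the csv/Threat.csv hunk, the added I.O.HIoH.3.1 and I.O.HIoH.3.2 rows title the threat "Remote DoS/DDoS attack from _LogicalSubnet_ on _Host_ connection to _LogicalSubnet_", so one role is both the source and the target and the rendered description will name the same subnet twice. The neighbouring I.O.LoH.3 row already uses "Adjacent" for a same-subnet Layer 2 attack, so "Remote" here is likely to be read as an attack from another network. If the intent is an attacker already on the host's own Layer 3 subnet, a title such as `Same-subnet DoS attack on _Host_ from _LogicalSubnet_` (and the DDoS equivalent) would let an analyst tell these rows apart from I.O.IoH.3 and I.O.RoH.3 in a threat list. The added I.O.DDoH.3 row names _AttackerSubnet_ consistently in title and body; whether MP-HIoH really binds no separate attacker subnet cannot be confirmed from this hunk.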
@@ -299,6 +299,9 @@ package#NetworkConnectivity,domain#I.DA.I.8,domain#MS-ConnectionsAllowed-Interfa
 package#NetworkConnectivity,domain#I.IS.I.8,domain#MS-InService-Interface
 package#NetworkConnectivity,domain#I.IS.INC.1,domain#MS-InService-Interface
 package#NetworkConnectivity,domain#I.M.I.8,domain#MS-BandwidthUnmanaged-Interface
+package#NetworkConnectivity,domain#I.O.DDoH.3,domain#MS-Overloaded-Interface
+package#NetworkConnectivity,domain#I.O.HIoH.3.1,domain#MS-Overloaded-Interface
+package#NetworkConnectivity,domain#I.O.HIoH.3.2,domain#MS-Overloaded-Interface
 package#NetworkConnectivity,domain#I.O.IoH.3,domain#MS-Overloaded-Interface
 package#NetworkConnectivity,domain#I.O.LoH.3,domain#MS-Overloaded-Interface
 package#NetworkConnectivity,domain#I.O.RoH.3,domain#MS-Overloaded-Interface
diff --git a/csv/ThreatEntryPoints.csv b/csv/ThreatEntryPoints.csv
index d7f4e04..c7c49e3 100644
--- a/csv/ThreatEntryPoints.csv
+++ b/csv/ThreatEntryPoints.csv
@@ -218,6 +218,10 @@ package#NetworkConnectivity,domain#I.IS.I.8,domain#TWAS-OutOfService-LogicalSubn
 package#NetworkConnectivity,domain#I.IS.INC.1,domain#TWAS-Control-HostAccess
 package#NetworkConnectivity,domain#I.IS.INC.1,domain#TWAS-OutOfService-LogicalSubnet
 package#NetworkConnectivity,domain#I.M.I.8,domain#TWAS-OutOfService-Interface
+package#NetworkConnectivity,domain#I.O.DDoH.3,domain#TWAS-ConnectionsBlocked-NetworkPath
+package#NetworkConnectivity,domain#I.O.DDoH.3,domain#TWAS-NetworkControl-AttackerSubnet
+package#NetworkConnectivity,domain#I.O.HIoH.3.1,domain#TWAS-NetworkUserTW-LogicalSubnet
+package#NetworkConnectivity,domain#I.O.HIoH.3.2,domain#TWAS-NetworkControl-LogicalSubnet
 package#NetworkConnectivity,domain#I.O.IoH.3,domain#TWAS-ConnectionsBlocked-NetworkPath
 package#NetworkConnectivity,domain#I.O.IoH.3,domain#TWAS-NetworkUserTW-LogicalSubnet
 package#NetworkConnectivity,domain#I.O.LoH.3,domain#TWAS-NetworkUserTW-LogicalSubnet
From 46e5ee55166d89aae2b595512541acf323bb1c18 Mon Sep 17 00:00:00 2001
From: Mike Surridge <27415349+mike1813@users.noreply.github.com>
Date: Mon, 14 Aug 2023 15:43:31 +0100
Subject: [PATCH 3/5] Removed 'artificial' controls and control strategies previously used to support different types of risk calculation, addressing #28.
---
 csv/CASetting.csv | 46 ---------------------------------
 csv/Control.csv | 1 -
 csv/ControlLocations.csv | 2 --
 csv/ControlStrategy.csv | 2 --
 csv/ControlStrategyBlocks.csv | 21 ---------------
 csv/ControlStrategyControls.csv | 2 --
 6 files changed, 74 deletions(-)
diff --git a/csv/CASetting.csv b/csv/CASetting.csv
index eb39b71..725361c 100644
--- a/csv/CASetting.csv
+++ b/csv/CASetting.csv
@@ -8,7 +8,6 @@ package#5G,domain#CAS-AntiMalware-BaseStation,domain#BaseStation,domain#AntiMalw
 package#5G,domain#CAS-BiometricIDVerifier-BaseStation,domain#BaseStation,domain#BiometricIDVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#5G,domain#CAS-ChipAndPINVerifier-BaseStation,domain#BaseStation,domain#ChipAndPINVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#5G,domain#CAS-ContinuousAuthN-BaseStation,domain#BaseStation,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
-package#5G,domain#CAS-CurrentRiskCalculation-BaseStation,domain#BaseStation,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#5G,domain#CAS-DeviceCertification-BaseStation,domain#BaseStation,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#5G,domain#CAS-DisabledHost-BaseStation,domain#BaseStation,domain#DisabledHost,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#5G,domain#CAS-DisableNetworkProvision-BaseStation,domain#BaseStation,domain#DisableNetworkProvision,TRUE,domain#TrustworthinessLevelSafe,TRUE
@@ -103,18 +102,6 @@ package#Application,domain#CAS-ContinuousAuthVerifier-TextEditor,domain#TextEdit
 package#Application,domain#CAS-ContinuousAuthVerifier-WebApp,domain#WebApp,domain#ContinuousAuthVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Application,domain#CAS-ContinuousAuthVerifier-WebBrowser,domain#WebBrowser,domain#ContinuousAuthVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Application,domain#CAS-ContinuousAuthVerifier-WebClient,domain#WebClient,domain#ContinuousAuthVerifier,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-ApplicationProcess,domain#ApplicationProcess,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-CmdLineProcess,domain#CmdLineProcess,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-DataService,domain#DataService,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-DB,domain#DB,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-DesktopService,domain#DesktopService,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-Editor,domain#Editor,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-EmailMX,domain#EmailMX,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-RemoteDesktop,domain#RemoteDesktop,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-TextEditor,domain#TextEditor,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-WebApp,domain#WebApp,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-WebBrowser,domain#WebBrowser,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Application,domain#CAS-CurrentRiskCalculation-WebClient,domain#WebClient,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Application,domain#CAS-DisabledProcess-ApplicationProcess,domain#ApplicationProcess,domain#DisabledProcess,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Application,domain#CAS-DisabledProcess-CmdLineProcess,domain#CmdLineProcess,domain#DisabledProcess,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Application,domain#CAS-DisabledProcess-DataService,domain#DataService,domain#DisabledProcess,TRUE,domain#TrustworthinessLevelSafe,TRUE
@@ -508,12 +495,6 @@ package#CloudManagement,domain#CAS-ContinuousAuthN-Pod,domain#Pod,domain#Continu
 package#CloudManagement,domain#CAS-ContinuousAuthN-Worker,domain#Worker,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#CloudManagement,domain#CAS-ContinuousAuthVerifier-APIServer,domain#APIServer,domain#ContinuousAuthVerifier,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#CloudManagement,domain#CAS-ContinuousAuthVerifier-Ingress,domain#Ingress,domain#ContinuousAuthVerifier,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#CloudManagement,domain#CAS-CurrentRiskCalculation-APIServer,domain#APIServer,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#CloudManagement,domain#CAS-CurrentRiskCalculation-Container,domain#Container,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#CloudManagement,domain#CAS-CurrentRiskCalculation-Ingress,domain#Ingress,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#CloudManagement,domain#CAS-CurrentRiskCalculation-Master,domain#Master,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#CloudManagement,domain#CAS-CurrentRiskCalculation-Pod,domain#Pod,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#CloudManagement,domain#CAS-CurrentRiskCalculation-Worker,domain#Worker,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#CloudManagement,domain#CAS-DeviceCertification-Container,domain#Container,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#CloudManagement,domain#CAS-DeviceCertification-Master,domain#Master,domain#DeviceCertification,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#CloudManagement,domain#CAS-DeviceCertification-Pod,domain#Pod,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
@@ -748,10 +729,6 @@ package#IoT,domain#CAS-ContinuousAuthN-Controller,domain#Controller,domain#Conti
 package#IoT,domain#CAS-ContinuousAuthN-Sensor,domain#Sensor,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#IoT,domain#CAS-ContinuousAuthVerifier-ControlProcess,domain#ControlProcess,domain#ContinuousAuthVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#IoT,domain#CAS-ContinuousAuthVerifier-SensorProcess,domain#SensorProcess,domain#ContinuousAuthVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
-package#IoT,domain#CAS-CurrentRiskCalculation-Controller,domain#Controller,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#IoT,domain#CAS-CurrentRiskCalculation-ControlProcess,domain#ControlProcess,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#IoT,domain#CAS-CurrentRiskCalculation-Sensor,domain#Sensor,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#IoT,domain#CAS-CurrentRiskCalculation-SensorProcess,domain#SensorProcess,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#IoT,domain#CAS-DeviceCertification-Controller,domain#Controller,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#IoT,domain#CAS-DeviceCertification-Sensor,domain#Sensor,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#IoT,domain#CAS-DisabledHost-Controller,domain#Controller,domain#DisabledHost,TRUE,domain#TrustworthinessLevelSafe,TRUE
@@ -1021,24 +998,6 @@ package#Network,domain#CAS-ContinuousAuthVerifier-LoginService,domain#LoginServi
 package#Network,domain#CAS-ContinuousAuthVerifier-RemoteTerminal,domain#RemoteTerminal,domain#ContinuousAuthVerifier,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Network,domain#CAS-ContinuousAuthVerifier-SMSClient,domain#SMSClient,domain#ContinuousAuthVerifier,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Network,domain#CAS-ContinuousOccupation-DataCentre,domain#DataCentre,domain#ContinuousOccupation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-AuthClient,domain#AuthClient,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-AuthService,domain#AuthService,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Cluster,domain#Cluster,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-CoreRouter,domain#CoreRouter,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-EmailClient,domain#EmailClient,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-EmailService,domain#EmailService,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-LoginService,domain#LoginService,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-MobileClient,domain#MobileClient,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Notebook,domain#Notebook,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-RemoteTerminal,domain#RemoteTerminal,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-RemovableMedia,domain#RemovableMedia,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Router,domain#Router,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Server,domain#Server,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Smartphone,domain#Smartphone,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Smartwatch,domain#Smartwatch,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-SMSClient,domain#SMSClient,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Tablet,domain#Tablet,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Network,domain#CAS-CurrentRiskCalculation-Workstation,domain#Workstation,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Network,domain#CAS-DeviceCertification-Cluster,domain#Cluster,domain#DeviceCertification,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Network,domain#CAS-DeviceCertification-CoreRouter,domain#CoreRouter,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Network,domain#CAS-DeviceCertification-MobileClient,domain#MobileClient,domain#DeviceCertification,FALSE,domain#TrustworthinessLevelSafe,TRUE
@@ -1672,7 +1631,6 @@ package#Privacy,domain#CAS-ConsentManagement-HealthData,domain#HealthData,domain
 package#Privacy,domain#CAS-ConsentManagement-SensitiveData,domain#SensitiveData,domain#ConsentManagement,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Privacy,domain#CAS-ConsentManagement-SpamData,domain#SpamData,domain#ConsentManagement,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Privacy,domain#CAS-ContinuousAuthN-HealthSensor,domain#HealthSensor,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
-package#Privacy,domain#CAS-CurrentRiskCalculation-HealthSensor,domain#HealthSensor,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Privacy,domain#CAS-DeviceCertification-HealthSensor,domain#HealthSensor,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Privacy,domain#CAS-DisabledHost-HealthSensor,domain#HealthSensor,domain#DisabledHost,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Privacy,domain#CAS-DisableNetworkProvision-HealthSensor,domain#HealthSensor,domain#DisableNetworkProvision,FALSE,domain#TrustworthinessLevelSafe,TRUE
@@ -1742,7 +1700,6 @@ package#ProcessComms,domain#CAS-AddressWhitelisting-ServiceChannel,domain#Servic
 package#ProcessComms,domain#CAS-ApplicationFW-ServiceProxy,domain#ServiceProxy,domain#ApplicationFW,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#ProcessComms,domain#CAS-AuthenticationLimits-ServiceProxy,domain#ServiceProxy,domain#AuthenticationLimits,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#ProcessComms,domain#CAS-ContinuousAuthVerifier-ServiceProxy,domain#ServiceProxy,domain#ContinuousAuthVerifier,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#ProcessComms,domain#CAS-CurrentRiskCalculation-ServiceProxy,domain#ServiceProxy,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#ProcessComms,domain#CAS-DisableClientAccess-ClientChannel,domain#ClientChannel,domain#DisableClientAccess,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#ProcessComms,domain#CAS-DisabledProcess-ServiceProxy,domain#ServiceProxy,domain#DisabledProcess,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#ProcessComms,domain#CAS-DisableServiceChannel-ServiceChannel,domain#ServiceChannel,domain#DisableServiceChannel,TRUE,domain#TrustworthinessLevelSafe,TRUE
@@ -1816,9 +1773,6 @@ package#Virtualisation,domain#CAS-Clustering-VCluster,domain#VCluster,domain#Clu
 package#Virtualisation,domain#CAS-ContinuousAuthN-VCluster,domain#VCluster,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Virtualisation,domain#CAS-ContinuousAuthN-VM,domain#VM,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Virtualisation,domain#CAS-ContinuousAuthN-VRouter,domain#VRouter,domain#ContinuousAuthN,FALSE,domain#TrustworthinessLevelSafe,TRUE
-package#Virtualisation,domain#CAS-CurrentRiskCalculation-VCluster,domain#VCluster,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Virtualisation,domain#CAS-CurrentRiskCalculation-VM,domain#VM,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
-package#Virtualisation,domain#CAS-CurrentRiskCalculation-VRouter,domain#VRouter,domain#CurrentRiskCalculation,TRUE,domain#TrustworthinessLevelSafe,TRUE
 package#Virtualisation,domain#CAS-DeviceCertification-VCluster,domain#VCluster,domain#DeviceCertification,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Virtualisation,domain#CAS-DeviceCertification-VM,domain#VM,domain#DeviceCertification,FALSE,domain#TrustworthinessLevelSafe,TRUE
 package#Virtualisation,domain#CAS-DeviceCertification-VRouter,domain#VRouter,domain#DeviceCertification,TRUE,domain#TrustworthinessLevelSafe,TRUE
diff --git a/csv/Control.csv b/csv/Control.csv
index bf1ea7e..9ec866c 100644
--- a/csv/Control.csv
+++ b/csv/Control.csv
@@ -43,7 +43,6 @@ package#Network,domain#Clustering,Clustering,TRUE,"The host represents a class o
 package#Network,domain#ContinuousAuthN,ContinuousAuthN,TRUE,"The process captures usage characteristics, allowing the user identity to be verified by a suitable authentication service against a previously registered profile.",domain#CostVeryLow,domain#PerformanceImpactVeryLow
 package#Network,domain#ContinuousAuthNID,ContinuousAuthNID,TRUE,The user has continuous authentication identification characteristics registered with a continuous authentication verification service in the system.,domain#CostVeryLow,domain#PerformanceImpactVeryLow
 package#Network,domain#ContinuousAuthVerifier,ContinuousAuthVerifier,TRUE,The service has a means to verify the identity of a device user based on continuous authentication data sent by the device.,domain#CostVeryLow,domain#PerformanceImpactVeryLow
-package#Network,domain#CurrentRiskCalculation,CurrentRiskCalculation,TRUE,"The risk calculation is a current risk calculation. This control is used in a control strategy to disable threats that represent possible changes in asset status (like the discovery of vulnerabilities) over the long term, which should be ignored in a current risk calculation. This control strategy should not be used in future risk calculations. It is intended for use only by run-time services that need to invoke automated current risk calculations.",domain#CostVeryLow,domain#PerformanceImpactVeryLow
 package#Network,domain#DeviceCertification,DeviceCertification,TRUE,The device has been independently tested and certified as secure to a suitable evaluation assurance level.,domain#CostVeryLow,domain#PerformanceImpactVeryLow
 package#Network,domain#DisabledHost,DisabledHost,TRUE,"The host device has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the host, or when runtime monitoring detects the host is not running.",domain#CostVeryLow,domain#PerformanceImpactVeryLow
 package#Network,domain#DisabledProcess,DisabledProcess,TRUE,"The process has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the process, or when runtime monitoring detects the process is not running.",domain#CostVeryLow,domain#PerformanceImpactVeryLow
diff --git a/csv/ControlLocations.csv b/csv/ControlLocations.csv
index a9d4c36..e940c60 100644
--- a/csv/ControlLocations.csv
+++ b/csv/ControlLocations.csv
@@ -48,8 +48,6 @@ package#Network,domain#Clustering,domain#ClusterHost
 package#Network,domain#ContinuousAuthN,domain#Host
 package#Network,domain#ContinuousAuthNID,domain#Human
 package#Network,domain#ContinuousAuthVerifier,domain#Process
-package#Network,domain#CurrentRiskCalculation,domain#Host
-package#Network,domain#CurrentRiskCalculation,domain#Process
 package#Network,domain#DeviceCertification,domain#Host
 package#Network,domain#DisabledHost,domain#Host
 package#Network,domain#DisabledProcess,domain#Process
diff --git a/csv/ControlStrategy.csv b/csv/ControlStrategy.csv
index 5b5a048..0e7c78e 100644
--- a/csv/ControlStrategy.csv
+++ b/csv/ControlStrategy.csv
@@ -98,8 +98,6 @@ package#Network,domain#CSG-ClientX509Authentication,ClientX509Authentication,"Ac
 package#Network,domain#CSG-ContinuouslyObservedGateway,ContinuouslyObservedGateway,Physical access to host _Gateway_ is controlled by being situated where it can be under constant surveillance in a location that is continuously occupied at times when attacks may occur.,domain#TrustworthinessLevelSafe,TRUE,TRUE
 package#Network,domain#CSG-ContinuouslyObservedHost,ContinuouslyObservedHost,Physical access to host _Host_ is controlled by being situated where it can be under constant surveillance in a location that is continuously occupied at times when attacks may occur.,domain#TrustworthinessLevelSafe,TRUE,TRUE
 package#Network,domain#CSG-ContinuousUserAuthentication,ContinuousUserAuthentication,Access to process _Process_ is controlled by authenticating user _Human_ based on their registered usage characteristics captured by a personal device _Host_.,domain#TrustworthinessLevelSafe,TRUE,TRUE
-package#Network,domain#CSG-CurrentRiskAtHost,CurrentRiskAtHost,"The control at device _Host_ signifies that this is a current risk calculation, so threats that should only be considered in future risk calculations will be blocked so they have no effect.",domain#TrustworthinessLevelSafe,TRUE,TRUE
-package#Network,domain#CSG-CurrentRiskAtProcess,CurrentRiskAtProcess,"The control at process _Process_ signifies that this is a current risk calculation, so threats that should only be considered in future risk calculations will be blocked so they have no effect.",domain#TrustworthinessLevelSafe,TRUE,TRUE
 package#Network,domain#CSG-DeprioritisedProcess-Runtime,DeprioritisedProcess.Runtime,"The process _Process_ is configured to run with low priority, so it cannot overload its host _Host_, although this means if overloaded it will likely become unavailable instead. This can be configured in advance to block the threat, or implemented as a run-time response to an overload by signalling the manager _HostManager_ of the process host _Host_.",domain#TrustworthinessLevelSafe,TRUE,TRUE
 package#Network,domain#CSG-DisableGatewayHost-Runtime,DisableGatewayHost.Runtime,"Device _Gateway_ is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not be following some contingency plan. It also triggers threats representing side effects that would be caused by such an action.",domain#TrustworthinessLevelSafe,TRUE,TRUE
 package#Network,domain#CSG-DisableHost-Runtime,DisableHost,"Device _Host_ is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not be following some contingency plan. It also triggers threats representing side effects that would be caused by such an action.",domain#TrustworthinessLevelSafe,TRUE,TRUE
diff --git a/csv/ControlStrategyBlocks.csv b/csv/ControlStrategyBlocks.csv
index 3ae229a..c0b44b3 100644
--- a/csv/ControlStrategyBlocks.csv
+++ b/csv/ControlStrategyBlocks.csv
@@ -628,27 +628,6 @@ package#VulnerabilityCVSS,domain#CSG-BlockInterface,domain#H.W.HIoH.3
 package#VulnerabilityCVSS,domain#CSG-BlockInterface,domain#H.W.HRoH.3
 package#VulnerabilityCVSS,domain#CSG-ClientAddressWhitelisting,domain#P.V.OCAPNoS.2
 package#VulnerabilityCVSS,domain#CSG-ClientAddressWhitelisting,domain#P.V.OSAPNaS.3
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-A.TH.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-AU.H.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-C.TH.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-I.TH.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-M.SH.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-VA.H.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-VL.H.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-VN.H.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtHost,domain#H.E-W.GH.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-A.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-AU.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-C.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-I.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-M.SHP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-QI.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-U.SHP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-VA.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-VL.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-VN.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-W.HP-iT.8
-package#VulnerabilityCVSS,domain#CSG-CurrentRiskAtProcess,domain#P.E-XS.HP-iT.8
 package#VulnerabilityCVSS,domain#CSG-DataStorageEncryption,domain#DS.Auth.HDS.4
 package#VulnerabilityCVSS,domain#CSG-DataStorageEncryption,domain#DS.Auth.HPsACDAd-pDS.4
 package#VulnerabilityCVSS,domain#CSG-DataStorageEncryption,domain#DS.C.HDS.4
diff --git a/csv/ControlStrategyControls.csv b/csv/ControlStrategyControls.csv
index aed276f..2303d64 100644
--- a/csv/ControlStrategyControls.csv
+++ b/csv/ControlStrategyControls.csv
@@ -216,8 +216,6 @@ package#Network,domain#CSG-ContinuousUserAuthentication,domain#CS-ContinuousAuth
 package#Network,domain#CSG-ContinuousUserAuthentication,domain#CS-ContinuousAuthNID-Human,FALSE
 package#Network,domain#CSG-ContinuousUserAuthentication,domain#CS-ContinuousAuthVerifier-Process,FALSE
 package#Network,domain#CSG-ContinuousUserAuthentication,domain#CS-PersonalDevice-Host,FALSE
-package#Network,domain#CSG-CurrentRiskAtHost,domain#CS-CurrentRiskCalculation-Host,FALSE
-package#Network,domain#CSG-CurrentRiskAtProcess,domain#CS-CurrentRiskCalculation-Process,FALSE
 package#Network,domain#CSG-DeprioritisedProcess-Runtime,domain#CS-LowPriority-Process,FALSE
 package#Network,domain#CSG-DisableGatewayHost-Runtime,domain#CS-DisabledHost-Gateway,FALSE
 package#Network,domain#CSG-DisableGatewayHost-Runtime,domain#CS-SystemSecurityTraining-HostManager,FALSE
From 84ca6b5ce1e2e45c4ccc95fd4b19c7e06ebe7290 Mon Sep 17 00:00:00 2001
From: Mike Surridge <27415349+mike1813@users.noreply.github.com>
Date: Mon, 14 Aug 2023 16:59:09 +0100
Subject: [PATCH 4/5] Fixed bug in remote DoS attack threats as updated to address #26, found by regression tests in fixes for #28.
---
 csv/ThreatEntryPoints.csv | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/csv/ThreatEntryPoints.csv b/csv/ThreatEntryPoints.csv
index ea093ec..7a8d703 100644
--- a/csv/ThreatEntryPoints.csv
+++ b/csv/ThreatEntryPoints.csv
@@ -223,10 +223,10 @@ package#NetworkConnectivity,domain#I.O.DDoH.3,domain#TWAS-NetworkControl-Attacke
 package#NetworkConnectivity,domain#I.O.HIoH.3.1,domain#TWAS-NetworkUserTW-LogicalSubnet
 package#NetworkConnectivity,domain#I.O.HIoH.3.2,domain#TWAS-NetworkControl-LogicalSubnet
 package#NetworkConnectivity,domain#I.O.IoH.3,domain#TWAS-ConnectionsBlocked-NetworkPath
-package#NetworkConnectivity,domain#I.O.IoH.3,domain#TWAS-NetworkUserTW-LogicalSubnet
+package#NetworkConnectivity,domain#I.O.IoH.3,domain#TWAS-NetworkUserTW-AttackerSubnet
 package#NetworkConnectivity,domain#I.O.LoH.3,domain#TWAS-NetworkUserTW-LogicalSubnet
 package#NetworkConnectivity,domain#I.O.RoH.3,domain#TWAS-ConnectionsBlocked-NetworkPath
-package#NetworkConnectivity,domain#I.O.RoH.3,domain#TWAS-NetworkUserTW-LogicalSubnet
+package#NetworkConnectivity,domain#I.O.RoH.3,domain#TWAS-NetworkUserTW-AttackerSubnet
 package#NetworkConnectivity,domain#LS.C.WiFiSSoH.3,domain#TWAS-OccupantTW-Space
 package#NetworkConnectivity,domain#LS.C.WiFiSSoH.3,domain#TWAS-OutOfService-RadioSubnet
 package#NetworkConnectivity,domain#NP.DA.NPLS.8,domain#TWAS-OutOfService-LogicalSubnet
From 91f43260735477b402329ad758d466ac3b2d5861 Mon Sep 17 00:00:00 2001
From: Mike Surridge <27415349+mike1813@users.noreply.github.com>
Date: Wed, 16 Aug 2023 18:48:58 +0100
Subject: [PATCH 5/5] Added threat P.O.PILSsSC.0 to propagate DoS overload on an Interface to any Service listening on that Interface. Fills another gap related to issue #26.
---
 csv/MatchingPattern.csv | 1 +
 csv/MatchingPatternLinks.csv | 3 +++
 csv/MatchingPatternNodes.csv | 2 ++
 csv/RootPattern.csv | 1 +
 csv/RootPatternLinks.csv | 3 +++
 csv/RootPatternNodes.csv | 4 ++++
 csv/Threat.csv | 1 +
 csv/ThreatEffects.csv | 1 +
 csv/ThreatSEC.csv | 2 ++
 9 files changed, 18 insertions(+)
diff --git a/csv/MatchingPattern.csv b/csv/MatchingPattern.csv
index 5c9cda5..b8e6d6e 100644
--- a/csv/MatchingPattern.csv
+++ b/csv/MatchingPattern.csv
@@ -688,6 +688,7 @@ package#ProcessComms,domain#MP-PCaTSSCAP,PCaTSSCAP,Finds an attack path path via
 package#ProcessComms,domain#MP-PCaTSSCCC,PCaTSSCCC,Finds a client channel via a service channel which gives access to a service in a process context.,domain#R-PCaTSSCCC,FALSE,FALSE
 package#ProcessComms,domain#MP-PCCPCCS,PCCPCCS,"Finds a client that is a specialised service proxy, with access to a service proxy, that in turn has access to a service.",domain#R-PCCPCCS,FALSE,FALSE
 package#ProcessComms,domain#MP-PDFFA,PDFFA,"Finds a Data Flow, its source and destination processes, a related data use element at the source, and optionally the two process managers.",domain#R-PDFFA,FALSE,FALSE
+package#ProcessComms,domain#MP-PILSsSC,PILSsSC,"Finds a Process running on a Host connected via an Interface to a Logical Subnet, where the Process acts as a Service to at least one client communicating over that Interface, any of which is sufficient to cause a threat.",domain#R-PILS,FALSE,FALSE
 package#ProcessComms,domain#MP-PNacS,PNacS,"Finds a host running a service accessed by an authentication proxy, plus the associated client channel, contexts in which the service can be accessed, and optionally the managers of the client proxy, service and service host.",domain#R-PNacS,FALSE,FALSE
 package#ProcessComms,domain#MP-PnPnS-U,PnPnS-U,"Finds a client using a service via an authentication proxy (i.e. the proxy forwards credentials), where there is no link yet indicating indirect usage.",domain#R-PnPnS,FALSE,FALSE
 package#ProcessComms,domain#MP-PurRASuSH,PurRASuSH,"Finds a process acting as a reverse proxy, which can remotely use a remote access service that uses a collocated process.",domain#R-PurRASuSH,FALSE,FALSE
diff --git a/csv/MatchingPatternLinks.csv b/csv/MatchingPatternLinks.csv
index bfbd1fe..ee60beb 100644
--- a/csv/MatchingPatternLinks.csv
+++ b/csv/MatchingPatternLinks.csv
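Review bot: The description added for `MP-PILSsSC` does not mention the host manager, although the MatchingPatternLinks.csv and MatchingPatternNodes.csv hunks of this patch add `Link-HostManager-manages-SHost` and `Node-HostManager-Human` to the same pattern. Neighbouring descriptions such as `MP-PNacS` do list their optional manager nodes, so the text should probably end `any of which is sufficient to cause a threat, and optionally the manager of the host.` This assumes the `FALSE,FALSE,FALSE` flags on the node row mark it as optional, which the header rows (not shown in these hunks) would confirm.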
@@ -1301,6 +1301,9 @@ package#ProcessComms,domain#MP-PCCPCCS,domain#Link-ServiceManager-manages-Servic
 package#ProcessComms,domain#MP-PDFFA,domain#Link-DataFlow-flowsViaChannel-ClientChannel,FALSE
 package#ProcessComms,domain#MP-PDFFA,domain#Link-Human-manages-FlowsFrom,FALSE
 package#ProcessComms,domain#MP-PDFFA,domain#Link-ProcessManager-manages-FlowsTo,FALSE
+package#ProcessComms,domain#MP-PILSsSC,domain#Link-HostManager-manages-SHost,FALSE
+package#ProcessComms,domain#MP-PILSsSC,domain#Link-ServiceChannel-channelTo-Service,FALSE
+package#ProcessComms,domain#MP-PILSsSC,domain#Link-ServiceChannel-toInterface-Interface,FALSE
 package#ProcessComms,domain#MP-PNacS,domain#Link-HostManager-manages-SHost,FALSE
 package#ProcessComms,domain#MP-PNacS,domain#Link-Human-manages-Client,FALSE
 package#ProcessComms,domain#MP-PNacS,domain#Link-ProcAccess-accessTo-Service,FALSE
diff --git a/csv/MatchingPatternNodes.csv b/csv/MatchingPatternNodes.csv
index 5927f93..5e558e6 100644
--- a/csv/MatchingPatternNodes.csv
+++ b/csv/MatchingPatternNodes.csv
@@ -739,6 +739,8 @@ package#ProcessComms,domain#MP-PCCPCCS,domain#Node-ServiceManager-Human,FALSE,FA
 package#ProcessComms,domain#MP-PDFFA,domain#Node-ClientChannel-ClientChannel,TRUE,FALSE,FALSE
 package#ProcessComms,domain#MP-PDFFA,domain#Node-Human-Human,FALSE,FALSE,FALSE
 package#ProcessComms,domain#MP-PDFFA,domain#Node-ProcessManager-Human,FALSE,FALSE,FALSE
+package#ProcessComms,domain#MP-PILSsSC,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
+package#ProcessComms,domain#MP-PILSsSC,domain#Node-ServiceChannel-ServiceChannel,TRUE,FALSE,TRUE
 package#ProcessComms,domain#MP-PNacS,domain#Node-HostManager-Human,FALSE,FALSE,FALSE
 package#ProcessComms,domain#MP-PNacS,domain#Node-Human-Human,FALSE,FALSE,FALSE
 package#ProcessComms,domain#MP-PNacS,domain#Node-ProcAccess-PContext,TRUE,FALSE,FALSE
diff --git a/csv/RootPattern.csv b/csv/RootPattern.csv
index 47e1e6b..224d362 100644
--- a/csv/RootPattern.csv
+++ b/csv/RootPattern.csv
@@ -587,6 +587,7 @@ package#ProcessComms,domain#R-PCaFCSCCC,PCaFCSCCC,Finds a client channel via a s
 package#ProcessComms,domain#R-PCaTSSCAP,PCaTSSCAP,Finds an attack path path via a service channel on which a service is accessible in a process context.,FALSE,FALSE
 package#ProcessComms,domain#R-PCaTSSCCC,PCaTSSCCC,Finds a client channel via a service channel which gives access to a service in a process context.,FALSE,FALSE
 package#ProcessComms,domain#R-PCCPCCS,PCCPCCS,"Finds a client that is a specialised service proxy, with access to a service proxy, that in turn has access to a service.",FALSE,FALSE
+package#ProcessComms,domain#R-PILS,PILS,Finds a Process running on a Host connected via an Interface to a Logical Subnet.,FALSE,FALSE
 package#ProcessComms,domain#R-PNacS,PNacS,"Finds a host running a service accessed by an authentication proxy, plus the associated client channel.",FALSE,FALSE
 package#ProcessComms,domain#R-PnPnS,PnPnS,Finds a client using a service via an authentication proxy (i.e. the proxy forwards credentials).,FALSE,FALSE
 package#ProcessComms,domain#R-PurRASuSH,PurRASuSH,"Finds a process acting as a reverse proxy, which can remotely use a remote access service that uses a collocated process.",FALSE,FALSE
diff --git a/csv/RootPatternLinks.csv b/csv/RootPatternLinks.csv
index 2858f3d..63800f8 100644
--- a/csv/RootPatternLinks.csv
+++ b/csv/RootPatternLinks.csv
@@ -2632,6 +2632,9 @@ package#ProcessComms,domain#R-PCCPCCS,domain#Link-Client-usesViaAuthenticatingPr
 package#ProcessComms,domain#R-PCCPCCS,domain#Link-ProxyChannel-channelFrom-Service
 package#ProcessComms,domain#R-PCCPCCS,domain#Link-ProxyChannel-channelTo-Process
 package#ProcessComms,domain#R-PCCPCCS,domain#Link-SHost-hosts-Service
+package#ProcessComms,domain#R-PILS,domain#Link-Interface-connectsFrom-SHost
+package#ProcessComms,domain#R-PILS,domain#Link-Interface-connectsTo-LogicalSubnet
+package#ProcessComms,domain#R-PILS,domain#Link-SHost-hosts-Service
 package#ProcessComms,domain#R-PNacS,domain#Link-ClientChannel-channelFrom-Client
 package#ProcessComms,domain#R-PNacS,domain#Link-ClientChannel-channelTo-Service
 package#ProcessComms,domain#R-PNacS,domain#Link-Service-controls-Client
diff --git a/csv/RootPatternNodes.csv b/csv/RootPatternNodes.csv
index ee76895..a92b5d3 100644
--- a/csv/RootPatternNodes.csv
+++ b/csv/RootPatternNodes.csv
@@ -2636,6 +2636,10 @@ package#ProcessComms,domain#R-PCCPCCS,domain#Node-Process-Process,TRUE
 package#ProcessComms,domain#R-PCCPCCS,domain#Node-ProxyChannel-ClientChannel,TRUE
 package#ProcessComms,domain#R-PCCPCCS,domain#Node-Service-ServiceProxy,TRUE
 package#ProcessComms,domain#R-PCCPCCS,domain#Node-SHost-Host,TRUE
+package#ProcessComms,domain#R-PILS,domain#Node-Interface-Interface,TRUE
+package#ProcessComms,domain#R-PILS,domain#Node-LogicalSubnet-LogicalSubnet,TRUE
+package#ProcessComms,domain#R-PILS,domain#Node-Service-Process,TRUE
+package#ProcessComms,domain#R-PILS,domain#Node-SHost-Host,TRUE
 package#ProcessComms,domain#R-PNacS,domain#Node-ClientChannel-ClientChannel,TRUE
 package#ProcessComms,domain#R-PNacS,domain#Node-Client-Process,TRUE
 package#ProcessComms,domain#R-PNacS,domain#Node-Service-Process,TRUE
diff --git a/csv/Threat.csv b/csv/Threat.csv
index afc6bb0..1ea54ce 100644
--- a/csv/Threat.csv
+++ b/csv/Threat.csv
@@ -448,6 +448,7 @@ package#ProcessComms,domain#P.O.CCDFSFS.0,P.O.CCDFSFS.0,domain#Category-DenialOf
 package#ProcessComms,domain#P.O.CCDFSTS.0,P.O.CCDFSTS.0,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Excessive flow of data _Data_ via _Client_ overloads _Service_: if the flow of data _Data_ reaching _Service_ via _Client_ is excessive, it may overload _Service_.",domain#MP-CCDFSTS,domain#Role_Service
 package#ProcessComms,domain#P.O.DDoS.3,P.O.DDoS.3,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodMedium,TRUE,TRUE,Distributed DoS attack on service _Process_ from subnet _LogicalSubnet_: an attacker with control over multiple vulnerable systems connected to _LogicalSubnet_ can use them to send excessive messages via a privileged network paths through firewalls and overload service _Process_. The best defence is to arrange with your ISP to manage and restrict the traffic sent from the Internet (check threat causes for an unrestricted network interface).,domain#MP-DDoS,domain#Role_Process
 package#ProcessComms,domain#P.O.DoS.3,P.O.DoS.3,domain#Category-DenialOfServiceAttacks,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"DoS attack on service _Process_ from subnet _LogicalSubnet_: an attacker with access to _LogicalSubnet_can exploit a privileged network path through firewalls allowing access to service _Process_, sending too many messages and overloading _Process_. 
The best defence is to manage and restrict the traffic sent to the service at one of the inbound network interfaces (check threat causes for unrestricted network interfaces).",domain#MP-DoS,domain#Role_Process
+package#ProcessComms,domain#P.O.PILSsSC.0,P.O.PILSsSC.0,domain#Category-SecondaryThreats,FALSE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Service _Service_ running on host _SHost_ overloaded by messages from _LogicalSubnet_: if the interface between _SHost_ and _LogicalSubnet_ is overloaded, and service _Service_ is listening for client messages on that interface, then the overload also affects _Service_.",domain#MP-PILSsSC,domain#Role_Service
 package#ProcessComms,domain#SAP.IS.CAPSAP.8,SAP.IS.CAPSAP.8,domain#Category-NormalOperation,FALSE,TRUE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Privileged network paths to reach service _Process_ from _Client_ via _LogicalSubnet_ are open: messages can be sent from _LogicalSubnet_ to _Process_ thanks to firewall policy exceptions created to allow access by _Client_, which may be exploited by an attacker.",domain#MP-CAPSAP,domain#Role_ServiceAttackPath
 package#ProcessComms,domain#SC.A.CCCmSCS.0,SC.A.CCCmSCS.0,domain#Category-SecondaryThreats,TRUE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,Client _Client_ cannot access unavailable service _Service_: loss of availability in the service _Service_ makes the connection from _Client_ unavailable on all channels.,domain#MP-CCCmSCS,domain#Role_ServiceChannel
 package#ProcessComms,domain#SC.A.CCfImSC.0,SC.A.CCfImSC.0,domain#Category-SecondaryThreats,TRUE,FALSE,domain#LikelihoodVeryHigh,TRUE,TRUE,"Connection from _CHost_ to _LogicalSubnet_ affects communication between _Client_ and _Service_: if the connection of device _CHost_ running _Client_ and subnet _LogicalSubnet_ is not available, this will affect the communication channel between client _Client_ and service _Service_.",domain#MP-CCfImSC,domain#Role_ServiceChannel
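Review bot: The added `P.O.PILSsSC.0` row is in `Category-SecondaryThreats` but carries `FALSE,FALSE` in the two flag columns after the category, where the other secondary threats in this hunk (`SC.A.CCCmSCS.0`, `SC.A.CCfImSC.0`) carry `TRUE,FALSE` and the primary DoS threats above it carry `FALSE,FALSE`. If the first flag is the secondary-threat marker (the header row is not shown), the new threat would be handled as a primary threat even though its only causes in this patch are the two ThreatSEC.csv rows and no ThreatEntryPoints.csv row is added, which could leave the overload propagation out of the risk calculation or misreport it. In that case the fields should read `domain#Category-SecondaryThreats,TRUE,FALSE,domain#LikelihoodVeryHigh`; worth confirming against the column header.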
diff --git a/csv/ThreatEffects.csv b/csv/ThreatEffects.csv
index 9742e64..978a74e 100644
--- a/csv/ThreatEffects.csv
+++ b/csv/ThreatEffects.csv
@@ -432,6 +432,7 @@ package#ProcessComms,domain#P.O.CCDFSFS.0,domain#MS-Overloaded-Service
 package#ProcessComms,domain#P.O.CCDFSTS.0,domain#MS-Overloaded-Service
 package#ProcessComms,domain#P.O.DDoS.3,domain#MS-Overloaded-Process
 package#ProcessComms,domain#P.O.DoS.3,domain#MS-Overloaded-Process
+package#ProcessComms,domain#P.O.PILSsSC.0,domain#MS-Overloaded-Service
 package#ProcessComms,domain#SAP.IS.CAPSAP.8,domain#MS-InService-ServiceAttackPath
 package#ProcessComms,domain#SC.A.CCCmSCS.0,domain#MS-LossOfConnectivity-ServiceChannel
 package#ProcessComms,domain#SC.A.CCfImSC.0,domain#MS-LossOfConnectivity-ServiceChannel
diff --git a/csv/ThreatSEC.csv b/csv/ThreatSEC.csv
index e8a1ed0..6218d83 100644
--- a/csv/ThreatSEC.csv
+++ b/csv/ThreatSEC.csv
@@ -156,6 +156,8 @@ package#ProcessComms,domain#P.O.CCDFSFS.0,domain#MS-InService-ClientChannel
 package#ProcessComms,domain#P.O.CCDFSFS.0,domain#MS-Overloaded-DataStep
 package#ProcessComms,domain#P.O.CCDFSTS.0,domain#MS-InService-ClientChannel
 package#ProcessComms,domain#P.O.CCDFSTS.0,domain#MS-Overloaded-DataStep
+package#ProcessComms,domain#P.O.PILSsSC.0,domain#MS-InService-ServiceChannel
+package#ProcessComms,domain#P.O.PILSsSC.0,domain#MS-Overloaded-Interface
 package#ProcessComms,domain#SC.A.CCCmSCS.0,domain#MS-LossOfAvailability-Service
 package#ProcessComms,domain#SC.A.CCfImSC.0,domain#MS-LossOfAvailability-Interface
 package#ProcessComms,domain#SC.A.CCtImSC.0,domain#MS-LossOfAvailability-Interface