This repository was archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 62
/
Copy pathCloudHSM.yaml
89 lines (89 loc) · 3.97 KB
/
CloudHSM.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
version: 1
ATT&CK version: 10
creation date: 04/13/2022
last update: 04/19/2022
name: Cloud Hardware Security Module (HSM)
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
- Encryption
- Data Security
description: >-
Google Cloud's Hardware Security Module (HSM) is a security feature available under Google Cloud
Key Management Service that allows customers to host encryption keys and perform cryptographic
operations in a FIPS 140-2 level 3 certified environment.
techniques:
- id: T1552
name: Unsecured Credentials
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to leverage unsecured
credentials found on compromised systems. Variations of this technique are difficult to
mitigate, so a partial score was granted for this control's medium to high coverage
factor.
- id: T1553
name: Subvert Trust Controls
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to undermine trusted controls
and conduct nefarious activity or execute malicious programs. Variations of this technique
are difficult to mitigate, so a partial score was granted for this control's medium to
high coverage factor.
- id: T1588.003
name: Code Signing Certificates
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to compromise code signing
certificates that can used during targeting to run compromised code and other tampered
executables. Variations of this technique are difficult to mitigate, so a partial score
was granted for this control's medium to high coverage factor.
- id: T1588.004
name: Digital Certificates
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to compromise digital
certificates that can used to encrypt data-in-transit or tamper with the certificate
owner's communications. Variations of this technique are difficult to mitigate, so a
partial score was granted for this control's medium to high coverage factor.
- id: T1552.004
name: Private Keys
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to compromise private key
certificate files (e.g., .key, .pgp, .ppk, .p12). Variations of this technique are
difficult to mitigate, so a partial score was granted for this control's medium to high
coverage factor.
- id: T1552.001
name: Credentials In Files
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to leverage passwords and
unsecure credentials found in files on compromised systems.Variations of this technique
are difficult to mitigate, so a partial score was granted for this control's medium to
high coverage factor.
- id: T1588
name: Obtain Capabilities
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud's HSM may protect against adversary's attempts to obtain capabilities by
compromising code signing certificates that will be used to run compromised code and other
tampered executables. Variations of this technique are difficult to mitigate, so a partial
score was granted for this control's medium to high coverage factor.
comments: This control provides a secure alternative to storing encryption keys in the file system.
references:
- 'https://cloud.google.com/kms/docs/hsm'