This repository was archived by the owner on Apr 3, 2024. It is now read-only.
PolicyIntelligence.yaml
version: 1
ATT&CK version: 10
creation date: 03/02/2022
last update: 06/07/2022
name: Policy Intelligence
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
  - Identity
  - Role Based Access Control
  - Access Management
  - Credentials
description: >-
  Policy Intelligence helps enterprises understand and manage their policies to reduce their risk.
  By utilizing machine learning and analytics, Policy Intelligence provides more visibility and
  automation, and customers can increase their workload.
techniques:
  - id: T1087.004
    name: Cloud Account
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control can be used to limit permissions to discover cloud accounts in accordance
          with least privilege principles and thereby limits the accounts that can be used for
          account discovery.
  - id: T1580
    name: Cloud Infrastructure Discovery
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          IAM Recommender helps admins remove unwanted access to GCP resources by using machine
          learning to make smart access control recommendations. With Recommender, security teams
          can automatically detect overly permissive access and rightsize it based on similar
          users in the organization and their access patterns. This control may mitigate adversaries
          that try to enumerate users' access keys through VMs or snapshots.
  - id: T1530
    name: Data from Cloud Storage Object
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Recommender generates policy insights by comparing the permissions that each principal
          used during the past 90 days with the total permissions the principal has. This can be
          used to limit the permissions associated with creating and modifying platform images or
          containers that adversaries may try to access.
      - category: Detect
        value: Minimal
        comments: >-
          Adversaries may attempt to implant cloud or container images with malicious code to gain
          access to an environment. IAM audit logs can be used to review data access and
          activity logs showing who has accessed certain resources.
  - id: T1538
    name: Cloud Service Dashboard
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control may limit the number of users that have privileges to discover cloud
          infrastructure and may limit the discovery value of the dashboard in the event of a
          compromised account.
  - id: T1578
    name: Modify Cloud Compute Infrastructure
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          IAM Recommender helps admins remove unwanted access to GCP resources by using machine
          learning to make smart access control recommendations. With Recommender, security teams
          can automatically detect overly permissive access and rightsize it based on similar
          users in the organization and their access patterns. This control may mitigate adversaries
          that try to gain permissions by modifying infrastructure components.
  - id: T1548.002
    name: Bypass User Account Control
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Adversaries may bypass UAC mechanisms to elevate process privileges. This control can be
          used to help enforce least privilege principles to ensure that permission levels are
          properly managed. Along with this, Policy Analyzer lets users know which principals have
          access to resources based on the corresponding IAM allow policies.
  - id: T1068
    name: Exploitation for Privilege Escalation
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          IAM Recommender helps admins remove unwanted access to GCP resources by using machine
          learning to make smart access control recommendations. With Recommender, security teams
          can automatically detect overly permissive access and rightsize it based on similar
          users in the organization and their access patterns. This control may mitigate adversaries
          that try to perform privilege escalation via permission levels and software exploitation.
  - id: T1562
    name: Impair Defenses
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Adversaries that try to disable cloud logging capabilities have the advantage of limiting
          the amount of data that can be collected and may thereby avoid detection. This
          control may be used to ensure that permissions are in place to prevent adversaries from
          disabling or interfering with security/logging services.
  - id: T1078.004
    name: Cloud Accounts
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Adversaries may obtain and abuse credentials of a cloud account by gaining access through
          means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion. IAM
          Recommender helps enforce least privilege principles to ensure that permission levels are
          properly managed.
      - category: Detect
        value: Minimal
  - id: T1562.008
    name: Disable Cloud Logs
    technique-scores:
      - category: Detect
        value: Minimal
        comments: >-
          Adversaries that try to disable cloud logging capabilities have the advantage of limiting
          the amount of data that can be collected and may thereby avoid detection. This
          control may be used to routinely check role and account permissions in IAM audit logs.
  - id: T1212
    name: Exploitation for Credential Access
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          IAM Recommender helps admins remove unwanted access to GCP resources by using machine
          learning to make smart access control recommendations. With Recommender, security teams
          can automatically detect overly permissive access and rightsize it based on similar
          users in the organization and their access patterns. This control may mitigate adversaries
          that try to perform privilege escalation via permission levels and software exploitation.
  - id: T1078
    name: Valid Accounts
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Adversaries may obtain and abuse credentials of a cloud account by gaining access through
          means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion. IAM
          Recommender helps enforce least privilege principles to ensure that permission levels are
          properly managed.
  - id: T1087
    name: Account Discovery
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control can be used to limit permissions to discover user accounts in accordance with
          least privilege principles and thereby limits the accounts that can be used for account
          discovery.
  - id: T1098.001
    name: Additional Cloud Credentials
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Using and enforcing MFA for user accounts, and ensuring that IAM policies are
          implemented properly, mitigates adversaries attempting to gain access to user
          accounts. Enforce the principle of least privilege by ensuring that principals have only
          the permissions that they actually need.
  - id: T1098
    name: Account Manipulation
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Using and enforcing MFA for user accounts, and ensuring that IAM policies are
          implemented properly, mitigates adversaries attempting to gain access to user
          accounts. Enforce the principle of least privilege by ensuring that principals have only
          the permissions that they actually need.
  - id: T1222
    name: File and Directory Permissions Modification
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Adversaries may modify file or directory permissions/attributes to evade access control
          lists (ACLs) and access protected files. Enforcing the principle of least privilege
          through IAM Recommender role recommendations helps admins identify and remove excess
          permissions from principals, improving the security configuration of their resources.
comments: 'Similar to Azure Role based access control and Azure policy'
references:
  - 'https://cloud.google.com/policy-intelligence'