# SecurityCenterRecommendations.yaml
version: 1
ATT&CK version: 8.2
creation date: 04/07/2021
name: Azure Security Center Recommendations
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
  - Azure Security Center
  - Azure Security Center Recommendation
description: >-
  This feature of Azure Security Center assesses your workloads and raises threat prevention
  recommendations and security alerts.
techniques:
  - id: T1040
    name: Network Sniffing
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's recommendations related to enforcing the usage of the secure versions of
          the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic, which reduces
          the ability for an adversary to gather sensitive data via network sniffing.
          This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel
          property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL
          database servers", "Enforce SSL connection should be enabled for PostgreSQL database
          servers", "Only secure connections to your Redis Cache should be enabled" and "Secure
          transfer to storage accounts should be enabled" recommendations for their respective
          protocols.
          The "Usage of host networking and ports should be restricted" recommendation for
          Kubernetes clusters can also lead to mitigating this technique.
          These recommendations are limited to specific technologies on the platform and therefore
          their coverage score is Minimal.
  - id: T1190
    name: Exploit Public-Facing Application
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's CORS-related recommendations can help lead to hardened web applications.
          This can reduce the likelihood of an application being exploited to reveal sensitive data
          that can lead to the compromise of an environment.
          Likewise, this control's recommendations related to keeping Java and PHP up to date for
          API/Function/Web apps can lead to hardening the public-facing content that uses these
          runtimes.
          This control's recommendations related to disabling public network access for Azure
          databases can lead to reducing the exposure of resources to the public Internet and
          thereby reduce the attack surface.
          These recommendations are limited to specific technologies (Java, PHP, CORS and SQL
          databases) and therefore provide Minimal coverage, leading to a Minimal score.
  - id: T1110
    name: Brute Force
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Authentication to Linux machines should require SSH keys" recommendation can
          lead to obviating SSH brute force password attacks. Because this is specific to Linux, the
          coverage score is Minimal, leading to an overall Minimal score.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1110.001
            name: Password Guessing
          - id: T1110.003
            name: Password Spraying
          - id: T1110.004
            name: Credential Stuffing
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Authentication to Linux machines should require SSH keys" recommendation
              can obviate SSH brute force password attacks. Because this is specific to Linux, the
              coverage score is Minimal, leading to an overall Minimal score.
  - id: T1542
    name: Pre-OS Boot
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control provides recommendations for enabling Secure Boot on Linux VMs that can
          mitigate a few of the sub-techniques of this technique. Because this is a recommendation
          and is limited to only a few sub-techniques of this technique, its assessed score is Partial.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1542.001
            name: System Firmware
          - id: T1542.003
            name: Bootkit
        scores:
          - category: Protect
            value: Partial
            comments: >-
              This control's "Secure Boot should be enabled on your Linux virtual machine" and
              "Virtual machines should be attested for boot integrity health" recommendations can
              lead to enabling Secure Boot on Linux VMs to mitigate these sub-techniques. Because
              this recommendation is specific to Linux VMs and is a recommendation, its score is
              capped at Partial.
  - id: T1499
    name: Endpoint Denial of Service
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control provides recommendations for limiting the CPU and memory resources consumed
          by a container to minimize resource exhaustion attacks. Because this control only covers
          one sub-technique of this technique, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1499.001
            name: OS Exhaustion Flood
        scores:
          - category: Protect
            value: Partial
            comments: >-
              This control's "Container CPU and memory limits should be enforced" recommendation can lead
              to preventing resource exhaustion attacks by enforcing limits for containers so that the
              runtime prevents a container from using more than its configured resource limit.
              Because this is a recommendation, its score is capped at Partial.
  - id: T1525
    name: Implant Container Image
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Container images should be deployed from trusted registries only",
          "Container registries should not allow unrestricted network access" and
          "Container registries should use private link" recommendations can lead to ensuring
          that container images are only loaded from trusted registries, thereby mitigating this technique.
  - id: T1068
    name: Exploitation for Privilege Escalation
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Container with privilege escalation should be avoided",
          "Least privileged Linux capabilities should be enforced for containers",
          "Privileged containers should be avoided", "Running containers as root user should be avoided"
          and "Containers sharing sensitive host namespaces should be avoided" recommendations can make
          it difficult for adversaries to advance their operation through exploitation of undiscovered
          or unpatched vulnerabilities. Because this is a recommendation, the assessed score has
          been capped at Partial.
  - id: T1098
    name: Account Manipulation
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can prevent modifying the SSH authorized_keys file. Because it is a
          recommendation and limited to only one sub-technique, its score is Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1098.004
            name: SSH Authorized Keys
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing modification of a Kubernetes
              container's file system, which can mitigate this technique. Because this
              recommendation is specific to Kubernetes containers, its score is Minimal.
  - id: T1554
    name: Compromise Client Software Binary
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can lead to preventing modification of binaries in Kubernetes containers,
          thereby mitigating this technique. Because this is a recommendation, its score is capped
          at Partial.
  - id: T1136
    name: Create Account
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a sub-technique of this technique. Due to its Minimal
          coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1136.001
            name: Local Account
        scores:
          - category: Protect
            value: Partial
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing system files from being modified in
              Kubernetes containers, thereby mitigating this sub-technique, since adding an account
              (on Linux) requires modifying system files. Because this is a recommendation, its
              score is capped at Partial.
  - id: T1543
    name: Create or Modify System Process
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a sub-technique of this technique. Due to its Minimal
          coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1543.002
            name: Systemd Service
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing the addition or modification of
              systemd service files in Kubernetes containers, thereby mitigating this sub-technique.
              Because this is a recommendation, and specific to Kubernetes containers, its score is
              assessed as Minimal.
  - id: T1546
    name: Event Triggered Execution
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a sub-technique of this technique. Due to its Minimal
          coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1546.004
            name: .bash_profile and .bashrc
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing the addition or modification of the
              file system in Kubernetes containers, thereby mitigating this sub-technique. Because
              this is a recommendation, and specific to Kubernetes containers, its score is assessed
              as Minimal.
  - id: T1505
    name: Server Software Component
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a sub-technique of this technique. Due to its Minimal
          coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1505.003
            name: Web Shell
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing modifications to the file system in
              Kubernetes containers, which can mitigate adversaries installing web shells. Because
              this is a recommendation, and specific to Kubernetes containers, its score is assessed
              as Minimal.
  - id: T1222
    name: File and Directory Permissions Modification
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a sub-technique of this technique. Due to its Minimal
          coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1222.002
            name: Linux and Mac File and Directory Permissions Modification
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing the modification of file system
              permissions in Kubernetes containers, thereby mitigating this sub-technique. Because
              this is a recommendation, and specific to Kubernetes containers, its score is assessed
              as Minimal.
  - id: T1564
    name: Hide Artifacts
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate some of the sub-techniques of this technique. Due to its
          partial coverage and the Minimal score assessed for its sub-techniques, its score is assessed
          as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1564.001
            name: Hidden Files and Directories
          - id: T1564.005
            name: Hidden File System
          - id: T1564.006
            name: Run Virtual Instance
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing these sub-techniques, which result in
              changes to the file system directly or indirectly during their execution. Because
              this is a recommendation, and specific to Kubernetes containers, its score is assessed
              as Minimal.
  - id: T1053
    name: Scheduled Task/Job
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a few of the sub-techniques of this technique. Due to its
          Minimal coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1053.003
            name: Cron
          - id: T1053.006
            name: Systemd Timers
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to preventing the addition or modification of
              the config files in Kubernetes containers required to implement the behaviors described in
              these sub-techniques. Because this is a recommendation, and specific to Kubernetes
              containers, its score is assessed as Minimal.
  - id: T1556
    name: Modify Authentication Process
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can mitigate a sub-technique of this technique. Due to it being a
          recommendation and providing minimal coverage, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1556.003
            name: Pluggable Authentication Modules
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for containers"
              recommendation can lead to preventing this sub-technique, which often modifies
              Pluggable Authentication Modules (PAM) components in the file system. Because this is a
              recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
  - id: T1080
    name: Taint Shared Content
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers" and
          "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node
          access from compromised containers" recommendations can mitigate this technique. Due to it being
          a recommendation, its score is capped at Partial.
  - id: T1074
    name: Data Staged
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can lead to mitigating a sub-technique of this technique by preventing
          modification of the local filesystem. Due to it being a recommendation, its score is
          capped at Partial.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1074.001
            name: Local Data Staging
        scores:
          - category: Protect
            value: Partial
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to mitigating this sub-technique by preventing
              modification of the local filesystem. Due to it being a recommendation, its score is
              capped at Partial.
  - id: T1485
    name: Data Destruction
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can lead to mitigating this technique by preventing modification of the
          local filesystem. Due to it being a recommendation, its score is capped at Partial.
  - id: T1486
    name: Data Encrypted for Impact
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can lead to mitigating this technique by preventing modification of the
          local filesystem. Due to it being a recommendation, its score is capped at Partial.
  - id: T1565
    name: Data Manipulation
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's "Immutable (read-only) root filesystem should be enforced for containers"
          recommendation can lead to mitigating a sub-technique of this technique by preventing
          modification of the local filesystem. Due to it being a recommendation and mitigating
          only one sub-technique, its score is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1565.001
            name: Stored Data Manipulation
        scores:
          - category: Protect
            value: Partial
            comments: >-
              This control's "Immutable (read-only) root filesystem should be enforced for
              containers" recommendation can lead to mitigating this sub-technique by preventing
              modification of the local filesystem.
              Likewise, this control's recommendations related to using customer-managed keys to
              encrypt data at rest and enabling transparent data encryption for SQL databases can
              mitigate this sub-technique by reducing an adversary's ability to perform tailored
              data modifications.
              Due to it being a recommendation, its score is capped at Partial.
  - id: T1078
    name: Valid Accounts
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control's recommendations about removing deprecated and external accounts with
          sensitive permissions from your subscription can lead to mitigating the Cloud Accounts
          sub-technique of this technique. Because this is a recommendation and has low coverage,
          it is assessed as Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1078.004
            name: Cloud Accounts
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control's "Deprecated accounts should be removed from your subscription" and
              "Deprecated accounts with owner permissions should be removed from your subscription"
              recommendations can lead to removing accounts that should not be utilized from your
              subscriptions, thereby denying adversaries the usage of these accounts to find ways to
              access your data without being noticed.
              Likewise, the recommendations related to external account permissions can also
              mitigate this sub-technique.
              Because these are recommendations and only limited to deprecated and external accounts,
              this is scored as Minimal.
  - id: T1133
    name: External Remote Services
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control's "Management ports should be closed on your virtual machines" recommendation
          can lead to reducing the attack surface of your Azure VMs by recommending closing
          management ports. Because this is a recommendation, its score is limited to Partial.
comments: >-
  Security Center recommendations include recommendations to enable security controls that have
  already been mapped separately (e.g. "Azure Defender for App Service should be enabled").
  Rather than including the (sub-)techniques that these controls map to within this mapping, consult
  the mapping files for these controls. To make this latter task easier, we have tagged all such
  controls with the "Azure Security Center Recommendation" tag.
  All scores are capped at Partial since this control provides recommendations rather than
  applying/enforcing the recommended actions.
  IoT related recommendations were not included in this mapping.
references:
  - 'https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference'
  - 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction'