From 243ba09a4e8ee611a3db6d52490726d1f4de992d Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Thu, 7 Dec 2023 15:58:06 -0600 Subject: [PATCH 01/25] Added initial likelihood matrix to test table look --- .../en/security/misconfigurations/_index.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/content/en/security/misconfigurations/_index.md b/content/en/security/misconfigurations/_index.md index e5b2e12dd69b9..6cc36ebd927fd 100644 --- a/content/en/security/misconfigurations/_index.md +++ b/content/en/security/misconfigurations/_index.md 
@@ -51,6 +51,36 @@ Investigate details using the [Misconfigurations Explorer][10]. View detailed in {{< img src="security/cspm/misconfigurations_explorer.png" alt="CSM Misconfigurations Explorer page" width="100%">}} +## Severity score framework + +Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will use our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. The matrix below shows how these two factors are computed. + +### Likelihood + +Likelihood is computed as a factor of an attack vector and the resource's accessibility. + +| | | Accessibility | | +|---------------|---------------------|---------------|----------| +| | | Private | Public | +| Attack Vector | Required Privileges | Low | Medium | +| | Vulnerability | Medium | High | +| | No Authorization | High | Critical | + +The attack vector is determined by the following criteria: + +| Attack Vector | Definition | +|:-------------------:|:---------------------------------------------------------------------------------------------------------:| +| Required Privileges | Requires specific privileges or access to abuse. | +| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability or leaked password/access key. | +| No Authorization | Requires no authorization/authentication to abuse. | + +The accessibility is determined by the following criteria: + +| Accessibility | Definition | +|:-------------:|:------------------------------------------------------------------:| +| Private | The vulnerable component/resource is in a private network. | +| Public | The vulnerable component/resource is accessible from the internet. | + ## Get started {{< whatsnext >}} From 370498ecd06b51f5e0867a186849006cf7dcbc98 Mon Sep 17 00:00:00 2001 
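Review bot: the likelihood matrix added in this hunk uses a two-row header ("Accessibility" alone in the header row, then "Private | Public" as the first body row) that GFM tables cannot express, so "Private"/"Public" render as an ordinary data row and the empty first-column cells under "Attack Vector" do not merge. A single header row, for example `| Attack Vector | Private | Public |` with one row per vector, keeps the grouping after rendering. Two wording points in the same hunk: "Likelihood is computed as a factor of an attack vector" suggests multiplication where the table is a lookup ("is determined by" fits), and the Vulnerability definition lists "a leaked password/access key" as a vulnerable component, which is really a compromised credential; naming both cases explicitly ("a vulnerable component or a compromised credential") would make the vector easier to apply.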
From: Nick Frichette Date: Fri, 8 Dec 2023 09:11:23 -0600 Subject: [PATCH 02/25] Added additional matrices --- .../en/security/misconfigurations/_index.md | 31 ++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/content/en/security/misconfigurations/_index.md b/content/en/security/misconfigurations/_index.md index 6cc36ebd927fd..900fcb2f588f3 100644 --- a/content/en/security/misconfigurations/_index.md +++ b/content/en/security/misconfigurations/_index.md 
@@ -53,16 +53,16 @@ Investigate details using the [Misconfigurations Explorer][10]. View detailed in ## Severity score framework -Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will use our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. The matrix below shows how these two factors are computed. +Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. ### Likelihood -Likelihood is computed as a factor of an attack vector and the resource's accessibility. +The likelihood component is made up of two subcomponents; The attack vector, the means through which a misconfiguration can be exploited, and the accessibility, if the resource is publicly accessible or not. | | | Accessibility | | |---------------|---------------------|---------------|----------| | | | Private | Public | -| Attack Vector | Required Privileges | Low | Medium | +| **Attack Vector** | Required Privileges | Low | Medium | | | Vulnerability | Medium | High | | | No Authorization | High | Critical | 
@@ -71,7 +71,7 @@ The attack vector is determined by the following criteria: | Attack Vector | Definition | |:-------------------:|:---------------------------------------------------------------------------------------------------------:| | Required Privileges | Requires specific privileges or access to abuse. | -| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability or leaked password/access key. | +| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | | No Authorization | Requires no authorization/authentication to abuse. | The accessibility is determined by the following criteria: 
@@ -81,6 +81,29 @@ The accessibility is determined by the following criteria: | Private | The vulnerable component/resource is in a private network. | | Public | The vulnerable component/resource is accessible from the internet. | +### Impact + +The impact component is how damaging the exploitation of the misconfiguration would be to the environment. + +| Impact | Definition | +|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| +| Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. | +| Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. | +| High | Abusing this misconfiguration results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources (E.G. S3FullAccess, EC2FullAccess, etc.). | +| Critical | Abusing this misconfiguration results in complete control of all resources in the account (E.G. AdministratorAccess) | + +### Severity Matrix + +These two subcomponent scores combined compute the overall severity score for a misconfiguration. + +| | | Impact | | | | +|------------|----------|--------|--------|----------|----------| +| | | Low | Medium | High | Critical | +| **Likelihood** | Low | Low | Low | Medium | Medium | +| | Medium | Low | Medium | High | High | +| | High | Medium | High | High | Critical | +| | Critical | Medium | High | Critical | Critical | + ## Get started {{< whatsnext >}} From 7c8e62b89930b3bd5989177862349f330473d047 Mon Sep 17 00:00:00 2001 
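Review bot: in the first hunk of this patch (@@ -53,16 +53,16 @@) the rewritten intro says the framework compares likelihood "to the risk posed to your environment", but the second component defined later in this same patch is impact, and risk is the output of the matrix; "to the impact it would have on your environment" matches the headings. The new likelihood sentence also needs punctuation: "two subcomponents; The attack vector, the means ..., and the accessibility, if the resource is publicly accessible or not" should read "two subcomponents: the attack vector (the means through which a misconfiguration can be exploited) and the accessibility (whether the resource is reachable from the internet)".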
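Review bot: in the third hunk (@@ -81,6 +81,29 @@) the Impact table's High row reads "results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources", which stacks two "impact" clauses; "affects the confidentiality, integrity, or availability of the vulnerable component and of a significant number of other resources" says it once. The parenthetical examples are written as S3FullAccess and EC2FullAccess, but the AWS managed policies are named AmazonS3FullAccess and AmazonEC2FullAccess; "E.G." should be "for example", and the Critical row lacks a closing period. The "### Severity Matrix" heading is Title Case while the sibling headings ("## Severity score framework") are sentence case, so "### Severity matrix" keeps them consistent. It is also worth stating in the prose that the matrix is symmetric (Low/High and High/Low both give Medium), since readers will look values up in either order.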
From: Nick Frichette Date: Fri, 8 Dec 2023 09:32:33 -0600 Subject: [PATCH 03/25] Made table headers bold --- .../en/security/misconfigurations/_index.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/content/en/security/misconfigurations/_index.md b/content/en/security/misconfigurations/_index.md index 900fcb2f588f3..6f8a64d741011 100644 --- a/content/en/security/misconfigurations/_index.md +++ b/content/en/security/misconfigurations/_index.md @@ -61,10 +61,10 @@ The likelihood component is made up of two subcomponents; The attack vector, the | | | Accessibility | | |---------------|---------------------|---------------|----------| -| | | Private | Public | -| **Attack Vector** | Required Privileges | Low | Medium | -| | Vulnerability | Medium | High | -| | No Authorization | High | Critical | +| | | **Private** | **Public** | +| **Attack Vector** | **Required Privileges** | Low | Medium | +| | **Vulnerability** | Medium | High | +| | **No Authorization** | High | Critical | The attack vector is determined by the following criteria: 
@@ -87,7 +87,7 @@ The impact component is how damaging the exploitation of the misconfiguration wo | Impact | Definition | |:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| -| Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. | +| Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. By itself, this misconfiguration represents little to no impact to the environment. | | Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. | | High | Abusing this misconfiguration results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources (E.G. S3FullAccess, EC2FullAccess, etc.). | | Critical | Abusing this misconfiguration results in complete control of all resources in the account (E.G. AdministratorAccess) | @@ -98,11 +98,11 @@ These two subcomponent scores combined compute the overall severity score for a | | | Impact | | | | |------------|----------|--------|--------|----------|----------| -| | | Low | Medium | High | Critical | -| **Likelihood** | Low | Low | Low | Medium | Medium | -| | Medium | Low | Medium | High | High | -| | High | Medium | High | High | Critical | -| | Critical | Medium | High | Critical | Critical | +| | | **Low** | **Medium** | **High** | **Critical** | +| **Likelihood** | **Low** | Low | Low | Medium | Medium | +| | **Medium** | Low | Medium | High | High | +| | **High** | Medium | High | High | Critical | +| | **Critical** | Medium | High | Critical | Critical | ## Get started 
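Review bot: in the second hunk (@@ -87,7 +87,7 @@) the sentence added to the Low row ends "little to no impact to the environment"; the idiomatic preposition is "impact on the environment". The bolding in the other two hunks is a visual substitute for header cells that Markdown cannot merge; it is harmless, but if the tables are later flattened to a single header row the bold markup can go with it.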
From 986993e7553b823c2b601fd2ba7c6c7bd8b8601d Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Fri, 8 Dec 2023 10:08:57 -0600 Subject: [PATCH 04/25] Added severity scoring exammples --- .../en/security/misconfigurations/_index.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/content/en/security/misconfigurations/_index.md b/content/en/security/misconfigurations/_index.md index 6f8a64d741011..575e1da150945 100644 --- a/content/en/security/misconfigurations/_index.md +++ b/content/en/security/misconfigurations/_index.md 
@@ -104,6 +104,43 @@ These two subcomponent scores combined compute the overall severity score for a | | **High** | Medium | High | High | Critical | | | **Critical** | Medium | High | Critical | Critical | +### Examples + +To explain how the framework is used here are a few examples. + +#### Example 1: SNS Topic should have access restrictions set for subscription + +The detection rule for [SNS Topic should have access restrictions set for subscription][14] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: + +- Likelihood: Critical + - Attack Vector: No Authorization + - The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard permits anyone the ability to act on the resource. No authentication/authorization is required to exploit the misconfiguration. + - Accessibility: Public + - The Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet. No specific network access is required. + +- Impact: Medium + - Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who has exploited this misconfiguration can receive messages as they are sent by the SNS topic. + +- Severity Score: Critical x Medium = High + - The final severity score is High. This is because a Critical likelihood mixed with a Medium impact results in an overall score of High. + +#### Example 2: EC2 instances should enforce IMDSv2 + +The detection rule for [EC2 instances should enforce IMDSv2][15] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][16]), which is vulnerable to common web application attacks. 
If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: + +- Likelihood: Medium + - Attack Vector: Vulnerability + - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][17]. + - Accessibility: Private + - The Accessibility is marked as "Private" because the EC2 instance has not explicitly been made public. + +- Impact: Medium + - Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource. + +- Severity Score: Medium x Medium = Medium + - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. + + ## Get started {{< whatsnext >}} @@ -130,3 +167,7 @@ These two subcomponent scores combined compute the overall severity score for a [11]: /security/default_rules/#cat-posture-management-infra [12]: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security [13]: /security/cloud_security_management/mute_issues +[14]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/ +[15]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ +[16]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ +[17]: https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/ From 980b141123f1e89131b14c7c5714883d37768675 Mon Sep 17 00:00:00 2001 
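Review bot: in the first hunk (@@ -104,6 +104,43 @@) Example 2 justifies Accessibility: Private with "because the EC2 instance has not explicitly been made public", but the rule as described only checks the IMDS version, not network exposure, so this is an assumption of the worked example rather than a rule condition; say so, and note that the same finding on an internet-facing instance would score Vulnerability/Public, that is High likelihood, and therefore High severity per the matrix. The same example calls IMDSv1 "vulnerable to common web application attacks"; the vulnerable piece is software running on the instance, and IMDSv1 matters because it answers any plain GET, whereas IMDSv2 requires a session token obtained with a PUT request first, which is what stops a typical SSRF from reading the credentials. Finally, "Critical x Medium = High" reads as arithmetic; the score is a lookup in the severity matrix, so "Critical likelihood, Medium impact: High" avoids implying multiplication.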
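Review bot: in the second hunk (@@ -130,3 +167,7 @@) the two new rule links [14] and [15] use absolute `https://docs.datadoghq.com/...` URLs while the neighbouring definitions [11] and [13] use site-relative paths (`/security/default_rules/#cat-posture-management-infra`); site-relative `/security/default_rules/aws-sns-subscription/` and `/security/default_rules/aws-ec2-imdsv2/` keep the links working on preview and staging builds. The third-party hackingthe.cloud references [16] and [17] are fine as absolute links.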
From: Nick Frichette Date: Mon, 11 Dec 2023 13:15:30 -0600 Subject: [PATCH 05/25] Moved severity matrix up a level --- .../en/security/misconfigurations/_index.md | 90 ------------------ content/en/security/severity_scoring.md | 94 +++++++++++++++++++ 2 files changed, 94 insertions(+), 90 deletions(-) create mode 100644 content/en/security/severity_scoring.md diff --git a/content/en/security/misconfigurations/_index.md b/content/en/security/misconfigurations/_index.md index 575e1da150945..81929eea2cdde 100644 --- a/content/en/security/misconfigurations/_index.md +++ b/content/en/security/misconfigurations/_index.md 
@@ -51,96 +51,6 @@ Investigate details using the [Misconfigurations Explorer][10]. View detailed in {{< img src="security/cspm/misconfigurations_explorer.png" alt="CSM Misconfigurations Explorer page" width="100%">}} -## Severity score framework - -Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. - -### Likelihood - -The likelihood component is made up of two subcomponents; The attack vector, the means through which a misconfiguration can be exploited, and the accessibility, if the resource is publicly accessible or not. - -| | | Accessibility | | -|---------------|---------------------|---------------|----------| -| | | **Private** | **Public** | -| **Attack Vector** | **Required Privileges** | Low | Medium | -| | **Vulnerability** | Medium | High | -| | **No Authorization** | High | Critical | - -The attack vector is determined by the following criteria: - -| Attack Vector | Definition | -|:-------------------:|:---------------------------------------------------------------------------------------------------------:| -| Required Privileges | Requires specific privileges or access to abuse. | -| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | -| No Authorization | Requires no authorization/authentication to abuse. 
| - -The accessibility is determined by the following criteria: - -| Accessibility | Definition | -|:-------------:|:------------------------------------------------------------------:| -| Private | The vulnerable component/resource is in a private network. | -| Public | The vulnerable component/resource is accessible from the internet. | - -### Impact - -The impact component is how damaging the exploitation of the misconfiguration would be to the environment. - -| Impact | Definition | -|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| -| Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. By itself, this misconfiguration represents little to no impact to the environment. | -| Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. | -| High | Abusing this misconfiguration results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources (E.G. S3FullAccess, EC2FullAccess, etc.). | -| Critical | Abusing this misconfiguration results in complete control of all resources in the account (E.G. AdministratorAccess) | - -### Severity Matrix - -These two subcomponent scores combined compute the overall severity score for a misconfiguration. 
- -| | | Impact | | | | -|------------|----------|--------|--------|----------|----------| -| | | **Low** | **Medium** | **High** | **Critical** | -| **Likelihood** | **Low** | Low | Low | Medium | Medium | -| | **Medium** | Low | Medium | High | High | -| | **High** | Medium | High | High | Critical | -| | **Critical** | Medium | High | Critical | Critical | - -### Examples - -To explain how the framework is used here are a few examples. - -#### Example 1: SNS Topic should have access restrictions set for subscription - -The detection rule for [SNS Topic should have access restrictions set for subscription][14] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: - -- Likelihood: Critical - - Attack Vector: No Authorization - - The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard permits anyone the ability to act on the resource. No authentication/authorization is required to exploit the misconfiguration. - - Accessibility: Public - - The Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet. No specific network access is required. - -- Impact: Medium - - Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who has exploited this misconfiguration can receive messages as they are sent by the SNS topic. - -- Severity Score: Critical x Medium = High - - The final severity score is High. This is because a Critical likelihood mixed with a Medium impact results in an overall score of High. 
- -#### Example 2: EC2 instances should enforce IMDSv2 - -The detection rule for [EC2 instances should enforce IMDSv2][15] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][16]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: - -- Likelihood: Medium - - Attack Vector: Vulnerability - - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][17]. - - Accessibility: Private - - The Accessibility is marked as "Private" because the EC2 instance has not explicitly been made public. - -- Impact: Medium - - Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource. - -- Severity Score: Medium x Medium = Medium - - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. - - ## Get started {{< whatsnext >}} diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md new file mode 100644 index 0000000000000..49733460b19bb --- /dev/null +++ b/content/en/security/severity_scoring.md 
@@ -0,0 +1,94 @@ +--- +title: Severity Scoring +kind: documentation +disable_toc: false +--- + +## CSM Misconfigurations and Identity Risks + +Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. + +### Likelihood + +The likelihood component is made up of two subcomponents; The attack vector, the means through which a misconfiguration can be exploited, and the accessibility, if the resource is publicly accessible or not. + +| | | Accessibility | | +|---------------|---------------------|---------------|----------| +| | | **Private** | **Public** | +| **Attack Vector** | **Required Privileges** | Low | Medium | +| | **Vulnerability** | Medium | High | +| | **No Authorization** | High | Critical | + +The attack vector is determined by the following criteria: + +| Attack Vector | Definition | +|:-------------------:|:---------------------------------------------------------------------------------------------------------:| +| Required Privileges | Requires specific privileges or access to abuse. | +| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | +| No Authorization | Requires no authorization/authentication to abuse. | + +The accessibility is determined by the following criteria: + +| Accessibility | Definition | +|:-------------:|:------------------------------------------------------------------:| +| Private | The vulnerable component/resource is in a private network. 
| +| Public | The vulnerable component/resource is accessible from the internet. | + +### Impact + +The impact component is how damaging the exploitation of the misconfiguration would be to the environment. + +| Impact | Definition | +|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| +| Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. By itself, this misconfiguration represents little to no impact to the environment. | +| Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. | +| High | Abusing this misconfiguration results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources (E.G. S3FullAccess, EC2FullAccess, etc.). | +| Critical | Abusing this misconfiguration results in complete control of all resources in the account (E.G. AdministratorAccess) | + +### Severity Matrix + +These two subcomponent scores combined compute the overall severity score for a misconfiguration. + +| | | Impact | | | | +|------------|----------|--------|--------|----------|----------| +| | | **Low** | **Medium** | **High** | **Critical** | +| **Likelihood** | **Low** | Low | Low | Medium | Medium | +| | **Medium** | Low | Medium | High | High | +| | **High** | Medium | High | High | Critical | +| | **Critical** | Medium | High | Critical | Critical | + +### Examples + +To explain how the framework is used here are a few examples. 
+ +#### Example 1: SNS Topic should have access restrictions set for subscription + +The detection rule for [SNS Topic should have access restrictions set for subscription][14] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: + +- Likelihood: Critical + - Attack Vector: No Authorization + - The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard permits anyone the ability to act on the resource. No authentication/authorization is required to exploit the misconfiguration. + - Accessibility: Public + - The Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet. No specific network access is required. + +- Impact: Medium + - Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who has exploited this misconfiguration can receive messages as they are sent by the SNS topic. + +- Severity Score: Critical x Medium = High + - The final severity score is High. This is because a Critical likelihood mixed with a Medium impact results in an overall score of High. + +#### Example 2: EC2 instances should enforce IMDSv2 + +The detection rule for [EC2 instances should enforce IMDSv2][15] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][16]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: + +- Likelihood: Medium + - Attack Vector: Vulnerability + - The Attack Vector is marked as "Vulnerability". 
This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][17]. + - Accessibility: Private + - The Accessibility is marked as "Private" because the EC2 instance has not explicitly been made public. + +- Impact: Medium + - Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource. + +- Severity Score: Medium x Medium = Medium + - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. \ No newline at end of file From 1e1c9c7aa1aaa0c06b76ee25cdae3347a0fbd546 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 11 Dec 2023 13:21:00 -0600 Subject: [PATCH 06/25] Fixed the link numbers in severity_scoring.md --- content/en/security/severity_scoring.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index 49733460b19bb..33b3cd1f89ffa 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md 
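Review bot: the _index.md hunk of this patch (@@ -51,96 +51,6 @@) removes the section but leaves the [14] to [17] link definitions that patch 04 appended to that file, so this commit ends with four orphaned definitions; they are deleted later in the series (patch 07), but dropping them here keeps each commit self-consistent.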
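Review bot: the new severity_scoring.md (@@ -0,0 +1,94 @@) still references [14], [15], [16] and [17] in the examples but defines none of them, so all four links are broken at this commit (patch 06 repairs this; squashing the two would avoid an intermediate broken page). The file also ends without a trailing newline ("\ No newline at end of file"), which the next patch again has to fix. Since the page title is "Severity Scoring" and the only H2 is "CSM Misconfigurations and Identity Risks", a one-line intro before the H2 would tell readers which products this scoring applies to.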
@@ -63,7 +63,7 @@ To explain how the framework is used here are a few examples. #### Example 1: SNS Topic should have access restrictions set for subscription -The detection rule for [SNS Topic should have access restrictions set for subscription][14] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: +The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: - Likelihood: Critical - Attack Vector: No Authorization 
@@ -79,11 +79,11 @@ The detection rule for [SNS Topic should have access restrictions set for subscr #### Example 2: EC2 instances should enforce IMDSv2 -The detection rule for [EC2 instances should enforce IMDSv2][15] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][16]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: +The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: - Likelihood: Medium - Attack Vector: Vulnerability - - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][17]. + - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][4]. - Accessibility: Private - The Accessibility is marked as "Private" because the EC2 instance has not explicitly been made public. 
@@ -91,4 +91,9 @@ The detection rule for [EC2 instances should enforce IMDSv2][15] checks if an EC - Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource. - Severity Score: Medium x Medium = Medium - - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. \ No newline at end of file + - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. + +[1]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/ +[2]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ +[3]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ +[4]: https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/ From 6819e58dba6c6ccf7bb961a1112ef225a06b327b Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 11 Dec 2023 13:22:11 -0600 Subject: [PATCH 07/25] Removed unused links from misconfigurations index --- content/en/security/misconfigurations/_index.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/content/en/security/misconfigurations/_index.md b/content/en/security/misconfigurations/_index.md index 81929eea2cdde..e5b2e12dd69b9 100644 --- a/content/en/security/misconfigurations/_index.md +++ b/content/en/security/misconfigurations/_index.md 
@@ -77,7 +77,3 @@ Investigate details using the [Misconfigurations Explorer][10]. View detailed in [11]: /security/default_rules/#cat-posture-management-infra [12]: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security [13]: /security/cloud_security_management/mute_issues -[14]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/ -[15]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ -[16]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ -[17]: https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/ From 22594c015fd0ff475bfb2f667d6695745e73ed77 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 11 Dec 2023 13:37:20 -0600 Subject: [PATCH 08/25] Reformatted severity scoring page --- content/en/security/severity_scoring.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index 33b3cd1f89ffa..30250961ac856 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md @@ -1,7 +1,10 @@ --- title: Severity Scoring kind: documentation -disable_toc: false +further_reading: +- link: "/security/misconfigurations/" + tag: "Documentation" + text: "Learn more about CSM Misconfigurations" --- ## CSM Misconfigurations and Identity Risks @@ -93,6 +96,10 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 - Severity Score: Medium x Medium = Medium - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + [1]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/ [2]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ [3]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ 
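Review bot: dropping [14]-[17] from `_index.md` is only correct if the two worked examples that cited them were moved out of this file earlier in the series; the hunk shows [11]-[13] still present, so confirm no remaining text in `_index.md` references [14]-[17], otherwise the docs link check will report dangling references. In the following patch, `disable_toc: false` is replaced by a `further_reading` block; that is two unrelated changes in one hunk and the TOC change is not mentioned in the subject line "Reformatted severity scoring page".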
From fb7cceb5c935e954b45e257512a47bff60672839 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 11 Dec 2023 13:48:51 -0600 Subject: [PATCH 09/25] Added aliases --- content/en/security/severity_scoring.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index 30250961ac856..31fbffe30f07b 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md @@ -1,10 +1,8 @@ --- title: Severity Scoring kind: documentation -further_reading: -- link: "/security/misconfigurations/" - tag: "Documentation" - text: "Learn more about CSM Misconfigurations" +aliases: + - /security/serverity_scoring --- ## CSM Misconfigurations and Identity Risks @@ -96,10 +94,6 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 - Severity Score: Medium x Medium = Medium - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. -## Further Reading - -{{< partial name="whats-next/whats-next.html" >}} - [1]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/ [2]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ [3]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ From 9f4addf09e32e7acb34bd5a10c434a31cebc1e08 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 11 Dec 2023 13:55:13 -0600 Subject: [PATCH 10/25] Added additional docs for other producs to severity scoring --- content/en/security/severity_scoring.md | 42 +++++++++++++++++++------ 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index 31fbffe30f07b..7b9256c6171cb 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md 
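Review bot: the alias added in this hunk, `/security/serverity_scoring`, is misspelled ("serverity"); if it is intentional, to catch a mistyped URL that was already published, say so in the commit message, otherwise it should be `/security/severity_scoring`. The same hunk also deletes the `further_reading` block, which the subject line "Added aliases" does not mention and which the very next patch adds back.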
@@ -1,15 +1,19 @@ --- title: Severity Scoring kind: documentation -aliases: - - /security/serverity_scoring +further_reading: +- link: "/security/misconfigurations/" + tag: "Documentation" + text: "Learn more about CSM Misconfigurations" --- -## CSM Misconfigurations and Identity Risks +## Cloud Security Management + +### Misconfigurations and Identity Risks Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. -### Likelihood +#### Likelihood The likelihood component is made up of two subcomponents; The attack vector, the means through which a misconfiguration can be exploited, and the accessibility, if the resource is publicly accessible or not. @@ -35,7 +39,7 @@ The accessibility is determined by the following criteria: | Private | The vulnerable component/resource is in a private network. | | Public | The vulnerable component/resource is accessible from the internet. | -### Impact +#### Impact The impact component is how damaging the exploitation of the misconfiguration would be to the environment. 
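Review bot: "Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework" is date-bound wording that will read as stale within months; state the current behaviour instead ("CSM Misconfigurations and Identity Risk rules use the following severity score framework"). In the same hunk, "two subcomponents; The attack vector, ... and the accessibility, ..." uses a semicolon where a colon and a two-item list belong.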
@@ -46,7 +50,7 @@ The impact component is how damaging the exploitation of the misconfiguration wo | High | Abusing this misconfiguration results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources (E.G. S3FullAccess, EC2FullAccess, etc.). | | Critical | Abusing this misconfiguration results in complete control of all resources in the account (E.G. AdministratorAccess) | -### Severity Matrix +#### Severity Matrix These two subcomponent scores combined compute the overall severity score for a misconfiguration. @@ -58,11 +62,11 @@ These two subcomponent scores combined compute the overall severity score for a | | **High** | Medium | High | High | Critical | | | **Critical** | Medium | High | Critical | Critical | -### Examples +#### Examples To explain how the framework is used here are a few examples. -#### Example 1: SNS Topic should have access restrictions set for subscription +##### Example 1: SNS Topic should have access restrictions set for subscription The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: 
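Review bot: the Impact table context in this hunk cites "E.G. S3FullAccess, EC2FullAccess" and "E.G. AdministratorAccess"; `S3FullAccess` and `EC2FullAccess` are not AWS managed policy names, the managed policies are `AmazonS3FullAccess` and `AmazonEC2FullAccess`, and "E.G." should be "e.g.". Since the examples are meant to be pasted into IAM searches, use the exact names.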
@@ -78,7 +82,7 @@ The detection rule for [SNS Topic should have access restrictions set for subscr - Severity Score: Critical x Medium = High - The final severity score is High. This is because a Critical likelihood mixed with a Medium impact results in an overall score of High. -#### Example 2: EC2 instances should enforce IMDSv2 +##### Example 2: EC2 instances should enforce IMDSv2 The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: @@ -94,6 +98,26 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 - Severity Score: Medium x Medium = Medium - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. +### Threats + +**threats goes here** + +### Vulnerabilities + +**vulns go here** + +## Cloud SIEM + +**cloud siem goes here** + +## Application Security Management + +**ASM goes here** + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + [1]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/ [2]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ [3]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ From 2678be73bd30dcb4d944843b9367a9ac25d60a1e Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 11 Dec 2023 14:15:24 -0600 Subject: [PATCH 11/25] Added severity scoring page to menu --- config/_default/menus/menus.en.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/_default/menus/menus.en.yaml b/config/_default/menus/menus.en.yaml index 82ddd7def1c0f..b3ca5302fe80d 100644 --- a/config/_default/menus/menus.en.yaml 
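Review bot: this hunk merges four placeholder sections ("**threats goes here**", "**vulns go here**", "**cloud siem goes here**", "**ASM goes here**") into a page that the next patch wires into the site menu, so they would render verbatim to readers; either fill them in before merge or leave the headings out until the content exists. If the placeholders must stay, make the grammar consistent ("threats go here").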
+++ b/config/_default/menus/menus.en.yaml @@ -3200,6 +3200,11 @@ main: parent: security_platform identifier: security_audit_trail weight: 10 + - name: Severity Scoring + url: security/severity_scoring + parent: security_platform + identifier: security_severity_scoring + weight: 11 - name: Cloud SIEM url: security/cloud_siem/ pre: siem From 951258a8050ad7553e2172b50f4a05a1326315b7 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Tue, 12 Dec 2023 09:33:15 -0600 Subject: [PATCH 12/25] Removed threats from the severity scoring page --- content/en/security/severity_scoring.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index 7b9256c6171cb..a94eea37b8466 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md @@ -98,18 +98,10 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 - Severity Score: Medium x Medium = Medium - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. -### Threats - -**threats goes here** - ### Vulnerabilities **vulns go here** -## Cloud SIEM - -**cloud siem goes here** - ## Application Security Management **ASM goes here** From a040fceb552b826d1166980f47ec6ec8dd7db52a Mon Sep 17 00:00:00 2001 From: Nick Frichette <10386884+Frichetten@users.noreply.github.com> Date: Tue, 12 Dec 2023 10:24:08 -0600 Subject: [PATCH 13/25] Update content/en/security/severity_scoring.md Co-authored-by: Christophe Tafani-Dereeper --- content/en/security/severity_scoring.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index a94eea37b8466..a06fb3c5dcc60 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md 
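Review bot: the new menu entry uses `url: security/severity_scoring` with no trailing slash while the sibling entries use the `security/cloud_siem/` form; match the sibling form to avoid a redirect hop. Patch 12 then removes the Threats and Cloud SIEM placeholders but leaves "**vulns go here**" and "**ASM goes here**" in place, so the page still ships with unfinished sections.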
@@ -15,7 +15,10 @@ Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will m #### Likelihood -The likelihood component is made up of two subcomponents; The attack vector, the means through which a misconfiguration can be exploited, and the accessibility, if the resource is publicly accessible or not. +The likelihood component is made up of two subcomponents: + +* The attack vector, the means through which a misconfiguration can be exploited; +* The accessibility, if the resource is publicly accessible or not. | | | Accessibility | | |---------------|---------------------|---------------|----------| From 5555c01f83c0d6a0be91bb5b71123b1f2129fb19 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Tue, 12 Dec 2023 10:25:00 -0600 Subject: [PATCH 14/25] Added more links to further_reading for severity_scoring --- content/en/security/severity_scoring.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index a94eea37b8466..2f1bc869891f7 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md @@ -4,7 +4,13 @@ kind: documentation further_reading: - link: "/security/misconfigurations/" tag: "Documentation" - text: "Learn more about CSM Misconfigurations" + text: "Start tracking misconfigurations with CSM Misconfigurations" +- link: "/security/identity_risks/" + tag: "Documentation" + text: "Understand your identity landscape with CSM Identity Risks" +- link: "/security/vulnerabilities/" + tag: "Documentation" + text: "Learn more about CSM Vulnerabilities" --- ## Cloud Security Management From 68618c0755ea141f896568315c38612942049e50 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Tue, 12 Dec 2023 10:57:11 -0600 Subject: [PATCH 15/25] Fixed some minor issues with severity_scoring --- content/en/security/severity_scoring.md | 54 +++++++++++++------------ 1 file changed, 28 insertions(+), 26 deletions(-) 
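Review bot: the two new bullets end inconsistently, one with ";" and one with "."; use the same terminator on both. "The accessibility, if the resource is publicly accessible or not" reads better as "The accessibility: whether the resource is publicly accessible." Patch 14's additional `further_reading` links look correct; confirm `/security/identity_risks/` exists at that path, since the other two are the established misconfigurations and vulnerabilities pages.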
diff --git a/content/en/security/severity_scoring.md b/content/en/security/severity_scoring.md index d3cfb69cbd815..e4f04fc3f9277 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/severity_scoring.md @@ -17,7 +17,7 @@ further_reading: ### Misconfigurations and Identity Risks -Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. +Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to the following severity score framework. This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. #### Likelihood @@ -26,13 +26,6 @@ The likelihood component is made up of two subcomponents: * The attack vector, the means through which a misconfiguration can be exploited; * The accessibility, if the resource is publicly accessible or not. -| | | Accessibility | | -|---------------|---------------------|---------------|----------| -| | | **Private** | **Public** | -| **Attack Vector** | **Required Privileges** | Low | Medium | -| | **Vulnerability** | Medium | High | -| | **No Authorization** | High | Critical | - The attack vector is determined by the following criteria: | Attack Vector | Definition | 
@@ -48,6 +41,15 @@ The accessibility is determined by the following criteria: | Private | The vulnerable component/resource is in a private network. | | Public | The vulnerable component/resource is accessible from the internet. | +These subcomponents determine the Likelihood score: + +| | | Accessibility | | +|---------------|---------------------|---------------|----------| +| | | **Private** | **Public** | +| **Attack Vector** | **Required Privileges** | Improbable | Possible | +| | **Vulnerability** | Possible | Probable | +| | **No Authorization** | Probable | Highly Probable | + #### Impact The impact component is how damaging the exploitation of the misconfiguration would be to the environment. 
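Review bot: renaming the likelihood levels from Low/Medium/High/Critical to Improbable/Possible/Probable/Highly Probable is a scale change that every existing finding's displayed likelihood and every later hunk in this file depend on, and the subject line "Fixed some minor issues" does not signal it; call it out in the commit message. Moving the matrix below the two definition tables is an improvement, since the table now uses terms the reader has already seen.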
@@ -56,20 +58,20 @@ The impact component is how damaging the exploitation of the misconfiguration wo |:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| | Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. By itself, this misconfiguration represents little to no impact to the environment. | | Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. | -| High | Abusing this misconfiguration results in an impact to the following: confidentiality, integrity or availability of the vulnerable component and impacts a significant number of other resources (E.G. S3FullAccess, EC2FullAccess, etc.). | -| Critical | Abusing this misconfiguration results in complete control of all resources in the account (E.G. AdministratorAccess) | +| High | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component and impacts a significant number of other resources. For example, an identity with the `S3FullAccess` policy attached. | +| Critical | Abusing this misconfiguration results in complete control of all resources in the account. For example, an identity with the `AdministratorAccess` policy attached. | -#### Severity Matrix +#### Severity matrix -These two subcomponent scores combined compute the overall severity score for a misconfiguration. +These two submatrices combined compute the overall severity score for a misconfiguration. 
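Review bot: the reworded High example still uses `S3FullAccess`, which is not an AWS managed policy; the managed policy is `AmazonS3FullAccess` (the Critical row's `AdministratorAccess` is correct). "These two submatrices combined compute the overall severity score" is also off: likelihood is a matrix output but impact is a single rating from a table, so "These two component scores combined determine the overall severity score" is more accurate.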
| | | Impact | | | | |------------|----------|--------|--------|----------|----------| | | | **Low** | **Medium** | **High** | **Critical** | -| **Likelihood** | **Low** | Low | Low | Medium | Medium | -| | **Medium** | Low | Medium | High | High | -| | **High** | Medium | High | High | Critical | -| | **Critical** | Medium | High | Critical | Critical | +| **Likelihood** | **Improbable** | Low | Low | Medium | Medium | +| | **Possible** | Low | Medium | High | High | +| | **Probable** | Medium | High | High | Critical | +| | **Highly Probable** | Medium | High | Critical | Critical | #### Examples 
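Review bot: with this matrix an Improbable likelihood caps a finding at Medium even for Critical impact (complete control of the account), so a private identity with `AdministratorAccess` that only a privileged principal can abuse will never appear in a High/Critical filter; confirm that is the intended trade-off and, if so, say so in the text, because most readers will expect anything with Critical impact to surface at least as High.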
@@ -77,35 +79,35 @@ To explain how the framework is used here are a few examples. ##### Example 1: SNS Topic should have access restrictions set for subscription -The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. We score this rule as follows: +The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. This rule would be scored as follows: -- Likelihood: Critical +- Likelihood: Highly Probable - Attack Vector: No Authorization - The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard permits anyone the ability to act on the resource. No authentication/authorization is required to exploit the misconfiguration. - Accessibility: Public - - The Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet. No specific network access is required. + - The Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet through its resource-based policy. No specific network access is required. - Impact: Medium - Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who has exploited this misconfiguration can receive messages as they are sent by the SNS topic. -- Severity Score: Critical x Medium = High - - The final severity score is High. 
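Review bot: the SNS example says the rule matches a resource-based policy that "contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission"; as described that also matches statements with `Effect: Deny`, or with a `Condition` on `aws:SourceAccount` / `aws:SourceArn` that restricts the wildcard principal. Either the rule already excludes those cases and the text should say so, or the "No Authorization" attack vector is overstated for conditioned policies. The added "through its resource-based policy" clause is a good clarification of why accessibility is Public regardless of network placement.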
This is because a Critical likelihood mixed with a Medium impact results in an overall score of High. +- Severity Score: Highly Probable x Medium = High + - The final severity score is High. This is because a Highly Probable likelihood mixed with a Medium impact results in an overall score of High. ##### Example 2: EC2 instances should enforce IMDSv2 -The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. We score this rule as follows: +The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. This rule would be scored as follows: -- Likelihood: Medium +- Likelihood: Possible - Attack Vector: Vulnerability - - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][4]. + - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][4] attacks. - Accessibility: Private - The Accessibility is marked as "Private" because the EC2 instance has not explicitly been made public. 
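Review bot: "The Accessibility is marked as 'Private' because the EC2 instance has not explicitly been made public" scores the rule as a whole, yet many instances subject to this rule have a public IP or sit behind an internet-facing load balancer, which is exactly where SSRF against IMDSv1 is exploited in practice. State whether accessibility is evaluated per resource (public IP, security group, load balancer) or fixed per rule, and if it is fixed, explain why Private was chosen as the default rather than the worse case.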
- Impact: Medium - Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource. -- Severity Score: Medium x Medium = Medium - - The final severity score is Medium. This is because a Medium likelihood mixed with a Medium impact results in an overall score of Medium. +- Severity Score: Possible x Medium = Medium + - The final severity score is Medium. This is because a Possible likelihood mixed with a Medium impact results in an overall score of Medium. ### Vulnerabilities From 8d9d975c44868337800c55fe7aa72a8f18b5382f Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Tue, 12 Dec 2023 11:10:53 -0600 Subject: [PATCH 16/25] Moved the Severity Scoring page to be under CSM --- config/_default/menus/menus.en.yaml | 10 +++++----- .../severity_scoring.md | 4 ---- 2 files changed, 5 insertions(+), 9 deletions(-) rename content/en/security/{ => cloud_security_management}/severity_scoring.md (99%) diff --git a/config/_default/menus/menus.en.yaml b/config/_default/menus/menus.en.yaml index b3ca5302fe80d..a72a06171e64f 100644 --- a/config/_default/menus/menus.en.yaml +++ b/config/_default/menus/menus.en.yaml @@ -3200,11 +3200,6 @@ main: parent: security_platform identifier: security_audit_trail weight: 10 - - name: Severity Scoring - url: security/severity_scoring - parent: security_platform - identifier: security_severity_scoring - weight: 11 - name: Cloud SIEM url: security/cloud_siem/ pre: siem @@ -3362,6 +3357,11 @@ main: parent: csm identifier: csm_troubleshooting weight: 30 + - name: Severity Scoring + url: security/cloud_security_management/severity_scoring/ + parent: csm + identifier: csm_severity_scoring + weight: 35 - name: Application Security Management url: security/application_security/ parent: security_platform_heading 
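Review bot: the impact rationale "due to the impacts to the confidentiality of the EC2 instance" undersells the finding: what IMDS exposes are the instance profile role's credentials, so the impact is whatever that role is allowed to do across the account, not the instance's own data. Under the Impact table that is Medium only when the role is scoped to the instance's directly associated resources; state that the Medium rating assumes a least-privilege instance role, or explain how a broadly privileged role changes the score. Patch 16's move to `cloud_security_management/` is sensible given the content is CSM-only.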
diff --git a/content/en/security/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md similarity index 99% rename from content/en/security/severity_scoring.md rename to content/en/security/cloud_security_management/severity_scoring.md index e4f04fc3f9277..0141754be1b0a 100644 --- a/content/en/security/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md @@ -113,10 +113,6 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 **vulns go here** -## Application Security Management - -**ASM goes here** - ## Further Reading {{< partial name="whats-next/whats-next.html" >}} From ed90d03bc316fb544fe6818b61449dcb87b430b3 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Tue, 12 Dec 2023 11:27:26 -0600 Subject: [PATCH 17/25] Changed the headers of severity_scoring --- .../severity_scoring.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index 0141754be1b0a..f7858b2b465b6 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md 
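Review bot: renaming the file into `cloud_security_management/` changes the published URL from `/security/severity_scoring/` to `/security/cloud_security_management/severity_scoring/`, but the hunk adds no `aliases:` entry for the old path (the alias block was removed in patch 10); add one so links shared from the earlier location keep resolving. Removing the "Application Security Management" placeholder here is right, but "**vulns go here**" survives the move.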
@@ -13,13 +13,11 @@ further_reading: text: "Learn more about CSM Vulnerabilities" --- -## Cloud Security Management - -### Misconfigurations and Identity Risks +## Misconfigurations and Identity Risks Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to the following severity score framework. This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. -#### Likelihood +### Likelihood The likelihood component is made up of two subcomponents: @@ -50,7 +48,7 @@ These subcomponents determine the Likelihood score: | | **Vulnerability** | Possible | Probable | | | **No Authorization** | Probable | Highly Probable | -#### Impact +### Impact The impact component is how damaging the exploitation of the misconfiguration would be to the environment. @@ -61,7 +59,7 @@ The impact component is how damaging the exploitation of the misconfiguration wo | High | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component and impacts a significant number of other resources. For example, an identity with the `S3FullAccess` policy attached. | | Critical | Abusing this misconfiguration results in complete control of all resources in the account. For example, an identity with the `AdministratorAccess` policy attached. | -#### Severity matrix +### Severity matrix These two submatrices combined compute the overall severity score for a misconfiguration. 
@@ -73,11 +71,11 @@ These two submatrices combined compute the overall severity score for a misconfi | | **Probable** | Medium | High | High | Critical | | | **Highly Probable** | Medium | High | Critical | Critical | -#### Examples +### Examples To explain how the framework is used here are a few examples. -##### Example 1: SNS Topic should have access restrictions set for subscription +#### Example 1: SNS Topic should have access restrictions set for subscription The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. This rule would be scored as follows: @@ -93,7 +91,7 @@ The detection rule for [SNS Topic should have access restrictions set for subscr - Severity Score: Highly Probable x Medium = High - The final severity score is High. This is because a Highly Probable likelihood mixed with a Medium impact results in an overall score of High. -##### Example 2: EC2 instances should enforce IMDSv2 +#### Example 2: EC2 instances should enforce IMDSv2 The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. This rule would be scored as follows: @@ -109,7 +107,7 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 - Severity Score: Possible x Medium = Medium - The final severity score is Medium. This is because a Possible likelihood mixed with a Medium impact results in an overall score of Medium. -### Vulnerabilities +## Vulnerabilities **vulns go here** 
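Review bot: promoting "Vulnerabilities" to a level-2 heading while its body is still "**vulns go here**" makes the placeholder more prominent, not less; either land the Vulnerabilities content in this patch or drop the heading until it exists. The rest of the heading demotion is consistent with removing the top-level "Cloud Security Management" heading now that the page lives under CSM.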
From cc3aab12ba3c00192205345bf391b41b5bbfee32 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Tue, 12 Dec 2023 13:03:02 -0600 Subject: [PATCH 18/25] Fixed some minor issues with severity_scoring --- .../en/security/cloud_security_management/severity_scoring.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index f7858b2b465b6..0577d616834c2 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md @@ -21,8 +21,8 @@ Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will m The likelihood component is made up of two subcomponents: -* The attack vector, the means through which a misconfiguration can be exploited; -* The accessibility, if the resource is publicly accessible or not. +* Attack vector: The means through which a misconfiguration can be exploited. +* Accessibility: If the resource is publicly accessible or not. The attack vector is determined by the following criteria: From a9d0d82e21d265da1d842226548eb903a81bf3cd Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Wed, 13 Dec 2023 09:09:36 -0600 Subject: [PATCH 19/25] Added CSM Vulnerabilities section for severity_scoring --- .../cloud_security_management/severity_scoring.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index 0577d616834c2..185c095a32e9c 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md 
@@ -109,7 +109,12 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 ## Vulnerabilities -**vulns go here** +CSM Vulnerabilities uses [CVSS 3.0][5] to determine a base score and modifies it to take into account the following: + +- Whether the underlying infrastructure is running and how wide-spread the impact is. +- The environment in which the underlying infrastructure is running. For example, if the environment is not production, the severity is downgraded. +- Whether there is an active exploit for a given vulnerability from sources such as [CISA KEV catalog][6]. +- The exploitation probability, calculated and verified using [EPSS][7]. ## Further Reading @@ -119,3 +124,6 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 [2]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/ [3]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/ [4]: https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/ +[5]: https://www.first.org/cvss/v3-0/ +[6]: https://www.cisa.gov/known-exploited-vulnerabilities-catalog +[7]: https://www.first.org/epss/ From 9588c8a216f628bab612f5ad3d8ffd0d4d3ad4d3 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Wed, 13 Dec 2023 13:53:53 -0600 Subject: [PATCH 20/25] Removed temporal language from severity_scoring --- .../en/security/cloud_security_management/severity_scoring.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index 185c095a32e9c..191a94ef947cd 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md 
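Review bot: the new Vulnerabilities section cites "CVSS 3.0" and links to the v3.0 specification; CVSS v3.1 is the current 3.x revision and most scanners and the NVD publish 3.1 vectors, so confirm which version the base score actually comes from. "wide-spread" should be "widespread", and "calculated and verified using EPSS" is inaccurate because EPSS is a published probability estimate from FIRST that cannot be verified locally; "taken from EPSS" is enough. Only the non-production bullet states the direction of the adjustment; say for each modifier whether it raises or lowers the base score.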
@@ -13,9 +13,9 @@ further_reading: text: "Learn more about CSM Vulnerabilities" --- -## Misconfigurations and Identity Risks +## Misconfigurations, Identity Risks, and Security Inbox Misconfigurations -Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to the following severity score framework. This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. +This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. ### Likelihood From ef1f9ae44ba661732a4d2752c1a7110f892e3acc Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 15 Dec 2023 17:22:46 -0500 Subject: [PATCH 21/25] Minor edits --- .../severity_scoring.md | 74 +++++++++++-------- 1 file changed, 42 insertions(+), 32 deletions(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index 191a94ef947cd..2de9f881902c9 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md 
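Review bot: the new heading `+## Misconfigurations, Identity Risks, and Security Inbox Misconfigurations` repeats "Misconfigurations" and names products rather than the topic, and with the "Starting in early 2024" sentence removed the paragraph now opens with "This framework" with no antecedent. Suggest a topic heading such as "Severity scoring framework" and moving the product list into the opening sentence ("CSM Misconfigurations, Identity Risks, and Security Inbox misconfigurations use the following framework ..."). Dropping the dated migration language itself is the right call for evergreen docs.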
@@ -13,9 +13,9 @@ further_reading: text: "Learn more about CSM Vulnerabilities" --- -## Misconfigurations, Identity Risks, and Security Inbox Misconfigurations +## CSM severity scoring framework -This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. +CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately based on their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. ### Likelihood 
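Review bot: the last sentence of the rewritten paragraph, "The matrices below show how to compute a misconfiguration's severity score depending on certain criteria", leaves "certain criteria" unnamed; since the rest of the page is organized around them, say "based on its likelihood of abuse and its impact". The heading change to `+## CSM severity scoring framework` and naming the three product areas in the first sentence resolve the missing-antecedent problem in the previous patch of the series.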
@@ -24,29 +24,35 @@ The likelihood component is made up of two subcomponents: * Attack vector: The means through which a misconfiguration can be exploited. * Accessibility: If the resource is publicly accessible or not. +#### Attack vector + The attack vector is determined by the following criteria: -| Attack Vector | Definition | -|:-------------------:|:---------------------------------------------------------------------------------------------------------:| -| Required Privileges | Requires specific privileges or access to abuse. | -| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | -| No Authorization | Requires no authorization/authentication to abuse. | +| Attack Vector | Definition | +|:-------------------:|:------------------------------------------------------------------------------------------------------------------------------------:| +| Required Privileges | Requires specific privileges or access to abuse. | +| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password or access key. | +| No Authorization | Requires no authorization or authentication to abuse. | + +#### Accessibility + +Accessibility is determined by the following criteria: -The accessibility is determined by the following criteria: +| Accessibility | Definition | +|:-------------:|:---------------------------------------------------------------------:| +| Private | The vulnerable component or resource is in a private network. | +| Public | The vulnerable component or resource is accessible from the internet. | -| Accessibility | Definition | -|:-------------:|:------------------------------------------------------------------:| -| Private | The vulnerable component/resource is in a private network. | -| Public | The vulnerable component/resource is accessible from the internet. 
| +#### Likelihood score -These subcomponents determine the Likelihood score: +Together, the attack vector and accessibility subcomponents determine the Likelihood score: -| | | Accessibility | | -|---------------|---------------------|---------------|----------| -| | | **Private** | **Public** | -| **Attack Vector** | **Required Privileges** | Improbable | Possible | -| | **Vulnerability** | Possible | Probable | -| | **No Authorization** | Probable | Highly Probable | +| | | Accessibility | | +|-------------------|-------------------------|---------------|-----------------| +| | | **Private** | **Public** | +| **Attack Vector** | **Required Privileges** | Improbable | Possible | +| | **Vulnerability** | Possible | Probable | +| | **No Authorization** | Probable | Highly Probable | ### Impact 
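Review bot: in the Likelihood score table the first header row `+| | | Accessibility | |` puts "Accessibility" in the third of four columns, so it renders as a header over "Private" only, and the two leading blank columns exist just to hold the row labels; a single header row (`| Attack Vector | Private | Public |`) with the lead sentence naming the accessibility axis renders correctly in plain Markdown without the column-spanning effect this layout is reaching for. Separately, the Accessibility definitions "is in a private network" versus "is accessible from the internet" are not mutually exclusive: a resource on a private subnet fronted by a public load balancer fits both; define Private as "not reachable from the internet" so the two rows are complementary and the Public/Private choice in the examples is unambiguous.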
@@ -59,17 +65,17 @@ The impact component is how damaging the exploitation of the misconfiguration wo | High | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component and impacts a significant number of other resources. For example, an identity with the `S3FullAccess` policy attached. | | Critical | Abusing this misconfiguration results in complete control of all resources in the account. For example, an identity with the `AdministratorAccess` policy attached. | -### Severity matrix +### Severity scoring matrix -These two submatrices combined compute the overall severity score for a misconfiguration. +The likelihood and impact components are used to compute the overall severity score for a misconfiguration. -| | | Impact | | | | -|------------|----------|--------|--------|----------|----------| -| | | **Low** | **Medium** | **High** | **Critical** | -| **Likelihood** | **Improbable** | Low | Low | Medium | Medium | -| | **Possible** | Low | Medium | High | High | -| | **Probable** | Medium | High | High | Critical | -| | **Highly Probable** | Medium | High | Critical | Critical | +| | | Impact | | | | +|----------------|---------------------|---------|------------|----------|--------------| +| | | **Low** | **Medium** | **High** | **Critical** | +| **Likelihood** | **Improbable** | Low | Low | Medium | Medium | +| | **Possible** | Low | Medium | High | High | +| | **Probable** | Medium | High | High | Critical | +| | **Highly Probable** | Medium | High | Critical | Critical | ### Examples 
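Review bot: same layout issue as the likelihood table: `+| | | Impact | | | |` places "Impact" above the "Low" column only rather than across the four impact columns, and the two blank leading columns carry only the row label; a single header row with "Likelihood" as the first heading and the four impact levels as the remaining headings is clearer. The reworded lead sentence "The likelihood and impact components are used to compute the overall severity score" is good; it would help to add that the matrix is the entire computation (look up the likelihood row, then the impact column), since "compute" suggests arithmetic beyond a table lookup.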
@@ -77,7 +83,9 @@ To explain how the framework is used here are a few examples. #### Example 1: SNS Topic should have access restrictions set for subscription -The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination would allow anyone the ability to subscribe to the SNS topic and receive its notifications. This rule would be scored as follows: +The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination gives anyone the ability to subscribe to the SNS topic and receive its notifications. + +Using the severity scoring framework, the rule would be scored as follows: - Likelihood: Highly Probable - Attack Vector: No Authorization 
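Review bot: the rule description says the policy "contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission", but a statement with a wildcard principal can still be scoped by a `Condition` element and only grants anything with `Effect: Allow`; the text should say whether the rule treats a conditioned wildcard as a finding, because `+This combination gives anyone the ability to subscribe to the SNS topic and receive its notifications.` is only true for an unconditioned allow. Splitting the scoring lead-in into its own paragraph reads well.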
@@ -93,7 +101,9 @@ The detection rule for [SNS Topic should have access restrictions set for subscr #### Example 2: EC2 instances should enforce IMDSv2 -The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the instance metadata service version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. This rule would be scored as follows: +The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the Instance Metadata Service Version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. + +Using the severity scoring framework, the rule would be scored as follows: - Likelihood: Possible - Attack Vector: Vulnerability @@ -107,9 +117,9 @@ The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 - Severity Score: Possible x Medium = Medium - The final severity score is Medium. This is because a Possible likelihood mixed with a Medium impact results in an overall score of Medium. -## Vulnerabilities +## CVSS 3.0 -CSM Vulnerabilities uses [CVSS 3.0][5] to determine a base score and modifies it to take into account the following: +CSM Vulnerabilities uses Common Vulnerability Scoring System version 3.0 ([CVSS 3.0][5]) to determine a base score for a vulnerability. It then modifies the base score to take into account the following: - Whether the underlying infrastructure is running and how wide-spread the impact is. - The environment in which the underlying infrastructure is running. For example, if the environment is not production, the severity is downgraded. From d29f93e333b79d9f79374a7e9eb398e27d3a7465 Mon Sep 17 00:00:00 2001 
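Review bot: in the Example 2 hunk, "the Instance Metadata Service Version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks" attributes the weakness to the service itself; the explanation further down the same example, and the `[4]` link, make clear the path is vulnerable software on the instance abused for server side request forgery, which IMDSv1 does not defend against. Suggest "which can be reached through common web application attacks such as SSRF against software on the instance", so the sentence matches the "Attack Vector: Vulnerability" rating given below it.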
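Review bot: renaming `-## Vulnerabilities` to `+## CVSS 3.0` names the input standard rather than the product area, and the sibling section is "CSM severity scoring framework"; "CSM Vulnerabilities" (or "Vulnerability severity scoring") keeps the parallel, with CVSS introduced in the first sentence as this hunk already does. The unchanged context line still reads "wide-spread" (should be "widespread").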
From: Nick Frichette Date: Mon, 18 Dec 2023 08:52:32 -0600 Subject: [PATCH 22/25] Changed the format of the matrices in severity_scoring --- .../severity_scoring.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index 191a94ef947cd..9c0729f8fcc3b 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md @@ -41,12 +41,12 @@ The accessibility is determined by the following criteria: These subcomponents determine the Likelihood score: -| | | Accessibility | | -|---------------|---------------------|---------------|----------| -| | | **Private** | **Public** | -| **Attack Vector** | **Required Privileges** | Improbable | Possible | -| | **Vulnerability** | Possible | Probable | -| | **No Authorization** | Probable | Highly Probable | +| Attack Vector | Accessibility | | +|---------------------|---------------|----------| +| | **Private** | **Public** | +| **Required Privileges** | Improbable | Possible | +| **Vulnerability** | Possible | Probable | +| **No Authorization** | Probable | Highly Probable | ### Impact 
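Review bot: the file header `index 191a94ef947cd..9c0729f8fcc3b` shows this patch was authored against the same pre-image as PATCH 21 (`index 191a94ef947cd..2de9f881902c9`), and the context here (`These subcomponents determine the Likelihood score:` with no `#### Likelihood score` heading above it) is the pre-21 text; both patches touch the same table lines and will conflict on rebase, so this one should be rebased onto 21 before merge. On the table itself, `+| Attack Vector | Accessibility | |` is an improvement over the blank-column layout, but "Accessibility" now heads only the Private column; either a single header row `| Attack Vector | Private | Public |` with the lead sentence naming the accessibility axis, or a caption, avoids the half-spanning header.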
@@ -63,13 +63,13 @@ The impact component is how damaging the exploitation of the misconfiguration wo These two submatrices combined compute the overall severity score for a misconfiguration. -| | | Impact | | | | -|------------|----------|--------|--------|----------|----------| -| | | **Low** | **Medium** | **High** | **Critical** | -| **Likelihood** | **Improbable** | Low | Low | Medium | Medium | -| | **Possible** | Low | Medium | High | High | -| | **Probable** | Medium | High | High | Critical | -| | **Highly Probable** | Medium | High | Critical | Critical | +| Likelihood | Impact | | | | +|----------|--------|--------|----------|----------| +| | **Low** | **Medium** | **High** | **Critical** | +| **Improbable** | Low | Low | Medium | Medium | +| **Possible** | Low | Medium | High | High | +| **Probable** | Medium | High | High | Critical | +| **Highly Probable** | Medium | High | Critical | Critical | ### Examples From a37d42777a2694e8d3c9470898961779917514d7 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Mon, 18 Dec 2023 12:41:36 -0500 Subject: [PATCH 23/25] Minor edits --- .../severity_scoring.md | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index bdac07e3d32e6..cccf26321738b 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md 
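Review bot: `+| Likelihood | Impact | | | |` has the same half-spanning header as the likelihood table (Impact sits over "Low" only); a header row of `| Likelihood | Low | Medium | High | Critical |` reads correctly in plain Markdown. The context line `These two submatrices combined compute the overall severity score for a misconfiguration.` is the pre-PATCH 21 wording, which again shows this patch is not based on 21; expect a conflict on the sentence as well as the table.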
@@ -15,14 +15,14 @@ further_reading: ## CSM severity scoring framework -CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately based on their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. +CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by real-world risks. The matrices below show how to a misconfiguration's severity score is computed based on certain criteria. ### Likelihood The likelihood component is made up of two subcomponents: -* Attack vector: The means through which a misconfiguration can be exploited. -* Accessibility: If the resource is publicly accessible or not. +* **Attack vector**: The means through which a misconfiguration can be exploited. +* **Accessibility**: If the resource is publicly accessible or not. #### Attack vector @@ -43,6 +43,10 @@ Accessibility is determined by the following criteria: | Private | The vulnerable component or resource is in a private network. | | Public | The vulnerable component or resource is accessible from the internet. | +#### Likelihood score + +Together, the attack vector and accessibility determine the Likelihood score: + | Attack Vector | Accessibility | | |-------------------------|---------------|-----------------| | | **Private** | **Public** | 
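Review bot: the rewritten last sentence of the framework paragraph introduces a grammatical error: `+... The matrices below show how to a misconfiguration's severity score is computed based on certain criteria.` should drop "to" ("show how a misconfiguration's severity score is computed"), and "certain criteria" should name likelihood and impact. Bolding the bullet labels is fine.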
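Review bot: the `+#### Likelihood score` heading and the `+Together, the attack vector and accessibility determine the Likelihood score:` sentence added here were already added by PATCH 21; the context line `| Attack Vector | Accessibility | |` shows PATCH 22's table layout, so the heading was evidently lost when 21 and 22 were reconciled. Re-adding it is right, but check that the merged file does not end up with the heading twice and that this lead sentence deliberately supersedes the "Together, the attack vector and accessibility subcomponents determine ..." wording from 21.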
@@ -81,37 +85,33 @@ To explain how the framework is used here are a few examples. The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination gives anyone the ability to subscribe to the SNS topic and receive its notifications. -Using the severity scoring framework, the rule would be scored as follows: - -- Likelihood: Highly Probable - - Attack Vector: No Authorization - - The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard permits anyone the ability to act on the resource. No authentication/authorization is required to exploit the misconfiguration. - - Accessibility: Public - - The Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet through its resource-based policy. No specific network access is required. +Using the CSM severity scoring framework, the rule would be scored as follows: -- Impact: Medium - - Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who has exploited this misconfiguration can receive messages as they are sent by the SNS topic. - -- Severity Score: Highly Probable x Medium = High +- **Likelihood score**: Highly Probable + - **Attack vector**: No Authorization + - The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard grants anyone the ability to act on the resource. No authentication or authorization is required to exploit the misconfiguration. + - **Accessibility**: Public + - Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet through its resource-based policy. No specific network access is required. 
+- **Impact**: Medium + - Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who exploits this misconfiguration can receive messages sent by the SNS topic. +- **Severity score**: Highly Probable x Medium = High - The final severity score is High. This is because a Highly Probable likelihood mixed with a Medium impact results in an overall score of High. #### Example 2: EC2 instances should enforce IMDSv2 -The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the Instance Metadata Service Version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary would be able to access the IAM credentials stored in the IMDS and use them to access resources in the AWS account. - -Using the severity scoring framework, the rule would be scored as follows: +The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the Instance Metadata Service Version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary can obtain access to the IAM credentials stored in the IMDS and use them to access resources in the AWS account. -- Likelihood: Possible - - Attack Vector: Vulnerability - - The Attack Vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][4] attacks. - - Accessibility: Private - - The Accessibility is marked as "Private" because the EC2 instance has not explicitly been made public. +Using the CSM severity scoring framework, the rule would be scored as follows: -- Impact: Medium +- **Likelihood score**: Possible + - **Attack vector**: Vulnerability + - The attack vector is marked as "Vulnerability". 
This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][4] attacks. + - **Accessibility**: Private + - Accessibility is marked as "Private", because the EC2 instance has not explicitly been made public. +- **Impact**: Medium - Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource. - -- Severity Score: Possible x Medium = Medium - - The final severity score is Medium. This is because a Possible likelihood mixed with a Medium impact results in an overall score of Medium. +- **Severity score**: Possible x Medium = Medium + - The final severity score is "Medium". This is because a possible likelihood mixed with a Medium impact results in an overall score of Medium. ## CVSS 3.0 From 1b09aa0c2e6e8cee4963aed8d216084ccecd65e1 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Mon, 18 Dec 2023 13:18:48 -0600 Subject: [PATCH 24/25] Added introduction to severity_scoring --- .../en/security/cloud_security_management/severity_scoring.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index cccf26321738b..bca889e7e25e4 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md 
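Review bot: in the Examples hunk, removing the blank lines between the top-level bullets (the `-` blank lines directly before `+- **Impact**: Medium` and `+- **Severity score**: ...`) turns a loose list into a tight one; if the nested explanation paragraphs are meant to render with spacing, keep the blank lines. Two consistency nits within the hunk: Example 1 ends "The final severity score is High" while Example 2 ends `The final severity score is "Medium"`, and Example 2 writes "a possible likelihood" in lower case where the level name is "Possible" everywhere else; pick one convention. Also `Accessibility is marked as "Private", because the EC2 instance ...` has a stray comma before "because".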
@@ -13,9 +13,11 @@ further_reading: text: "Learn more about CSM Vulnerabilities" --- +Accurate severity scores help security teams understand the risk vulnerabilities pose to their environment. Cloud Security Management (CSM) uses different measures of severity depending on the type of issue. + ## CSM severity scoring framework -CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by real-world risks. The matrices below show how to a misconfiguration's severity score is computed based on certain criteria. +CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by real-world risks. The matrices below show how a misconfiguration's severity score is computed based on its likelihood of abuse and impact. ### Likelihood From 97f7d32a18f7a917cd8ac876ff0b0892e144c1d1 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Mon, 18 Dec 2023 14:25:37 -0500 Subject: [PATCH 25/25] Update menu --- config/_default/menus/menus.en.yaml | 10 +++++----- .../cloud_security_management/severity_scoring.md | 2 ++ 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/config/_default/menus/menus.en.yaml b/config/_default/menus/menus.en.yaml index 519f7040b6e78..677d0414fae72 100644 --- a/config/_default/menus/menus.en.yaml +++ b/config/_default/menus/menus.en.yaml 
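Review bot: the new opening sentence `+Accurate severity scores help security teams understand the risk vulnerabilities pose to their environment.` says "vulnerabilities", but the first and larger section of the page scores misconfigurations and identity risks; "the risk that findings pose" (or "issues", the word the next sentence uses) covers both. The same hunk fixes the "how to a misconfiguration's severity score is computed" error introduced in PATCH 23; squashing that fix into 23 would keep the series bisectable.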
@@ -3427,6 +3427,11 @@ main: parent: csm identifier: csm_workflow_automation weight: 23 + - name: Severity Scoring + url: security/cloud_security_management/severity_scoring/ + parent: csm + identifier: csm_severity_scoring + weight: 24 - name: Guides url: security/cloud_security_management/guide/ parent: csm @@ -3437,11 +3442,6 @@ main: parent: csm identifier: csm_troubleshooting weight: 30 - - name: Severity Scoring - url: security/cloud_security_management/severity_scoring/ - parent: csm - identifier: csm_severity_scoring - weight: 35 - name: Application Security Management url: security/application_security/ parent: security_platform_heading diff --git a/content/en/security/cloud_security_management/severity_scoring.md b/content/en/security/cloud_security_management/severity_scoring.md index cccf26321738b..75b003956cd0a 100644 --- a/content/en/security/cloud_security_management/severity_scoring.md +++ b/content/en/security/cloud_security_management/severity_scoring.md @@ -13,6 +13,8 @@ further_reading: text: "Learn more about CSM Vulnerabilities" --- +This guide explain how severity scores are calculated for findings in Cloud Security Management (CSM). + ## CSM severity scoring framework CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by real-world risks. The matrices below show how to a misconfiguration's severity score is computed based on certain criteria.
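Review bot: the two `menus.en.yaml` hunks together move the Severity Scoring entry from weight 35 (after Troubleshooting) to weight 24 (between Workflow Automation at 23 and Guides); only weights 23 and 30 are visible in the context, so confirm no other `parent: csm` sibling already uses 24. Otherwise the entry (`identifier: csm_severity_scoring`, `url: security/cloud_security_management/severity_scoring/`) is carried over unchanged.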
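Review bot: the `severity_scoring.md` hunk adds `+This guide explain how severity scores are calculated for findings in Cloud Security Management (CSM).` ("explain" should be "explains"), and its file header `index cccf26321738b..75b003956cd0a` starts from the same pre-image as PATCH 24 (`index cccf26321738b..bca889e7e25e4`); both insert an introduction at the same spot before `## CSM severity scoring framework`, and the context line here still carries the "how to a misconfiguration's" error that 24 fixed. Rebase onto 24 and keep a single introduction, or merge the two sentences into one paragraph.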