Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CSPM Severity Framework to Docs Site #20954

Merged
merged 31 commits into from
Dec 18, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
243ba09
Added initial likelihood matrix to test table look
Frichetten Dec 7, 2023
370498e
Added additional matrices
Frichetten Dec 8, 2023
7c8e62b
Made table headers bold
Frichetten Dec 8, 2023
986993e
Added severity scoring exammples
Frichetten Dec 8, 2023
980b141
Moved severity matrix up a level
Frichetten Dec 11, 2023
1e1c9c7
Fixed the link numbers in severity_scoring.md
Frichetten Dec 11, 2023
6819e58
Removed unused links from misconfigurations index
Frichetten Dec 11, 2023
22594c0
Reformatted severity scoring page
Frichetten Dec 11, 2023
fb7cceb
Added aliases
Frichetten Dec 11, 2023
9f4addf
Added additional docs for other producs to severity scoring
Frichetten Dec 11, 2023
2678be7
Added severity scoring page to menu
Frichetten Dec 11, 2023
951258a
Removed threats from the severity scoring page
Frichetten Dec 12, 2023
a040fce
Update content/en/security/severity_scoring.md
Frichetten Dec 12, 2023
5555c01
Added more links to further_reading for severity_scoring
Frichetten Dec 12, 2023
b47131a
Merge branch 'nick.frichette/add_cspm_severity_framework' of github.c…
Frichetten Dec 12, 2023
68618c0
Fixed some minor issues with severity_scoring
Frichetten Dec 12, 2023
8d9d975
Moved the Severity Scoring page to be under CSM
Frichetten Dec 12, 2023
ed90d03
Changed the headers of severity_scoring
Frichetten Dec 12, 2023
cc3aab1
Fixed some minor issues with severity_scoring
Frichetten Dec 12, 2023
a9d0d82
Added CSM Vulnerabilities section for severity_scoring
Frichetten Dec 13, 2023
9588c8a
Removed temporal language from severity_scoring
Frichetten Dec 13, 2023
ef1f9ae
Minor edits
drichards-87 Dec 15, 2023
d29f93e
Changed the format of the matrices in severity_scoring
Frichetten Dec 18, 2023
cadfd05
Fix merge conflict
drichards-87 Dec 18, 2023
3af048a
Merge branch 'master' into nick.frichette/add_cspm_severity_framework
drichards-87 Dec 18, 2023
a37d427
Minor edits
drichards-87 Dec 18, 2023
1b09aa0
Added introduction to severity_scoring
Frichetten Dec 18, 2023
97f7d32
Update menu
drichards-87 Dec 18, 2023
6c21cab
Merge branch 'master' into nick.frichette/add_cspm_severity_framework
Frichetten Dec 18, 2023
b18f6ae
Minor update to intro
drichards-87 Dec 18, 2023
f129a38
Merge branch 'master' into nick.frichette/add_cspm_severity_framework
Frichetten Dec 18, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions config/_default/menus/menus.en.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3387,6 +3387,11 @@ main:
parent: csm
identifier: csm_workflow_automation
weight: 23
- name: Severity Scoring
url: security/cloud_security_management/severity_scoring/
parent: csm
identifier: csm_severity_scoring
weight: 24
- name: Guides
url: security/cloud_security_management/guide/
parent: csm
Expand Down
137 changes: 137 additions & 0 deletions content/en/security/cloud_security_management/severity_scoring.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
---
title: Severity Scoring
kind: documentation
further_reading:
- link: "/security/misconfigurations/"
tag: "Documentation"
text: "Start tracking misconfigurations with CSM Misconfigurations"
- link: "/security/identity_risks/"
tag: "Documentation"
text: "Understand your identity landscape with CSM Identity Risks"
- link: "/security/vulnerabilities/"
tag: "Documentation"
text: "Learn more about CSM Vulnerabilities"
---

Accurate severity scores help security teams understand the risks that vulnerabilities pose to their environment. This guide explains how Cloud Security Management (CSM) uses different measures of severity to calculate the scores.

## CSM severity scoring framework

Check warning on line 18 in content/en/security/cloud_security_management/severity_scoring.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.headings

'CSM severity scoring framework' should use sentence-style capitalization.

CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by real-world risks. The matrices below show how a misconfiguration's severity score is computed based on its likelihood of abuse and impact.

### Likelihood

The likelihood component is made up of two subcomponents:

* **Attack vector**: The means through which a misconfiguration can be exploited.
* **Accessibility**: If the resource is publicly accessible or not.

#### Attack vector

The attack vector is determined by the following criteria:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The attack vector is determined by the following criteria:
#### Attack vector
The attack vector is determined by the following criteria:


| Attack Vector | Definition |
|:-------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|
| Required Privileges | Requires specific privileges or access to abuse. |
| Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password or access key. |
| No Authorization | Requires no authorization or authentication to abuse. |

#### Accessibility

Accessibility is determined by the following criteria:

| Accessibility | Definition |
|:-------------:|:---------------------------------------------------------------------:|
| Private | The vulnerable component or resource is in a private network. |
| Public | The vulnerable component or resource is accessible from the internet. |

#### Likelihood score

Together, the attack vector and accessibility determine the Likelihood score:

| Attack Vector | Accessibility | |
|-------------------------|---------------|-----------------|
| | **Private** | **Public** |
| **Required Privileges** | Improbable | Possible |
| **Vulnerability** | Possible | Probable |
| **No Authorization** | Probable | Highly Probable |

### Impact

The impact component is how damaging the exploitation of the misconfiguration would be to the environment.

| Impact | Definition |
|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. By itself, this misconfiguration represents little to no impact to the environment. |
| Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. |
| High | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component and impacts a significant number of other resources. For example, an identity with the `S3FullAccess` policy attached. |
| Critical | Abusing this misconfiguration results in complete control of all resources in the account. For example, an identity with the `AdministratorAccess` policy attached. |

### Severity scoring matrix

The likelihood and impact components are used to compute the overall severity score for a misconfiguration.

| Likelihood | Impact | | | |
|---------------------|---------|------------|----------|--------------|
| | **Low** | **Medium** | **High** | **Critical** |
| **Improbable** | Low | Low | Medium | Medium |
| **Possible** | Low | Medium | High | High |
| **Probable** | Medium | High | High | Critical |
| **Highly Probable** | Medium | High | Critical | Critical |

### Examples

To explain how the framework is used here are a few examples.

#### Example 1: SNS Topic should have access restrictions set for subscription

The detection rule for [SNS Topic should have access restrictions set for subscription][1] checks if the SNS topic has a resource-based policy that contains a `Principal` of `*`, and an `Action` with the `sns:Subscribe` permission. This combination gives anyone the ability to subscribe to the SNS topic and receive its notifications.

Check notice on line 88 in content/en/security/cloud_security_management/severity_scoring.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.sentencelength

Suggestion: Try to keep your sentence length to 25 words or fewer.

Using the CSM severity scoring framework, the rule would be scored as follows:

- **Likelihood score**: Highly Probable
- **Attack vector**: No Authorization
- The Attack Vector is marked as "No Authorization" because the resource-based policy contains a `*`. This wildcard grants anyone the ability to act on the resource. No authentication or authorization is required to exploit the misconfiguration.
- **Accessibility**: Public
- Accessibility is marked as "Public" because the misconfiguration can be exploited over the internet through its resource-based policy. No specific network access is required.
- **Impact**: Medium
- Impact is marked as "Medium" due to the fact that the confidentiality of the resource is impacted. An adversary who exploits this misconfiguration can receive messages sent by the SNS topic.
- **Severity score**: Highly Probable x Medium = High
- The final severity score is High. This is because a Highly Probable likelihood mixed with a Medium impact results in an overall score of High.

#### Example 2: EC2 instances should enforce IMDSv2

Check warning on line 102 in content/en/security/cloud_security_management/severity_scoring.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.headings

'Example 2: EC2 instances should enforce IMDSv2' should use sentence-style capitalization.

The detection rule for [EC2 instances should enforce IMDSv2][2] checks if an EC2 instance is using the Instance Metadata Service Version 1 ([IMDSv1][3]), which is vulnerable to common web application attacks. If exploited, an adversary can obtain access to the IAM credentials stored in the IMDS and use them to access resources in the AWS account.

Check notice on line 104 in content/en/security/cloud_security_management/severity_scoring.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.sentencelength

Suggestion: Try to keep your sentence length to 25 words or fewer.

Using the CSM severity scoring framework, the rule would be scored as follows:

- **Likelihood score**: Possible
- **Attack vector**: Vulnerability
- The attack vector is marked as "Vulnerability". This is because the exploitation of this misconfiguration requires the resource to contain a vulnerable component, such as vulnerable software running on the EC2 instance that can be abused to perform [server side request forgery][4] attacks.
- **Accessibility**: Private
- Accessibility is marked as "Private", because the EC2 instance has not explicitly been made public.
- **Impact**: Medium
- Impact is marked as "Medium" due to the impacts to the confidentiality of the EC2 instance. An adversary would be able to access the IMDS and potentially pull IAM credentials associated with the resource.
- **Severity score**: Possible x Medium = Medium
- The final severity score is "Medium". This is because a possible likelihood mixed with a Medium impact results in an overall score of Medium.

## CVSS 3.0

Check warning on line 118 in content/en/security/cloud_security_management/severity_scoring.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.headings

'CVSS 3.0' should use sentence-style capitalization.

CSM Vulnerabilities uses Common Vulnerability Scoring System version 3.0 ([CVSS 3.0][5]) to determine a base score for a vulnerability. It then modifies the base score to take into account the following:

- Whether the underlying infrastructure is running and how wide-spread the impact is.
- The environment in which the underlying infrastructure is running. For example, if the environment is not production, the severity is downgraded.
- Whether there is an active exploit for a given vulnerability from sources such as [CISA KEV catalog][6].
- The exploitation probability, calculated and verified using [EPSS][7].

## Further Reading

{{< partial name="whats-next/whats-next.html" >}}

[1]: https://docs.datadoghq.com/security/default_rules/aws-sns-subscription/
[2]: https://docs.datadoghq.com/security/default_rules/aws-ec2-imdsv2/
[3]: https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/
[4]: https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/
[5]: https://www.first.org/cvss/v3-0/
[6]: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[7]: https://www.first.org/epss/
Loading