
Management / Monitoring

Threats

| ID | Title | Description |
| --- | --- | --- |
| CCC.Monitor.TH01 | Capture Personal Identifiable Information | Unauthorised viewers may get access to PII if it is incorrectly collected by monitoring systems through metrics or tracing. |
| CCC.Monitor.TH02 | Health Checks Used to Identify Attack Targets | Health Checks are used to inform those responsible for maintaining a system that there is a problem, but if that information gets into the hands of a malicious actor, it can be used to target already problematic systems and mask malicious activity. |
| CCC.Monitor.TH03 | External Monitoring DoS | If an external monitoring service is compromised, it can act as a host for instigating denial of service attacks on internal systems which otherwise may not be protected against this form of attack. |
| CCC.Monitor.TH04 | External Monitoring Access | If an external monitoring system is compromised, it acts as a trusted external remote service and can then access internal services which would otherwise not be accessible directly. |
| CCC.Monitor.TH05 | Data Exfiltration Through Tampered Metrics | If a malicious actor is able to make changes to the metrics being collected, this could be used to encrypt and/or compress sensitive data and bypass controls preventing exfiltration. The data can then be staged in the monitoring system and exfiltrated in bulk at a later point in time. |
| CCC.Monitor.TH06 | Cost Exhaustion Through Tampered Alerts or Metrics Collection | Monitoring systems are expected to generate traffic, but if a malicious actor were to change alerts that were being fired at an API which charged per request, generate large volumes of metric data which would then need to be stored and processed, or even trigger resource scaling, this would cause an increase in the cloud bill. |
| CCC.Monitor.TH07 | Trigger Malicious Code | If a malicious actor is able to create new triggers, they would be able to use valid metric data to trigger malicious actions and re-compromise a newly replaced container or compute instance. |