CCC.Core.TH09: Runtime Logs are Read by Unauthorized Entities
Threat ID:CCC.Core.TH09
Title:Runtime Logs are Read by Unauthorized Entities
Description:
Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data.
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. |
| CCC.Core.F09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. |
External Mappings
| Reference ID | Entry ID | Strength | Remarks |
|---|---|---|---|
MITRE-ATT&CK | T1003 | 0 | Credential Dumping |
MITRE-ATT&CK | T1007 | 0 | System Service Discovery |
MITRE-ATT&CK | T1018 | 0 | Remote System Discovery |
MITRE-ATT&CK | T1033 | 0 | System Owner/User Discovery |
MITRE-ATT&CK | T1046 | 0 | Network Service Discovery |
MITRE-ATT&CK | T1057 | 0 | Process Discovery |
MITRE-ATT&CK | T1069 | 0 | Permission Groups Discovery |
MITRE-ATT&CK | T1070 | 0 | Indicator Removal |
MITRE-ATT&CK | T1082 | 0 | System Information Discovery |
MITRE-ATT&CK | T1120 | 0 | Peripheral Device Discovery |
MITRE-ATT&CK | T1124 | 0 | System Time Discovery |
MITRE-ATT&CK | T1497 | 0 | Virtualization/Sandbox Evasion |
MITRE-ATT&CK | T1518 | 0 | Software Discovery |
Controls
| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.ObjStor.C06 | Access Logs are Stored in a Separate Data Store | Ensure that access logs for object storage buckets are stored in a separate data store to protect against unauthorized access, tampering, or deletion of logs (Logbuckets are exempt from this requirement, but must be tlp-red). | Data | 2 | 6 | 1 |
| CCC.Core.C09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Data | 3 | 5 | 3 |