
CCC.IAM.C10: Alert On Anomalous Behaviour

Control ID: CCC.IAM.C10
Title: Alert On Anomalous Behaviour
Objective: Ensure that logs and associated alerts are generated when anomalous API requests are made by a single identity. Indicators include API requests commonly associated with privilege escalation tactics, requests originating from an external or malicious IP address, and requests performed by a previously dormant identity; any of these may mean that the identity's credentials have been compromised. Logs and alerts must also be generated for password brute-force attempts and account lockouts.
Control Family: Logging and Monitoring
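The indicators listed in the objective, expressed as detection logic and run over a small constructed batch of audit events. This is an added example, not part of the CCC catalogue or any cloud provider's tooling: the record field names, the set of privilege-escalation actions, the trusted network ranges, the malicious-IP list, the dormancy and brute-force thresholds, and the sample events and baseline are all assumptions chosen to resemble a generic cloud audit log.

```python
"""Detection logic for the CCC.IAM.C10 indicators over constructed audit events.

Added example, not part of the CCC catalogue. Field names, action names,
thresholds, network ranges and the sample events are assumptions chosen to
resemble a generic cloud audit log; adapt them to the provider's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed: API actions commonly associated with privilege escalation.
PRIV_ESC_ACTIONS = {
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup", "iam:CreateLoginProfile",
}
# Assumed: networks from which API calls are expected (corporate / VPN ranges).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Assumed: addresses flagged by threat intelligence.
MALICIOUS_IPS = {"198.51.100.77"}
DORMANCY = timedelta(days=90)               # identity idle this long counts as dormant
BRUTE_FORCE_THRESHOLD = 5                   # failed logins ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def _ts(s):
    """Parse an ISO-8601 timestamp (assumed UTC) into an aware datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def untrusted_source(ip):
    """Return why a source address is suspicious, or None if it is trusted."""
    if ip in MALICIOUS_IPS:
        return "malicious IP"
    if not any(ip_address(ip) in net for net in TRUSTED_NETWORKS):
        return "external IP"
    return None


def detect(events, last_seen):
    """Evaluate audit events against the C10 indicators.

    events:    records with time, identity, action, source_ip, outcome
    last_seen: identity -> datetime of its last known activity before this batch
    Returns (alerts, log_entries); every alert has a matching log entry that
    records the source, the time and the nature of the activity.
    """
    alerts, log = [], []
    failed_logins = defaultdict(list)   # identity -> recent failure timestamps
    last_seen = dict(last_seen)         # do not mutate the caller's baseline

    def raise_alert(ev, nature):
        alerts.append({"time": ev["time"], "identity": ev["identity"], "rule": nature})
        log.append(f"{ev['time']} identity={ev['identity']} source={ev['source_ip']} "
                   f"action={ev['action']} nature={nature}")

    for ev in sorted(events, key=lambda e: e["time"]):
        t, ident = _ts(ev["time"]), ev["identity"]

        # A previously dormant identity becoming active again (alert once per batch).
        prev = last_seen.get(ident)
        if prev is not None and t - prev > DORMANCY:
            raise_alert(ev, "activity from dormant identity")
        last_seen[ident] = t

        # Privilege-escalation actions, and any call from an external or malicious IP.
        reason = untrusted_source(ev["source_ip"])
        if ev["action"] in PRIV_ESC_ACTIONS:
            raise_alert(ev, "privilege-escalation API call" + (f" from {reason}" if reason else ""))
        elif reason:
            raise_alert(ev, f"API call from {reason}")

        # Password brute force: N failed logins inside the window, alert exactly once.
        if ev["action"] == "ConsoleLogin" and ev["outcome"] == "failure":
            recent = failed_logins[ident]
            recent.append(t)
            recent[:] = [x for x in recent if t - x <= BRUTE_FORCE_WINDOW]
            if len(recent) == BRUTE_FORCE_THRESHOLD:
                raise_alert(ev, "password brute-force attempt")

        if ev["action"] == "AccountLockout":
            raise_alert(ev, "account lockout")

    return alerts, log


# Constructed sample batch: one event per indicator plus benign traffic.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "identity": "alice", "action": "s3:ListBuckets",
     "source_ip": "10.1.2.3", "outcome": "success"},
    {"time": "2024-05-01T09:05:00", "identity": "alice", "action": "iam:AttachUserPolicy",
     "source_ip": "10.1.2.3", "outcome": "success"},
    {"time": "2024-05-01T09:10:00", "identity": "bob", "action": "s3:ListBuckets",
     "source_ip": "198.51.100.77", "outcome": "success"},
    {"time": "2024-05-01T09:12:00", "identity": "svc-legacy", "action": "ec2:DescribeInstances",
     "source_ip": "10.9.9.9", "outcome": "success"},
] + [
    {"time": f"2024-05-01T09:20:{i:02d}", "identity": "carol", "action": "ConsoleLogin",
     "source_ip": "203.0.113.5", "outcome": "failure"} for i in range(6)
] + [
    {"time": "2024-05-01T09:21:00", "identity": "carol", "action": "AccountLockout",
     "source_ip": "203.0.113.5", "outcome": "success"},
]
# Constructed baseline: svc-legacy has been idle for about six months.
LAST_SEEN = {"alice": _ts("2024-04-30T17:00:00"), "bob": _ts("2024-04-29T10:00:00"),
             "svc-legacy": _ts("2023-11-01T00:00:00"), "carol": _ts("2024-04-30T08:00:00")}

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS, LAST_SEEN)[1]:
        print("ALERT", line)
```

Running the sample batch produces five alerts: the privilege-escalation call by alice, bob's call from the threat-intel address, the reappearance of the dormant svc-legacy identity, carol's fifth failed login inside the window, and her subsequent lockout. Each alert is paired with a log line carrying the source address, timestamp and nature of the activity, which is the shape of record the assessment requirements below call for. The sixth failed login deliberately does not raise a second brute-force alert; a real deployment would pick its own de-duplication strategy and tune the thresholds to the tenant's baseline.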

Related Threats

ID | Title | Description | External Mappings | Capability Mappings | Control Mappings
CCC.IAM.TH01 | Valid Cloud Credentials Abuse | Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, an unprotected metadata service on a compromised compute instance, or brute-force attacks. Use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources. | 1 | 1 | 0

Related Capabilities

ID | Title | Description
CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application.
CCC.IAM.F03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys.
CCC.IAM.F04 | Password Management | Ability to create, change and delete IAM user passwords.
CCC.IAM.F07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) and managed by the cloud vendor.
CCC.IAM.F08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles.
CCC.IAM.F09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles.

Guideline Mappings

Reference ID | Entry ID | Strength | Remarks
NIST-CSF | DE.CM-03 | 0 | -
NIST-CSF | DE.CM-06 | 0 | -
NIST-CSF | DE.CM-09 | 0 | -
NIST_800_53 | SI-4 | 0 | -
NIST_800_53 | SI-5 | 0 | -
NIST_800_53 | AC-2 | 0 | -

Assessment Requirements

ID | Description | Applicability
CCC.IAM.C10.TR01 | When suspicious API requests are detected, real-time alerts MUST be generated to notify security personnel. | tlp-red
CCC.IAM.C09.TR02 | When suspicious API requests are detected, the associated events MUST be logged, including the source details, time, and nature of the activity. | tlp-green, tlp-amber, tlp-red