CCC Monitoring
Provides the ability to continuously observe, track, and analyze the performance, availability, and health of the service resources or applications.
Release Details
Version: DEV
Assurance Level:
Release Manager: Development Build
Contributors
Development Team
Change Log
- Development build - no formal changelog available
Capabilities
ID | Title | Description | Threat Mappings |
---|---|---|---|
CCC.Monitor.F01 | Metric collection | Gathering numerical (quantitative) data points about the performance, health, or behaviour of systems, applications or infrastructure. | 0 |
CCC.Monitor.F02 | Tracing | An observability technique providing an end-to-end view of a request or transaction flow through a complex system to enable a single action to be linked to resulting events in multiple downstream systems. | 0 |
CCC.Monitor.F03 | Reporting | Summarised view of metrics in a structured, sharable format. | 0 |
CCC.Monitor.F04 | Health Checks | A type of monitoring that focuses on the operational status and readiness of components or entire systems. | 0 |
CCC.Monitor.F05 | SLO Monitoring | Define and monitor Service Level Objectives (SLO) using Service Level Indicators (SLI) based on metrics. | 0 |
CCC.Monitor.F06 | Synthetic Monitoring | Proactively checking sample user interactions to identify issues before real users are impacted. | 0 |
CCC.Monitor.F07 | Uptime Monitoring | Checking whether a specific service or application is accessible from an external perspective. | 0 |
CCC.Monitor.F08 | Application Performance Monitoring (APM) | A comprehensive approach to monitoring the performance, availability and user experience of an application through multiple levels of data collection. | 0 |
CCC.Monitor.F09 | Dashboard | A visual representation of the health of systems being monitored. Pulls together metrics, current alerts, SLOs/SLIs, health checks and other monitoring features into a single location to enable a view of the health of the overall system. | 0 |
CCC.Monitor.F10 | Triggering | Automatically initiating actions like alerts, notifications or automated workflows based on pre-defined conditions being met. | 0 |
CCC.Monitor.F11 | Integration with Third-Party Tools | Monitoring tools are able to integrate with a number of downstream systems in order to send notifications and alerts, raise tickets and create incident reports. | 0 |
CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. | 3 |
CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. | 1 |
CCC.Core.F07 | Event Publication | The service automatically publishes a structured state-change record upon creation, deletion, or modification of data, configuration, components, or child resources. | 2 |
CCC.Core.F09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. | 3 |
CCC.Core.F10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. | 2 |
CCC.Core.F14 | API Access | The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE. | 1 |
CCC.Core.F15 | Cost Management | The service monitors data published by child or networked resources to infer usage patterns and generate cost reports for the service. | 1 |
CCC.Core.F17 | Alerting | The service may be configured to emit a notification based on a user-defined condition related to the data published by a child or networked resource. | 2 |
Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.Monitor.TH01 | Capture Personally Identifiable Information | Unauthorised viewers may gain access to PII if it is incorrectly collected by monitoring systems through metrics or tracing. | 1 | 1 | 0 |
CCC.Monitor.TH02 | Health Checks Used to Identify Attack Targets | Health Checks are used to inform those responsible for maintaining a system that there is a problem, but if that information gets into the hands of a malicious actor, it can be used to target already problematic systems and mask malicious activity. | 1 | 1 | 1 |
CCC.Monitor.TH03 | External Monitoring DoS | If an external monitoring service is compromised, it can act as a host for instigating denial of service attacks on internal systems which otherwise may not be protected against this form of attack. | 1 | 1 | 1 |
CCC.Monitor.TH04 | External Monitoring Access | If an external monitoring system is compromised, it acts as a trusted external remote service and can then access internal services which would otherwise not be accessible directly. | 1 | 1 | 1 |
CCC.Monitor.TH05 | Data Exfiltration Through Tampered Metrics | If a malicious actor is able to make changes to the metrics being collected, this could be used to encrypt and/or compress sensitive data and bypass controls preventing exfiltration. The data can then be staged in the monitoring system and exfiltrated in bulk at a later point in time. | 1 | 1 | 1 |
CCC.Monitor.TH06 | Cost Exhaustion Through Tampered Alerts or Metrics Collection | Monitoring systems are expected to generate traffic, but if a malicious actor were to change alerts so that they fire at an API which charges per request, generate large volumes of metric data which would then need to be stored and processed, or even trigger resource scaling, this would cause an increase in the cloud bill. | 1 | 1 | 1 |
CCC.Monitor.TH07 | Trigger Malicious Code | If a malicious actor is able to create new triggers, they would be able to use valid metric data to trigger malicious actions and re-compromise a newly replaced container or compute instance. | 1 | 1 | 0 |
CCC.Core.TH01 | Access is Granted to Unauthorized Users | Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data. | 1 | 1 | 4 |
CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. | 1 | 1 | 1 |
CCC.Core.TH08 | Runtime Metrics are Manipulated | Manipulation of runtime metrics can lead to inaccurate representations of system performance and resource utilization. This compromised data integrity may also impact system availability through misinformed scaling decisions, budget exhaustion, financial losses, and hindered incident detection. | 1 | 1 | 0 |
CCC.Core.TH09 | Runtime Logs are Read by Unauthorized Entities | Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data. | 1 | 1 | 1 |
CCC.Core.TH10 | State-change Events are Read by Unauthorized Entities | Unauthorized access to state-change events can reveal information about the system's design and usage patterns. This opens the system up to attacks of opportunity and supports the planning of attacks on the service, system, or network. | 1 | 1 | 1 |
CCC.Core.TH11 | Publications are Incorrectly Triggered | Incorrectly triggered publications may disseminate inaccurate or misleading information, creating a data integrity risk. Such misinformation can cause unintended operations to be initiated, conceal legitimate issues, and disrupt the availability or reliability of systems and their data. | 1 | 1 | 0 |
CCC.Core.TH15 | Automated Enumeration and Reconnaissance by Non-human Entities | Automated processes may be used to gather details about service and child resource elements such as APIs, file systems, or directories. This information can reveal vulnerabilities, misconfigurations, and the network topology, which can be used to plan an attack against the system, the service, or its child resources. | 1 | 1 | 1 |
CCC.Core.TH16 | Publications are Disabled | Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management. | 1 | 1 | 1 |
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.Monitor.C01 | Rate Limiting on External Monitoring | Prevent DoS attacks using External Monitoring tools. | Logging & Monitoring | 1 | 4 | 1 |
CCC.Monitor.C02 | Rate Limiting on Metric Generation | Prevent Malicious Actor or misconfiguration from flooding services with metric data. | Logging & Monitoring | 1 | 4 | 1 |
CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |
CCC.Core.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring | 1 | 4 | 2 |
CCC.Monitor.C03 | Access External Monitoring | Control access to synthetic monitoring solutions using API keys or certificate-based authentication to ensure they don't become an attack path, preventing monitoring systems from forging network requests to gain access to internal systems. | Identity and Access Management | 1 | 4 | 1 |
CCC.Monitor.C04 | Restrict access to Monitoring Dashboards | Control access to Monitoring Dashboards and reports to ensure they don't highlight an attack path. | Identity and Access Management | 1 | 4 | 1 |
CCC.Monitor.C05 | Restrict access to silence or acknowledge an alert | Ensure only a subset of users can silence or acknowledge alerts to prevent attackers hiding their activity. | Identity and Access Management | 1 | 3 | 1 |
CCC.Monitor.C06 | Metrics pushed for authorised services only | Use IAM to control which types of metrics or traces can be pushed by different systems, to avoid a compromised system pushing fabricated metrics about a different service. | Identity and Access Management | 1 | 2 | 1 |
CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 6 | 4 |
CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 8 | 6 |
CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 7 | 1 |
CCC.Core.C09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Data | 3 | 5 | 3 |
CCC.Core.C11 | Protect Encryption Keys | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Data | 1 | 7 | 6 |