Security Intents for Intent Driven Security

January 8, 2024 ยท View on GitHub

CI status

Repository to hold Security Intents in standard template format.

Security Threat Template

title: Scenario-title
description: Detailed description of the scenario
severity: High/Medium/Low
tags:
  - oran
  - 5gcore
  - generic
detectionMethods: # Mechanisms to detect the threat
  - name: Application log
    tag:
      - mitre/ds0015
    description: Description # Optional
    url: https://...
  - name: Process
    tag:
      - accuknox/ax0015
    description: Description # Optional
    url: https://...
mitigationMethods: # Mechanisms to mitigate the threat
  - name: Update Software
    tag:
      - mitre/ds0015
    description: desc
    url: https://...
  - name: User Account Management
    tag:
      - accuknox/ax0015
    description: desc
    url: https://...
securityActions:
  - sample-sa-1.yaml
  - sample-sa-2.yaml
securityIntentBinding: # Set of labels, annotations describing workloads who would be impacted by this threat
  - sample-si-binding.yaml
preDeploymentConsiderations: [ ] # Anything that can be done in CI/CD pipelines that can alleviate this threat
references:
  - name: ref1
    url: https://...
  - name: ref2
    url: https://...

Security Threats

TitleDescriptionSeveritySecurity ActionsReferences
DNS ManipulationAn adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity.highaccuknox/preventLocalDNSHijack, mitre/integrityProtection, mitre/networkTrafficMITRE FiGHT
Exploit Public-Facing ApplicationHighFGT1190
Exploit Semi-public Facing ApplicationHighmitre/networkTrafficFGT5029
gNodeB Component ManipulationAn adversary may compromise a component of gNodeB to affect radio network configurationhighMITRE FiGHT
Protocol TunnelingAdversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.Highmitre/encryptSensitiveInformation, mitre/networkTrafficFGT1572.501
Regitration of Malicious Network FunctionsAn adversary, such as an insider to the MNO or vendor, could install a malicious NF into the core network, in order to launch other attacks or get access to information.highmitre/networkSegmentationMITRE FiGHT
Rogue xApps unauthorized accessMalicious xApps may gain unauthorized access to near-RT RIC and E2 nodesHighmitre/credentialAccessProtection, mitre/networkSegmentationFGT5034
Software Deployment ToolsAdversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network.Highaccuknox/preventPkgInstallFGT1072
SupplyChainCompromiseAdversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.HighFGT1195
Unauthorized access to Network Exposure Function (NEF) via token fraudAn adversary controlling an (external) Application Function (AF) presents a fraudulent OAuth access token to access Network Exposure Function (NEF) servicesHighFGT5011
Valid AccountsHighFGT1078

Contributions welcome...

Adding a new Security Threat

  1. Fork and clone this repository
  2. Copy res/threatTemplate.yaml template file in threats/tactic directory and edit the file's contents to accurately reflect the specific threat information. For e.g., execution tactic from MITRE FiGHT.
    cp res/threatTemplate.yaml threats/execution/threat-name.yaml
    
  3. Create the Security Actions file(s) you listed in the .securityActions field of the threat-name.yaml file, and place them within the actions directory. For e.g.,
    ...
    securityActions:
     - sample-sa-1.yaml 
     - sample-sa-2.yaml 
    ...
    
  4. Run make
  5. Raise a PR