From 0566eee442dbe605f04be63b5d9b2d8384486289 Mon Sep 17 00:00:00 2001 From: Yash Ramani Date: Mon, 13 Apr 2026 16:31:49 -0400 Subject: [PATCH] Create threats.yaml for tracing vulnerabilities Added YAML file defining imported threats and tracing vulnerabilities. --- catalogs/management/tracing/threats.yaml | 334 +++++++++++++++++++++++ 1 file changed, 334 insertions(+) create mode 100644 catalogs/management/tracing/threats.yaml diff --git a/catalogs/management/tracing/threats.yaml b/catalogs/management/tracing/threats.yaml new file mode 100644 index 00000000..b93c184b --- /dev/null +++ b/catalogs/management/tracing/threats.yaml 
@@ -0,0 +1,334 @@ +imported-threats: + - reference-id: CCC + entries: + - reference-id: CCC.Core.TH01 + strength: 0 # Not yet specified + remarks: Access Control is Misconfigured + - reference-id: CCC.Core.TH02 + strength: 0 # Not yet specified + remarks: Data is Intercepted in Transit + - reference-id: CCC.Core.TH06 + strength: 0 # Not yet specified + remarks: Data is Lost or Corrupted + - reference-id: CCC.Core.TH07 + strength: 0 # Not yet specified + remarks: Logs are Tampered With or Deleted + - reference-id: CCC.Core.TH09 + strength: 0 # Not yet specified + remarks: Logs or Monitoring Data are Read by Unauthorized Users + - reference-id: CCC.Core.TH11 + strength: 0 # Not yet specified + remarks: Event Notifications are Incorrectly Triggered + - reference-id: CCC.Core.TH12 + strength: 0 # Not yet specified + remarks: Resource Constraints are Exhausted + - reference-id: CCC.Core.TH15 + strength: 0 # Not yet specified + remarks: Automated Enumeration and Reconnaissance by Non-Human Entities + - reference-id: CCC.Core.TH16 + strength: 0 # Not yet specified + remarks: Logging and Monitoring are Disabled + +threats: + - id: CCC.Tracing.TH01 + title: Sensitive Data Leakage via Span Attributes + description: | + Instrumented application code inadvertently includes sensitive values + such as passwords, tokens, PII, or health data as span tags or + attributes during telemetry collection or context propagation. Anyone + with read access to the tracing backend can extract this data, violating + data minimisation and compliance requirements. 
+ capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP01 + strength: 0 # Not yet specified + remarks: Distributed Telemetry Collection + - reference-id: CCC.Tracing.CP03 + strength: 0 # Not yet specified + remarks: Distributed Context Propagation + - reference-id: CCC.Tracing.CP09 + strength: 0 # Not yet specified + remarks: Trace Retention + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1530 + strength: 0 # Not yet specified + remarks: Data from Cloud Storage + - reference-id: T1552 + strength: 0 # Not yet specified + remarks: Unsecured Credentials + - reference-id: T1048 + strength: 0 # Not yet specified + remarks: Exfiltration Over Alternative Protocol + - reference-id: OWASPTOP10 + entries: + - reference-id: A02:2021 + - reference-id: CWE + entries: + - reference-id: CWE-312 + - reference-id: CWE-532 + + - id: CCC.Tracing.TH02 + title: Trace or Span Data Injection + description: | + A malicious actor injects forged or manipulated trace events, spans, + or context headers into the collection pipeline or across service + boundaries. This causes the tracing backend to record false execution + paths, fabricated latency data, or spoofed service identities, + undermining the reliability of diagnostics, alerting, and root cause + analysis. 
+ capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP01 + strength: 0 # Not yet specified + remarks: Distributed Telemetry Collection + - reference-id: CCC.Tracing.CP03 + strength: 0 # Not yet specified + remarks: Distributed Context Propagation + - reference-id: CCC.Tracing.CP05 + strength: 0 # Not yet specified + remarks: Error Correlation + - reference-id: CCC.Tracing.CP10 + strength: 0 # Not yet specified + remarks: Assistance for Root Cause Analysis + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1565 + strength: 0 # Not yet specified + remarks: Data Manipulation + - reference-id: T1001.001 + strength: 0 # Not yet specified + remarks: "Data Obfuscation: Junk Data" + - reference-id: OWASPTOP10 + entries: + - reference-id: A03:2021 + - reference-id: CWE + entries: + - reference-id: CWE-117 + - reference-id: CWE-20 + + - id: CCC.Tracing.TH03 + title: Trace Context Propagated to Untrusted Systems + description: | + Trace and span identifier headers are forwarded beyond the internal + trust boundary to external or third-party services that are not + authorised to receive them. This leaks internal transaction structure, + service identities, and correlation identifiers to external parties, + enabling topology reconnaissance and correlation attacks. 
+ capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP03 + strength: 0 # Not yet specified + remarks: Distributed Context Propagation + - reference-id: CCC.Tracing.CP02 + strength: 0 # Not yet specified + remarks: Dependency Mapping and Visualization + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1040 + strength: 0 # Not yet specified + remarks: Network Sniffing + - reference-id: T1557 + strength: 0 # Not yet specified + remarks: Adversary-in-the-Middle + - reference-id: T1018 + strength: 0 # Not yet specified + remarks: Remote System Discovery + + - id: CCC.Tracing.TH04 + title: Sampling Configuration Manipulation + description: | + An unauthorised user modifies sampling rules or manipulates incoming + trace context headers to alter sampling decisions. This can be used to + force full recording of targeted transactions for surveillance, suppress + sampling of security-sensitive traces to evade detection, or cause + storage exhaustion by setting sampling rates to 100% across all traffic. + capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP06 + strength: 0 # Not yet specified + remarks: Sampling + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1565 + strength: 0 # Not yet specified + remarks: Data Manipulation + - reference-id: T1562 + strength: 0 # Not yet specified + remarks: Impair Defenses + - reference-id: T1499 + strength: 0 # Not yet specified + remarks: Endpoint Denial of Service + + - id: CCC.Tracing.TH05 + title: Security Event Loss Due to Aggressive Downsampling + description: | + Overly aggressive cost-driven or misconfigured sampling rates cause + security-relevant traces such as authentication failures, privilege + escalation attempts, or data access anomalies to be discarded. The + resulting gaps in trace data hinder incident reconstruction and reduce + the effectiveness of forensic investigation. 
+ capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP06 + strength: 0 # Not yet specified + remarks: Sampling + - reference-id: CCC.Tracing.CP09 + strength: 0 # Not yet specified + remarks: Trace Retention + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1562.008 + strength: 0 # Not yet specified + remarks: "Impair Defenses: Disable Cloud Logs" + - reference-id: T1070 + strength: 0 # Not yet specified + remarks: Indicator Removal + + - id: CCC.Tracing.TH06 + title: Premature Deletion of Trace Evidence + description: | + Short or misconfigured retention TTL policies, or deliberate deletion + of trace partitions by a malicious insider, cause trace data relevant + to an ongoing or unreported security incident to be removed before + investigators can access it. This destroys forensic evidence and + prevents complete incident reconstruction. + capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP09 + strength: 0 # Not yet specified + remarks: Trace Retention + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1070.004 + strength: 0 # Not yet specified + remarks: "Indicator Removal on Host: File Deletion" + - reference-id: T1485 + strength: 0 # Not yet specified + remarks: Data Destruction + - reference-id: T1562.008 + strength: 0 # Not yet specified + remarks: "Impair Defenses: Disable Cloud Logs" + + - id: CCC.Tracing.TH07 + title: Topology Information Disclosure via Dependency Map + description: | + The dependency map exposes the full internal service graph, including + internal addresses, service names, database endpoints, call + relationships, and health signals. Unauthorised access to this map + provides an attacker with a detailed attack surface inventory that + can be used to plan targeted exploitation or denial-of-service attacks. 
+ capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP02 + strength: 0 # Not yet specified + remarks: Dependency Mapping and Visualization + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1580 + strength: 0 # Not yet specified + remarks: Cloud Infrastructure Discovery + - reference-id: T1046 + strength: 0 # Not yet specified + remarks: Network Service Discovery + - reference-id: T1018 + strength: 0 # Not yet specified + remarks: Remote System Discovery + + - id: CCC.Tracing.TH08 + title: Profiling Data Exposes Timing Side Channels + description: | + Detailed execution timing data including per-operation durations and + call counts is accessible to insufficiently authorised users. This can + reveal internal business logic, algorithm behaviour, or discriminate + between code paths in ways that facilitate targeted attacks, such as + timing attacks against authentication or cryptographic operations. + capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP04 + strength: 0 # Not yet specified + remarks: Performance Profiling + - reference-id: CCC.Tracing.CP07 + strength: 0 # Not yet specified + remarks: Trace Querying & Filtering + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1007 + strength: 0 # Not yet specified + remarks: System Service Discovery + - reference-id: T1082 + strength: 0 # Not yet specified + remarks: System Information Discovery + - reference-id: CWE + entries: + - reference-id: CWE-208 + + - id: CCC.Tracing.TH09 + title: Bulk Trace Data Exfiltration via Query Interface + description: | + An attacker with valid read credentials uses the trace query and + filtering interface to perform bulk extraction of all stored trace data, + exfiltrating the full history of application behaviour, user activity + patterns, internal service topology, and error details that collectively + provide a comprehensive picture of the system. 
+ capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP07 + strength: 0 # Not yet specified + remarks: Trace Querying & Filtering + - reference-id: CCC.Tracing.CP08 + strength: 0 # Not yet specified + remarks: Integration with Logs and Metrics + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1048 + strength: 0 # Not yet specified + remarks: Exfiltration Over Alternative Protocol + - reference-id: T1567 + strength: 0 # Not yet specified + remarks: Exfiltration Over Web Service + - reference-id: T1020 + strength: 0 # Not yet specified + remarks: Automated Exfiltration + + - id: CCC.Tracing.TH10 + title: Cross-Signal Privilege Escalation via Shared Identifiers + description: | + A user with read access to one telemetry signal type exploits shared + correlation identifiers such as trace IDs or span IDs to pivot to a + more sensitive signal type that they are not authorised to access. + The unified observability interface amplifies this risk by correlating + all three signal types in a single query response. + capabilities: + - reference-id: CCC.Tracing + entries: + - reference-id: CCC.Tracing.CP08 + strength: 0 # Not yet specified + remarks: Integration with Logs and Metrics + external-mappings: + - reference-id: MITRE-ATT&CK + entries: + - reference-id: T1078 + strength: 0 # Not yet specified + remarks: Valid Accounts + - reference-id: T1548 + strength: 0 # Not yet specified + remarks: Abuse Elevation Control Mechanism
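Review bot: the ATT&CK technique names under `remarks` are inconsistent within this one file: CCC.Tracing.TH05 records T1070 as `remarks: Indicator Removal`, while CCC.Tracing.TH06 records its sub-technique T1070.004 as `remarks: "Indicator Removal on Host: File Deletion"`, so the same parent technique appears under two different names; pick the current ATT&CK name and use it for both entries. The mapping blocks also differ in shape: every MITRE-ATT&CK entry carries `strength: 0 # Not yet specified` plus a `remarks` line, but the OWASPTOP10 and CWE entries (`- reference-id: A02:2021`, `- reference-id: CWE-312`) carry neither. If the schema treats those fields as optional, the placeholder `strength: 0` lines on the ATT&CK entries are just noise until a value is assigned; if it does not, the OWASP and CWE rows need the same fields so every mapping can be filtered the same way. Two mappings also read as a loose fit for the threat as described and deserve a justification in `remarks` or a tightened description: CCC.Tracing.TH03 describes the application itself forwarding trace headers past the trust boundary, yet maps to T1040 (Network Sniffing) and T1557 (Adversary-in-the-Middle), both of which assume an interceptor on the path; CCC.Tracing.TH05 describes a cost-driven misconfiguration with no adversary, yet maps only to adversary techniques (T1562.008, T1070). Finally, CCC.Tracing.TH10 says the interface correlates "all three signal types" while the only capability it cites is `Integration with Logs and Metrics`; name traces, logs and metrics explicitly in the description so the count is self-explanatory to a reader who has not seen the capabilities catalog.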