Merge pull request #8 from 5GSEC/shivkb/oran-mitre-threats

Additional Threats
5GSEC · Mar 7, 2024 · 8f01f6d · 8f01f6d
2 parents 7e274c8 + 476553d
commit 8f01f6d
Show file tree

Hide file tree

Showing 20 changed files with 439 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -39,9 +39,9 @@ mitigationMethods: # Mechanisms to mitigate the threat
       - accuknox/ax0015
     description: desc
     url: https://...
-securityIntents:
-  - sample-si-1.yaml
-  - sample-si-2.yaml
+securityActions:
+  - sample-sa-1.yaml
+  - sample-sa-2.yaml
 securityIntentBinding: # Set of labels, annotations describing workloads who would be impacted by this threat
   - sample-si-binding.yaml
 preDeploymentConsiderations: [ ] # Anything that can be done in CI/CD pipelines that can alleviate this threat
@@ -54,8 +54,19 @@ references:
 
 ## Security Threats
 
-| Title | Description | Severity | Security Intents | References |
+| Title | Description | Severity | Security Actions | References |
 |:-----:|-------------|----------|------------|------------|
+   | [DNS Manipulation](threats/mitre/dnsManipulation.yaml) | An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity. | high | [accuknox/preventLocalDNSHijack](actions/accuknox/preventLocalDNSHijack), [mitre/integrityProtection](actions/mitre/integrityProtection), [mitre/networkTraffic](actions/mitre/networkTraffic) |[MITRE FiGHT](https://fight.mitre.org/techniques/FGT5006) |
+   | [Exploit Public-Facing Application](threats/mitre/exploitPublicFacingApplication.yaml) |  | High |  |[FGT1190](https://fight.mitre.org/techniques/FGT1190) |
+   | [Exploit Semi-public Facing Application](threats/mitre/exploitSemiPublicFacingApplication.yaml) |  | High | [mitre/networkTraffic](actions/mitre/networkTraffic) |[FGT5029](https://fight.mitre.org/techniques/FGT5029) |
+   | [gNodeB Component Manipulation](threats/mitre/gNodeBComponentManipulation.yaml) | An adversary may compromise a component of gNodeB to affect radio network configuration | high |  |[MITRE FiGHT](https://fight.mitre.org/techniques/FGT5032) |
+   | [Protocol Tunneling](threats/mitre/protocolTunnelling.yaml) | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. | High | [mitre/encryptSensitiveInformation](actions/mitre/encryptSensitiveInformation), [mitre/networkTraffic](actions/mitre/networkTraffic) |[FGT1572.501](https://fight.mitre.org/techniques/FGT1572.501) |
+   | [Regitration of Malicious Network Functions](threats/mitre/registrationMaliciousNetworkFunctions.yaml) | An adversary, such as an insider to the MNO or vendor, could install a malicious NF into the core network, in order to launch other attacks or get access to information. | high | [mitre/networkSegmentation](actions/mitre/networkSegmentation) |[MITRE FiGHT](https://fight.mitre.org/techniques/FGT5006) |
+   | [Rogue xApps unauthorized access](threats/mitre/rogueXappsUnauthAccess.yaml) | Malicious xApps may gain unauthorized access to near-RT RIC and E2 nodes | High | [mitre/credentialAccessProtection](actions/mitre/credentialAccessProtection), [mitre/networkSegmentation](actions/mitre/networkSegmentation) |[FGT5034](https://fight.mitre.org/techniques/FGT5034) |
+   | [Software Deployment Tools](threats/mitre/softwareDeploymentTools.yaml) | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. | High | [accuknox/preventPkgInstall](actions/accuknox/preventPkgInstall) |[FGT1072](https://fight.mitre.org/techniques/FGT1072) |
+   | [SupplyChainCompromise](threats/mitre/supplyChainCompromise.yaml) | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. | High |  |[FGT1195](https://fight.mitre.org/techniques/FGT51195) |
+   | [Unauthorized access to Network Exposure Function (NEF) via token fraud](threats/mitre/unAuthAccessNEFTokenFraud.yaml) | An adversary controlling an (external) Application Function (AF) presents a fraudulent OAuth access token to access Network Exposure Function (NEF) services | High |  |[FGT5011](https://fight.mitre.org/techniques/FGT5011) |
+   | [Valid Accounts](threats/mitre/validAccounts.yaml) |  | High |  |[FGT1078](https://fight.mitre.org/techniques/FGT1078) |
 
 ## Contributions welcome...
 
@@ -67,13 +78,13 @@ references:
    ```shell
    cp res/threatTemplate.yaml threats/execution/threat-name.yaml
     ```
-3. Create the Security Intent file(s) you listed in the `.securityIntents` field of the `threat-name.yaml` file, and
-   place them within the [intents](intents) directory. For e.g.,
+3. Create the Security Actions file(s) you listed in the `.securityActions` field of the `threat-name.yaml` file, and
+   place them within the [actions](actions) directory. For e.g.,
    ```yaml
    ...
-   securityIntents:
-    - sample-si.yaml 
-    - sample-si-2.yaml 
+   securityActions:
+    - sample-sa-1.yaml 
+    - sample-sa-2.yaml 
    ...
    ```
 4. Run `make`

diff --git a/actions/accuknox/preventLocalDNSHijack b/actions/accuknox/preventLocalDNSHijack
@@ -0,0 +1,12 @@
+title: preventLocalDNSHijack
+description: This attack consists of modifying the /etc/resolv.conf file
+to point to a malicious DNS server. The mitigation consists of having an security engine rule preventing writes to /etc/resolv.conf file
+severity: high
+tags: [5gcore, edge, accuknox]
+references:
+  - name: MITRE FiGHT
+    url: https://fight.mitre.org/techniques/FGT5006
+  - name: Hellfire
+    url: https://hellfire0x01.medium.com/get-familiar-with-dns-hijacking-2215a0a318d4
+  - name: SecurityTrails
+    url: https://securitytrails.com/blog/preventing-domain-hijacking-10-steps-to-increase-your-domain-security
diff --git a/actions/mitre/integrityProtection b/actions/mitre/integrityProtection
@@ -0,0 +1,16 @@
+title: integrityProtection
+description: There are multiple contexts here:
+DNS Manipulation: In this context, integrity protection refers to ensuring
+that the DNS responses integrity. Currently, there is no way to for security
+ engines to do this on the cluster. There are techniques to use DNSSEC 
+[ibm, microsoft] to secure DNS data validating the digital signatures. 
+of the 
+severity: high
+tags: [5gcore, edge, mitre]
+references:
+  - name: mitre
+    url: https://fight.mitre.org/mitigations/FGM1557
+  - name: ibm
+    url: https://www.ibm.com/docs/en/i/7.3?topic=support-domain-name-system-security-extensions-dnssec
+  - name: microsoft
+    url: https://learn.microsoft.com/en-us/windows-server/networking/dns/validate-dnssec-responses
diff --git a/actions/mitre/networkTraffic b/actions/mitre/networkTraffic
@@ -0,0 +1,9 @@
+title: networkTraffic
+description: Malware uses DNS as a transport to communicate with the command-and-control servers [infloBlox]. Hence the packets contents need to be checked for data exfiltration. Basic checks can be implemented by the security engines on the DNS packets
+severity: high
+tags: [5gcore, edge, mitre]
+references:
+  - name: mitre
+    url: https://fight.mitre.org/data%20sources/DS0029
+  - name: infoBlox 
+    url: https://www.infoblox.com/dns-security-resource-center/dns-security-faq/what-is-dns-protection/