Definition: Abuse of Functions involves an attacker manipulating the intended functionality of software or systems for malicious purposes. This includes misusing legitimate features or configurations beyond their designed scope.
Generic Vulnerability: The scope of the software and its functions. More scope means a larger attack surface, which an attacker can turn to their advantage.
Context: This threat addresses the functional domain which the software is designed to perform. It's the unintended use of software capabilities that becomes the weak point.
Sub-Threats Examples: Data Poisoning, Abuse of document sharing functions, BGP Hijacking, Misuse of API functionalities
Control Examples: Patching, Hardening, Stripping, Detection rules for LOLBins
Attacker's View: "I abuse a functionality, not a coding issue."
Asset Type: Software
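As an added illustration of the last control listed above (detection rules for LOLBins), here is example code that is not part of the original page: two defender-side rules evaluated over constructed, Sysmon-style process-creation events. The field names (`image`, `parent_image`, `command_line`), the short LOLBin and document-handler lists, and the sample events are assumptions made for this example, not a complete catalogue.

```python
"""Minimal detection logic for living-off-the-land binary (LOLBin) abuse.

Added example: two rules run over constructed process-creation events.
The point matches the cluster above: the tools are legitimate, the abuse is
in how (and from where) they are invoked, so detection keys on context.
"""
from dataclasses import dataclass
from typing import List, Optional

# Signed system utilities that are frequently abused as "legitimate features".
# Assumption: a small illustrative set, not a complete LOLBin list.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe", "powershell.exe"}

# Document handlers that have no business spawning scripting or download tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}


@dataclass
class ProcessEvent:
    image: str           # full path of the created process
    parent_image: str    # full path of the parent process
    command_line: str


@dataclass
class Alert:
    rule: str
    image: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_office_spawns_lolbin(ev: ProcessEvent) -> Optional[Alert]:
    """Flag a LOLBin whose parent is a document handler: feature abuse, not an exploit."""
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    if child in LOLBINS and parent in OFFICE_PARENTS:
        return Alert("office_spawns_lolbin", child, f"parent={parent}")
    return None


def rule_certutil_download(ev: ProcessEvent) -> Optional[Alert]:
    """Flag certutil used as a downloader: 'urlcache' together with a remote URL."""
    if _basename(ev.image) != "certutil.exe":
        return None
    cl = ev.command_line.lower()
    if "urlcache" in cl and ("http://" in cl or "https://" in cl):
        return Alert("certutil_download", "certutil.exe", "urlcache with remote URL")
    return None


RULES = [rule_office_spawns_lolbin, rule_certutil_download]


def evaluate(events: List[ProcessEvent]) -> List[Alert]:
    """Run every rule over every event and collect the hits in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 "certutil -verify cert.cer"),                       # benign admin use
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "mshta.exe payload.hta"),                            # document spawns script host
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 "certutil -urlcache -f http://example.invalid/x.txt x.txt"),  # download
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "notepad.exe"),                                      # benign
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.reason}")
```

The first rule fires on parent/child relationship alone, which is why it survives renaming of the downloaded file or changes to the command line; the second rule is narrower and shows the usual trade-off between precision and evasion resistance.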

Definition: An attacker targets vulnerabilities in server-side software to manipulate server behavior using exploit code.
Generic Vulnerability: The presence of exploitable flaws in server-side software code, including input validation errors, logic flaws, and other programming mistakes that can be leveraged to execute unintended operations.
Context: A server is a software program or system that waits to receive requests from clients and responds to them. It "serves" the requirements of the client. Exploit code is used to take advantage of a specific vulnerability or set of vulnerabilities.
Sub-Threats Examples: SQL Injections, Buffer Overflows
Control Examples: Secure coding practices, Web Application Firewall (WAF/Reverse Proxy), Patching ("the World of CVE"), Vulnerability Scans, Detection Rules, MITIGATE: reducing lateral damage with zones
Attacker's View: "I abuse a coding issue on the server side."
Asset Type: Software

Definition: An attacker targets vulnerabilities in client-side software to manipulate client behavior using exploit code, often when the client accesses a malicious resource.
Generic Vulnerability: The presence of exploitable flaws in any client-side software or agent that processes external data. This includes web browsers, email clients, database clients, API consumers, automated services, and background processes.
Context: A client is a software program or system that sends a request to another system (the server) to perform a certain task or function. "Client" here refers to the software, not the physical device. Exploit code in this context is designed to take advantage of specific client-side vulnerabilities.
Sub-Threats Examples: Browser Exploits, PDF Reader Exploits, Office Document Exploits
Control Examples: Secure coding practices, Forward Proxy (blocking), Web isolation, Whitelist, Sandbox, Patching ASAP
Attacker's View: "I abuse a coding issue on the client side. If no interaction from the user is required, it is sometimes called 'drive-by infection.'"
Asset Type: Software

Definition: An attacker targets weaknesses in identity and access management to acquire and misuse legitimate credentials.
Generic Vulnerability: Weak Identity Management Processes and/or credential protection mechanisms. This covers inadequate procedures in handling the entire lifecycle of identities and lax credential management.
Context: This threat relates to "design weaknesses in the use of software (and hardware) for identification and authentication." It's distinct from obtaining identities and credentials via other threat clusters (e.g., via exploit).
Sub-Threats Examples: Credential Stuffing, Password Spraying
Control Examples: Multi-Factor Authentication (MFA) with Out-of-Band (OOB) verification, robust identity lifecycle management, patching
Attacker's View: "I abuse credentials to operate as a legitimate identity or process."
Asset Type: Software
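As an added example for the two sub-threats named above (credential stuffing and password spraying), the following code is not part of the original page: it reads constructed authentication log lines and separates the "one source, many identities" pattern that both sub-threats share from a single-account brute-force burst, and flags the case a defender most wants to see, a successful login from the same source on the heels of the failures. The log format, the thresholds and the sample lines are assumptions for the example.

```python
"""Triage of authentication failures by source address.

Added example, not code from the original page. Both credential stuffing and
password spraying look the same from the failure log alone (many accounts,
one source, roughly one attempt per account), so they are reported under one
label; what sets them apart from ordinary mistyped passwords is the spread
across identities and the volume inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   2024-05-01T10:00:00Z auth fail user=alice src=203.0.113.5
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Thresholds are assumptions; tune them to the real login volume of the service.
WINDOW = timedelta(minutes=10)   # sliding window in which failures are counted
MIN_FAILURES = 5                 # failures from one source before it is reported
MANY_USERS = 4                   # distinct accounts that make it "one source, many identities"


def parse(lines):
    """Parse log lines into (timestamp, result, user, src), skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def classify_sources(lines):
    """Return {src: finding} for every source with >= MIN_FAILURES failures inside WINDOW.

    label 'stuffing_or_spraying': failures spread over MANY_USERS or more accounts.
    label 'brute_force': failures concentrated on a few accounts.
    'success_after': a successful login from the same source at or after the burst
    started, i.e. the attacker may already hold a working identity.
    """
    per_src = defaultdict(list)
    for ev in parse(lines):
        per_src[ev[3]].append(ev)

    findings = {}
    for src, evs in per_src.items():
        fails = [(ts, user) for ts, result, user, _ in evs if result == "fail"]
        for i, (start, _) in enumerate(fails):
            window = [f for f in fails[i:] if f[0] - start <= WINDOW]
            if len(window) < MIN_FAILURES:
                continue
            users = {u for _, u in window}
            label = "stuffing_or_spraying" if len(users) >= MANY_USERS else "brute_force"
            success_after = any(r == "ok" and ts >= start for ts, r, _, _ in evs)
            findings[src] = {"label": label, "accounts": len(users),
                             "failures": len(window), "success_after": success_after}
            break  # one finding per source is enough for triage
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z auth fail user=alice src=203.0.113.5",
    "2024-05-01T10:00:30Z auth fail user=bob src=203.0.113.5",
    "2024-05-01T10:01:00Z auth fail user=carol src=203.0.113.5",
    "2024-05-01T10:01:30Z auth fail user=dave src=203.0.113.5",
    "2024-05-01T10:02:00Z auth fail user=erin src=203.0.113.5",
    "2024-05-01T10:02:30Z auth ok user=erin src=203.0.113.5",      # a pair that worked
    "2024-05-01T10:05:00Z auth fail user=admin src=198.51.100.7",
    "2024-05-01T10:05:10Z auth fail user=admin src=198.51.100.7",
    "2024-05-01T10:05:20Z auth fail user=admin src=198.51.100.7",
    "2024-05-01T10:05:30Z auth fail user=admin src=198.51.100.7",
    "2024-05-01T10:05:40Z auth fail user=admin src=198.51.100.7",
    "2024-05-01T10:05:50Z auth fail user=admin src=198.51.100.7",
    "2024-05-01T10:07:00Z auth fail user=frank src=192.0.2.9",     # ordinary typo
    "2024-05-01T10:07:20Z auth ok user=frank src=192.0.2.9",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_LOG).items():
        print(src, finding)
```

Per-account lockout, the control most people reach for first, only catches the second source; the first one never trips it because every account sees a single failure, which is exactly why the page pairs MFA with lifecycle management rather than relying on counters alone.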

Definition: An attacker intercepts and potentially alters communication between two parties.
Generic Vulnerability: The lack of control over communication flow/path.
Context: This threat is often a precursor to Identity Theft, but it's distinct because it involves getting in between communication first.
Sub-Threats Examples: Wi-Fi Eavesdropping, Rogue VPN
Control Examples: End-to-end encryption, Certificate pinning
Attacker's View: "I abuse my position between communicating parties."
Asset Type: Software

Definition: An attacker overwhelms system resources and capacity limits, leading to disruption of normal operations.
Generic Vulnerability: Capacity limitations.
Context: This threat is related to the risk event type "loss of availability." It's distinct from exploits that target non-availability through flaws.
Sub-Threats Examples: SYN Flood, Layer 7 DDoS
Control Examples: Network provider solution or specialized services like Cloudflare, Web Application Firewall (WAF)
Attacker's View: "I abuse the circumstance of always limited capacity in software and systems."
Asset Type: Software

Definition: An attacker abuses the inherent ability of software to execute foreign (malware) code. This includes any software that has code execution as a built-in function (e.g., VBScript in Office documents, JavaScript in PDF files).
Generic Vulnerability: The ability to execute 'foreign code' by design from the perspective of our software.
Context: Unlike exploit code which targets specific vulnerabilities, malware code is designed to perform malicious actions by leveraging intended functionalities. The challenge is to recognize and block the execution of malicious code within otherwise legitimate contexts.
Sub-Threats Examples: Ransomware, Trojans, Spyware, Keyloggers
Control Examples: Blocking file types on mail and web proxy, Application control, Anti-malware scanners, Behavioral analysis
Attacker's View: "I abuse the opportunity provided by the environment to allow execution of my code."
Asset Type: Software

Definition: An attacker gains unauthorized physical interference with hardware, devices, or facilities.
Generic Vulnerability: The physical accessibility of hardware and the exploitability of Layer 1 (Physical Layer) communications in the OSI model. This includes vulnerabilities in on-premises equipment, cabling, and wireless signals.
Context: The physical layer in cybersecurity refers to the means by which data is converted into physical form for transmission. Attacks on this layer can involve direct physical access to tangible components or manipulation of the intangible signals themselves.
Sub-Threats Examples: Direct Physical Access Attacks: Hardware Tampering, Port Access, Physical Device Theft; Indirect Physical Access Attacks: TEMPEST, Signal Jamming, Wireless Interception
Control Examples: Physical access control, Signal encryption, Shielding, Tamper-evident measures, Signal anomaly mitigation
Attacker's View: "I abuse the physical accessibility of hardware and devices."
Asset Type: Physical

Definition: An attacker manipulates people into performing actions that compromise the security of systems or business processes.
Generic Vulnerability: Human gullibility, ignorance, or susceptibility to compromise.
Context: This threat focuses on the human element in cybersecurity, recognizing that people can be manipulated or deceived.
Sub-Threats Examples: Phishing, Pretexting, Baiting
Control Examples: Security awareness training, Simulated phishing exercises
Attacker's View: "I abuse human trust and psychology to deceive individuals."
Asset Type: Human

Definition: An attacker compromises systems by targeting vulnerabilities in third-party software, hardware, or services that an organization relies on. This includes targeting vulnerabilities in an organization's external suppliers or service providers.
Generic Vulnerability: The necessary reliance on and implicit trust in incorporated third-party components, services, or vendors within the supply chain, creating potential points of compromise outside direct control.
Context: This threat cluster is an initial vector for compromises, such as a compromised update server. It's closely related to third-party risk management.
Sub-Threats Examples: Compromised Libraries or Dependencies, Tampered Software Updates
Control Examples: Inventory of 3rd party software, Trusted repositories with signature/hash checks, Isolated environment for testing and monitoring third-party components
Attacker's View: "I abuse the trust in third-party components, services, or vendors."
Asset Type: Software, Hardware, Services
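As an added example for the control "trusted repositories with signature/hash checks" and the sub-threat "tampered software updates" above, the following code is not part of the original page and is not any package manager's real implementation: it checks a fetched artifact against a pinned manifest before it is installed and fails closed on every unexpected condition. The manifest format, the HMAC tag standing in for a detached signature (a real deployment would use a signature whose verification key is held out of band), the key and the sample artifact bytes are all constructed for this example.

```python
"""Verifying a third-party artifact against a pinned manifest before use.

Added example, not code from the page. Two things are checked, in order:
1. the manifest itself is authentic (here an HMAC tag stands in for a
   detached signature), so an attacker who can alter the download location
   cannot simply ship a manifest that matches the tampered file;
2. the artifact's SHA-256 equals the pinned value, and the artifact is one
   we have actually reviewed (unknown names are rejected, not auto-trusted).
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_is_authentic(manifest_bytes: bytes, tag_hex: str, key: bytes) -> bool:
    """Constant-time check of the manifest tag (stand-in for signature verification)."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def verify_artifact(name: str, data: bytes, manifest: dict) -> str:
    """Return 'ok', 'unknown_artifact' or 'hash_mismatch'."""
    expected = manifest.get(name)
    if expected is None:
        return "unknown_artifact"   # fail closed: nothing gets installed without a pin
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "hash_mismatch"      # tampered update, corrupted download, or wrong file
    return "ok"


def install(name: str, data: bytes, manifest_bytes: bytes, tag_hex: str, key: bytes) -> str:
    """The check a deployment step would run: manifest authenticity first, then the pin."""
    if not manifest_is_authentic(manifest_bytes, tag_hex, key):
        return "manifest_tampered"
    manifest = json.loads(manifest_bytes)
    return verify_artifact(name, data, manifest)


# --- constructed sample data (not a real release) ---
GOOD = b"fake library release 1.4.2 contents"
TAMPERED = GOOD[:-1] + b"!"             # one byte changed, as a tampered update would be
KEY = b"out-of-band-shared-key"          # constructed; held by the reviewer, never next to the repo
MANIFEST_BYTES = json.dumps({"libfoo-1.4.2.tar.gz": sha256_hex(GOOD)}, sort_keys=True).encode()
MANIFEST_TAG = hmac.new(KEY, MANIFEST_BYTES, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(install("libfoo-1.4.2.tar.gz", GOOD, MANIFEST_BYTES, MANIFEST_TAG, KEY))
    print(install("libfoo-1.4.2.tar.gz", TAMPERED, MANIFEST_BYTES, MANIFEST_TAG, KEY))
    print(install("libfoo-1.5.0.tar.gz", GOOD, MANIFEST_BYTES, MANIFEST_TAG, KEY))
    print(install("libfoo-1.4.2.tar.gz", GOOD, MANIFEST_BYTES + b" ", MANIFEST_TAG, KEY))
```

The ordering matters: verifying the hash against a manifest fetched from the same place as the artifact only proves the two are consistent with each other, which is exactly what a compromised update server provides. Authenticity of the pin has to come from something the supplier's infrastructure does not control, hence the "trusted repositories" wording in the control list.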