diff --git a/attack-tracks/service-destruction.json b/attack-tracks/service-destruction.json
index 745b81164..6590c2404 100644
--- a/attack-tracks/service-destruction.json
+++ b/attack-tracks/service-destruction.json
@@ -7,10 +7,12 @@
 "spec": {
 "version": "1.0",
 "data": {
- "name": "Workload Exposure",
+ "name": "Initial Access",
+ "description": "An attacker can access the Kubernetes environment.",
 "subSteps": [
 {
- "name": "Service Destruction"
+ "name": "Denial of service",
+ "description": "An attacker can overload the workload, making it unavailable."
 }
 ]
 }
diff --git a/attack-tracks/workload-external-track.json b/attack-tracks/workload-external-track.json
index 0203face5..53ba61cb4 100644
--- a/attack-tracks/workload-external-track.json
+++ b/attack-tracks/workload-external-track.json
@@ -7,29 +7,37 @@
 "spec": {
 "version": "1.0",
 "data": {
- "name": "Workload Exposure",
+ "name": "Initial Access",
+ "description": "An attacker can access the Kubernetes environment.",
 "subSteps": [
 {
- "name": "Vulnerable Image",
+ "name": "Execution (Vulnerable Image)",
+ "description": "An attacker can execute malicious code by exploiting vulnerable images.",
 "checksVulnerabilities": true,
 "subSteps": [
 {
- "name": "Data Access"
+ "name": "Data Collection",
+ "description": "An attacker can gather data."
 },
 {
- "name": "Secret Access"
+ "name": "Secret Access",
+ "description": "An attacker can steal secrets."
 },
 {
- "name": "Credential access"
+ "name": "Credential access",
+ "description": "An attacker can steal account names and passwords."
 },
 {
- "name": "Potential Node exposure"
+ "name": "Privilege Escalation (Node)",
+ "description": "An attacker can gain permissions and access node resources."
 },
 {
- "name": "Persistence"
+ "name": "Persistence",
+ "description": "An attacker can create a foothold."
 },
 {
- "name": "Network"
+ "name": "Lateral Movement (Network)",
+ "description": "An attacker can move through the network."
 }
 ]
 }
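Review bot: The new sub-step name `"Denial of service"` is in sentence case, while the other renamed steps in this commit use title case (`"Initial Access"`, `"Data Collection"`, `"Lateral Movement (Network)"`). Controls point at a step by repeating this literal in `categories` (C-0009 does so in this commit), so the lookup is presumably an exact string match and a casing slip in either file would detach the control from the track without any error. I would write `"name": "Denial of Service",` here and in C-0009, and align `"Credential access"` in workload-external-track.json in a follow-up.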
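Review bot: Every `name` renamed in the workload-external-track.json hunk is also the key that control files repeat in `categories`, and nothing visible in this commit checks that the two stay in step. The controls touched here are updated, but any control or downstream consumer still carrying `"Workload Exposure"`, `"Vulnerable Image"`, `"Data Access"`, `"Potential Node exposure"` or `"Network"` would presumably drop out of the attack track silently, which under-reports risk for that control. A repository test asserting that each control's `categories` entry exists as a step `name` in the referenced `attackTrack` would catch this. The descriptions of `"Secret Access"` and `"Credential access"` also read almost alike; one clause on what separates them would help someone triaging findings.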
diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json
index 09d935436..242d2c725 100644
--- a/controls/C-0009-resourcelimits.json
+++ b/controls/C-0009-resourcelimits.json
@@ -9,7 +9,7 @@
 {
 "attackTrack": "service-destruction",
 "categories": [
- "Service Destruction"
+ "Denial of service"
 ]
 }
 ]
diff --git a/controls/C-0041-hostnetworkaccess.json b/controls/C-0041-hostnetworkaccess.json
index 1be0a86aa..844d464f8 100644
--- a/controls/C-0041-hostnetworkaccess.json
+++ b/controls/C-0041-hostnetworkaccess.json
@@ -10,7 +10,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Network"
+ "Lateral Movement (Network)"
 ]
 }
 ]
diff --git a/controls/C-0044-containerhostport.json b/controls/C-0044-containerhostport.json
index 3c626ec7a..d129973d7 100644
--- a/controls/C-0044-containerhostport.json
+++ b/controls/C-0044-containerhostport.json
@@ -11,13 +11,13 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Workload Exposure"
+ "Initial Access"
 ]
 },
 {
 "attackTrack": "service-destruction",
 "categories": [
- "Workload Exposure"
+ "Initial Access"
 ]
 }
 ]
diff --git a/controls/C-0045-writablehostpathmount.json b/controls/C-0045-writablehostpathmount.json
index c14e6343b..46942b1c4 100644
--- a/controls/C-0045-writablehostpathmount.json
+++ b/controls/C-0045-writablehostpathmount.json
@@ -16,7 +16,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Potential Node exposure"
+ "Privilege Escalation (Node)"
 ]
 }
 ]
diff --git a/controls/C-0046-insecurecapabilities.json b/controls/C-0046-insecurecapabilities.json
index 5af858943..c1bb39d89 100644
--- a/controls/C-0046-insecurecapabilities.json
+++ b/controls/C-0046-insecurecapabilities.json
@@ -11,7 +11,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Potential Node exposure"
+ "Privilege Escalation (Node)"
 ]
 }
 ]
diff --git a/controls/C-0048-hostpathmount.json b/controls/C-0048-hostpathmount.json
index ad931324a..b7a747aa6 100644
--- a/controls/C-0048-hostpathmount.json
+++ b/controls/C-0048-hostpathmount.json
@@ -13,7 +13,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Potential Node exposure"
+ "Privilege Escalation (Node)"
 ]
 }
 ]
diff --git a/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json b/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
index 77a8e9cb8..700f9c67f 100644
--- a/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
+++ b/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
@@ -19,7 +19,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Potential Node exposure"
+ "Privilege Escalation (Node)"
 ]
 }
 ]
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
index 1067fc53b..cc35d4e7b 100644
--- a/controls/C-0256-exposuretointernet.json
+++ b/controls/C-0256-exposuretointernet.json
@@ -9,13 +9,13 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Workload Exposure"
+ "Initial Access"
 ]
 },
 {
 "attackTrack": "service-destruction",
 "categories": [
- "Workload Exposure"
+ "Initial Access"
 ]
 }
 ]
diff --git a/controls/C-0257-pvcaccess.json b/controls/C-0257-pvcaccess.json
index de95b7d71..19a1b77f7 100644
--- a/controls/C-0257-pvcaccess.json
+++ b/controls/C-0257-pvcaccess.json
@@ -9,7 +9,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Data Access"
+ "Data Collection"
 ]
 }
 ]
diff --git a/controls/C-0258-configmapaccess.json b/controls/C-0258-configmapaccess.json
index b0a52d5b0..2b15ba4d7 100644
--- a/controls/C-0258-configmapaccess.json
+++ b/controls/C-0258-configmapaccess.json
@@ -9,7 +9,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Data Access"
+ "Data Collection"
 ]
 }
 ]
diff --git a/controls/C-0260-missingnetworkpolicy.json b/controls/C-0260-missingnetworkpolicy.json
index e967f5b4f..f51ad8c42 100644
--- a/controls/C-0260-missingnetworkpolicy.json
+++ b/controls/C-0260-missingnetworkpolicy.json
@@ -9,7 +9,7 @@
 {
 "attackTrack": "workload-external-track",
 "categories": [
- "Network"
+ "Lateral Movement (Network)"
 ]
 }
 ]