#1 Abuse of Functions
Definition: An attacker abuses the logic or scope of existing, legitimate software functions, features, or configurations for malicious purposes. This manipulation occurs through standard interfaces using expected input types (data, parameters, configurations, sequence of actions), but in a way that subverts the intended purpose or security controls.
The scope, complexity, or inherent trust placed in legitimate software functions, features, and configurations. More scope/complexity can create a larger attack surface.
Context: This threat addresses the manipulation of the functional domain itself – what the software is designed to do. The attacker misuses capabilities intentionally built into the system, often exceeding implicit boundaries or leveraging overly permissive designs via standard interfaces using expected input types (data, parameters, configurations, sequence of actions). Crucially, this does not involve executing foreign Malware Code (unlike #7), nor does it rely on exploiting specific implementation flaws/bugs (unlike #2/#3 Exploiting Server/Client). When initiated via Social Engineering (#9), this often involves tricking a user into enabling, disabling, or misconfiguring legitimate, existing features (e.g., enabling RDP access, creating firewall exceptions, changing security settings), rather than installing new software (which would facilitate #7).
Sub-Threats Examples: Data Poisoning, Abuse of document sharing functions, BGP Hijacking, Misuse of API functionalities, Parameter Tampering (exploiting logic), Enabling insecure configurations
Input validation (for logic), Strong configuration management, Least privilege for functions/APIs, Feature usage monitoring, Business logic checks, Multi-step approvals for sensitive configurations
"I abuse a functionality, not a coding issue."
Asset Type: Software (Its functions and configuration)
#2 Exploiting Server
Definition: An attacker targets and leverages flaws originating directly within the server-side application's source code implementation. These vulnerabilities (e.g., improper input handling, insecure API usage, resource leaks, logic errors introduced during coding) allow manipulation of server behavior or unauthorized access using Exploit Code.
The presence of exploitable flaws within the server-side source code implementation and its resulting logic, stemming from insecure coding practices.
Context: This cluster isolates vulnerabilities that are fundamentally mistakes made by developers during coding on the server side. It addresses the direct consequences of insecure software development practices related to how code handles data, manages resources, or implements application logic. An attacker uses Exploit Code to trigger these specific code-level bugs. This focus on source code implementation flaws distinguishes it from:
- #1 Abuse of Functions, which misuses the intended design and logic of correctly coded functions.
- #7 Malware, which executes malicious code via a designed execution capability, not a bug in the application code.
- #3 Exploiting Client, which targets flaws in the client-side source code implementation.
Sub-Threats Examples: SQL Injection (coding flaw in query building), Buffer Overflows (coding flaw in memory handling), RCE via Deserialization (coding flaw in data processing), SSRF (coding flaw in URL processing), XXE Injection (coding flaw in XML parsing), Stored/Reflected XSS (coding flaw in handling output)
Secure Coding Training & Standards, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Manual Code Review, Input Validation/Sanitization Libraries, Output Encoding, Content Security Policy (CSP), Secure Component Usage, Patching, WAF
"I abuse a flaw in the application's source code on the server side."
Asset Type: Software (Specifically, the server-side application source code implementation)
#3 Exploiting Client
Definition: An attacker targets and leverages flaws originating directly within the source code implementation of any software acting in a client role (requesting/processing data from a server or resource). These vulnerabilities (e.g., improper handling of responses or local data, insecure interaction with local resources, logic errors introduced during coding) allow manipulation of client behavior, unauthorized access to client resources, or information disclosure using Exploit Code, often when the client interacts with malicious content, servers, or manipulated local state.
The presence of exploitable flaws within the source code implementation of software acting as a client, stemming from insecure coding practices related to processing external data/responses, rendering UI, or managing client-side state and resources.
Context: This cluster isolates vulnerabilities that are fundamentally mistakes made by developers during coding within any software component performing a client function – receiving and processing data/responses. Examples include web browsers, mobile apps, desktop applications, document readers, command-line clients (SSH, SQL), client libraries (e.g., HTTP, database connectors), API consumers, and background services acting as clients. It addresses insecure development practices in how this client code handles data, interacts with APIs, or renders information. An attacker uses Exploit Code to trigger these code-level bugs. This focus on client-role source code implementation flaws distinguishes it from:
- #1 Abuse of Functions, which misuses the intended design and logic.
- #7 Malware, which executes malicious code via a designed execution capability.
- #2 Exploiting Server, which targets flaws on the server side.
Sub-Threats Examples: DOM-Based XSS (client script coding flaw), Client Library Buffer Overflows (e.g., in libcurl handling responses), Insecure Deserialization in Client/API Consumer, Command-line Client argument/response handling flaws, Exploits targeting browser/plugin rendering engines.
Secure Coding Training & Standards (Client-Side Focus), SAST/DAST for client code/libraries, Framework/Library Protections, Secure handling of data from all external sources (servers, files, URLs, APIs), Avoiding dangerous functions, Keeping all client software/libraries patched.
"I abuse a flaw in the source code of software acting as a client." (Often triggered by crafted input/data/response)
Asset Type: Software (Specifically, the source code implementation of software acting in a client role)
#4 Identity Theft
Definition: An attacker targets weaknesses in identity and access management processes or credential protection mechanisms to illegitimately acquire, steal, or misuse authentication credentials (e.g., passwords, tokens, keys, session identifiers, biometrics) to impersonate a legitimate identity (human or technical).
Weak Identity Management Processes and/or inadequate credential protection mechanisms throughout the identity lifecycle (issuance, storage, transmission, validation, revocation), allowing credentials to be illegitimately acquired or misused.
Context: This cluster focuses specifically on the compromise of the authentication process itself through the theft or unauthorized acquisition/use of credentials. It includes the technical mechanisms designed solely to capture credentials, such as credential harvesting websites (phishing forms). While the delivery of such a form often relies on #9 Social Engineering (to trick the user into visiting and trusting the form), the form itself represents an attack targeting the credential acquisition process and thus falls under #4. The subsequent use of captured credentials is also #4. This focus on credential compromise distinguishes it from:
- #1/#2/#3 Exploiting Functions/Server/Client: Where credentials might be exposed secondarily due to function abuse or code flaws.
- #7 Malware: Which might be a tool used to steal credentials (e.g., keylogger), facilitating #4.
Note: Bypassing authentication without compromising credentials typically maps to #1 or #2.
Sub-Threats Examples: Credential Stuffing, Password Spraying, Session Hijacking, Pass-the-Hash/Ticket attacks, Stealing API Keys/Secrets, Credential Harvesting Forms/Websites
Multi-Factor Authentication (MFA), Strong password policies, Credential rotation, Secure credential storage, Session management, Anti-phishing training (#9) & technical controls (URL filtering, browser warnings against known #4 harvesting sites), Monitoring for credential abuse
"I abuse credentials, the mechanisms designed to steal them, or the processes managing them to operate as a legitimate identity."
Asset Type: Software (Identity/Access Management Systems, Credential Harvesting Mechanisms), Data (Credentials)
#5 Man in the Middle (MitM)
Definition: An attacker intercepts, eavesdrops on, modifies, or relays communication between two parties without their knowledge or consent, by exploiting a privileged position on the communication path. This position might be gained locally (e.g., on shared Wi-Fi) or by leveraging control over existing network intermediaries.
The lack of sufficient control, integrity protection, or confidentiality over the communication channel/path, including the implicit trust placed in local networks (like public Wi-Fi) and intermediate network infrastructure in standard IP networking.
Context: This cluster describes attacks enabled by an attacker controlling a point on the communication path. Common examples familiar to end-users include attackers on the same public Wi-Fi network intercepting traffic, or potentially a compromised VPN service acting maliciously. More broadly, in standard Internet (IP) communication, intermediaries (routers, ISPs) always exist, creating potential MitM points if compromised (e.g., via BGP hijacking - #1). #5 focuses on the actions possible from this intermediary position (local or remote): eavesdropping, modification, injection, replay, protocol downgrades. This cluster is distinct from the methods used to initially gain the position (which fall under #1, #8, etc.). Network architectures like SCION aim to mitigate vulnerabilities in intermediate path infrastructure.
Sub-Threats Examples: Public Wi-Fi Eavesdropping/Injection, SSL/TLS Interception (via rogue AP or compromised intermediary), Session Hijacking (via intercepted cookies on insecure networks), DNS Spoofing from local network attacker, Malicious VPN Traffic Manipulation, Modifying data via compromised router
End-to-End Encryption (E2EE), Using trusted VPNs, Transport Layer Security (TLS) with strong validation (HSTS, Cert Pinning), Avoiding untrusted public Wi-Fi for sensitive tasks, Network path monitoring, Data integrity checks, Architectures providing path control (e.g., SCION)
"I abuse my position (on the local network or via control over an intermediary) between communicating parties."
Asset Type: Network/Communication Channel & Path Infrastructure (including local networks)
#6 Flooding Attack
Definition: An attacker intentionally overwhelms system resources or exceeds capacity limits through a high volume of requests, data, or operations, leading to disruption, degradation, or denial of service for legitimate users.
Finite capacity limitations inherent in any system component (e.g., network bandwidth, CPU, memory, storage, database limits, application quotas, API rate limits, process/thread pools).
Context: This cluster covers attacks whose primary goal is to exhaust a specific, limited resource required for service operation. While often associated with network-level Distributed Denial of Service (DDoS), it generically applies to overwhelming any capacity constraint. This includes application-level attacks like flooding databases with excessive posts/data, exhausting API rate limits, filling log storage, or triggering computationally expensive operations en masse. The attack leverages volume or intensity, often via legitimate protocols or application functions (sometimes scaled via #1 Abuse of Functions), rather than exploiting specific code flaws (#2/#3) or executing malware (#7). The outcome is typically Loss of Availability.
Sub-Threats Examples: Network DDoS (SYN Flood, UDP Flood, Amplification Attacks), Application Layer DDoS (HTTP Flood, Slowloris), Database Storage Exhaustion via excessive writes, Log Volume Attacks filling disk space, API Rate Limit Flooding, Computationally Expensive Request Flood
Network Traffic Filtering/Scrubbing (DDoS Mitigation Services), Rate Limiting (Network & Application Level), Resource Quotas (Disk, DB storage, API calls), Efficient Resource Management in Code, Connection Pooling Limits, Input validation to prevent overly large/complex requests, Scalable Infrastructure Design, Anomaly Detection (Volume-based)
"I abuse the circumstance of always limited capacity in software and systems."
Asset Type: Software, Network, Hardware (Their finite resources/capacity)
#7 Malware
Definition: An attacker abuses the inherent ability of a software environment to execute foreign executable content, including inherently malicious Malware Code or legitimate tools/scripts used for malicious purposes ("dual-use" / LOLBAS).
The software environment's designed capability to execute potentially untrusted 'foreign' code, scripts, or binaries.
Context: This cluster deals with unauthorized execution achieved via an environment's intended execution capabilities. This includes running inherently malicious Malware Code AND the malicious use of legitimate "dual-use" tools or scripts (e.g., PowerShell, PsExec, legitimate remote admin tools) introduced or invoked by the attacker. In both cases, the attacker leverages the design of the software environment to run executable content for malicious ends. When initiated via Social Engineering (#9), this often involves tricking a user into downloading and executing new, foreign software/scripts, rather than just reconfiguring existing system features (which would be #1). This is distinct from:
- #2/#3 Exploiting Server/Client, which utilize Exploit Code targeting implementation flaws.
- #1 Abuse of Functions, which manipulates the logic of existing functions using data/parameters, without executing foreign code/scripts/binaries.
Sub-Threats Examples: Ransomware, Trojans, Malicious Macros, Execution via PowerShell scripts, Use of PsExec for lateral movement, Malicious use of legitimate Remote Desktop tools (when installed by attacker/victim)
Blocking file types, Application control/allow-listing (critical for dual-use tools), Anti-malware scanners, Script/macro execution policies, Behavioral analysis (detecting legitimate tools used abnormally), Sandboxing, PowerShell Constrained Language Mode
"I abuse the environment's designed capability to execute Malware Code, malicious scripts, or legitimate tools for my purposes."
Asset Type: Software (The execution environment, Dual-Use Tools)
#8 Physical Attack
Definition: An attacker gains unauthorized physical interaction with or causes physical interference to hardware, devices, facilities, or data transmission media (including wireless signals).
The physical accessibility of hardware, facilities, and communication media (cabling, wireless spectrum), and the exploitability of Layer 1 (Physical Layer) communications and hardware interfaces.
Context: This cluster covers threats involving manipulation or disruption at the physical level. It encompasses two main types based on the interaction required:
1. Direct Physical Access Attacks: Require the attacker to physically touch or interact directly with the hardware, device, or its immediate secure environment (e.g., tampering, theft, connecting unauthorized devices, physical intrusion into facilities).
2. Indirect Physical Access Attacks: Exploit physical properties or emanations without requiring direct contact with the core device (e.g., electromagnetic eavesdropping like TEMPEST, signal jamming, environmental disruption, acoustic attacks).
Physical access can often bypass logical security controls and may be a precursor to other attacks (e.g., installing malware via USB - #7, stealing devices with credentials - #4).
Sub-Threats Examples: Hardware Tampering, Port Access (e.g., unauthorized USB/network connection), Physical Device Theft, Facility Intrusion, TEMPEST attacks, Signal Jamming, Wireless Interception (passive), Cutting Cables, USB Baiting
Physical access controls (locks, guards, secure facilities), Device security (cable locks, port security), Data encryption at rest, Tamper detection/seals, Shielding against emanations (for TEMPEST), Wireless security protocols & monitoring, Secure hardware disposal
"I abuse the physical accessibility or properties of hardware, devices, and signals."
Asset Type: Physical (Hardware, Facilities, Media, Signals)
#9 Social Engineering
Definition: An attacker psychologically manipulates individuals into performing actions counter to their or their organization's best interests, such as divulging confidential information, granting access, executing code, or bypassing security procedures.
Human psychological factors: gullibility, trust, ignorance, fear, urgency, authority bias, curiosity, or general compromisability.
Context: This cluster focuses exclusively on exploiting the human element through deception, manipulation, or influence. It leverages psychological triggers rather than technical vulnerabilities in code or systems. Social Engineering is very often the initial vector for more complex attacks, tricking users into actions that enable other threat clusters:
- Tricking a user to reveal credentials used in #4 Identity Theft.
- Tricking a user to install/run malicious code, enabling #7 Malware.
- Tricking a user to misconfigure systems or enable features, facilitating #1 Abuse of Functions.
Crucially, technical vulnerabilities (e.g., CVEs) are never mapped to this cluster; #9 is purely about human manipulation leading to an unsafe action.
Sub-Threats Examples: Phishing (lure/deception phase), Pretexting, Baiting, Quid Pro Quo, Tailgating, Spear Phishing, Whaling, Vishing, Smishing, Water holing (luring users to a compromised site)
Security Awareness Training, Phishing Simulations, Clear procedures for handling requests (esp. for sensitive info/actions), Multi-person approvals for critical actions, Technical anti-phishing controls (email/URL filtering), Caller ID / Sender verification
"I abuse human trust and psychology to deceive individuals."
Asset Type: Human
#10 Supply Chain Attack
Definition: An attacker compromises systems by targeting vulnerabilities within an organization's supply chain. This involves compromising third-party software components, hardware, services, or distribution/update mechanisms that are trusted and integrated into the organization's own environment or products.
The necessary reliance on, and implicit trust placed in, external suppliers, vendors, components, libraries, hardware, services, and their associated development or distribution processes.
Context: This cluster focuses on attacks where the initial vector leverages the trust relationship with external entities whose products or services are incorporated into the target's systems or development lifecycle. It's distinct from merely using a compromised third-party platform for attacks (e.g., using a compromised cloud server for C2 is not #10 unless the cloud service itself delivered malware via its trusted updates). Key vectors include:
1. Development Vector (Pre-Deployment): Compromising source code repositories, build systems, testing environments, or injecting vulnerabilities into third-party libraries/components before they are integrated by the target.
2. Update Vector (Post-Deployment): Compromising legitimate update mechanisms or distribution channels to deliver malicious updates for software, firmware, or hardware already in use.
3. Hardware Vector: Compromising hardware components or manufacturing processes.
A successful #10 attack often leads to #7 Malware deployment or other cluster activities within the target environment via the trusted channel.
Sub-Threats Examples: Compromised Software Updates (e.g., SolarWinds), Malicious Code in Third-Party Libraries/Dependencies (e.g., Log4j scenario if intentionally malicious), Backdoored Hardware Components, Compromised Build/CI/CD Pipelines injecting code, Tampered installation media.
Third-Party Risk Management (TPRM), Software Composition Analysis (SCA), Software Bill of Materials (SBOM), Secure CI/CD pipeline practices, Code signing & verification of updates/dependencies, Hardware integrity checks, Vendor security assessments
"I abuse the trust in third-party components, services, or vendors incorporated by the target."
Asset Type: Software, Hardware, Services (Specifically, the third-party elements and distribution mechanisms integrated by the target)