diff --git a/backend/app/services/compliance_import_service.py b/backend/app/services/compliance_import_service.py index 24f59cb..1d92ddd 100644 --- a/backend/app/services/compliance_import_service.py +++ b/backend/app/services/compliance_import_service.py 
@@ -361,60 +361,266 @@ def import_cis_controls_v8_mappings(db: Session) -> dict: # ── 2. Control definitions with ATT&CK mappings ─────────────── CIS_CONTROLS = [ - {"control_id": "CIS-1", "title": "Inventory and Control of Enterprise Assets", - "category": "IG1 — Basic", - "techniques": ["T1595", "T1590", "T1018", "T1082"]}, - {"control_id": "CIS-2", "title": "Inventory and Control of Software Assets", - "category": "IG1 — Basic", - "techniques": ["T1518", "T1072", "T1195"]}, - {"control_id": "CIS-3", "title": "Data Protection", - "category": "IG1 — Basic", - "techniques": ["T1005", "T1114", "T1560", "T1048", "T1041"]}, - {"control_id": "CIS-4", "title": "Secure Configuration of Enterprise Assets and Software", - "category": "IG1 — Basic", - "techniques": ["T1574", "T1546", "T1112", "T1543"]}, - {"control_id": "CIS-5", "title": "Account Management", - "category": "IG1 — Basic", - "techniques": ["T1078", "T1136", "T1098", "T1087"]}, - {"control_id": "CIS-6", "title": "Access Control Management", - "category": "IG1 — Basic", - "techniques": ["T1078", "T1548", "T1134", "T1021"]}, - {"control_id": "CIS-7", "title": "Continuous Vulnerability Management", - "category": "IG2 — Foundational", - "techniques": ["T1190", "T1203", "T1068", "T1210"]}, - {"control_id": "CIS-8", "title": "Audit Log Management", - "category": "IG2 — Foundational", - "techniques": ["T1562", "T1070", "T1059"]}, - {"control_id": "CIS-9", "title": "Email and Web Browser Protections", - "category": "IG2 — Foundational", - "techniques": ["T1566", "T1204", "T1189", "T1598"]}, - {"control_id": "CIS-10", "title": "Malware Defenses", - "category": "IG2 — Foundational", - "techniques": ["T1059", "T1204", "T1027", "T1140", "T1497"]}, - {"control_id": "CIS-11", "title": "Data Recovery", - "category": "IG1 — Basic", - "techniques": ["T1486", "T1490", "T1561"]}, - {"control_id": "CIS-12", "title": "Network Infrastructure Management", - "category": "IG2 — Foundational", - "techniques": ["T1557", "T1071", 
"T1572", "T1571"]}, - {"control_id": "CIS-13", "title": "Network Monitoring and Defense", - "category": "IG2 — Foundational", - "techniques": ["T1071", "T1048", "T1041", "T1105", "T1572"]}, - {"control_id": "CIS-14", "title": "Security Awareness and Skills Training", - "category": "IG1 — Basic", - "techniques": ["T1566", "T1204", "T1598"]}, - {"control_id": "CIS-15", "title": "Service Provider Management", - "category": "IG2 — Foundational", - "techniques": ["T1199", "T1195"]}, - {"control_id": "CIS-16", "title": "Application Software Security", - "category": "IG2 — Foundational", - "techniques": ["T1190", "T1059", "T1203"]}, - {"control_id": "CIS-17", "title": "Incident Response Management", - "category": "IG2 — Foundational", - "techniques": ["T1059", "T1547", "T1053"]}, - {"control_id": "CIS-18", "title": "Penetration Testing", - "category": "IG3 — Organizational", - "techniques": ["T1595", "T1046", "T1190", "T1059"]}, + { + "control_id": "CIS-1", + "title": "Inventory and Control of Enterprise Assets", + "category": "IG1 — Basic", + "description": ( + "Actively manage all enterprise hardware assets — servers, workstations, mobile " + "devices, and network equipment — so that only authorised devices are given access. " + "Attackers routinely perform active scanning (T1595), gather network information " + "(T1590), and enumerate live hosts (T1018) and system details (T1082) to find " + "unmanaged or forgotten devices that can serve as entry points. You cannot protect " + "what you cannot see." + ), + "techniques": ["T1595", "T1590", "T1018", "T1082"], + }, + { + "control_id": "CIS-2", + "title": "Inventory and Control of Software Assets", + "category": "IG1 — Basic", + "description": ( + "Actively manage all software installed on enterprise assets — only authorised " + "software should be installed and executed. 
Unknown or unauthorised software is a " + "primary indicator of compromise: attackers enumerate installed applications " + "(T1518), abuse software deployment tools (T1072), and introduce malicious code " + "via compromised software supply chains (T1195). An allowlist of approved software " + "makes unauthorised installations immediately detectable." + ), + "techniques": ["T1518", "T1072", "T1195"], + }, + { + "control_id": "CIS-3", + "title": "Data Protection", + "category": "IG1 — Basic", + "description": ( + "Develop processes to identify, classify, and protect sensitive data throughout " + "its lifecycle. Data exfiltration is the primary objective of most targeted " + "attacks: attackers collect local files (T1005), harvest emails (T1114), stage " + "and compress data for extraction (T1560), and exfiltrate via alternative protocols " + "(T1048) or C2 channels (T1041). Understanding where sensitive data lives is the " + "prerequisite for preventing it from leaving." + ), + "techniques": ["T1005", "T1114", "T1560", "T1048", "T1041"], + }, + { + "control_id": "CIS-4", + "title": "Secure Configuration of Enterprise Assets and Software", + "category": "IG1 — Basic", + "description": ( + "Establish and maintain secure configurations for all enterprise assets and software. " + "Default or insecure configurations are exploited by attackers to establish " + "persistence: DLL hijacking and path manipulation (T1574), event-triggered execution " + "hooks (T1546), registry modifications (T1112), and malicious service installation " + "(T1543). CIS Benchmarks provide vendor-specific hardening guidance that significantly " + "raises the bar for attackers." + ), + "techniques": ["T1574", "T1546", "T1112", "T1543"], + }, + { + "control_id": "CIS-5", + "title": "Account Management", + "category": "IG1 — Basic", + "description": ( + "Use processes and tools to assign and manage authorisation for all accounts — " + "including credentials, permissions, and lifecycle management. 
Poorly managed " + "accounts are the single most exploited attack vector: valid stolen credentials " + "(T1078), creation of backdoor accounts (T1136), modification of existing account " + "privileges (T1098), and enumeration of all accounts to identify high-value targets " + "(T1087). A mature account management programme prevents orphaned, over-privileged, " + "and shared accounts." + ), + "techniques": ["T1078", "T1136", "T1098", "T1087"], + }, + { + "control_id": "CIS-6", + "title": "Access Control Management", + "category": "IG1 — Basic", + "description": ( + "Use processes and tools to create, assign, manage, and revoke access credentials " + "and privileges based on least privilege. After gaining initial access, attackers " + "need to escalate privileges and move laterally — they abuse valid high-privilege " + "accounts (T1078), exploit privilege escalation vulnerabilities (T1548), manipulate " + "access tokens (T1134), and use remote services to reach additional systems (T1021). " + "Least-privilege access control directly constrains all of these techniques." + ), + "techniques": ["T1078", "T1548", "T1134", "T1021"], + }, + { + "control_id": "CIS-7", + "title": "Continuous Vulnerability Management", + "category": "IG2 — Foundational", + "description": ( + "Continuously acquire, assess, and take action on new information about " + "vulnerabilities to remediate and minimise the window of opportunity for attackers. " + "Unpatched vulnerabilities are a primary attack vector for initial access and " + "privilege escalation: exploitation of internet-facing applications (T1190), " + "client-side vulnerabilities (T1203), local privilege escalation flaws (T1068), " + "and network service vulnerabilities (T1210). The average time between vulnerability " + "disclosure and exploitation is now less than 15 days." 
+ ), + "techniques": ["T1190", "T1203", "T1068", "T1210"], + }, + { + "control_id": "CIS-8", + "title": "Audit Log Management", + "category": "IG2 — Foundational", + "description": ( + "Collect, alert, review, and retain audit logs to detect attacks and enable " + "investigations. Audit logs are the primary resource for incident response — " + "and therefore the primary target for attacker cleanup: disabling security tools " + "and logging (T1562), clearing Windows Event Logs, bash history, and syslog " + "entries (T1070), and using command-line tools to execute without leaving " + "traces (T1059). A centralised, write-protected log store is essential." + ), + "techniques": ["T1562", "T1070", "T1059"], + }, + { + "control_id": "CIS-9", + "title": "Email and Web Browser Protections", + "category": "IG2 — Foundational", + "description": ( + "Improve protections and detections of threats from email and web vectors — the " + "primary delivery mechanisms for malware and social engineering. The majority of " + "successful breaches begin with a phishing email (T1566), a user clicking a " + "malicious link or attachment (T1204), a drive-by download from a compromised " + "site (T1189), or spear-phishing for credentials (T1598). Email security, web " + "filtering, and user training form the essential first line of defence." + ), + "techniques": ["T1566", "T1204", "T1189", "T1598"], + }, + { + "control_id": "CIS-10", + "title": "Malware Defenses", + "category": "IG2 — Foundational", + "description": ( + "Prevent or control the installation, spread, and execution of malicious applications, " + "code, or scripts. Malware executes via scripting engines (T1059), user-initiated " + "actions (T1204), and uses obfuscation (T1027) and decoding techniques (T1140) to " + "evade detection tools. Some malware also checks for sandbox environments (T1497) " + "before activating. 
Effective malware defence requires layered controls — endpoint " + "detection, application control, and behaviour-based analysis." + ), + "techniques": ["T1059", "T1204", "T1027", "T1140", "T1497"], + }, + { + "control_id": "CIS-11", + "title": "Data Recovery", + "category": "IG1 — Basic", + "description": ( + "Establish and maintain data recovery practices sufficient to restore in-scope " + "enterprise assets to a pre-incident state. Modern ransomware specifically targets " + "backup infrastructure to maximise extortion leverage: encrypting all accessible " + "data (T1486), deleting or inhibiting backup and recovery tools (T1490), and " + "wiping disks entirely (T1561). The 3-2-1 backup rule — three copies, two different " + "media, one offsite — with immutable storage and regular recovery tests is the " + "only reliable defence." + ), + "techniques": ["T1486", "T1490", "T1561"], + }, + { + "control_id": "CIS-12", + "title": "Network Infrastructure Management", + "category": "IG2 — Foundational", + "description": ( + "Establish, implement, and actively manage network infrastructure using a " + "comprehensive security process. Attackers abuse weak network infrastructure " + "for man-in-the-middle attacks (T1557), use standard application protocols to " + "blend command-and-control traffic with normal traffic (T1071), tunnel malicious " + "traffic through legitimate protocols (T1572), and use non-standard ports to evade " + "filtering (T1571). Network hardening, firmware management, and network monitoring " + "are the primary safeguards." + ), + "techniques": ["T1557", "T1071", "T1572", "T1571"], + }, + { + "control_id": "CIS-13", + "title": "Network Monitoring and Defense", + "category": "IG2 — Foundational", + "description": ( + "Operate processes and tooling to establish and maintain comprehensive network " + "monitoring and defence against security threats. 
Without network monitoring, " + "exfiltration goes undetected: data exfiltrated via web protocols (T1071) or " + "alternative channels (T1048, T1041), tool transfer to and from attacker " + "infrastructure (T1105), and protocol tunnelling to bypass controls (T1572). " + "Network detection and response (NDR) tools, combined with IDS signatures and " + "anomaly detection, form the core technical controls." + ), + "techniques": ["T1071", "T1048", "T1041", "T1105", "T1572"], + }, + { + "control_id": "CIS-14", + "title": "Security Awareness and Skills Training", + "category": "IG1 — Basic", + "description": ( + "Establish and maintain a security awareness programme that addresses the full range " + "of threats facing the organisation. Social engineering remains the most effective " + "attack vector because it bypasses technical controls: phishing emails (T1566), " + "malicious attachments (T1204), and credential harvesting via fake login pages " + "(T1598) succeed because users lack the training to recognise them. Regular, " + "scenario-based training with simulated phishing campaigns provides measurable " + "improvement." + ), + "techniques": ["T1566", "T1204", "T1598"], + }, + { + "control_id": "CIS-15", + "title": "Service Provider Management", + "category": "IG2 — Foundational", + "description": ( + "Develop a process to evaluate service providers who hold sensitive data or are " + "responsible for critical IT platforms. Supply chain and third-party attacks have " + "become one of the most impactful threat vectors: adversaries exploit trusted " + "relationships with managed service providers (T1199) and compromise software " + "supply chains to reach downstream targets (T1195). Vendor risk assessments, " + "contractual security requirements, and continuous monitoring are essential." 
+ ), + "techniques": ["T1199", "T1195"], + }, + { + "control_id": "CIS-16", + "title": "Application Software Security", + "category": "IG2 — Foundational", + "description": ( + "Manage the security lifecycle of in-house developed and acquired software in " + "order to prevent, detect, and remediate security weaknesses. Application " + "vulnerabilities are a primary initial access vector: internet-facing application " + "exploitation (T1190), command execution through application weaknesses (T1059), " + "and client-side code execution (T1203). A secure software development lifecycle " + "(SSDLC) with threat modelling, code review, and penetration testing catches " + "vulnerabilities before they reach production." + ), + "techniques": ["T1190", "T1059", "T1203"], + }, + { + "control_id": "CIS-17", + "title": "Incident Response Management", + "category": "IG2 — Foundational", + "description": ( + "Establish a programme to develop and maintain an incident response capability — " + "including a plan, defined roles, training, and exercises. Effective incident " + "response must counter attacker persistence mechanisms before they re-establish " + "footholds: scripted commands (T1059), boot or logon persistence (T1547), and " + "scheduled tasks (T1053) that survive a reboot. A tested incident response plan " + "reduces average dwell time and limits the damage from any breach." + ), + "techniques": ["T1059", "T1547", "T1053"], + }, + { + "control_id": "CIS-18", + "title": "Penetration Testing", + "category": "IG3 — Organizational", + "description": ( + "Test the effectiveness of organisational defences (people, processes, technology) " + "by safely simulating adversary objectives and actions. This is the CIS control " + "most directly aligned with the Aegis Red Team platform. 
Penetration tests " + "simulate reconnaissance (T1595), service discovery (T1046), exploitation of " + "public-facing applications (T1190), and post-exploitation execution (T1059) to " + "validate whether defensive controls work in practice. Every test executed in Aegis " + "directly contributes to evidence for this control." + ), + "techniques": ["T1595", "T1046", "T1190", "T1059"], + }, ] # Build technique lookup 
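Review bot: Several of the new `description` strings gloss a technique ID with behaviour that belongs to a different ATT&CK technique, so the prose and the `techniques` list disagree. In CIS-6, `exploit privilege escalation vulnerabilities (T1548)` describes T1068, while T1548 is Abuse Elevation Control Mechanism; in CIS-8, `using command-line tools to execute without leaving traces (T1059)` presents Command and Scripting Interpreter as a log-evasion technique; in CIS-13, `data exfiltrated via web protocols (T1071)` uses the C2 application-layer technique for exfiltration. I would reword each gloss to the technique's own meaning, e.g. `abuse elevation control mechanisms such as sudo or UAC (T1548)`, and either attribute or drop the unsourced figure in CIS-7 (`less than 15 days`). A small unit test asserting that every `T\d{4}` cited in a description also appears in that entry's `techniques` list would keep the two from drifting. `import_cis_controls_v8_mappings` starts and ends outside this hunk.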
@@ -526,66 +732,163 @@ def import_dora_mappings(db: Session) -> dict: "control_id": "DORA-Art.5", "title": "Governance and Organisation", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 5 requires the management body of financial entities to define, " + "approve, and oversee ICT risk management. This means executive responsibility " + "for cybersecurity — not just delegation to IT. Governance failures enable " + "credential-based attacks on unmonitored accounts (T1078), creation of " + "unauthorised accounts (T1136), privilege escalation (T1098), and unchecked " + "account enumeration (T1087). Regulators (EBA, ESMA, EIOPA) expect evidence " + "that the board actively monitors ICT risk indicators." + ), "techniques": ["T1078", "T1136", "T1098", "T1087"], }, { "control_id": "DORA-Art.6", "title": "ICT Risk Management Framework", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 6 requires a comprehensive, documented ICT risk management framework " + "covering identification, protection, detection, response, and recovery. The " + "framework must be tested against realistic threats — active scanning (T1595), " + "network reconnaissance (T1590), employee intelligence gathering (T1589), port " + "scanning (T1046), host enumeration (T1018), and system profiling (T1082). " + "Red Team exercises under DORA's TLPT programme are the primary evidence that " + "the risk framework functions as intended." + ), "techniques": ["T1595", "T1590", "T1589", "T1046", "T1018", "T1082"], }, { "control_id": "DORA-Art.7", "title": "ICT Systems, Protocols and Tools", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 7 requires financial entities to keep ICT systems up to date, " + "securely configured, and with minimised attack surface. 
Attackers exploit " + "outdated and misconfigured systems: DLL hijacking (T1574), rogue service " + "installation (T1543), registry manipulation (T1112), event-triggered hooks " + "(T1546), compromised software components (T1195), and abuse of legitimate " + "external remote services (T1133). Hardened, maintained systems are a " + "fundamental DORA compliance requirement." + ), "techniques": ["T1574", "T1543", "T1112", "T1546", "T1195", "T1133"], }, { "control_id": "DORA-Art.8", "title": "Identification", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 8 requires financial entities to identify and classify all ICT " + "assets, data, and third-party dependencies that support critical functions. " + "Attackers perform the same discovery to understand their target: scanning for " + "live hosts (T1018), querying system information (T1082), finding sensitive " + "files (T1083), enumerating accounts (T1087), and mapping network and " + "infrastructure (T1590, T1592). An entity that knows its own assets better than " + "an attacker does has a fundamental defensive advantage." + ), "techniques": ["T1018", "T1082", "T1083", "T1087", "T1590", "T1592"], }, { "control_id": "DORA-Art.9", "title": "Protection and Prevention", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 9 requires financial entities to implement continuous protection " + "measures — access controls, network segmentation, patch management, and change " + "management — to prevent ICT incidents. Protection must address the full kill " + "chain: credential abuse (T1078), privilege escalation (T1548, T1134), " + "application exploitation (T1190), persistence via system modifications (T1574, " + "T1543), and lateral movement (T1021). DORA supervisors assess protection " + "effectiveness through scenario-based testing." 
+ ), "techniques": ["T1078", "T1548", "T1134", "T1190", "T1574", "T1543", "T1021"], }, { "control_id": "DORA-Art.10", "title": "Detection", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 10 requires financial entities to implement mechanisms to promptly " + "detect anomalous activities. The detection capability must specifically identify " + "attacker attempts to: disable security tooling (T1562), clear log evidence " + "(T1070), execute malicious commands (T1059), use scheduled tasks for persistence " + "(T1053), establish boot-time persistence (T1547), and abuse logon scripts " + "(T1037). DORA expects mean time to detect (MTTD) to be measured and improved " + "continuously." + ), "techniques": ["T1562", "T1070", "T1059", "T1053", "T1547", "T1037"], }, { "control_id": "DORA-Art.11", "title": "Response and Recovery", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 11 requires documented, tested response and recovery plans for ICT " + "incidents, including defined recovery time objectives (RTO) and recovery point " + "objectives (RPO) for critical functions. Financial entities must be able to " + "recover from the most damaging attacks: ransomware (T1486), backup deletion " + "(T1490), disk wiping (T1561), data destruction (T1485), and exfiltration " + "(T1048, T1041). DORA supervisors have the power to require live resilience tests." + ), "techniques": ["T1486", "T1490", "T1561", "T1485", "T1048", "T1041"], }, { "control_id": "DORA-Art.12", "title": "Backup Policies and Recovery Methods", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 12 specifically mandates backup policies for all data, software, " + "and systems supporting critical functions, with tested recovery procedures. 
" + "Ransomware groups are acutely aware of this requirement and deliberately target " + "backups: encrypting all accessible data (T1486), deleting shadow copies and " + "inhibiting recovery tools (T1490), wiping disks (T1561), and destroying data " + "entirely (T1485). DORA requires backups to be isolated from the production " + "network and tested at least annually." + ), "techniques": ["T1486", "T1490", "T1561", "T1485"], }, { "control_id": "DORA-Art.13", "title": "Learning and Evolving", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 13 requires financial entities to learn from ICT incidents — both " + "their own and sector-wide — and continuously improve their ICT risk framework. " + "This includes threat intelligence consumption: understanding current phishing " + "campaigns (T1566), employee data harvesting (T1589), infrastructure reconnaissance " + "(T1590), active scanning of financial sector targets (T1595), and credential " + "phishing (T1598). Threat intelligence feeds directly inform which Red Team " + "scenarios are most relevant." + ), "techniques": ["T1566", "T1589", "T1590", "T1595", "T1598"], }, { "control_id": "DORA-Art.14", "title": "Communication", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 14 requires crisis communication plans for ICT incidents — covering " + "internal communication, staff notification, and external communication to clients, " + "counterparties, and regulators. Communication channels are themselves an attack " + "vector: attackers harvest email content (T1114), use phishing to impersonate " + "communications (T1566), abuse web services as covert channels (T1102), and use " + "standard web protocols to blend C2 traffic (T1071). Secure, authenticated " + "communication channels are therefore also an ICT risk requirement." 
+ ), "techniques": ["T1114", "T1566", "T1102", "T1071"], }, { "control_id": "DORA-Art.15", "title": "Further Harmonisation of ICT Risk Management Tools", "category": "Chapter II — ICT Risk Management", + "description": ( + "DORA Article 15 mandates that simplified ICT risk management requirements for " + "smaller financial entities still cover the essential controls. Even simplified " + "frameworks must address: credential compromise (T1078), exploitation of " + "internet-facing systems (T1190), remote access abuse (T1133, T1021), and third-party " + "risk (T1199). The proportionality principle does not reduce the required security " + "outcomes — only the implementation complexity." + ), "techniques": ["T1078", "T1190", "T1133", "T1021", "T1199"], }, # ─── Chapter III — ICT-related Incident Management ──────────────── 
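Review bot: The new description for `DORA-Art.15` does not match the entry's own title: the title is "Further Harmonisation of ICT Risk Management Tools", but the text describes the simplified framework for smaller entities, which in the published Regulation (EU) 2022/2554 is, as far as I can tell, Article 16. Article 15 is the mandate for the ESAs to draft technical standards, so I would either reword it along the lines of `"DORA Article 15 mandates the ESAs to develop regulatory technical standards that further specify ICT risk management tools, methods, processes and policies. "` or move the simplified-framework text to a `DORA-Art.16` entry. The same numbering check applies to `DORA-Art.17`–`DORA-Art.19` and `DORA-Art.42` in the later hunks, whose titles and descriptions appear to describe Articles 18–20 and the designation and oversight provisions that begin at Article 31. Please verify each ID against the Official Journal text before evidence is filed under it. `import_dora_mappings` starts and ends outside the hunk.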
@@ -593,18 +896,44 @@ def import_dora_mappings(db: Session) -> dict: "control_id": "DORA-Art.17", "title": "ICT-related Incidents Classification", "category": "Chapter III — Incident Management", + "description": ( + "DORA Article 17 mandates a classification process for ICT incidents based on " + "criteria including impact on services, clients, and financial stability. " + "Classification must correctly identify high-severity incidents like: DDoS attacks " + "impacting service availability (T1499, T1498), ransomware causing business " + "disruption (T1486), data exfiltration affecting client data (T1041, T1048), and " + "data manipulation affecting transaction integrity (T1565). Misclassification " + "leads to delayed regulatory reporting and supervisory sanctions." + ), "techniques": ["T1499", "T1498", "T1486", "T1041", "T1048", "T1565"], }, { "control_id": "DORA-Art.18", "title": "Major ICT-Related Incidents Reporting", "category": "Chapter III — Incident Management", + "description": ( + "DORA Article 18 requires mandatory reporting of major ICT incidents to competent " + "authorities (ECB, national regulators) within strict timeframes — initial " + "notification within 4 hours, intermediate report within 72 hours, final report " + "within 1 month. Qualifying incidents include ransomware (T1486), significant " + "data exfiltration (T1041, T1048), and availability-impacting attacks (T1499, " + "T1498). Non-compliance with reporting timelines carries significant supervisory " + "and reputational risk." + ), "techniques": ["T1486", "T1041", "T1048", "T1499", "T1498"], }, { "control_id": "DORA-Art.19", "title": "Harmonisation of Reporting Content and Formats", "category": "Chapter III — Incident Management", + "description": ( + "DORA Article 19 requires standardised incident report formats as specified by " + "the Joint Committee of ESAs. 
Reports must contain technical details about the " + "attack: initial access via phishing (T1566), application vulnerabilities (T1190), " + "execution mechanisms (T1203, T1059), and the full timeline. This requires that " + "the organisation maintains high-fidelity detection and logging capabilities to " + "populate the mandatory report fields accurately." + ), "techniques": ["T1566", "T1190", "T1203", "T1059"], }, # ─── Chapter IV — Digital Operational Resilience Testing ────────── 
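Review bot: The `DORA-Art.18` description gives the reporting deadlines as bare durations (`initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month`) without saying what each clock starts from, so a reader will take them as measured from detection. As I read the reporting-timeline technical standards, the 4 hours run from classifying the incident as major, with an outer limit of 24 hours from becoming aware of it, and the 72 hours run from the initial notification. The hours come from the delegated standards, not from the article itself. I would change the wording to something like `"notification within 4 hours of classifying the incident as major, intermediate report within 72 hours of "` followed by `"the initial notification, final report within 1 month (per the reporting RTS). "`, and have compliance confirm it before it ships.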
@@ -612,18 +941,47 @@ def import_dora_mappings(db: Session) -> dict: "control_id": "DORA-Art.24", "title": "General Digital Operational Resilience Testing", "category": "Chapter IV — Resilience Testing", + "description": ( + "DORA Article 24 requires ALL financial entities to conduct a comprehensive " + "digital operational resilience testing programme annually — covering vulnerability " + "assessments, network security testing, and scenario-based tests. The testing " + "programme must validate defences against realistic attacks including command " + "execution (T1059), application exploitation (T1190), service discovery (T1046), " + "reconnaissance (T1595), and credential abuse (T1078). Aegis directly supports " + "this requirement by providing evidence of test coverage and outcomes." + ), "techniques": ["T1059", "T1190", "T1046", "T1595", "T1078"], }, { "control_id": "DORA-Art.25", "title": "Testing of ICT Tools and Systems", "category": "Chapter IV — Resilience Testing", + "description": ( + "DORA Article 25 requires testing of ICT systems and tools that support critical " + "and important functions — including penetration testing of production or " + "representative environments. Testing scope must cover exploitation of systems " + "(T1059, T1190, T1046, T1595), credential attacks (T1078), privilege escalation " + "(T1068), and network service exploitation (T1210). Test results must be shared " + "with competent authorities on request, making a structured testing platform " + "with evidence retention (like Aegis) a compliance necessity." + ), "techniques": ["T1059", "T1190", "T1046", "T1595", "T1078", "T1068", "T1210"], }, { "control_id": "DORA-Art.26", "title": "Advanced Testing — Threat-Led Penetration Testing (TLPT)", "category": "Chapter IV — Resilience Testing", + "description": ( + "DORA Article 26 mandates Threat-Led Penetration Testing (TLPT) — equivalent to " + "TIBER-EU — for significant financial entities every 3 years. 
TLPT is a full " + "Red Team simulation based on real threat intelligence, testing the organisation's " + "ability to detect and respond to a realistic advanced adversary. Techniques " + "covered include: phishing (T1566), user execution (T1204), process injection " + "(T1055), command execution (T1059), lateral movement (T1021), credential abuse " + "(T1078), application exploitation (T1190), service scanning (T1046), privilege " + "escalation (T1548, T1134), and payload obfuscation (T1027). DORA TLPT is the " + "most rigorous regulatory cyber resilience test in the financial sector." + ), "techniques": [ "T1566", "T1204", "T1055", "T1059", "T1021", "T1078", "T1190", "T1046", "T1548", "T1134", "T1027", @@ -633,6 +991,15 @@ def import_dora_mappings(db: Session) -> dict: "control_id": "DORA-Art.27", "title": "Requirements for Testers Carrying Out TLPT", "category": "Chapter IV — Resilience Testing", + "description": ( + "DORA Article 27 sets requirements for the Red Team providers conducting TLPT — " + "they must be independent, technically qualified, and approved by competent " + "authorities. The testing scope must include realistic reconnaissance (T1595), " + "service enumeration (T1046), exploitation (T1190), post-exploitation execution " + "(T1059), and abuse of valid credentials (T1078). TLPT providers must follow " + "TIBER-EU methodology, using actual threat intelligence specific to the target " + "entity's threat landscape." + ), "techniques": ["T1595", "T1046", "T1190", "T1059", "T1078"], }, # ─── Chapter V — ICT Third-Party Risk Management ────────────────── 
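Review bot: The `DORA-Art.24` and `DORA-Art.25` descriptions mix a paraphrase of the regulation with product claims: `Aegis directly supports this requirement by providing evidence of test coverage and outcomes` and `making a structured testing platform with evidence retention (like Aegis) a compliance necessity`. CIS-18 in the first hunk does the same with `Every test executed in Aegis directly contributes to evidence for this control`. If these strings are displayed or exported as control descriptions (not visible here), an auditor will read vendor statements as regulatory content, and the "every test" wording overstates what an unscoped or failed run can evidence. I would keep `description` to what the article requires and, if the importer tolerates an extra key, move the product statement to one, e.g. `"platform_note": "Aegis test results can be attached as evidence for this control."`. `requires ALL financial entities` in Art.24 also reads stronger than the regulation's proportionality carve-outs and is worth softening.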
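Review bot: The `DORA-Art.27` description says testers `must be independent, technically qualified, and approved by competent authorities`, which, as far as I can tell, is not what the article requires. It sets suitability, expertise, certification or code-of-conduct, and insurance criteria for testers, and allows internal testers only with the competent authority's approval. `TLPT providers must follow TIBER-EU methodology` is likewise stronger than the alignment with TIBER-EU that the TLPT standards describe. I would reword to `"they must meet suitability, expertise, certification and insurance criteria, and internal testers may be used only with approval from the competent authority. "` and have the sentence checked against the article text.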
@@ -640,18 +1007,46 @@ def import_dora_mappings(db: Session) -> dict: "control_id": "DORA-Art.28", "title": "General Principles of ICT Third-Party Risk Management", "category": "Chapter V — Third-Party Risk", + "description": ( + "DORA Article 28 requires a comprehensive ICT third-party risk management " + "strategy, including registers of all third-party providers and pre-contractual " + "due diligence. Financial entities have been repeatedly compromised through their " + "supply chains: trusted relationship exploitation (T1199), software supply chain " + "compromise (T1195), credential theft for third-party systems (T1078), and abuse " + "of legitimate remote access tools (T1133). DORA supervisors can examine " + "third-party risk registers during inspections." + ), "techniques": ["T1199", "T1195", "T1078", "T1133"], }, { "control_id": "DORA-Art.30", "title": "Key Contractual Provisions for ICT Services", "category": "Chapter V — Third-Party Risk", + "description": ( + "DORA Article 30 specifies mandatory contract clauses for ICT third-party service " + "agreements — including security requirements, audit rights, incident notification, " + "and exit strategies. Without contractual security obligations, third parties " + "become the weakest link: exploitation of trusted relationships (T1199), " + "compromised software delivered by the vendor (T1195), and credential sharing " + "that allows lateral movement (T1078). DORA requires financial entities to " + "actively enforce these clauses, not merely include them." + ), "techniques": ["T1199", "T1195", "T1078"], }, { "control_id": "DORA-Art.42", "title": "Oversight of Critical ICT Third-Party Providers", "category": "Chapter V — Third-Party Risk", + "description": ( + "DORA Article 42 establishes a new EU-level oversight framework for ICT providers " + "designated as 'critical' — cloud providers, data centres, and core software " + "vendors serving multiple financial entities simultaneously. 
A compromise of a " + "critical ICT provider would represent systemic risk to financial stability: " + "exploiting trusted relationships (T1199, T1195), leveraging legitimate remote " + "access (T1133), abusing shared credentials (T1078), and exploiting the provider's " + "own internet-facing infrastructure (T1190). DORA Lead Overseers can demand " + "remediation actions from critical providers directly." + ), "techniques": ["T1199", "T1195", "T1133", "T1078", "T1190"], }, # ─── Chapter VI — Information Sharing ──────────────────────────── @@ -659,6 +1054,17 @@ def import_dora_mappings(db: Session) -> dict: "control_id": "DORA-Art.45", "title": "Arrangements for Information Sharing on Cyber Threats", "category": "Chapter VI — Information Sharing", + "description": ( + "DORA Article 45 encourages financial entities to participate in cyber threat " + "information sharing arrangements — sharing indicators of compromise, attack " + "patterns, and tactical intelligence with peers and regulators. Shared intelligence " + "enables the sector to collectively defend against sector-specific threats: " + "phishing campaigns targeting financial firms (T1566), data harvesting on " + "employees (T1589), infrastructure reconnaissance of banking networks (T1590), " + "active scanning of financial sector assets (T1595), and spear-phishing for " + "credentials (T1598). Participation in CERT-level sharing programmes satisfies " + "this requirement." + ), "techniques": ["T1566", "T1589", "T1590", "T1595", "T1598"], }, ] 
@@ -772,78 +1178,176 @@ def import_iso_27001_mappings(db: Session) -> dict:
 "control_id": "5.2",
 "title": "Information Security Roles and Responsibilities",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires that information security responsibilities are clearly defined, allocated, "
+ "and communicated. Without clear ownership, attackers exploit gaps between teams — "
+ "for example, using valid accounts (T1078) whose owners are unknown, enumerating "
+ "accounts (T1087) that no one monitors, or abusing group memberships (T1069) never "
+ "reviewed after personnel changes."
+ ),
 "techniques": ["T1078", "T1087", "T1069"],
 },
 {
 "control_id": "5.7",
 "title": "Threat Intelligence",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires the organisation to collect, analyse, and act on information about threats "
+ "relevant to its assets. This directly counters attackers' reconnaissance activities: "
+ "phishing campaigns (T1566), harvesting employee data (T1589), mapping the network "
+ "perimeter (T1590), performing active scanning (T1595), and spear-phishing for "
+ "credentials (T1598). Effective threat intelligence allows defenders to anticipate "
+ "and disrupt these activities before they succeed."
+ ),
 "techniques": ["T1566", "T1589", "T1590", "T1595", "T1598"],
 },
 {
 "control_id": "5.9",
 "title": "Inventory of Information and Other Assets",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires maintaining an accurate, up-to-date inventory of all information assets "
+ "and their owners. Attackers routinely discover systems that the organisation itself "
+ "has forgotten — querying system information (T1082), finding forgotten files (T1083), "
+ "scanning for live hosts (T1018), or gathering infrastructure details (T1592). "
+ "An asset inventory is the prerequisite for almost every other security control."
+ ),
 "techniques": ["T1082", "T1083", "T1018", "T1592"],
 },
 {
 "control_id": "5.14",
 "title": "Information Transfer",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires rules and controls for transferring information — whether via email, "
+ "removable media, cloud sharing, or messaging. It directly addresses data exfiltration "
+ "paths: non-standard ports (T1048), command-and-control channels (T1041), cloud "
+ "storage services (T1567), and standard web protocols used to blend with normal "
+ "traffic (T1071). Without these controls, sensitive data can leave the organisation "
+ "undetected."
+ ),
 "techniques": ["T1048", "T1041", "T1567", "T1071"],
 },
 {
 "control_id": "5.16",
 "title": "Identity Management",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires a full lifecycle process for managing digital identities — from creation "
+ "to deletion. Attackers who compromise an identity gain persistent access; they use "
+ "valid stolen credentials (T1078), create new accounts (T1136), modify existing "
+ "account permissions (T1098), and enumerate accounts to find privileged targets "
+ "(T1087). Strong identity management directly reduces the blast radius of any "
+ "credential compromise."
+ ),
 "techniques": ["T1078", "T1136", "T1098", "T1087"],
 },
 {
 "control_id": "5.17",
 "title": "Authentication Information",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires secure management of all authentication secrets — passwords, tokens, "
+ "certificates, and API keys. Weak authentication is the most common initial access "
+ "vector: brute force and password spraying (T1110), credential dumping from memory "
+ "or disk (T1003), use of stolen credentials (T1078), and harvesting secrets from "
+ "configuration files (T1552). Enforcing strong, unique credentials with MFA "
+ "neutralises the majority of these attacks."
+ ),
 "techniques": ["T1110", "T1003", "T1078", "T1552"],
 },
 {
 "control_id": "5.20",
 "title": "Addressing Information Security in Supplier Agreements",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires that security obligations are contractually embedded in all supplier "
+ "relationships. Supply chain attacks — where adversaries compromise a trusted "
+ "third-party to reach the target (T1199, T1195) — have caused some of the largest "
+ "breaches in recent years (e.g., SolarWinds, 3CX). Security clauses in contracts, "
+ "combined with regular supplier audits, create accountability and reduce this risk."
+ ),
 "techniques": ["T1199", "T1195"],
 },
 {
 "control_id": "5.23",
 "title": "Information Security for Use of Cloud Services",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires security policies and controls specifically tailored for cloud services, "
+ "including roles, data classification, and monitoring. Cloud misconfiguration is "
+ "now the leading cause of data breaches — attackers access data from cloud storage "
+ "(T1530), exfiltrate to adversary-owned cloud accounts (T1537), abuse cloud "
+ "credentials (T1078), and exploit internet-facing cloud APIs (T1190). This control "
+ "establishes the governance layer that prevents these exposures."
+ ),
 "techniques": ["T1530", "T1537", "T1078", "T1190"],
 },
 {
 "control_id": "5.24",
 "title": "Information Security Incident Management Planning",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires documented, tested incident management procedures so the organisation can "
+ "respond effectively when an attack occurs. Without a plan, response is slow and "
+ "inconsistent — attackers establish persistent footholds via scheduled tasks or "
+ "startup entries (T1059, T1547) or deploy ransomware (T1486) while defenders are "
+ "still trying to understand what is happening. A tested plan reduces dwell time "
+ "from months to hours."
+ ),
 "techniques": ["T1059", "T1547", "T1486"],
 },
 {
 "control_id": "5.26",
 "title": "Response to Information Security Incidents",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires a structured response process — containment, eradication, and recovery — "
+ "when incidents are confirmed. Effective response must counter attacker persistence "
+ "mechanisms (T1059, T1547), recover evidence before it is wiped (T1070), and "
+ "restore disabled monitoring tools (T1562). The Red Team exercises mapped here "
+ "validate whether detection and response capabilities actually work under realistic "
+ "attack conditions."
+ ),
 "techniques": ["T1059", "T1547", "T1070", "T1562"],
 },
 {
 "control_id": "5.28",
 "title": "Collection of Evidence",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires that digital evidence is collected, preserved, and handled in a way that "
+ "maintains its integrity for potential legal proceedings or regulatory investigations. "
+ "Attackers deliberately destroy logs (T1070) and tamper with or disable security "
+ "tools (T1562) to prevent forensic analysis. This control ensures the organisation "
+ "can prove what happened and who was responsible."
+ ),
 "techniques": ["T1562", "T1070"],
 },
 {
 "control_id": "5.29",
 "title": "Information Security During Disruption",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires maintaining an acceptable security level even during major disruptions "
+ "such as disasters, outages, or crises. Ransomware (T1486), disk wipers (T1561), "
+ "and backup deletion (T1490) are specifically designed to make recovery impossible "
+ "and extort organisations. Controls must ensure backups are immutable and recovery "
+ "procedures are tested regularly."
+ ),
 "techniques": ["T1486", "T1490", "T1561"],
 },
 {
 "control_id": "5.30",
 "title": "ICT Readiness for Business Continuity",
 "category": "5 — Organizational Controls",
+ "description": (
+ "Requires ICT infrastructure to be resilient enough to continue critical operations "
+ "after a disruptive event. This addresses destructive attacks — ransomware (T1486), "
+ "backup inhibition (T1490), and denial-of-service (T1499, T1498) — that aim to "
+ "make the organisation unable to operate. Business continuity tests that include "
+ "cyber scenarios are the primary validation mechanism for this control."
+ ),
 "techniques": ["T1486", "T1490", "T1499", "T1498"],
 },
 # ── 6. People Controls ───────────────────────────────────────────────
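Review bot: Two of the new descriptions attach the wrong label to an ATT&CK ID, which matters because this text is what explains a coverage score to the reader. In 5.14, "non-standard ports (T1048)" should read as alternative protocols, since T1048 is Exfiltration Over Alternative Protocol and non-standard ports are T1571 (used that way in 8.20): `"paths: alternative protocols (T1048), command-and-control channels (T1041), cloud "`. In 5.24, "scheduled tasks or startup entries (T1059, T1547)" describes T1053 rather than T1059, which is Command and Scripting Interpreter; `"inconsistent — attackers run scripts and add autostart entries for persistence "` keeps the prose in line with the listed IDs. The statements "now the leading cause of data breaches" (5.23) and "from months to hours" (5.24) are given without a source and would be safer hedged or removed. `import_iso_27001_mappings` starts and ends outside the hunk.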
@@ -851,18 +1355,38 @@ def import_iso_27001_mappings(db: Session) -> dict:
 "control_id": "6.1",
 "title": "Screening",
 "category": "6 — People Controls",
+ "description": (
+ "Requires background checks on employees and contractors proportionate to their "
+ "access level. Insider threats are particularly dangerous because malicious insiders "
+ "already hold valid credentials (T1078) and can abuse access tokens without "
+ "triggering external alerts (T1134). Screening before hiring reduces the risk of "
+ "placing a bad actor in a privileged position."
+ ),
 "techniques": ["T1078", "T1134"],
 },
 {
 "control_id": "6.3",
 "title": "Information Security Awareness, Education and Training",
 "category": "6 — People Controls",
+ "description": (
+ "Requires regular, relevant security training for all personnel. The human element "
+ "is the most exploited attack surface: phishing emails (T1566), malicious "
+ "attachments or links (T1204), and credential harvesting via fake forms (T1598) "
+ "succeed primarily because users are not trained to recognise them. Simulated "
+ "phishing campaigns are the standard method to validate this control's effectiveness."
+ ),
 "techniques": ["T1566", "T1204", "T1598"],
 },
 {
 "control_id": "6.4",
 "title": "Disciplinary Process",
 "category": "6 — People Controls",
+ "description": (
+ "Requires a formal, communicated disciplinary process for security policy violations. "
+ "The existence of clear consequences deters insider misuse of credentials (T1078) "
+ "and unauthorised modification of account permissions (T1098). It also provides a "
+ "legally defensible framework when disciplinary action is needed after an incident."
+ ),
 "techniques": ["T1078", "T1098"],
 },
 # ── 7. Physical Controls ─────────────────────────────────────────────
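Review bot: Each new description repeats the technique IDs that the adjacent `techniques` list already carries, and nothing keeps the two in step (6.1, 6.3 and 6.4 here, and every other description added in this commit). A later edit to one side would leave the displayed text citing a technique that is no longer scored, or the reverse. A small unit test that extracts `T\d{4}` tokens from each `description` and asserts they are a subset of that entry's `techniques` would catch the drift. Failing that, a comment above each control list such as `# IDs cited in "description" must also appear in "techniques"` at least records the invariant.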
@@ -870,12 +1394,26 @@ def import_iso_27001_mappings(db: Session) -> dict:
 "control_id": "7.1",
 "title": "Physical Security Perimeters",
 "category": "7 — Physical Controls",
+ "description": (
+ "Requires physical barriers — security zones, badge access, locked server rooms — "
+ "to prevent unauthorised physical access to information processing facilities. "
+ "Physical access enables attacks that are impossible remotely, such as connecting "
+ "rogue hardware devices (T1200) — keyloggers, network implants, or rogue access "
+ "points — directly to internal systems."
+ ),
 "techniques": ["T1200"],
 },
 {
 "control_id": "7.4",
 "title": "Physical Security Monitoring",
 "category": "7 — Physical Controls",
+ "description": (
+ "Requires surveillance and monitoring of physical access to sensitive areas — CCTV, "
+ "access logs, visitor registers. Attackers with physical access can install hardware "
+ "implants (T1200) or tamper with authentication components (T1556) that cannot be "
+ "detected by purely network-based monitoring. Physical monitoring provides the "
+ "detective control for these scenarios."
+ ),
 "techniques": ["T1200", "T1556"],
 },
 # ── 8. Technological Controls ────────────────────────────────────────
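Review bot: The 7.4 description overstates what physical monitoring detects when it names it "the detective control" for tampering with authentication components (T1556). T1556 is Modify Authentication Process, which mostly covers software-level changes to how credentials are validated, and CCTV or visitor registers would not reveal those. The ID sits in the unchanged `techniques` line, so the mapping itself predates this commit, but the new prose should say only that physical access can precede such tampering. A closing sentence along the lines of `"Physical monitoring is the detective control for the hardware scenario."` avoids promising coverage the control cannot give.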
@@ -883,120 +1421,278 @@ def import_iso_27001_mappings(db: Session) -> dict: "control_id": "8.2", "title": "Privileged Access Rights", "category": "8 — Technological Controls", + "description": ( + "Requires strict management and minimisation of privileged accounts — administrator, " + "root, service accounts, and emergency access credentials. Privileged accounts are " + "the primary target in every major breach: attackers use valid admin credentials " + "(T1078), escalate from standard user to admin (T1548), or manipulate access tokens " + "to inherit elevated rights (T1134). Reducing the number and exposure of privileged " + "accounts directly limits the damage an attacker can do." + ), "techniques": ["T1078", "T1548", "T1134"], }, { "control_id": "8.3", "title": "Information Access Restriction", "category": "8 — Technological Controls", + "description": ( + "Requires that access to information and systems is restricted based on the " + "principle of least privilege. Overly permissive access allows attackers to move " + "laterally once inside — using remote services (T1021), abusing valid credentials " + "(T1078), bypassing authorisation checks (T1548), or using stolen session tokens " + "(T1550) to access systems the compromised user was never meant to reach." + ), "techniques": ["T1078", "T1021", "T1548", "T1550"], }, { "control_id": "8.5", "title": "Secure Authentication", "category": "8 — Technological Controls", + "description": ( + "Requires strong authentication mechanisms — multi-factor authentication (MFA), " + "password complexity, and session management — for all access to systems and " + "applications. Weak authentication is the root cause of the majority of breaches: " + "credential stuffing and password spraying (T1110), extracting password hashes from " + "memory or disk (T1003), using previously stolen credentials (T1078), and forging " + "Kerberos tickets (T1558). MFA alone blocks over 99% of automated credential " + "attacks." 
+ ), "techniques": ["T1078", "T1110", "T1003", "T1558"], }, { "control_id": "8.7", "title": "Protection Against Malware", "category": "8 — Technological Controls", + "description": ( + "Requires anti-malware controls including detection software, user awareness, " + "and policies on software use. Malware is delivered through multiple vectors: " + "script-based execution (T1059), user-initiated execution of malicious files " + "(T1204), phishing emails (T1566), and obfuscated or packed payloads designed " + "to evade detection (T1027, T1140). Effective anti-malware combines endpoint " + "detection, email filtering, and user training." + ), "techniques": ["T1059", "T1204", "T1027", "T1566", "T1140"], }, { "control_id": "8.8", "title": "Management of Technical Vulnerabilities", "category": "8 — Technological Controls", + "description": ( + "Requires timely identification and remediation of technical vulnerabilities through " + "a structured patch management and vulnerability scanning programme. Unpatched " + "systems are a primary attack vector: exploiting public-facing applications (T1190), " + "client-side vulnerabilities (T1203), local privilege escalation flaws (T1068), and " + "remote service vulnerabilities (T1210). The faster vulnerabilities are patched, " + "the shorter the window of exposure." + ), "techniques": ["T1190", "T1203", "T1068", "T1210"], }, { "control_id": "8.9", "title": "Configuration Management", "category": "8 — Technological Controls", + "description": ( + "Requires secure baseline configurations for all systems, with change control to " + "prevent unauthorised modifications. Attackers exploit insecure configurations to " + "establish persistence: hijacking DLL search paths or environment variables (T1574), " + "abusing event-triggered execution hooks (T1546), modifying registry settings " + "(T1112), or installing malicious services (T1543). A hardened baseline makes these " + "techniques significantly harder to execute." 
+ ), "techniques": ["T1574", "T1546", "T1112", "T1543"], }, { "control_id": "8.12", "title": "Data Leakage Prevention", "category": "8 — Technological Controls", + "description": ( + "Requires technical and procedural controls to prevent unauthorised disclosure of " + "sensitive information. Data exfiltration is the end goal of most targeted attacks — " + "via alternative protocols (T1048), command-and-control channels (T1041), cloud " + "storage services (T1567), or blending with legitimate web traffic (T1071). DLP " + "tools, network monitoring, and egress filtering are the primary technical controls " + "validated by this Red Team coverage metric." + ), "techniques": ["T1048", "T1041", "T1567", "T1071"], }, { "control_id": "8.13", "title": "Information Backup", "category": "8 — Technological Controls", + "description": ( + "Requires regular, tested backups of information and systems, with copies stored " + "separately from the production environment. Ransomware specifically targets backups " + "to maximise leverage — encrypting data (T1486), deleting or inhibiting recovery " + "tools (T1490), and wiping disks (T1561). Immutable, offsite, and regularly tested " + "backups are the only reliable defence against ransomware extortion." + ), "techniques": ["T1486", "T1490", "T1561"], }, { "control_id": "8.15", "title": "Logging", "category": "8 — Technological Controls", + "description": ( + "Requires event logs to be generated, protected, and retained for all relevant " + "systems. Logs are the primary evidence source for incident investigation — and " + "therefore the primary target for attackers covering their tracks: clearing event " + "logs (T1070) and disabling the security tools that generate them (T1562). Sending " + "logs to a centralised, protected SIEM immediately reduces the risk of evidence " + "destruction." 
+ ), "techniques": ["T1562", "T1070"], }, { "control_id": "8.16", "title": "Monitoring Activities", "category": "8 — Technological Controls", + "description": ( + "Requires continuous monitoring of systems, networks, and applications to detect " + "anomalous activity. Without monitoring, attackers can operate undetected for months " + "— executing commands (T1059), using scheduled tasks for persistence (T1053), " + "establishing registry-based persistence (T1547), and disabling defences (T1562) " + "without triggering any alerts. The score on this control directly reflects the " + "organisation's ability to detect an active intrusion." + ), "techniques": ["T1059", "T1053", "T1547", "T1562"], }, { "control_id": "8.18", "title": "Use of Privileged Utility Programs", "category": "8 — Technological Controls", + "description": ( + "Requires that privileged utility tools — system administration tools, scripting " + "engines, diagnostic utilities — are tightly controlled and audited. Attackers " + "routinely abuse built-in system utilities ('living-off-the-land'): command-line " + "interpreters (T1059), privilege escalation tools (T1548, T1134), and system " + "services (T1569). Restricting who can run these tools and logging all usage " + "significantly limits an attacker's post-exploitation options." + ), "techniques": ["T1059", "T1548", "T1134", "T1569"], }, { "control_id": "8.19", "title": "Installation of Software on Operational Systems", "category": "8 — Technological Controls", + "description": ( + "Requires authorisation and verification for any software installed on operational " + "systems, including a software allowlist where practical. Attackers introduce " + "malicious software through multiple channels: compromised software update " + "mechanisms (T1195), deployment systems used as attack vectors (T1072), and " + "persistence via auto-run keys or startup folders (T1546). 
An authorised software " + "baseline makes unauthorised installations immediately detectable." + ), "techniques": ["T1195", "T1072", "T1546"], }, { "control_id": "8.20", "title": "Networks Security", "category": "8 — Technological Controls", + "description": ( + "Requires network security controls — firewalls, IDS/IPS, network monitoring, and " + "traffic filtering — to protect information in transit and prevent unauthorised " + "network access. Attackers use non-standard ports (T1571), protocol tunnelling " + "(T1572), multi-hop proxies (T1090), and lateral movement via remote services " + "(T1021) to evade network defences. Network controls are the last line of detection " + "before data leaves the organisation." + ), "techniques": ["T1571", "T1572", "T1090", "T1021"], }, { "control_id": "8.22", "title": "Segregation of Networks", "category": "8 — Technological Controls", + "description": ( + "Requires that networks are segmented into separate zones based on trust level and " + "data sensitivity, with controls between zones. Network segmentation limits the " + "blast radius of a breach — without it, attackers move freely between systems using " + "remote services (T1021), abusing alternate authentication material (T1550), or " + "stealing Kerberos tickets to access other network segments (T1558). Effective " + "segmentation forces attackers to 'break through' multiple layers." + ), "techniques": ["T1021", "T1550", "T1558"], }, { "control_id": "8.23", "title": "Web Filtering", "category": "8 — Technological Controls", + "description": ( + "Requires filtering of web access to block malicious or unauthorised sites, " + "protecting users from web-based threats. Phishing links (T1566), drive-by " + "downloads (T1189), and social engineering attacks (T1204) all rely on users " + "reaching malicious web destinations. Web filtering provides a technical backstop " + "that catches threats even when users fail to recognise them." 
+ ), "techniques": ["T1566", "T1204", "T1189"], }, { "control_id": "8.24", "title": "Use of Cryptography", "category": "8 — Technological Controls", + "description": ( + "Requires appropriate use of encryption to protect the confidentiality and integrity " + "of sensitive information. Without encryption, attackers can intercept communications " + "using encrypted channels they control (T1573), extract data from compressed archives " + "(T1022), or obfuscate malicious payloads to evade detection (T1027). Enforcing " + "strong, approved encryption algorithms and key management reduces exposure across " + "all of these scenarios." + ), "techniques": ["T1573", "T1022", "T1027"], }, { "control_id": "8.26", "title": "Application Security Requirements", "category": "8 — Technological Controls", + "description": ( + "Requires that information security requirements are identified and agreed at the " + "start of any application development or procurement. Applications without defined " + "security requirements frequently ship with exploitable vulnerabilities — allowing " + "attackers to exploit public-facing applications (T1190), execute code via " + "vulnerable client-side logic (T1203), or run commands through application " + "weaknesses (T1059). Security requirements must be defined before coding begins, " + "not retrofitted after deployment." + ), "techniques": ["T1190", "T1059", "T1203"], }, { "control_id": "8.28", "title": "Secure Coding", "category": "8 — Technological Controls", + "description": ( + "Requires software development teams to follow secure coding principles, including " + "input validation, output encoding, and security testing as part of the build " + "process. Coding flaws are a primary source of exploitable vulnerabilities — " + "enabling injection attacks (T1059), exploitation of application weaknesses (T1190), " + "and client-side code execution (T1203). A mature secure development lifecycle " + "catches these flaws before they reach production." 
+ ), "techniques": ["T1059", "T1190", "T1203"], }, { "control_id": "8.32", "title": "Change Management", "category": "8 — Technological Controls", + "description": ( + "Requires a formal change management process for all changes to information " + "processing facilities and systems. Unauthorised changes are a key attacker " + "technique for maintaining persistent access — hijacking execution via DLL " + "planting (T1574), registering malicious event handlers (T1546), or modifying " + "registry keys (T1112). Change management with mandatory review and approval " + "makes these modifications immediately visible and attributable." + ), "techniques": ["T1574", "T1546", "T1112"], }, { "control_id": "8.34", "title": "Protection of Information Systems During Audit Testing", "category": "8 — Technological Controls", + "description": ( + "Requires that audit and penetration testing activities are carefully planned and " + "controlled so that tests do not disrupt live systems or become a vector for attack. " + "Poorly controlled audit tests can inadvertently disable security monitoring (T1562) " + "or trigger unintended script execution (T1059). This control also ensures audit " + "access credentials are not reused by attackers after the engagement." + ), "techniques": ["T1562", "T1059"], }, ] 
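Review bot: The 8.24 description does not hold together: "Without encryption, attackers can intercept communications using encrypted channels they control (T1573)" describes the adversary's own encrypted command-and-control channel, which an organisation's use of cryptography does not prevent. T1022 in the same entry looks like a revoked ID (superseded by T1560, Archive Collected Data) and should be checked against the ATT&CK version this importer targets. I would rewrite the paragraph to state what the control protects (data at rest and in transit) and present T1573 and T1027 as adversary use of encryption that limits inspection. Separately, 8.19 labels T1546 as "auto-run keys or startup folders", which is T1547; T1546 is Event Triggered Execution. In 8.5, `"Kerberos tickets (T1558). MFA alone blocks over 99% of automated credential "` states a figure with no source and would be safer as `"Kerberos tickets (T1558). MFA blocks the large majority of automated credential "`.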
@@ -1044,18 +1740,39 @@ def import_iso_42001_mappings(db: Session) -> dict: else: logger.info("ISO/IEC 42001:2023 framework already exists") + # NOTE: ISO/IEC 42001:2023 focuses on AI governance, not cybersecurity controls per se. + # The ATT&CK technique mappings here represent threats to the IT INFRASTRUCTURE that + # supports AI systems (data pipelines, model APIs, ML supply chains), not AI-specific + # attack techniques. MITRE ATT&CK Enterprise v14 does not yet include dedicated + # AI-targeted techniques. These mappings are based on the Centre for Security AI + # research community consensus (2023-2024) pending official CTID guidance. ISO_42001_CONTROLS = [ # ── A.2 Organization's Policies Related to AI ──────────────────────── { "control_id": "A.2.2", "title": "Process to Determine AI Impacts on Individuals", "category": "A.2 — AI Policy", + "description": ( + "Requires a systematic process to identify how AI system decisions or outputs " + "could affect individuals — including employees, customers, and third parties. " + "From a security perspective, an attacker who can map the AI's decision logic " + "or data sources (T1082, T1592, T1590) can design adversarial inputs or " + "manipulation strategies. Understanding AI impacts is therefore also a prerequisite " + "for assessing the business risk of an AI system compromise." + ), "techniques": ["T1082", "T1592", "T1590"], }, { "control_id": "A.2.6", "title": "Responsible Development and Use of AI", "category": "A.2 — AI Policy", + "description": ( + "Requires policies for responsible AI development covering transparency, fairness, " + "and safety. From a Red Team perspective, irresponsible development practices — " + "such as using untrusted open-source components (T1195) or failing to validate " + "AI pipeline scripts (T1059) — create attack surfaces that are difficult to defend. " + "This control establishes the governance foundation for secure AI development." 
+ ),
 "techniques": ["T1195", "T1059"],
 },
 # ── A.3 Internal Organization ─────────────────────────────────────────
@@ -1063,12 +1780,28 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.3.2",
 "title": "Roles and Responsibilities for AI Systems",
 "category": "A.3 — Internal Organization",
+ "description": (
+ "Requires clear ownership of AI systems — who builds them, who operates them, "
+ "and who is accountable for their security and ethical use. Without defined "
+ "ownership, AI system accounts are often orphaned and unmonitored (T1078), "
+ "account enumeration goes unnoticed (T1087), and excessive group memberships "
+ "accumulate (T1069). This control ensures someone is accountable for the security "
+ "posture of every AI component."
+ ),
 "techniques": ["T1078", "T1087", "T1069"],
 },
 {
 "control_id": "A.3.3",
 "title": "Reporting on AI Performance",
 "category": "A.3 — Internal Organization",
+ "description": (
+ "Requires regular reporting on AI system performance, including anomalies and "
+ "incidents. Attackers who manipulate an AI system (e.g., through data poisoning or "
+ "adversarial inputs) will often disable or tamper with the monitoring systems that "
+ "would reveal the manipulation (T1562) and clear associated logs (T1070). Robust "
+ "reporting that is independent of the AI system itself provides resilience against "
+ "this class of attack."
+ ),
 "techniques": ["T1562", "T1070"],
 },
 # ── A.4 Resources for AI Systems ─────────────────────────────────────
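Review bot: The NOTE above `ISO_42001_CONTROLS` attributes the mappings to "the Centre for Security AI research community consensus (2023-2024)", which a maintainer cannot trace, so the provenance of every mapping below it is unverifiable. Either cite a document or URL, or state plainly that the mappings are the project's own judgement. The comment also says ATT&CK Enterprise has no AI-targeted techniques but does not point to MITRE ATLAS, the separate knowledge base for attacks on ML systems. A line such as `# AI-specific techniques (data poisoning, adversarial inputs) are catalogued in MITRE ATLAS and are not mapped here.` would tell readers where the gap is. This matters because later descriptions (A.3.3, A.6.4) mention data poisoning while scoring only infrastructure techniques.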
@@ -1076,12 +1809,30 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.4.1",
 "title": "Resource Management for AI Systems",
 "category": "A.4 — AI Resources",
+ "description": (
+ "Requires adequate and protected computing resources for AI systems — GPU/CPU "
+ "clusters, storage, and inference infrastructure. AI systems require significant "
+ "compute and are therefore targets for resource exhaustion attacks: application-layer "
+ "denial of service (T1499) and volumetric network flooding (T1498) can prevent "
+ "AI services from operating or degrade their accuracy. Resource provisioning and "
+ "DDoS protection are essential safeguards."
+ ),
 "techniques": ["T1499", "T1498"],
 },
 {
 "control_id": "A.4.2",
 "title": "AI System Supply Chain Management",
 "category": "A.4 — AI Resources",
+ "description": (
+ "Requires vetting and ongoing management of third-party components used in AI "
+ "systems — including pre-trained models, ML frameworks (TensorFlow, PyTorch), "
+ "datasets, and cloud AI services. Supply chain attacks are a growing threat: "
+ "adversaries compromise software dependencies (T1195), exploit trusted third-party "
+ "relationships (T1199), or abuse software deployment mechanisms (T1072) to inject "
+ "malicious behaviour into AI pipelines. Model supply chain integrity is especially "
+ "critical because a backdoored model may produce correct outputs in testing but "
+ "behave maliciously in production."
+ ),
 "techniques": ["T1195", "T1199", "T1072"],
 },
 # ── A.5 Assessing Impacts of AI Systems ──────────────────────────────
@@ -1089,12 +1840,29 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.5.2",
 "title": "AI System Impact Assessment",
 "category": "A.5 — AI Impact Assessment",
+ "description": (
+ "Requires formal assessment of the risks and impacts of deploying an AI system "
+ "before it goes live and periodically thereafter. From a threat perspective, "
+ "attackers perform reconnaissance on AI systems to understand their capabilities, "
+ "inputs, and data sources: system enumeration (T1082), network infrastructure "
+ "discovery (T1592), and victim intelligence gathering (T1589). An impact assessment "
+ "that identifies sensitive inputs and high-value outputs helps prioritise where "
+ "security controls are most needed."
+ ),
 "techniques": ["T1082", "T1592", "T1589"],
 },
 {
 "control_id": "A.5.4",
 "title": "AI Risk Treatment",
 "category": "A.5 — AI Impact Assessment",
+ "description": (
+ "Requires that identified AI risks have defined treatment plans — accepted, "
+ "mitigated, transferred, or avoided. Risk treatment for AI systems must address "
+ "exploitation of the AI API or web interface (T1190), privilege escalation within "
+ "the AI infrastructure (T1068), and client-side attacks targeting users of AI "
+ "applications (T1203). Untreated risks represent known attack surfaces that "
+ "adversaries will exploit."
+ ),
 "techniques": ["T1190", "T1068", "T1203"],
 },
 # ── A.6 AI System Life Cycle ──────────────────────────────────────────
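Review bot: In the A.5.2 description the labels do not match the IDs they annotate: "network infrastructure discovery (T1592)" names T1590's subject, since T1592 is Gather Victim Host Information, and "victim intelligence gathering (T1589)" is specifically Gather Victim Identity Information. The sentence also presents T1082 (System Information Discovery, a post-compromise technique) as reconnaissance alongside two pre-compromise ones. Wording that follows the listed IDs would be `"inputs, and data sources: system information discovery (T1082), victim host "` then `"information gathering (T1592), and victim identity gathering (T1589). An impact assessment "`. A.2.2 in an earlier hunk groups T1082, T1592 and T1590 without per-ID labels, which avoids the problem.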
@@ -1102,36 +1870,83 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.6.1",
 "title": "AI System Life Cycle Management",
 "category": "A.6 — AI Life Cycle",
+ "description": (
+ "Requires security to be embedded throughout the AI system life cycle — from data "
+ "collection through training, deployment, monitoring, and decommissioning. Each "
+ "phase introduces distinct attack surfaces: compromised training dependencies "
+ "(T1195), malicious execution during build pipelines (T1574), and persistence "
+ "mechanisms introduced via rogue services in the AI infrastructure (T1543). "
+ "Life cycle security ensures no phase is left unguarded."
+ ),
 "techniques": ["T1195", "T1574", "T1543"],
 },
 {
 "control_id": "A.6.2",
 "title": "AI Objectives and Requirements",
 "category": "A.6 — AI Life Cycle",
+ "description": (
+ "Requires that security and privacy requirements are captured alongside functional "
+ "requirements from the start of an AI project. AI systems built without security "
+ "requirements frequently expose exploitable APIs (T1190) or allow arbitrary code "
+ "execution through unvalidated inputs (T1059). Defining security requirements early "
+ "is far cheaper than remediating vulnerabilities after deployment."
+ ),
 "techniques": ["T1190", "T1059"],
 },
 {
 "control_id": "A.6.3",
 "title": "AI System Design and Implementation",
 "category": "A.6 — AI Life Cycle",
+ "description": (
+ "Requires security-conscious design and implementation of AI systems — including "
+ "input validation, secure API design, and minimal attack surface. Poorly designed "
+ "AI systems are vulnerable to supply chain attacks on dependencies (T1195), "
+ "command injection via model prompts or API inputs (T1059), exploitation of the "
+ "serving infrastructure (T1190), and obfuscated malicious components in model "
+ "artefacts (T1027). Secure design principles applied during implementation "
+ "prevent these vulnerabilities from being introduced."
+ ),
 "techniques": ["T1195", "T1059", "T1190", "T1027"],
 },
 {
 "control_id": "A.6.4",
 "title": "AI System Verification and Validation",
 "category": "A.6 — AI Life Cycle",
+ "description": (
+ "Requires testing and validation that the AI system performs as intended and does "
+ "not behave maliciously. Security validation must detect data manipulation in the "
+ "training or inference pipeline (T1565) — often called 'data poisoning' — and "
+ "compromised model artefacts from supply chain attacks (T1195). Validation that "
+ "only checks functional accuracy will miss these attack vectors entirely."
+ ),
 "techniques": ["T1565", "T1195"],
 },
 {
 "control_id": "A.6.5",
 "title": "AI System Documentation",
 "category": "A.6 — AI Life Cycle",
+ "description": (
+ "Requires comprehensive documentation of AI system architecture, data flows, model "
+ "versions, and dependencies. Documentation itself can become an attack vector if "
+ "not protected: attackers who access internal AI documentation can discover "
+ "sensitive file locations (T1083) and extract proprietary training data or model "
+ "weights (T1005). Documentation must be classified, access-controlled, and "
+ "version-controlled."
+ ),
 "techniques": ["T1083", "T1005"],
 },
 {
 "control_id": "A.6.6",
 "title": "AI System Monitoring",
 "category": "A.6 — AI Life Cycle",
+ "description": (
+ "Requires operational monitoring of AI system behaviour — including anomaly "
+ "detection for unexpected inputs, outputs, and performance degradation. Attackers "
+ "who successfully compromise an AI system will attempt to disable or manipulate "
+ "its monitoring (T1562), clear associated operational logs (T1070), and maintain "
+ "persistence through the system's own execution mechanisms (T1059). Independent, "
+ "tamper-resistant monitoring is essential for detecting AI-targeted attacks."
+ ),
 "techniques": ["T1562", "T1070", "T1059"],
 },
 # ── A.7 Data for AI Systems ───────────────────────────────────────────
@@ -1139,30 +1954,72 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.7.2",
 "title": "Data Acquisition",
 "category": "A.7 — AI Data",
+ "description": (
+ "Requires that data used to train or operate AI systems is acquired from authorised "
+ "sources with appropriate consents and security controls. Training datasets "
+ "represent high-value intellectual property — attackers target them for exfiltration "
+ "by collecting data directly from systems (T1005), staging it for extraction (T1074), "
+ "or harvesting it from email and document stores (T1114). Unauthorised data "
+ "acquisition also violates privacy regulations (GDPR, AI Act)."
+ ),
 "techniques": ["T1005", "T1074", "T1114"],
 },
 {
 "control_id": "A.7.3",
 "title": "Data Preparation",
 "category": "A.7 — AI Data",
+ "description": (
+ "Requires secure and auditable data preparation pipelines — cleaning, labelling, "
+ "feature engineering — with controls to prevent unauthorised modification. "
+ "Data preparation pipelines are a primary vector for training data poisoning "
+ "(T1565), where an attacker subtly modifies training samples to cause the model "
+ "to learn incorrect or backdoored behaviour. Adversarial data scientists have "
+ "demonstrated that poisoning as little as 0.1% of training data can compromise "
+ "a model. Pipeline scripts must also be code-reviewed (T1059)."
+ ),
 "techniques": ["T1565", "T1059"],
 },
 {
 "control_id": "A.7.4",
 "title": "Data Quality",
 "category": "A.7 — AI Data",
+ "description": (
+ "Requires that data used in AI systems meets defined quality standards and is "
+ "monitored for drift or degradation. Attackers can degrade AI system performance "
+ "by manipulating input data quality (T1565) or destroying datasets entirely "
+ "(T1485). In production, adversarial examples — carefully crafted inputs designed "
+ "to fool the model — exploit the gap between training data distribution and "
+ "real-world inputs. Data quality controls include anomaly detection on inputs."
+ ),
 "techniques": ["T1565", "T1485"],
 },
 {
 "control_id": "A.7.5",
 "title": "Data Provenance",
 "category": "A.7 — AI Data",
+ "description": (
+ "Requires tracking the origin, transformation history, and custody chain of all "
+ "data used in AI systems. Without provenance tracking, it is impossible to detect "
+ "whether a dataset was poisoned in the supply chain (T1195) or maliciously "
+ "modified during processing (T1565). Data provenance also provides the audit trail "
+ "needed for regulatory compliance (EU AI Act, GDPR) and incident investigation "
+ "after an AI system produces unexpected outputs."
+ ),
 "techniques": ["T1195", "T1565"],
 },
 {
 "control_id": "A.7.6",
 "title": "Data Privacy",
 "category": "A.7 — AI Data",
+ "description": (
+ "Requires that personal data used in AI systems is processed lawfully, minimised, "
+ "and protected against unauthorised access. AI training datasets often contain "
+ "sensitive personal information that is a prime exfiltration target: direct "
+ "collection from local systems (T1005), harvesting from email (T1114), and "
+ "exfiltration via alternative protocols (T1048) or C2 channels (T1041). A "
+ "successful breach that extracts a training dataset typically constitutes a "
+ "reportable data breach under GDPR."
+ ),
 "techniques": ["T1005", "T1114", "T1048", "T1041"],
 },
 # ── A.8 Information About Use of AI Systems ───────────────────────────
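Review bot: The A.7.3 sentence `Adversarial data scientists have demonstrated that poisoning as little as 0.1% of training data can compromise a model.` states a precise figure with no source, and it ships as user-facing compliance guidance. Poisoning thresholds vary with model, task and attack type, so either name the study in a code comment above the entry or drop the number, e.g. `"to learn incorrect or backdoored behaviour. Published research shows that poisoning "` / `"a small fraction of training samples can be enough to compromise a model. "`. In the same description, `Pipeline scripts must also be code-reviewed (T1059)` attaches a technique ID to a mitigation; state what T1059 stands for here (script interpreters running tampered pipeline code) so the mapping can be explained to an auditor.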
@@ -1170,12 +2027,31 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.8.1",
 "title": "Transparency and Explainability of AI Systems",
 "category": "A.8 — AI Information",
+ "description": (
+ "Requires that AI systems are transparent about their capabilities, limitations, "
+ "and decision logic to relevant stakeholders. From a security standpoint, lack of "
+ "explainability makes it harder to detect when an AI system is being manipulated. "
+ "Attackers gather information about AI system architecture (T1082), map connected "
+ "infrastructure (T1592), and collect intelligence on the organisation's AI "
+ "capabilities (T1590) to design targeted exploits. Transparency controls and "
+ "model cards reduce this information asymmetry for defenders."
+ ),
 "techniques": ["T1082", "T1592", "T1590"],
 },
 {
 "control_id": "A.8.2",
 "title": "Security of AI Systems",
 "category": "A.8 — AI Information",
+ "description": (
+ "The core security control of ISO 42001: requires that AI systems are protected "
+ "against adversarial attacks, unauthorised access, and integrity violations. This "
+ "covers the full attack surface of an AI system in production: exploitation of "
+ "the serving API (T1190), command injection or prompt injection attacks (T1059), "
+ "exploitation of vulnerabilities in the inference framework (T1203), credential "
+ "attacks on AI platform accounts (T1078), and brute-force attacks on AI service "
+ "endpoints (T1110). This control must be validated through Red Team exercises "
+ "that specifically target AI infrastructure."
+ ),
 "techniques": ["T1190", "T1059", "T1203", "T1078", "T1110"],
 },
 # ── A.9 Use of AI Systems by Affected Parties ─────────────────────────
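Review bot: A.8.2 files prompt injection under T1059 (`command injection or prompt injection attacks (T1059)`), but T1059 is Command and Scripting Interpreter, and none of the five IDs in this control's `techniques` list represents prompt injection. As written, a good score on T1059 tests will read as prompt-injection coverage for the control the text itself calls the core security control, and `covers the full attack surface` overstates what five Enterprise ATT&CK techniques can measure. I would narrow the line to `"the serving API (T1190), command execution through script interpreters (T1059), "` and add a sentence saying that adversarial-ML techniques such as prompt injection are catalogued in MITRE ATLAS and are not measured by this mapping.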
@@ -1183,12 +2059,30 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.9.1",
 "title": "Intended Use of AI Systems",
 "category": "A.9 — AI Use",
+ "description": (
+ "Requires that AI systems are only used for their intended, authorised purpose and "
+ "that users are informed about appropriate use boundaries. Adversaries exploit AI "
+ "systems for unintended uses — for example, using AI-generated content as a "
+ "phishing vector (T1566), tricking users into executing AI-generated malicious "
+ "content (T1204), or using AI tools to automate credential harvesting campaigns "
+ "(T1598). Controls on intended use reduce the organisation's liability and attack "
+ "surface simultaneously."
+ ),
 "techniques": ["T1566", "T1204", "T1598"],
 },
 {
 "control_id": "A.9.3",
 "title": "Human Oversight of AI Systems",
 "category": "A.9 — AI Use",
+ "description": (
+ "Requires meaningful human oversight for high-risk AI decisions, including the "
+ "ability to intervene or override AI system outputs. An AI system without human "
+ "oversight that is compromised by an attacker — through credential theft (T1078), "
+ "token manipulation (T1134), or disabling its safety monitoring (T1562) — can "
+ "make autonomous decisions with real-world consequences before anyone notices. "
+ "Human oversight is both an ethical requirement (EU AI Act) and a critical "
+ "security control."
+ ),
 "techniques": ["T1078", "T1134", "T1562"],
 },
 # ── A.10 Third-Party and Customer Relationships ───────────────────────
@@ -1196,12 +2090,31 @@ def import_iso_42001_mappings(db: Session) -> dict:
 "control_id": "A.10.1",
 "title": "Third-Party AI System Governance",
 "category": "A.10 — Third-Party Relationships",
+ "description": (
+ "Requires governance of third-party AI services, APIs, and models used by the "
+ "organisation — including due diligence, contractual security requirements, and "
+ "ongoing monitoring. Third-party AI services are an increasingly attractive attack "
+ "target: adversaries exploit trusted relationships (T1199), compromise the software "
+ "supply chain of AI providers (T1195), abuse valid credentials to access third-party "
+ "AI APIs (T1078), or use legitimate external remote services as exfiltration "
+ "channels (T1133). This control establishes the security baseline for all AI "
+ "third-party dependencies."
+ ),
 "techniques": ["T1199", "T1195", "T1078", "T1133"],
 },
 {
 "control_id": "A.10.2",
 "title": "Customer Relationships for AI Systems",
 "category": "A.10 — Third-Party Relationships",
+ "description": (
+ "Requires appropriate disclosure to customers about the AI systems used in products "
+ "or services that affect them, including security and privacy implications. "
+ "Lack of customer disclosure creates risks when AI-generated content is weaponised "
+ "against users: AI-crafted phishing messages (T1566), information gathering via AI "
+ "personas (T1598), and credential harvesting targeting users who trust AI-powered "
+ "interfaces (T1078). Transparent disclosure allows customers to make informed "
+ "risk decisions."
+ ),
 "techniques": ["T1566", "T1598", "T1078"],
 },
 ]
diff --git a/backend/app/services/compliance_service.py b/backend/app/services/compliance_service.py
index 696231d..15742ec 100644
--- a/backend/app/services/compliance_service.py
+++ b/backend/app/services/compliance_service.py
@@ -62,6 +62,7 @@ def _get_control_status(control: ComplianceControl, db: Session) -> dict[str, An return { "control_id": control.control_id, "title": control.title, + "description": control.description, "category": control.category, "status": "not_evaluated", "score": 0, @@ -104,6 +105,7 @@ def _get_control_status(control: ComplianceControl, db: Session) -> dict[str, An return { "control_id": control.control_id, "title": control.title, + "description": control.description, "category": control.category, "status": status, "score": avg_score, diff --git a/frontend/src/api/compliance.ts b/frontend/src/api/compliance.ts index aac5fbc..85e0c19 100644 --- a/frontend/src/api/compliance.ts +++ b/frontend/src/api/compliance.ts @@ -22,6 +22,7 @@ export interface ComplianceTechniqueInfo { export interface ComplianceControlStatus { control_id: string; title: string; + description: string | null; category: string | null; status: "covered" | "partially_covered" | "not_covered" | "not_evaluated"; score: number; diff --git a/frontend/src/components/compliance/ControlsTable.tsx b/frontend/src/components/compliance/ControlsTable.tsx index ba133b6..d0ce1ce 100644 --- a/frontend/src/components/compliance/ControlsTable.tsx +++ b/frontend/src/components/compliance/ControlsTable.tsx @@ -1,6 +1,6 @@ import { useState } from "react"; import { useNavigate } from "react-router-dom"; -import { ChevronDown, ChevronRight, Search, Filter, ExternalLink } from "lucide-react"; +import { ChevronDown, ChevronRight, Search, Filter, ExternalLink, Info, ShieldAlert } from "lucide-react"; import type { ComplianceControlStatus } from "../../api/compliance"; interface ControlsTableProps { @@ -184,51 +184,73 @@ export default function ControlsTable({ controls }: ControlsTableProps) { {/* Expanded detail row */} {isExpanded && (
No techniques mapped to this control.
- ) : ( -- Mapped Techniques ({control.techniques.length}) -
-+ What this control requires — and why it matters +
++ {control.description} +
++ ATT&CK techniques covered ({control.techniques.length}) — sorted by coverage score +
+{activeFramework.description}
+