Objective: Exfiltrate Data and/or Disrupt Application Availability
+-----------------------------------------------------+
| Exfiltrate Data and/or Disrupt Application Availability |
+-----------------------------------------------------+
|
+--------------------------------+--------------------------------+--------------------------------+
| Data Exfiltration | Unauthorized Access | Configuration Weaknesses |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------+--------+ +--------+--------+ +--------+--------+ +--------+--------+
| JMX | | CQL | | Auth | | RBAC | | JMX | | Node |
|Exploit| |Injctn | |Bypass | |Bypass | |Miscfg | | Miscfg |
+--------+--------+ +--------+--------+ +--------+--------+ +--------+--------+
| | | | |
+--------+--------+ +--------+--------+ +--------+--------+ +--------+--------+ +--------+--------+
|Unauth | |Bypass | | Weak |{CN}| Weak | | Ex- |{CN}| | Un- |{CN}|
|JMX | |Schema | |Creds | |Roles | |posed | | patched|
|Access | | | | | | | |Ports | | Nodes |
+--------+--------+ +--------+--------+ +--------+--------+ +--------+--------+
| | |
+--------+--------+ +--------+--------+ |
| Read |[HR] | | Mod- |[HR] | |
| Data | | | ify | | |
| | | | Data | | |
+--------+--------+ +--------+--------+ |
|
+-----------+--------+ +--------+--------+
| Default| | | Guess-|
| Creds |[HR] | | able |[HR]
| | | | Creds |
+-----------+--------+ +--------+--------+
Attack Tree Path: Data Exfiltration - JMX Exploit
- JMX Exploit -> Unauthorized JMX Access -> Read Data [HR]
- Description: An attacker gains unauthorized access to the Cassandra cluster through an exposed and unsecured JMX interface. They then use JMX commands to directly read data from tables.
- Likelihood: Medium
- Impact: High
- Effort: Low
- Skill Level: Intermediate
- Detection Difficulty: Medium
- Mitigation:
- Disable unnecessary remote JMX access.
- Enable authentication and authorization for JMX.
- Use TLS for JMX connections.
- Monitor JMX activity for suspicious behavior.
Attack Tree Path: Data Exfiltration - CQL Injection
- CQL Injection -> Bypass Schema -> Read/Modify Data [HR]
- Description: An attacker exploits a vulnerability in the application's handling of user input to craft malicious CQL queries. These queries bypass intended data access restrictions, allowing the attacker to read or modify data they shouldn't have access to.
- Likelihood: Low
- Impact: High
- Effort: Medium
- Skill Level: Advanced
- Detection Difficulty: Hard
- Mitigation:
- Mandatory use of prepared statements for all CQL queries.
- Strict input validation and sanitization.
- Regular code reviews to identify potential injection vulnerabilities.
- Principle of least privilege for database users.
Attack Tree Path: Unauthorized Access - Auth Bypass
- Auth Bypass -> Weak Credentials {CN} -> Default Creds [HR] / Guessable Creds [HR]
- Description: An attacker gains unauthorized access to the Cassandra cluster by using default credentials (that were not changed during setup) or by guessing weak passwords.
- Likelihood: High
- Impact: High
- Effort: Low
- Skill Level: Novice
- Detection Difficulty: Easy
- Mitigation:
- Change all default usernames and passwords immediately after installation.
- Enforce strong password policies (length, complexity, and rotation).
- Consider implementing multi-factor authentication (MFA).
- Monitor for failed login attempts.
Attack Tree Path: Configuration Weaknesses - JMX Miscfg
- JMX Miscfg -> Exposed Ports {CN}
- Description: The Cassandra JMX port (default 7199) is exposed to the public internet or an untrusted network without proper security controls (authentication, authorization, or firewall rules).
- Likelihood: High
- Impact: High
- Effort: Very Low
- Skill Level: Novice
- Detection Difficulty: Very Easy
- Mitigation:
- Restrict network access to the JMX port using firewall rules. Allow access only from trusted hosts/networks.
- Disable remote JMX access if it's not strictly necessary.
- Enable authentication and authorization for JMX.
- Use TLS for JMX connections.
Attack Tree Path: Configuration Weaknesses - Node Miscfg
- Node Miscfg -> Unpatched Nodes {CN}
- Description: Cassandra nodes (or the underlying operating system) are running outdated software with known security vulnerabilities. An attacker exploits these vulnerabilities to gain access or disrupt the system.
- Likelihood: Medium
- Impact: High
- Effort: Medium
- Skill Level: Advanced (depending on the vulnerability)
- Detection Difficulty: Medium
- Mitigation:
- Establish a regular patching schedule for both Cassandra and the operating system.
- Automate patching where possible.
- Use vulnerability scanning tools to identify unpatched systems.
- Implement intrusion detection/prevention systems.