Secrets Management

Secrets such as API keys, passwords, and private keys are the most valuable targets for attackers. Storing them unprotected in source code is the most common cause of cloud compromises.

Your Strategy

Establish a "secretless infrastructure": applications should no longer hold static passwords but instead authenticate through managed identities. Where that is not possible, secrets must be stored in a central vault and rotated regularly and automatically.
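As an added illustration of the dynamic-secrets and rotation strategy above (example code written for this page, not AYSOLI's or any vault product's own code), the toy issuer below hands out short-lived HMAC-signed leases, refuses expired, revoked or tampered ones, and rotates its signing key with a grace window so that leases signed under the old key keep working until they expire or the window closes. The `LeaseIssuer` class, its claim names and the `demo()` scenario are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LeaseIssuer:
    """Hypothetical issuer of short-lived, HMAC-signed leases (constructed for this page).

    A lease is "<base64url claims>.<hex HMAC-SHA256 tag>". The application never holds a
    long-lived secret: it requests a lease when it needs access and the lease dies on its own.
    """

    def __init__(self, signing_key: bytes, default_ttl: int = 300, grace: int = 60):
        self._current = signing_key
        self._previous: Optional[bytes] = None
        self._previous_retires_at = 0.0   # absolute time after which the old key is refused
        self._default_ttl = default_ttl
        self._grace = grace
        self._revoked = set()             # lease IDs ("jti") revoked before expiry

    def _tag(self, body: str, key: bytes) -> str:
        return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str, scope: str, now: Optional[float] = None,
              ttl: Optional[int] = None) -> str:
        """Mint a lease for `subject` limited to `scope`, valid for `ttl` seconds from `now`."""
        now = time.time() if now is None else now
        ttl = self._default_ttl if ttl is None else ttl
        claims = {"sub": subject, "scope": scope, "iat": int(now),
                  "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{body}.{self._tag(body, self._current)}"

    def rotate_key(self, new_key: bytes, now: Optional[float] = None) -> None:
        """Switch to `new_key`; the old key stays accepted for `grace` seconds so in-flight leases survive."""
        now = time.time() if now is None else now
        self._previous, self._current = self._current, new_key
        self._previous_retires_at = now + self._grace

    def revoke(self, lease: str) -> None:
        """Blacklist a lease early (e.g. after an incident) instead of waiting for its expiry."""
        claims = json.loads(_unb64(lease.split(".", 1)[0]))
        self._revoked.add(claims["jti"])

    def validate(self, lease: str, now: Optional[float] = None) -> dict:
        """Return the claims of a genuine, unexpired, unrevoked lease or raise ValueError."""
        now = time.time() if now is None else now
        parts = lease.split(".", 1)
        if len(parts) != 2:
            raise ValueError("malformed lease")
        body, tag = parts
        keys = [self._current]
        if self._previous is not None and now < self._previous_retires_at:
            keys.append(self._previous)
        # Integrity first, with constant-time comparison against each acceptable key.
        if not any(hmac.compare_digest(self._tag(body, k), tag) for k in keys):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            raise ValueError("lease expired")
        if claims["jti"] in self._revoked:
            raise ValueError("lease revoked")
        return claims


def _rejection(issuer: LeaseIssuer, lease: str, now: float) -> str:
    """Reason validate() refuses `lease` at `now`, or "" if it was accepted."""
    try:
        issuer.validate(lease, now=now)
        return ""
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    """Walk one lease through issue, expiry, key rotation, revocation and tampering."""
    t0 = 1_700_000_000.0                                   # constructed clock, not wall time
    issuer = LeaseIssuer(b"constructed-signing-key-1", default_ttl=300, grace=60)
    lease = issuer.issue("build-agent", "db:read", now=t0)
    out = {"accepted_before_expiry": issuer.validate(lease, now=t0 + 100)["sub"],
           "rejected_after_expiry": _rejection(issuer, lease, now=t0 + 301)}
    issuer.rotate_key(b"constructed-signing-key-2", now=t0 + 100)
    out["old_key_ok_in_grace"] = issuer.validate(lease, now=t0 + 150)["scope"]
    out["old_key_refused_after_grace"] = _rejection(issuer, lease, now=t0 + 200)
    fresh = issuer.issue("build-agent", "db:read", now=t0 + 200)
    issuer.revoke(fresh)
    out["revoked_refused"] = _rejection(issuer, fresh, now=t0 + 201)
    flipped = fresh[:-1] + ("0" if fresh[-1] != "0" else "1")   # corrupt one tag character
    out["tampered_refused"] = _rejection(issuer, flipped, now=t0 + 201)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The grace window is the part worth copying: rotating a signing key without one either invalidates every lease in flight (an outage) or tempts operators to keep the old key around indefinitely (no rotation at all). A real vault also logs every issue, validate and revoke call, which this toy leaves out.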

Best Practices

  • Code Hygiene: Scan repositories on every push for accidentally committed secrets.
  • Dynamic Secrets: Use short-lived credentials that are generated only at the time of use.
  • Rotation: Enforce the automated renewal (rotation) of cryptographic material (certificates, API keys).
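The code-hygiene practice above, as an added example that is not part of the original page: a push-time scanner that inspects only the lines a diff adds, applies a few constructed detection patterns (an AWS-style access key ID, a PEM private-key header, and quoted literals assigned to names like password or token), and falls back to a Shannon-entropy heuristic for long random-looking strings that match no known format. The patterns, the allowlist markers and `SAMPLE_DIFF` are constructed for this example and are not any real scanner's rule set; the key ID and token in the sample are made up.

```python
import math
import re
from collections import Counter

# Constructed detection rules (illustrative, not any real scanner's rule set).
PATTERNS = {
    # AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of a private key pasted into a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A quoted literal of 8+ characters assigned to a secret-looking name.
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Lines carrying these markers reference a secret instead of embedding one
# (environment lookup, template placeholder) or are obvious placeholders.
ALLOWLIST_MARKERS = ("os.environ", "${", "CHANGEME", "<redacted>")

# Candidates for the entropy heuristic: 20+ chars from the base64/hex/identifier alphabet.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; hex tops out at 4, base64 at 6


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def scan_added_lines(diff_text: str):
    """Return (diff line number, rule) for each added line that looks like it carries a secret.

    Only '+' lines are examined, so a push that merely touches a file with an old,
    already-known finding is not re-flagged; the '+++' file header is skipped.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        if any(marker in content for marker in ALLOWLIST_MARKERS):
            continue
        matched = [name for name, pattern in PATTERNS.items() if pattern.search(content)]
        if not matched:
            # No known format: fall back to entropy over long random-looking tokens.
            # Long identifiers pass because natural names have low entropy.
            if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD
                   for tok in LONG_TOKEN.findall(content)):
                matched.append("high_entropy_string")
        findings.extend((lineno, name) for name in matched)
    return findings


# Constructed diff: the key ID and the 32-character token are made up, not real credentials.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
+DB_PASSWORD = "hunter2-but-longer-0000"
+AWS_KEY = "AKIA0123456789ABCDEF"
+API_TOKEN = os.environ["API_TOKEN"]
+SIGNING_KEY = "${SIGNING_KEY}"
+blob = "9f3aKq2ZpL7vXn4mTbW8cRdH1gYsUoE6"
+-----BEGIN RSA PRIVATE KEY-----
 unchanged = 1
-OLD = "removed-line-value-1234567"
"""

if __name__ == "__main__":
    for lineno, rule in scan_added_lines(SAMPLE_DIFF):
        print(f"line {lineno}: {rule}")
```

Wired into a pre-receive hook or CI job, a non-empty result fails the push; the two allowlisted lines show the pattern the scanner wants to see (a lookup or placeholder rather than a literal). The entropy fallback catches formats the pattern list does not know about at the price of occasional noise on long opaque identifiers, which is why it runs only when no pattern matched.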

STRIDE-LM Design Risks

  • S-01 (Spoofing) Identity Spoofing: Attacker impersonates a legitimate user or partner.
  • T-01 (Tampering) Data Tampering: Unauthorized modification of shared data or configurations.
  • R-01 (Repudiation) Audit Log Manipulation: Deleting or altering traces of an action.
  • I-GOV-01 (Information Disclosure) Hardcoded Secrets in Source Code: API keys or passwords in source code or scripts.
  • I-GOV-02 (Information Disclosure) Cryptographic Material Leakage: Leakage of private keys or root certificates.
  • D-01 (Denial of Service) Resource Exhaustion: Overloading systems through massive requests or resource hogging.
  • E-01 (Elevation of Privilege) Privilege Escalation: Gaining privileges beyond what is intended.
  • M-01 (Monitoring Gaps) Insufficient Logging: Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Techniques are grouped by tactic. Each mitigation is shown as control, protection level and High/Medium/Low rating, followed by its CIS, NIST and OWASP references.

Reconnaissance
  • T1592 Gather Victim Digital Network Information: Collecting information about the target infrastructure.
    Mitigated by:
      - Data Anonymization (Differential Privacy), Extended Protection, High [NIST: PR.PT-3]

Initial Access
  • T1078 Valid Accounts: Exploiting existing credentials for access.
    Mitigated by:
      - Centralized Secrets Vaulting, Extended Protection, Medium [CIS: 6.12; NIST: PR.DS-1]
      - Least Privilege Principle, Baseline Protection, Medium [CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021]
      - Privileged Identity Management (PIM), Baseline Protection, Medium [CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021]
      - Regular Access Reviews, Baseline Protection, Low [CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021]
      - Conditional Access Policies, Baseline Protection, Medium [CIS: 6.1; NIST: PR.AC-7; OWASP: API2]
  • T1190 Exploit Public-Facing Application: Exploiting vulnerabilities in internet-facing services.
    Mitigated by:
      - Code Scanning (SAST / Secret Scanning), Extended Protection, Medium [CIS: 16.3; OWASP: A06:2021]

Persistence
  • T1098 Account Manipulation: Changing permissions or creating new accounts.
    Mitigated by:
      - Privileged Identity Management (PIM), Baseline Protection, Medium [CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021]
      - Regular Access Reviews, Baseline Protection, Low [CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021]

Credential Access
  • T1552 Credentials from Password Stores: Extracting passwords from web browsers or password managers.
    Mitigated by:
      - Centralized Secrets Vaulting, Extended Protection, Medium [CIS: 6.12; NIST: PR.DS-1]
      - Code Scanning (SAST / Secret Scanning), Extended Protection, Medium [CIS: 16.3; OWASP: A06:2021]
  • T1528 Steal Application Access Token: Theft of tokens to bypass authentication.
    Mitigated by:
      - Centralized Secrets Vaulting, Extended Protection, Medium [CIS: 6.12; NIST: PR.DS-1]
  • T1003 OS Credential Dumping: Extracting credentials from the operating system.
    Mitigated by:
      - Privileged Access Workstation (PAW), Extended Protection, High [CIS: 6.4; NIST: PR.AC-3]

Discovery
  • T1580 Shadow IT Asset Discovery: Finding unmanaged resources in the network.
    Mitigated by:
      - Least Privilege Principle, Baseline Protection, Medium [CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021]

Lateral Movement
  • T1550 Use Alternate Authentication Material: Using stolen tokens or hashes to authenticate without a password.
    Mitigated by:
      - Automated Certificate Rotation, Extended Protection, Medium [CIS: 12.7; NIST: PR.DS-2]

Exfiltration
  • T1020 Automated Exfiltration: Automated exfiltration of data via interfaces.
    Mitigated by:
      - Data Anonymization (Differential Privacy), Extended Protection, High [NIST: PR.PT-3]

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.

Free consultation