Legacy Modernization

Many companies operate business-critical applications that are technologically outdated and do not support modern security mechanisms.

Your Strategy

Avoid making direct changes to the legacy application's source code. Instead, wrap the system in a modern security layer: a WAF in front of it for virtual patching and an identity proxy that adds MFA before a request ever reaches the app.

Best Practices

  • Isolation: Run the legacy app in its own network segment (separate VLAN).
  • Hardening: Terminate TLS at the load balancer and enforce TLS 1.3 there, even if the app itself only speaks TLS 1.0.
  • Monitoring: Log and inspect every request at the proxy layer for anomalies, since the app itself often does not produce adequate logs.
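
The monitoring practice above, as an added example that is not part of the original page or AYSOLI's material: a small Python monitor that reads access logs from the load balancer in front of the legacy app and flags clients probing many non-existent paths (the Active Scanning technique listed further down) or repeatedly failing at the login form (Brute Force). The nginx-style log format, the thresholds, the login path and the sample log lines are assumptions constructed for this illustration.

```python
# Added example (not AYSOLI code). Assumes nginx "combined"-style access
# logs at the load balancer; all thresholds and sample data are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)
SCAN_THRESHOLD = 5     # distinct 404 paths from one client before flagging
BRUTE_THRESHOLD = 5    # failed login POSTs from one client before flagging
LOGIN_PATH = "/login"  # assumed path of the legacy login form

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Map client IP -> findings ('scanning', 'brute_force'); evidence comes only from the proxy."""
    not_found = defaultdict(set)   # ip -> distinct paths that returned 404
    login_fail = defaultdict(int)  # ip -> failed login attempts
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["status"] == "404":
            not_found[r["ip"]].add(r["path"])
        # Assumes the app answers a failed login with 401/403; a legacy app that
        # returns 200 with an error page needs a response-body marker instead.
        if r["method"] == "POST" and r["path"] == LOGIN_PATH and r["status"] in ("401", "403"):
            login_fail[r["ip"]] += 1
    findings = defaultdict(list)
    for ip, paths in not_found.items():
        if len(paths) >= SCAN_THRESHOLD:
            findings[ip].append("scanning")
    for ip, n in login_fail.items():
        if n >= BRUTE_THRESHOLD:
            findings[ip].append("brute_force")
    return dict(findings)

# Constructed sample: one path prober, one password guesser, one normal user.
SAMPLE_LOG = (
    [f'198.51.100.7 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /old/{p} HTTP/1.1" 404 153'
     for i, p in enumerate(["admin", "backup", "config", "debug", "setup", "test"])]
    + [f'203.0.113.9 - - [01/Jan/2024:10:01:{i:02d} +0000] "POST /login HTTP/1.1" 401 87'
       for i in range(5)]
    + ['192.0.2.4 - - [01/Jan/2024:10:02:00 +0000] "GET /orders HTTP/1.1" 200 5120']
)
```

In production the same two counters would be kept per time window and fed to the SIEM, since the legacy app itself leaves no record of the probing or the failed logins.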

STRIDE-LM Design Risks

  • S-01 (Spoofing): Identity Spoofing. Attacker impersonates a legitimate user or partner.
  • T-LEG-01 (Tampering): Vulnerable Legacy Components. Use of outdated libraries with known vulnerabilities.
  • R-01 (Repudiation): Audit Log Manipulation. Deleting or altering traces of an action.
  • I-WEB-01 (Information Disclosure): Sensitive PII Exposure. Disclosure of personally identifiable information (GDPR risk).
  • D-01 (Denial of Service): Resource Exhaustion. Overloading systems through massive requests or resource hogging.
  • E-01 (Elevation of Privilege): Privilege Escalation. Gaining privileges beyond what is intended.
  • L-01 (Lateral Movement): Lateral Movement. Accessing further internal systems after initial login.
  • M-01 (Monitoring Gaps): Insufficient Logging. Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Reconnaissance

  • T1592 Gather Victim Digital Network Information: Collecting information about the target infrastructure.
    Mitigated by: Data Anonymization (Differential Privacy) [Extended Protection, High; NIST: PR.PT-3]; Output Content Filtering [Baseline Protection, Low; NIST: AI-1.2, OWASP: LLM02].
  • T1595 Active Scanning: Active scanning of web infrastructure for vulnerabilities.
    Mitigated by: Virtual Patching via WAF [Extended Protection, Medium; CIS: 16.11, OWASP: A06:2021]; Advanced Threat Protection (WAF) [Extended Protection, Medium; CIS: 16.11, OWASP: API8]; Regular Penetration Testing [Extended Protection, High; CIS: 18.1, NIST: AI-5.1].

Initial Access

  • T1190 Exploit Public-Facing Application: Exploiting vulnerabilities in internet-facing services.
    Mitigated by: Virtual Patching via WAF [Extended Protection, Medium; CIS: 16.11, OWASP: A06:2021]; Advanced Threat Protection (WAF) [Extended Protection, Medium; CIS: 16.11, OWASP: API8]; Input Validation & Sanitization [Baseline Protection, Medium; CIS: 16.11, OWASP: A03:2021]; Strict Transport Security (TLS 1.3) [Baseline Protection, Low; CIS: 6.3, OWASP: A02:2021]; Regular Penetration Testing [Extended Protection, High; CIS: 18.1, NIST: AI-5.1]; Dynamic Application Security Testing (DAST) [Extended Protection, Medium; CIS: 18.1, OWASP: ASVS].
  • T1078 Valid Accounts: Exploiting existing credentials for access.
    Mitigated by: Conditional Access Policies [Baseline Protection, Medium; CIS: 6.1, NIST: PR.AC-7, OWASP: API2]; Regular Access Reviews [Baseline Protection, Low; CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021]; Privileged Identity Management (PIM) [Baseline Protection, Medium; CIS: 6.2, NIST: PR.AC-1, OWASP: A01:2021].

Persistence

  • T1505.003 Web Shell: Installation of a backdoor on the web server.
    Mitigated by: Input Validation & Sanitization [Baseline Protection, Medium; CIS: 16.11, OWASP: A03:2021]; Regular Penetration Testing [Extended Protection, High; CIS: 18.1, NIST: AI-5.1]; Dynamic Application Security Testing (DAST) [Extended Protection, Medium; CIS: 18.1, OWASP: ASVS].

Privilege Escalation

  • T1548 Abuse Elevation Control Mechanism: Bypassing mechanisms for privilege escalation (e.g., UAC).
    Mitigated by: Privileged Identity Management (PIM) [Baseline Protection, Medium; CIS: 6.2, NIST: PR.AC-1, OWASP: A01:2021].

Credential Access

  • T1110 Brute Force: Attempts to gain access to accounts or API keys through systematic trial and error.
    Mitigated by: Virtual Patching via WAF [Extended Protection, Medium; CIS: 16.11, OWASP: A06:2021]; Advanced Threat Protection (WAF) [Extended Protection, Medium; CIS: 16.11, OWASP: API8].
  • T1552 Credentials from Password Stores: Extracting passwords from web browsers or password managers.
    Mitigated by: Output Content Filtering [Baseline Protection, Low; NIST: AI-1.2, OWASP: LLM02].
  • T1539 Steal Web Session Cookie: Capturing active session tokens to bypass authentication.
    Mitigated by: Conditional Access Policies [Baseline Protection, Medium; CIS: 6.1, NIST: PR.AC-7, OWASP: API2]; HTTP Strict Transport Security (HSTS) [Baseline Protection, Low; CIS: 16.11, OWASP: A05:2021]; Strict Transport Security (TLS 1.3) [Baseline Protection, Low; CIS: 6.3, OWASP: A02:2021].

Lateral Movement

  • T1021 Remote Services: Use of legitimate remote services for lateral movement within the network.
    Mitigated by: Regular Access Reviews [Baseline Protection, Low; CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021].

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.