Scenario S-002 - Unauthorized administrative access to infrastructure
| Element | Description |
|---|---|
| Scenario ID | S-002 |
| Target asset | Proxmox Host and Teleport Bastion administrative interfaces |
| Threat source | External attacker or malicious insider |
| Attack vector | Exposed administrative interface or compromise of privileged credentials |
| Potential impact | Full administrative control of the virtualized infrastructure including virtual machines, containers, and network configuration |
| Likelihood | 🟨 Medium - administrative interfaces are frequent targets for attackers when exposed or weakly protected |
| Impact rating | 🟥 High - compromise of infrastructure management systems grants control over hosted services and critical components |
| Risk rating | 🟥 High |

Mitigation:
- Restrict access to administrative interfaces through a VPN or bastion host.
- Enforce multi-factor authentication for privileged accounts.
- Disable direct root login and use role-based access control.
- Apply network segmentation to isolate infrastructure management interfaces.
- Monitor authentication attempts and administrative actions via a central logging platform.
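As an added example (not part of this scenario card or of Proxmox/Teleport), the monitoring and root-login controls above can be turned into a small detection rule run over central logs. The log lines below are constructed to approximate Proxmox pvedaemon syslog output; the threshold, window and finding names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating Proxmox pvedaemon syslog output (not real logs).
SAMPLE_LOG = """\
Mar 10 09:00:01 pve1 pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 10 09:00:03 pve1 pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 10 09:00:04 pve1 pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 10 09:00:05 pve1 pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=admin@pam msg=no such user
Mar 10 09:00:09 pve1 pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 10 09:01:30 pve1 pvedaemon[1201]: <root@pam> successful auth for user 'root@pam'
Mar 10 09:05:00 pve1 pvedaemon[1201]: <ops@pve> successful auth for user 'ops@pve'
"""

SYSLOG_TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pvedaemon\[\d+\]: "
FAIL = re.compile(SYSLOG_TS + r"authentication failure; rhost=(?P<rhost>\S+) user=(?P<user>\S+)")
OK = re.compile(SYSLOG_TS + r"<\S+> successful auth for user '(?P<user>[^']+)'")


def parse_ts(ts):
    # Syslog timestamps carry no year; deltas within one day are all we need here.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (rule, subject, detail) findings for the two controls in this scenario:
    a burst of failed logins from one source, and any successful direct root login."""
    findings = []
    fails = defaultdict(list)  # rhost -> timestamps of failures inside the sliding window
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            ts = parse_ts(m["ts"])
            hist = fails[m["rhost"]]
            hist.append(ts)
            while hist and ts - hist[0] > window:  # drop failures older than the window
                hist.pop(0)
            if len(hist) == threshold:  # fire once when the burst first crosses the threshold
                findings.append(("brute_force", m["rhost"], f"{threshold} failures within {window.seconds}s"))
            continue
        m = OK.match(line)
        if m and m["user"] == "root@pam":  # policy: direct root login is disabled, so any success is a finding
            findings.append(("root_login", m["user"], "direct root login should be disabled"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```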
Owners:
- Ops - infrastructure provisioning, access restrictions, system maintenance.
- Sec - privileged access policies, monitoring, detection rules.
References:
- ISO 27001 - Control 8.2 Privileged access rights.
- ISO 27001 - Control 8.3 Information access restriction.
- ISO 27001 - Control 8.15 Logging.
- ISO 27001 - Control 8.16 Monitoring activities.
- NIST CSF - PR.AC Identity Management and Access Control.
- NIST CSF - DE.CM Continuous Monitoring.
- NIST CSF - RS.AN Incident Analysis.
- EBIOS RM - Threat scenarios involving compromise or misuse of privileged access.
Response actions:
- Containment - Immediately disable compromised accounts and restrict access to the management interfaces.
- Eradication - Reset privileged credentials and review authentication logs to identify the intrusion vector.
- Recovery - Restore affected systems to a trusted configuration and verify integrity of hosted workloads.
- Post-incident - Review access control policies, strengthen authentication mechanisms, and update monitoring rules.