Skip to main content

Scenario S-007 - Compromise of bastion access platform

Element	Description
Scenario ID	S-007
Target asset	Teleport Bastion providing centralized administrative access to infrastructure
Threat source	External attacker or malicious insider
Attack vector	Stolen credentials or bypass of multi-factor authentication mechanisms
Potential impact	Broad administrative access to infrastructure systems enabling unauthorized management actions
Likelihood	🟨 Medium - credential theft and MFA bypass attempts are common attack techniques targeting access gateways
Impact rating	🟥 High - compromise of the bastion host can expose multiple systems to administrative takeover
Risk rating	🟥 High

Mitigation:

Enforce strong authentication with mandatory multi-factor authentication.
Restrict bastion access to trusted networks or VPN endpoints.
Apply role-based access control to limit administrative privileges.
Enable session recording and audit logging for administrative activities.
Monitor authentication events and access anomalies via centralized logging and SIEM.

Owners:

Ops - bastion infrastructure deployment and maintenance.
Sec - access policies, monitoring rules, and audit review.

References:

ISO 27001 - Control 8.2 Privileged access rights.
ISO 27001 - Control 8.3 Information access restriction.
ISO 27001 - Control 8.16 Monitoring activities.
NIST CSF - PR.AC Access Control.
NIST CSF - DE.CM Continuous Monitoring.
NIST CSF - PR.PT Protective Technology.
EBIOS RM - Threat scenarios targeting bastion platforms and privileged access compromise.

Response actions:

Containment - Immediately disable compromised accounts and restrict bastion access.
Eradication - Reset affected credentials and investigate authentication logs to determine intrusion vector.
Recovery - Re-establish secure bastion configuration and validate integrity of administrative access policies.
Post-incident - Conduct access reviews, strengthen authentication mechanisms, and update monitoring rules.