mal-lang / coreLang

A probabilistic attack simulation language for the (abstract) IT domain
https://mal-lang.org/coreLang/

Create a Data - Information association to represent backups. #51

Closed andrewbwm closed 2 years ago

andrewbwm commented 2 years ago

We would like to create an association between Information and Data assets to represent that the same information is replicated across multiple backups. This concept is also represented in MITRE documentation under the Data Backup Mitigation.

Data assets in such a relationship would trigger a read across all of the replicas if one of them is read. In order to be able to write the Data assets a write must be reached on all of the replicas.

We may also want to add attack steps that represent the attacker slowly poisoning the backups, but this may not be necessary in the first implementation.

andrewbwm commented 2 years ago

This has been implemented in #57.

If an attacker is able to read one of the replicas, they are able to read all of the other replicas as well. In order to write/deny/delete a replica, all the replicas associated with that Information asset must be disrupted (write/deny/delete), not the same one across all of them, but they must all experience a disturbance.

If all of the replicas have been affected by an attack, the disturbances will propagate across the replicas. For example, if two replicas have been denied and one has been deleted, then all three experience both the delete and deny disruptions. This is perhaps too pessimistic of an approach and we may want to limit the disruption propagation.

The current implementation does not cover slow poisoning of backup replicas.
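
The replica semantics described in the comment above, as a small Python model added here for illustration; it is not coreLang or MAL code and does not come from the project. `Replica`, `evaluate`, `demo` and the replica names are hypothetical, and the sample inputs are constructed.

```python
from dataclasses import dataclass, field

DISRUPTIONS = {"write", "deny", "delete"}

@dataclass
class Replica:
    name: str
    # Disruptions the attacker has reached on this one copy (constructed input).
    attempted: set = field(default_factory=set)
    # True if the attacker has reached read on this one copy.
    read: bool = False

def evaluate(replicas):
    """Effective attack steps per replica of a single Information asset."""
    # Read behaves as OR: one readable copy exposes every copy.
    any_read = any(r.read for r in replicas)
    # Disruption behaves as AND: every copy needs at least one disturbance,
    # though not necessarily the same kind on each.
    all_disrupted = all(r.attempted & DISRUPTIONS for r in replicas)
    # Once every copy is disturbed, the union of disturbances propagates to all.
    propagated = set()
    if all_disrupted:
        propagated = set().union(*(r.attempted & DISRUPTIONS for r in replicas))
    result = {}
    for r in replicas:
        steps = set(propagated)
        if any_read:
            steps.add("read")
        result[r.name] = steps
    return result

def demo():
    # Two copies denied, third only read: the untouched backup blocks disruption.
    partial = [Replica("primary", {"deny"}), Replica("onsite", {"deny"}),
               Replica("offsite", read=True)]
    # Two copies denied, one deleted: all three end up with both disruptions.
    full = [Replica("primary", {"deny"}), Replica("onsite", {"deny"}),
            Replica("offsite", {"delete"})]
    return evaluate(partial), evaluate(full)

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The first scenario shows why a single intact backup keeps the information available in this model, and the second reproduces the propagation case the comment calls possibly too pessimistic.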