CAPEC-548 Detail
Contaminate Resource
Abstraction: Meta. Domains: Software, Hardware. Likelihood of Attack: Low. Typical Severity: High.
An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. When this happens, the contaminated information system, device, or network must be brought offline to investigate and mitigate the data spill, which denies availability of the system until the investigation is complete.
Contamination through email is a very common attack vector. Systems with email servers, or personal work systems using email, are susceptible to this attack simply by receiving an email that contains a classified document or information. Even a fake classified document that is mistaken for genuine classified material could be used; the system would still have to be taken offline until the validity of the material is confirmed.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-548 | capec | https://capec.mitre.org/data/definitions/548.html | |
| REF-742 | reference_from_CAPEC | https://fiswg.research.ucf.edu/Documents/PPT/Manage%20a%20Data%20Spill-Contamination%20September%202015.pptx | Florida Industrial Security Working Group (FISWG), Managing a “Data Spill” |
| REF-743 | reference_from_CAPEC | https://csrc.nist.gov/glossary/term/data_spillage | data spillage |
Prerequisites:
- The adversary needs to have real or fake classified/sensitive information to place on a system
Skills Required:

| Skill Level | Skill |
|---|---|
| Low | The ability to fake a classified document |
| High | The ability to obtain a classified document or information |
Consequences:

| Scope | Impact |
|---|---|
| Availability | Resource Consumption (Denial of Service) |
| Confidentiality | Read Data (victims of the attack can be exposed to classified materials) |
Example Instances:
- An insider threat was able to obtain a classified document. They have knowledge that a backend server which provides access to a website also runs a mail server. The adversary creates a throwaway email address and sends the classified document to the mail server. When an administrator checks the mail server they notice that it has processed an email with a classified document and the server has to be taken offline while they investigate the contamination. In the meantime, the website has to be taken down as well and access to the website is denied until the backend can be migrated to another server or the investigation is complete.
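A defender-side check for the email contamination path described above and in the example instance, added here as an illustration and not part of CAPEC-548 or its references: an edge mail filter parses each inbound message and quarantines anything carrying a classification banner in the subject, text body or attachment filename, so the document never reaches the mail store and the spill is contained to the quarantine host rather than forcing the shared server (and the website co-hosted with it) offline. The marking patterns and the sample message are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed marking patterns (assumption): a real deployment loads them from the
# organization's classification guide; banners are upper case, so match case-sensitively.
MARKING_PATTERNS = [re.compile(p) for p in (
    r"\bTOP SECRET\b(//[A-Z]+)?", r"\bSECRET\b(//[A-Z]+)?", r"\bCONFIDENTIAL\b(//[A-Z]+)?")]

def find_markings(text):
    """Return every classification marking found in a block of text."""
    return [m.group(0) for p in MARKING_PATTERNS for m in p.finditer(text or "")]

def scan_message(raw):
    """Parse a raw RFC 5322 message and report where markings appear: subject, text
    parts and attachment filenames (binary attachment contents are left to a DLP engine)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    if hits := find_markings(str(msg.get("Subject", ""))):
        findings["subject"] = hits
    for part in msg.walk():
        fname = part.get_filename()
        if fname and find_markings(fname):
            findings.setdefault("attachments", []).append(fname)
        if part.get_content_maintype() == "text":
            if hits := find_markings(part.get_content()):
                findings.setdefault("body", []).extend(hits)
    return findings

def disposition(raw):
    """Edge-MTA decision: 'quarantine' keeps a marked message out of the mail store, so a
    spill is contained to the quarantine host instead of taking the whole server offline."""
    return "quarantine" if scan_message(raw) else "deliver"

# Constructed sample resembling the CAPEC example: a banner in the body and in an
# attachment filename.
SAMPLE_MAIL = b"""\
Subject: Quarterly report
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please review the attached. SECRET//NOFORN handling applies.
--B1
Content-Type: application/pdf
Content-Disposition: attachment; filename="TOP SECRET briefing.pdf"

--B1--
"""
```

Running `disposition(SAMPLE_MAIL)` returns `"quarantine"` with findings in the body and the attachment filename; a message without markings returns `"deliver"`.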