It makes sense that defenders’ visibility into cloud environments can be a bit…well, cloudy. We gathered a team of experts to help you clear things up. In the latest installment of our Detection Series, Red Canary’s own Thomas Gardner and Justin Schoenfeld joined MITRE’s Casey Knerr and Atomic Red Team Maintainer Jose Hernandez for an in-depth discussion of the most prevalent cloud techniques.
To kick things off, Thomas examines some key differences between cloud environments and their on-premise counterparts, noting that in the cloud “risk detection is just as important as threat detection.”
Why do adversaries target cloud assets?
Jose provides answers for both the who and the why when it comes to adversaries targeting cloud environments, highlighting the modus operandi of the Scattered Spider, TeamTNT, APT29 and Cloud Wizard threat groups.
How do I improve visibility into cloud techniques?
Justin then takes on the Microsoft side of things, showcasing log sources available from Azure and Entra ID, including the new Graph API activity logs.
What does a cloud intrusion look like?
With some help from Fantastic Mr. Fox, the gang walks us through each step of a typical cloud intrusion, from initial access to exfiltration. Take note: every phase introduces new detection opportunities.
Justin sheds light on various phishing strategies as well as how adversaries exploit public-facing web applications via server-side request forgery (SSRF).
To help you thwart an adversary trying to uncover lists of roles and policies, Thomas shares some discovery operations to watch out for in both AWS and Azure.
Before diving into the various ways that adversaries gain permissions, Casey points out that privilege escalation is not always necessary in the cloud, as many cloud accounts are configured with overly permissive privileges from the start.
Justin walks through how adversaries maintain their elevated privileges and access to AWS and Azure environments.
Thomas explains how adversaries disable logging and multi-factor authentication (MFA) to stay out of sight in AWS and Azure.
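The discovery operations Thomas describes (listing roles and policies) and the logging and MFA tampering he covers both leave API-call records in CloudTrail. The following is an added example, not code from the webinar or from Red Canary, that runs two simple detections over constructed CloudTrail-style events: a single-event alert on logging/MFA tampering and a per-principal burst of distinct IAM discovery calls. The event names are real AWS API actions; the window, threshold and sample records are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real AWS API action names; which ones count as "tamper" vs "discovery" is this example's choice.
DISCOVERY_CALLS = {"ListRoles", "ListPolicies", "ListUsers", "GetAccountAuthorizationDetails"}
TAMPER_CALLS = {"StopLogging", "DeleteTrail", "DeactivateMFADevice", "DeleteVirtualMFADevice"}
DISCOVERY_THRESHOLD = 3          # distinct discovery calls by one principal (assumed)
WINDOW = timedelta(minutes=5)    # sliding window for the burst rule (assumed)

# Constructed CloudTrail records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ListRoles",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListRoles",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "ListPolicies",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "GetAccountAuthorizationDetails",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "DeactivateMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return (principal, rule, detail) findings for the two rules described above."""
    findings = []
    discovery = defaultdict(list)            # principal -> [(time, eventName)]
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal, name = ev["userIdentity"]["arn"], ev["eventName"]
        if name in TAMPER_CALLS:             # one call is enough to flag
            findings.append((principal, "logging_or_mfa_tamper", name))
        if name in DISCOVERY_CALLS:
            discovery[principal].append((parse_time(ev["eventTime"]), name))
    for principal, calls in discovery.items():
        for i, (start, _) in enumerate(calls):
            seen = {n for t, n in calls[i:] if t - start <= WINDOW}
            if len(seen) >= DISCOVERY_THRESHOLD:   # distinct calls, not raw volume
                findings.append((principal, "iam_discovery_burst", sorted(seen)))
                break                        # one finding per principal
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Counting distinct call types rather than raw volume keeps a single noisy console page from tripping the burst rule, while the tamper rule stays single-event because a legitimate StopLogging is rare enough to warrant review every time.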
Jose tackles the final phase of the intrusion cycle, during which adversaries often download valuable assets directly from cloud storage.
What’s new in ATT&CK?
Casey updates everyone on the latest cloud techniques added to the MITRE ATT&CK matrix: