It makes sense that defenders’ visibility into cloud environments can be a bit…well, cloudy. We gathered a team of experts to help you clear things up. In the latest installment of our Detection Series, Red Canary’s own Thomas Gardner and Justin Schoenfeld joined MITRE’s Casey Knerr and Atomic Red Team Maintainer Jose Hernandez for an in-depth discussion of the most prevalent cloud techniques.
You can watch the full recording here or check out the clips below.
What’s so special about the cloud anyway?
To kick things off, Thomas examines some key differences between cloud environments and their on-premises counterparts, noting that in the cloud “risk detection is just as important as threat detection.”
Why do adversaries target cloud assets?
Jose provides answers for both the who and the why when it comes to adversaries targeting cloud environments, highlighting the modus operandi of the Scattered Spider, TeamTNT, APT29 and CloudWizard threat groups.
How do I improve visibility into cloud techniques?
The short answer? Get to know your logs. Thomas gives a rundown of the various log sources available in AWS, as featured in our comprehensive guide on How to increase visibility into AWS and improve cloud security.
Justin then takes on the Microsoft side of things, showcasing log sources available from Azure and Entra ID, including the new Graph API activity logs.
What does a cloud intrusion look like?
With some help from Fantastic Mr. Fox, the gang walks us through each step of a typical cloud intrusion, from initial access to exfiltration. Take note: every phase introduces new detection opportunities.
Initial access
Justin sheds light on various phishing strategies as well as how adversaries exploit public-facing web applications via server-side request forgery (SSRF).
Discovery
To help you thwart an adversary trying to uncover lists of roles and policies, Thomas shares some discovery operations to watch out for in both AWS and Azure.
Privilege escalation
Before diving into the various ways that adversaries gain permissions, Casey points out that privilege escalation is not always necessary in the cloud, as many cloud accounts are configured with overly permissive privileges from the start.
Persistence
Justin walks through how adversaries maintain their elevated privileges and access to AWS and Azure environments.
Defense evasion
Thomas explains how adversaries disable logging and multi-factor authentication (MFA) to stay out of sight in AWS and Azure.
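As an added example (not from the webinar or Red Canary's own tooling), here is a small detection that reads a CloudTrail delivery file and flags the AWS management calls that blind logging or weaken MFA, the behaviour Thomas describes above. The records, account id and ARNs are constructed sample data; the event names are real CloudTrail and IAM API names. Note that a call denied with an errorCode is still reported, since the attempt itself is the signal.

```python
import json

# Constructed CloudTrail-style records (sample data, not real telemetry). Field
# names follow the CloudTrail record format; account id and ARNs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"}},
    {"eventTime": "2024-05-01T10:02:13Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-05-01T10:03:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]})

# Management API calls that reduce logging coverage or weaken MFA.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
MFA_TAMPER = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

def classify(record):
    """Return a finding dict for a tampering call, or None for everything else."""
    source, name = record.get("eventSource"), record.get("eventName")
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
        category = "logging_tamper"
    elif source == "iam.amazonaws.com" and name in MFA_TAMPER:
        category = "mfa_tamper"
    else:
        return None  # read-only calls such as DescribeTrails are not tampering
    params = record.get("requestParameters") or {}
    return {
        "category": category,
        "eventName": name,
        "actor": record.get("userIdentity", {}).get("arn", "unknown"),
        "target": params.get("name") or params.get("userName") or "",
        # A denied attempt is still a signal: the caller tried to blind you.
        "succeeded": "errorCode" not in record,
        "eventTime": record.get("eventTime", ""),
    }

def find_tampering(log_text):
    """Parse a CloudTrail delivery file ({"Records": [...]}) and return findings."""
    records = json.loads(log_text).get("Records", [])
    return [finding for finding in map(classify, records) if finding]

if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_LOG):
        print(finding)
```

The same shape of check applies to the Azure side, where the equivalent signals are diagnostic-setting changes and authentication-method removals in the activity and audit logs.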
Exfiltration
Jose tackles the final phase of the intrusion cycle, during which adversaries often download valuable assets directly from cloud storage.
What’s new in ATT&CK?
Casey updates everyone on the latest cloud techniques added to the MITRE ATT&CK matrix:
- Account Manipulation (T1098)
- Temporary Elevated Cloud Access (T1548.005)
- Cloud Secrets Management Stores (T1555.006)
- Direct Cloud VM Connections (T1021.008)
- Log Enumeration (T1654)
How can I test my defenses against these techniques?
Jose handpicks some Atomic Red Team tests that will help you validate your detection coverage for disabling cloud logs and data exfiltration via rclone.