T1530 Data from Cloud Storage Object Mappings

Adversaries may access data objects from improperly secured cloud storage.

Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)

Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials from source repositories, logs, or other sources as a way to gain access to cloud storage objects that do have access permission controls.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

beyondcorp_enterprise | BeyondCorp Enterprise | technique_scores | T1530 | Data from Cloud Storage Object
Comments: Access Context Manager allows Google Cloud organization administrators to define fine-grained, attribute-based access control for projects and resources. Access levels applied to resources with IAM Conditions enforce fine-grained access control based on a variety of attributes, including IP subnetworks. Adversaries may obtain leaked credentials; however, because admins can grant an access level based on the IP address of the originating request, this control can block such adversaries from using those credentials to reach resources that have access permission controls.
References: (none)

chronicle | Chronicle | technique_scores | T1530 | Data from Cloud Storage Object
Comments: Chronicle is able to trigger an alert to notify personnel of GCP resources (e.g., storage buckets) that are publicly accessible to unauthenticated users. This technique was scored as Minimal based on the low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_public_accessible.yaral
References: (none)

access_transparency | Access Transparency | technique_scores | T1530 | Data from Cloud Storage Object
Comments: This control may expose and detect malicious access to data in cloud storage by compromised Google personnel accounts.
References: (none)

firewalls | Firewalls | technique_scores | T1530 | Data from Cloud Storage Object
Comments: Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by restricting which IP addresses and domains can reach the resources (e.g., allow lists). However, since cloud storage objects reside outside the virtual private cloud that Google Cloud Firewalls protect, the mapping is only given a score of Partial.
References: (none)

security_command_center | Security Command Center | technique_scores | T1530 | Data from Cloud Storage Object
Comments: SCC detects suspicious activity when cloud storage objects are accessed (e.g., new IPs accessing storage objects or enumeration from unfamiliar user identities). Because of the real-time temporal factor when detecting access to secured storage objects, this control was graded as Partial.
References: (none)

cloud_storage | Cloud Storage | technique_scores | T1530 | Data from Cloud Storage Object
Comments: The cloud service provider's default encryption setting for data stored and written to disk in the cloud may protect against an adversary's attempts to access data from improperly secured cloud storage. This technique was rated as Significant due to the high protect coverage factor.
References: (none)

cloud_data_loss_prevention | Cloud Data Loss Prevention | technique_scores | T1530 | Data from Cloud Storage Object
Comments: This control is able to scan cloud storage objects for sensitive data and transform that data into a secure or nonsensitive form. It is able to scan for a variety of common sensitive data types, such as API keys, credentials, or credit card numbers. Scans can be scheduled daily, weekly, etc., and can cover only new changes to data. This control is able to scan Google Cloud Storage, BigQuery tables, and Datastore.
References: (none)

advancedprotectionprogram | AdvancedProtectionProgram | technique_scores | T1530 | Data from Cloud Storage Object
Comments: Advanced Protection Program enables the use of a security key for multi-factor authentication. Restricting access via MFA provides significant protection against adversaries accessing data objects from cloud storage.
References: (none)

policy_intelligence | Policy Intelligence | technique_scores | T1530 | Data from Cloud Storage Object
Comments: Recommender generates policy insights by comparing the permissions that each principal used during the past 90 days with the total permissions the principal has. This can be used to limit the permissions associated with creating and modifying platform images or containers that adversaries may try to access.
References: (none)

policy_intelligence | Policy Intelligence | technique_scores | T1530 | Data from Cloud Storage Object
Comments: Adversaries may attempt to implant cloud or container images with malicious code to gain access to an environment. The IAM audit logs can be used to obtain data access and activity logs showing who has accessed certain resources.
References: (none)

vpc_service_controls | VPC Service Controls | technique_scores | T1530 | Data from Cloud Storage Object
Comments: This control may mitigate access to cloud storage objects by limiting access to accounts and services contained within the VPC network perimeter that contains those cloud storage objects.
References: (none)
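The Chronicle detection noted above flags buckets that become publicly accessible from Cloud Audit Logs. The following is an added example, not the page's text or Chronicle's rule, that reproduces the core check offline over constructed audit-log lines: the field layout (protoPayload.methodName, serviceData.policyDelta.bindingDeltas, resource.labels.bucket_name) is an assumption modelled on GCS Admin Activity logs, and every bucket name and principal is made up.

```python
import json

# Members that make bucket contents reachable without the bucket owner's credentials.
PUBLIC_MEMBERS = {"allUsers": "unauthenticated", "allAuthenticatedUsers": "any Google account"}

# Constructed sample entries (one JSON object per line) modelled on the shape of GCS
# Admin Activity audit logs; the layout is an assumption, not taken from the page.
SAMPLE_LOG = r'''
{"timestamp":"2024-01-05T10:02:11Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"constructed-exports"}},"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","authenticationInfo":{"principalEmail":"dev@example.test"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}
{"timestamp":"2024-01-05T10:03:40Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"constructed-exports"}},"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","authenticationInfo":{"principalEmail":"dev@example.test"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectAdmin","member":"user:dev@example.test"}]}}}}
{"timestamp":"2024-01-05T11:15:00Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"constructed-backups"}},"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","authenticationInfo":{"principalEmail":"ops@example.test"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"REMOVE","role":"roles/storage.objectViewer","member":"allAuthenticatedUsers"}]}}}}
{"timestamp":"2024-01-05T12:00:00Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"constructed-backups"}},"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"svc@example.test"}}}
'''


def public_grants(log_lines):
    """Return one finding per binding delta that newly grants a public member on a bucket."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "storage.googleapis.com":
            continue
        if payload.get("methodName") != "storage.setIamPermissions":
            continue  # object reads, metadata updates etc. do not change the IAM policy
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            member = delta.get("member")
            # Only ADD widens access; a REMOVE of a public member is a clean-up, not exposure.
            if delta.get("action") != "ADD" or member not in PUBLIC_MEMBERS:
                continue
            findings.append({
                "bucket": entry.get("resource", {}).get("labels", {}).get("bucket_name"),
                "member": member,
                "exposure": PUBLIC_MEMBERS[member],
                "role": delta.get("role"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "timestamp": entry.get("timestamp"),
            })
    return findings


if __name__ == "__main__":
    for f in public_grants(SAMPLE_LOG.splitlines()):
        print(f"{f['timestamp']} bucket={f['bucket']} {f['member']} ({f['exposure']}) "
              f"granted {f['role']} by {f['actor']}")
```

Of the four constructed entries only the first is reported; the matching "exposure" field lets a responder rank allUsers above allAuthenticatedUsers when triaging.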