An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| resourcemanager | ResourceManager | technique_scores | T1562.008 | Disable Cloud Logs |
Comments
This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable cloud logging capabilities.
References
|
| identityplatform | IdentityPlatform | technique_scores | T1562.008 | Disable Cloud Logs |
Comments
Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to your users and tokens through these APIs, Identity Platform leverages IAM to manage permission to specific Identity Platform APIs. This control will ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
References
|
| security_command_center | Security Command Center | technique_scores | T1562.008 | Disable Cloud Logs |
Comments
SCC detect changes to the configuration which would lead to disable logging on an instance or container. This security solution protects against system modifications used to remove evidence and evade defenses. Because of the near-real time temporal factor this control was graded as significant.
References
|
| policy_intelligence | Policy Intelligence | technique_scores | T1562.008 | Disable Cloud Logs |
Comments
Adversaries that try to disable cloud logging capabilities have the advantage to limit the amount of the data that can be collected and can possibly control not being detected. This control may be used to routinely check role account permissions in IAM audit logs.
References
|