T1530 Data from Cloud Storage Mappings

Adversaries may access data from cloud storage.

Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there is no overarching application (such as SQL or Elasticsearch) through which to interact with the stored objects: instead, data from these solutions is retrieved directly through the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through the front-end application or interface (i.e., Data from Information Repositories).

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly broad access by all users, or even access for any anonymous person outside the control of the Identity and Access Management system, without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)
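The misconfigurations described above (anonymous or "any authenticated user" access granted outside normal IAM scoping) show up as wildcard principals in a bucket policy or as group grants in a bucket ACL. The following audit helper is an added example, not code from ATT&CK or any cloud provider; it parses S3-style policy and ACL JSON documents (the sample documents, bucket name and account ID are constructed) and flags the grants that expose objects to everyone.

```python
import json

# Real S3 ACL group URIs meaning "anyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous (AllUsers)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account (AuthenticatedUsers)",
}

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]
def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def find_public_policy_statements(policy_json):
    """Flag Allow statements granting read/list actions to everyone with no Condition.
    Statements with a Condition are skipped; review them by hand, a Condition can still be broad."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        exposing = [a for a in _as_list(stmt.get("Action", []))
                    if a in ("*", "s3:*") or a.lower().startswith(("s3:get", "s3:list"))]
        if exposing:
            findings.append({"sid": stmt.get("Sid"), "actions": exposing,
                             "resources": _as_list(stmt.get("Resource", []))})
    return findings

def find_public_acl_grants(acl_json):
    """Flag ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [{"who": PUBLIC_GRANTEE_URIS[g["Grantee"]["URI"]], "permission": g.get("Permission")}
            for g in json.loads(acl_json).get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]

# Constructed sample documents (not from any real account): one scoped statement, one world-readable.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
SAMPLE_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]})
```

Feed the output of the provider's get-bucket-policy and get-bucket-acl calls into the two functions to run the same check against a live inventory.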

Adversaries may also obtain and then abuse leaked credentials from source repositories, logs, or other means to gain access to cloud storage objects.
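Scanning source and log text for credential-shaped tokens before they are committed or shipped is the defender-side counterpart to the credential leakage just described. The scanner below is an added example, not code from ATT&CK; it looks for the AWS access key pair format (20-character key ID, 40-character secret) and uses a Shannon entropy threshold to ignore placeholders. The sample config is constructed, and the key values in it are AWS's published documentation example pair, not a working credential.

```python
import math
import re

# Shape of AWS access key pairs: a 20-char key ID (prefix AKIA for long-term keys,
# ASIA for temporary ones, then 16 upper-case alphanumerics) and a 40-char secret.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

def shannon_entropy(s):
    """Bits per character; a random 40-char secret scores well above 4.0,
    while placeholders such as 'xxxxxxxx...' score near 0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, min_secret_entropy=4.0):
    """Return one finding per credential-shaped token: any access key ID, and any
    high-entropy 40-char token on a line that also mentions 'secret'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group()})
        if "secret" in line.lower():
            for m in SECRET_KEY_RE.finditer(line):
                if shannon_entropy(m.group()) >= min_secret_entropy:
                    findings.append({"line": lineno, "kind": "secret_access_key", "value": m.group()})
    return findings

# Constructed sample: a config file accidentally committed with a key pair. The key values
# are the well-known AWS documentation example pair, which is not a working credential.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder below must not be reported
aws_secret_access_key_template = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""
```

Any hit should be treated as a compromised key: rotate it and then check the storage access logs for use of that key ID, since the leak may already have been found by someone else.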


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1530 | Data from Cloud Storage |
| AC-17 | Remote Access | Protects | T1530 | Data from Cloud Storage |
| AC-18 | Wireless Access | Protects | T1530 | Data from Cloud Storage |
| AC-19 | Access Control for Mobile Devices | Protects | T1530 | Data from Cloud Storage |
| AC-02 | Account Management | Protects | T1530 | Data from Cloud Storage |
| AC-20 | Use of External Systems | Protects | T1530 | Data from Cloud Storage |
| AC-03 | Access Enforcement | Protects | T1530 | Data from Cloud Storage |
| AC-04 | Information Flow Enforcement | Protects | T1530 | Data from Cloud Storage |
| AC-05 | Separation of Duties | Protects | T1530 | Data from Cloud Storage |
| AC-06 | Least Privilege | Protects | T1530 | Data from Cloud Storage |
| AC-07 | Unsuccessful Logon Attempts | Protects | T1530 | Data from Cloud Storage |
| CA-07 | Continuous Monitoring | Protects | T1530 | Data from Cloud Storage |
| CA-08 | Penetration Testing | Protects | T1530 | Data from Cloud Storage |
| CM-02 | Baseline Configuration | Protects | T1530 | Data from Cloud Storage |
| CM-05 | Access Restrictions for Change | Protects | T1530 | Data from Cloud Storage |
| CM-06 | Configuration Settings | Protects | T1530 | Data from Cloud Storage |
| CM-07 | Least Functionality | Protects | T1530 | Data from Cloud Storage |
| CM-08 | System Component Inventory | Protects | T1530 | Data from Cloud Storage |
| IA-02 | Identification and Authentication (Organizational Users) | Protects | T1530 | Data from Cloud Storage |
| IA-03 | Device Identification and Authentication | Protects | T1530 | Data from Cloud Storage |
| IA-04 | Identifier Management | Protects | T1530 | Data from Cloud Storage |
| IA-05 | Authenticator Management | Protects | T1530 | Data from Cloud Storage |
| IA-06 | Authentication Feedback | Protects | T1530 | Data from Cloud Storage |
| IA-08 | Identification and Authentication (Non-organizational Users) | Protects | T1530 | Data from Cloud Storage |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1530 | Data from Cloud Storage |
| SC-28 | Protection of Information at Rest | Protects | T1530 | Data from Cloud Storage |
| SC-04 | Information in Shared System Resources | Protects | T1530 | Data from Cloud Storage |
| SC-07 | Boundary Protection | Protects | T1530 | Data from Cloud Storage |
| SI-10 | Information Input Validation | Protects | T1530 | Data from Cloud Storage |
| SI-12 | Information Management and Retention | Protects | T1530 | Data from Cloud Storage |
| SI-15 | Information Output Filtering | Protects | T1530 | Data from Cloud Storage |
| SI-04 | System Monitoring | Protects | T1530 | Data from Cloud Storage |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1530 | Data from Cloud Storage |
| PUR-IP-E5 | Information Protection | Technique Scores | T1530 | Data from Cloud Storage |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1530 | Data from Cloud Storage |
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1530 | Data from Cloud Storage |
| ME-MFA-E3 | Multi-factor Authentication | Technique Scores | T1530 | Data from Cloud Storage |
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1530 | Data from Cloud Storage |
| DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1530 | Data from Cloud Storage |
| DEF-LM-E5 | Lateral Movements | Technique Scores | T1530 | Data from Cloud Storage |
| DEF-IR-E5 | Incident Response | Technique Scores | T1530 | Data from Cloud Storage |
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1530 | Data from Cloud Storage |