Adversaries may access data from cloud storage.
Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.
In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly through the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., Data from Information Repositories).
Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly broad access by all users, or even access for any anonymous person outside the control of the Identity and Access Management (IAM) system without even needing basic user permissions.
This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)
Adversaries may also obtain and then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.
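The three misconfigurations listed above (anonymous access, access by any authenticated account, and a wildcard principal in a bucket policy) can be checked offline from the bucket's own policy and ACL. This is an added example, not part of the ATT&CK page or of AWS's tooling: the policy and ACL inputs are constructed inline in the shape of the S3 GetBucketPolicy and GetBucketAcl responses, and the severity rules are this example's own simplification of what AWS treats as "public".

```python
"""Audit an S3 bucket policy and ACL for the open-access misconfigurations described above."""
import json

# Canned grantee groups S3 uses in ACLs for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value):
    """Policy fields may be a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _principal_is_wildcard(principal):
    """True when a statement applies to any caller, whether or not they are authenticated."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def audit_bucket(policy, acl_grants):
    """Return (severity, description) findings; policy is the GetBucketPolicy JSON string or dict.
    Simplified check: Deny statements and NotPrincipal/NotAction are not evaluated here."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        if "Condition" in stmt:  # a Condition (e.g. source VPC) narrows reach but still deserves review
            findings.append(("MEDIUM", f"policy allows {actions} to any principal, gated only by a Condition"))
        else:
            findings.append(("HIGH", f"policy allows {actions} to any principal with no Condition"))
    for grant in acl_grants:
        uri, perm = grant.get("Grantee", {}).get("URI"), grant.get("Permission")
        if uri == ALL_USERS:
            findings.append(("HIGH", f"ACL grants {perm} to AllUsers (anonymous access)"))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("HIGH", f"ACL grants {perm} to AuthenticatedUsers (any AWS account)"))
    return findings

# Constructed sample: a policy that lets anyone read objects plus an ACL open to any AWS account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]

if __name__ == "__main__":
    for severity, description in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL):
        print(severity, description)
```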
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-16 | Security and Privacy Attributes | Protects | T1530 | Data from Cloud Storage | |
AC-17 | Remote Access | Protects | T1530 | Data from Cloud Storage | |
AC-18 | Wireless Access | Protects | T1530 | Data from Cloud Storage | |
AC-19 | Access Control for Mobile Devices | Protects | T1530 | Data from Cloud Storage | |
AC-02 | Account Management | Protects | T1530 | Data from Cloud Storage | |
AC-20 | Use of External Systems | Protects | T1530 | Data from Cloud Storage | |
AC-03 | Access Enforcement | Protects | T1530 | Data from Cloud Storage | |
AC-04 | Information Flow Enforcement | Protects | T1530 | Data from Cloud Storage | |
AC-05 | Separation of Duties | Protects | T1530 | Data from Cloud Storage | |
AC-06 | Least Privilege | Protects | T1530 | Data from Cloud Storage | |
AC-07 | Unsuccessful Logon Attempts | Protects | T1530 | Data from Cloud Storage | |
CA-07 | Continuous Monitoring | Protects | T1530 | Data from Cloud Storage | |
CA-08 | Penetration Testing | Protects | T1530 | Data from Cloud Storage | |
CM-02 | Baseline Configuration | Protects | T1530 | Data from Cloud Storage | |
CM-05 | Access Restrictions for Change | Protects | T1530 | Data from Cloud Storage | |
CM-06 | Configuration Settings | Protects | T1530 | Data from Cloud Storage | |
CM-07 | Least Functionality | Protects | T1530 | Data from Cloud Storage | |
CM-08 | System Component Inventory | Protects | T1530 | Data from Cloud Storage | |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1530 | Data from Cloud Storage | |
IA-03 | Device Identification and Authentication | Protects | T1530 | Data from Cloud Storage | |
IA-04 | Identifier Management | Protects | T1530 | Data from Cloud Storage | |
IA-05 | Authenticator Management | Protects | T1530 | Data from Cloud Storage | |
IA-06 | Authentication Feedback | Protects | T1530 | Data from Cloud Storage | |
IA-08 | Identification and Authentication (non-organizational Users) | Protects | T1530 | Data from Cloud Storage | |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1530 | Data from Cloud Storage | |
SC-28 | Protection of Information at Rest | Protects | T1530 | Data from Cloud Storage | |
SC-04 | Information in Shared System Resources | Protects | T1530 | Data from Cloud Storage | |
SC-07 | Boundary Protection | Protects | T1530 | Data from Cloud Storage | |
SI-10 | Information Input Validation | Protects | T1530 | Data from Cloud Storage | |
SI-12 | Information Management and Retention | Protects | T1530 | Data from Cloud Storage | |
SI-15 | Information Output Filtering | Protects | T1530 | Data from Cloud Storage | |
SI-04 | System Monitoring | Protects | T1530 | Data from Cloud Storage | |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1530 | Data from Cloud Storage | |
PUR-IP-E5 | Information Protection | Technique Scores | T1530 | Data from Cloud Storage | Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection protects against Data from Cloud Storage attacks by encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app, and by applying sensitivity labels that limit access to employees of your company. License requirements: Microsoft Defender for Office 365 Plan 1 and Plan 2. |
PUR-AS-E5 | Audit Solutions | Technique Scores | T1530 | Data from Cloud Storage | Microsoft Purview auditing solutions provide an integrated solution to help organizations respond effectively to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization, giving visibility into the activities performed across your Microsoft 365 organization. Audit Solutions protects against Data from Cloud Storage attacks by providing the visibility needed to check permissions on cloud storage regularly and ensure they deny open or unprivileged access to resources. License requirements: Microsoft 365 E3 and E5. |
ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1530 | Data from Cloud Storage | The RBAC control can be used to implement the principle of least privilege for cloud data storage access, limiting it to those who require it. This scores Partial for its ability to minimize the attack surface of accounts with storage solution access. License requirements: ME-ID built-in roles (Free). |
ME-MFA-E3 | Multi-factor Authentication | Technique Scores | T1530 | Data from Cloud Storage | MFA provides significant protection by enforcing and restricting access to resources (e.g., cloud storage, APIs). |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1530 | Data from Cloud Storage | Microsoft Secure Score is a measurement of an organization's security posture; a higher number indicates that more recommended actions have been taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages, and Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts and roles); Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices); Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps); Data (through Microsoft Information Protection). |
DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1530 | Data from Cloud Storage | In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages. Traditionally, users have been allowed or denied levels of interactivity with quarantined messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware. Quarantine policies cover the following M365 features: the response to items tagged by anti-malware and anti-phishing, and files quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. License requirements: M365 E3 (or Defender for Office Plan 1). |
DEF-LM-E5 | Lateral Movements | Technique Scores | T1530 | Data from Cloud Storage | Defender for Identity lateral movement paths (LMPs) are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movement within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from succeeding, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts. |
DEF-IR-E5 | Incident Response | Technique Scores | T1530 | Data from Cloud Storage | An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes, which results in multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action. Incident Response responds to Data from Cloud Storage attacks by monitoring for security alerts that represent unusual queries to the cloud provider's storage service. License requirements: Microsoft Defender XDR. |
PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1530 | Data from Cloud Storage | Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just enough access to perform the task at hand, without risking exposure of sensitive data or critical Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., encryption, RBAC, Conditional Access, JIT, and Just Enough Access with approval). License requirements: M365 E5 customers. |
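The Audit Solutions and Incident Response rows above rest on the unified audit log surfacing open sharing and unusual storage access. The following is an added example, not part of the mapping or of Microsoft's tooling: it runs two detection rules over records constructed inline in the shape of Office 365 Management Activity API SharePoint/OneDrive events (anonymous-link operations, and a per-user FileDownloaded burst); the threshold and window values are this example's own.

```python
"""Triage constructed Microsoft 365 unified audit log records for T1530-style activity."""
from collections import defaultdict
from datetime import datetime, timedelta

DOWNLOAD_THRESHOLD = 3          # FileDownloaded events per user inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)  # sliding window for the burst rule (both values are example choices)

def _ts(record):
    return datetime.strptime(record["CreationTime"], "%Y-%m-%dT%H:%M:%S")

def find_public_sharing(records):
    """Records that open a file to anyone: SharePoint/OneDrive anonymous-link operations."""
    return [(r["UserId"], r["ObjectId"], r["Operation"]) for r in records
            if r["Operation"] in ("AnonymousLinkCreated", "AnonymousLinkUsed")]

def find_download_bursts(records, threshold=DOWNLOAD_THRESHOLD, window=WINDOW):
    """Map each user to the largest number of downloads they made inside any single window."""
    per_user = defaultdict(list)
    for r in sorted(records, key=_ts):          # records may arrive out of order
        if r["Operation"] == "FileDownloaded":
            per_user[r["UserId"]].append(_ts(r))
    bursts = {}
    for user, times in per_user.items():
        start = 0
        for end, t in enumerate(times):         # two-pointer sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = max(bursts.get(user, 0), end - start + 1)
    return bursts

def _rec(time, op, user, obj):
    """Build a record in the shape of an Office 365 Management Activity API SharePoint event."""
    return {"CreationTime": time, "Workload": "OneDrive", "Operation": op,
            "UserId": user, "ObjectId": obj, "ClientIP": "203.0.113.10"}

SAMPLE_RECORDS = [  # constructed sample data, not from a real tenant
    _rec("2024-01-15T09:00:05", "FileDownloaded", "alice@example.com", "personal/alice/Documents/q1.xlsx"),
    _rec("2024-01-15T09:01:10", "FileDownloaded", "alice@example.com", "personal/alice/Documents/q2.xlsx"),
    _rec("2024-01-15T09:03:00", "FileDownloaded", "bob@example.com", "personal/bob/Documents/notes.docx"),
    _rec("2024-01-15T09:02:30", "FileDownloaded", "alice@example.com", "personal/alice/Documents/q3.xlsx"),
    _rec("2024-01-15T09:04:00", "FileDownloaded", "alice@example.com", "personal/alice/Documents/q4.xlsx"),
    _rec("2024-01-15T09:05:00", "AnonymousLinkCreated", "carol@example.com", "personal/carol/Documents/payroll.xlsx"),
]

if __name__ == "__main__":
    print("public sharing:", find_public_sharing(SAMPLE_RECORDS))
    print("download bursts:", find_download_bursts(SAMPLE_RECORDS))
```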