Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.

For example, in AWS environments, an adversary with the PutLifecycleConfiguration permission may use the PutBucketLifecycle API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.(Citation: Datadog S3 Lifecycle CloudTrail Logs)

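The following is an added detection example and is not part of the original page: it scans CloudTrail-style records for lifecycle writes that enable a short expiration, the pattern described above. The event records are constructed samples in CloudTrail's general shape (field names such as `requestParameters.LifecycleConfiguration.Rule` are assumed from that format), and the 7-day threshold is an assumed tuning value.

```python
import json

# CloudTrail event names that write an S3 bucket lifecycle configuration.
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

def _rules(params):
    # The Rule element is a single object for one rule, a list for several.
    rule = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
    return rule if isinstance(rule, list) else [rule]

def _whole_bucket(rule):
    # No prefix, tag or And filter means the rule matches every object.
    flt = rule.get("Filter") or {}
    prefix = rule.get("Prefix", flt.get("Prefix", ""))
    return not prefix and not flt.get("Tag") and not flt.get("And")

def find_aggressive_expirations(records, max_days=7):
    """Return enabled rules that expire objects within max_days (assumed threshold)."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        for rule in _rules(params):
            days = (rule.get("Expiration") or {}).get("Days")
            if rule.get("Status") != "Enabled" or days is None or days > max_days:
                continue
            findings.append({"bucket": params.get("bucketName"), "days": days,
                             "whole_bucket": _whole_bucket(rule),
                             "actor": (rec.get("userIdentity") or {}).get("arn"),
                             "time": rec.get("eventTime")})
    return findings

# Constructed sample events in CloudTrail's general shape (not real log data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketLifecycleConfiguration",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"bucketName": "cloudtrail-logs", "LifecycleConfiguration":
   {"Rule": {"ID": "purge", "Status": "Enabled", "Filter": {"Prefix": ""},
             "Expiration": {"Days": 1}}}}},
 {"eventTime": "2024-05-01T11:00:00Z", "eventName": "PutBucketLifecycleConfiguration",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/archiver"},
  "requestParameters": {"bucketName": "reports", "LifecycleConfiguration": {"Rule": [
   {"ID": "glacier", "Status": "Enabled", "Filter": {"Prefix": "old/"},
    "Transition": {"Days": 30, "StorageClass": "GLACIER"}},
   {"ID": "cleanup", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
    "Expiration": {"Days": 3}}]}}},
 {"eventTime": "2024-05-01T12:00:00Z", "eventName": "PutBucketVersioning",
  "requestParameters": {"bucketName": "reports"}}
]""")
```

Calling `find_aggressive_expirations(SAMPLE_EVENTS)` flags the one-day whole-bucket rule on the log bucket and the three-day `tmp/` rule, while ignoring the transition-only rule and the unrelated versioning event; a `whole_bucket` finding on a log bucket is the case worth alerting on first.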
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1485.001 | Lifecycle-Triggered Deletion | This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services. |
PR.DS-11.01 | Data backup and replication | Mitigates | T1485.001 | Lifecycle-Triggered Deletion | This diagnostic statement provides protection from adversaries that may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Implementing a data backup or disaster recovery plan allows organizational data to be restored. |
ID.IM-02.06 | Accurate data recovery | Mitigates | T1485.001 | Lifecycle-Triggered Deletion | This diagnostic statement emphasizes facilitating data recovery through robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed for scenarios in which adversaries attempt to modify cloud storage policies and the data within. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1485.001 | Lifecycle-Triggered Deletion | This diagnostic statement protects against Lifecycle-Triggered Deletion through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CP-10 | System Recovery and Reconstitution | mitigates | T1485.001 | Lifecycle-Triggered Deletion | |
CP-09 | System Backup | mitigates | T1485.001 | Lifecycle-Triggered Deletion | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1485.001 | Lifecycle-Triggered Deletion | |
AC-02 | Account Management | mitigates | T1485.001 | Lifecycle-Triggered Deletion | |
AC-03 | Access Enforcement | mitigates | T1485.001 | Lifecycle-Triggered Deletion | |
AC-06 | Least Privilege | mitigates | T1485.001 | Lifecycle-Triggered Deletion | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1485.001 | Lifecycle-Triggered Deletion | |
attribute.availability.variety.Destruction | Destruction | related-to | T1485.001 | Lifecycle-Triggered Deletion | |
attribute.availability.variety.Interruption | Interruption | related-to | T1485.001 | Lifecycle-Triggered Deletion | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_backup | Azure Backup | technique_scores | T1485.001 | Lifecycle-Triggered Deletion | Data backups provide a significant response to data destruction by enabling the restoration of data from backup. |
azure_policy | Azure Policy | technique_scores | T1485.001 | Lifecycle-Triggered Deletion | This control may provide recommendations that protect from lifecycle-triggered deletion. |
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1485.001 | Lifecycle-Triggered Deletion | This control can provide protection against lifecycle-triggered deletion by restricting access to the functions that modify lifecycle policies. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
backup_and_dr_actifiogo | Backup and DR-Actifio GO | technique_scores | T1485.001 | Lifecycle-Triggered Deletion | Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to a Data Destruction event, since an organization could easily restore lost data from the latest backup. |