Adversaries may exfiltrate data by transferring it, including by sharing or syncing it and by creating backups of cloud environments, to another cloud account they control on the same service.
A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)
Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)
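The SAS URIs mentioned above are worth triaging whenever one turns up in storage diagnostic logs or a ticket, because not every SAS is equally useful for exfiltration. The helper below is an added example for this page (not Microsoft's code and not part of any mapped control): it parses the documented SAS query parameters (`sv`, `ss`, `srt`, `sr`, `sp`, `st`, `se`, `sip`, `spr`, `skoid`, `sig`), classifies the token as an account, service or user-delegation SAS, and flags the properties an adversary would want: account-wide scope, write or delete rights, list rights on a container, a long lifetime, no IP restriction, and HTTP allowed. The sample URIs, signatures and key IDs are constructed, and the 24-hour "long-lived" threshold is an assumption.

```python
"""Triage Azure Storage shared access signature (SAS) URIs found in logs or tickets.

Added example for this page, not Microsoft's code and not part of the mapped
controls. The query parameters read here (sv, ss, srt, sr, sp, st, se, sip, spr,
skoid, sig) are the ones documented for account, service and user-delegation SAS;
the sample URIs are constructed with made-up signatures and key IDs, and the
24-hour "long-lived" threshold is an assumption.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=24)  # assumption: anything longer gets flagged

# Fixed "now" so the sample run is reproducible (constructed).
SAMPLE_NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed URIs; signatures and key IDs are placeholders, not real values.
SAMPLE_URIS = {
    # Account SAS: every service and resource type, read+write+delete+list, ten years.
    "account": "https://contoso.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
               "&sp=rwdlacupx&se=2035-01-01T00:00:00Z&spr=https&sig=FAKESIG1",
    # Service SAS: one blob, read only, two-hour window, pinned to one IP.
    "blob_read": "https://contoso.blob.core.windows.net/reports/q4.pdf?sv=2022-11-02&sr=b"
                 "&sp=r&st=2025-01-15T11:00:00Z&se=2025-01-15T13:00:00Z"
                 "&sip=203.0.113.10&spr=https&sig=FAKESIG2",
    # User delegation SAS: whole container, read+list, six weeks, no IP/protocol limits.
    "container_list": "https://contoso.blob.core.windows.net/backups?sv=2022-11-02&sr=c"
                      "&sp=rl&se=2025-03-01T00:00:00Z&skoid=00000000-0000-0000-0000-000000000001"
                      "&sktid=00000000-0000-0000-0000-000000000002&skt=2025-01-15T00:00:00Z"
                      "&ske=2025-03-01T00:00:00Z&sks=b&skv=2022-11-02&sig=FAKESIG3",
}


def _parse_time(value):
    """Parse the ISO 8601 timestamps SAS uses (date-only or with a trailing Z)."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def triage_sas(uri, now):
    """Describe a SAS URI and flag properties that make it useful for exfiltration."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    if "skoid" in query:                      # signed with a user delegation key
        kind = "user-delegation"
    elif "ss" in query or "srt" in query:     # account SAS names services/resource types
        kind = "account"
    else:
        kind = "service"
    perms = set(query.get("sp", ""))
    starts = _parse_time(query.get("st")) or now
    expires = _parse_time(query.get("se"))
    lifetime = (expires - starts) if expires else None

    flags = []
    if kind == "account":
        flags.append("account_scope")            # not limited to one container/blob
    if perms - {"r", "l"}:
        flags.append("write_or_delete")          # anything beyond read/list
    if "l" in perms and query.get("sr") != "b":
        flags.append("can_enumerate")            # list lets the holder discover data
    if lifetime is None or lifetime > MAX_LIFETIME:
        flags.append("long_lived")               # or no expiry in the URI (stored policy)
    if "sip" not in query:
        flags.append("no_ip_restriction")
    if "http" in query.get("spr", "https,http").split(","):
        flags.append("http_allowed")             # spr omitted => both protocols allowed
    return {
        "kind": kind,
        "permissions": "".join(sorted(perms)),
        "services": query.get("ss", ""),
        "resource": query.get("sr") or query.get("srt", ""),
        "expires": expires.isoformat() if expires else None,
        "lifetime_hours": round(lifetime.total_seconds() / 3600, 1) if lifetime is not None else None,
        "flags": flags,
    }


def triage_all(uris=SAMPLE_URIS, now=SAMPLE_NOW):
    """Triage every sample URI; returns {label: result}."""
    return {label: triage_sas(uri, now) for label, uri in uris.items()}


if __name__ == "__main__":
    for label, result in triage_all().items():
        print(label, result["kind"], result["permissions"], result["flags"])
```

A SAS that relies on a stored access policy may carry no `se` at all; the helper treats that as long-lived rather than trying to look the policy up, which is the conservative choice during triage.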
Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
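Because the transfers described above never leave the provider's APIs, the place to look for them is the control-plane log rather than the network edge. The script below is an added example for this page (not ATT&CK's code and not part of the cited indictment or any mapped control). It runs over constructed CloudTrail-style records and flags the calls that hand a resource to another account: EC2 `ModifySnapshotAttribute` and `ModifyImageAttribute` granting `createVolumePermission` or `launchPermission` to a foreign account or to the public, RDS `ModifyDBSnapshotAttribute` adding a restore grantee (the backup-sharing pattern in the incident above), and S3 `CopyObject` events whose destination bucket CloudTrail attributes to another account. The account IDs, bucket names and the allowlist are made up.

```python
"""Hunt CloudTrail records for resources shared with, or copied to, another AWS account.

Added example for this page: not ATT&CK's code and not part of any mapped control.
The records below are constructed to mimic CloudTrail's shape (not real log data),
and the trusted-account set is an assumption that would normally be fed from
AWS Organizations.
"""

# Assumption: made-up account IDs that may legitimately receive snapshots,
# AMIs or S3 objects from this environment.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# EC2 sharing calls and the request parameter that lists the grantees.
SHARE_PERMISSION_KEYS = {
    "ModifySnapshotAttribute": "createVolumePermission",  # EBS snapshot
    "ModifyImageAttribute": "launchPermission",           # AMI
}

# Constructed CloudTrail-style events; account 111111111111 is "ours".
SAMPLE_EVENTS = [
    {   # EBS snapshot shared with an account outside the allowlist
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
        "recipientAccountId": "111111111111",
        "requestParameters": {"snapshotId": "snap-0a1b2c3d4e5f67890",
            "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {   # AMI shared with a trusted account: benign
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
        "recipientAccountId": "111111111111",
        "requestParameters": {"imageId": "ami-0123456789abcdef0",
            "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {   # EBS snapshot made public (anyone can create a volume from it)
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
        "recipientAccountId": "111111111111",
        "requestParameters": {"snapshotId": "snap-0ffffffffffffffff",
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {   # Object copied into a bucket that CloudTrail attributes to another account
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "recipientAccountId": "111111111111",
        "requestParameters": {"bucketName": "staging-bucket-x", "key": "db-dump.sql.gz",
                              "x-amz-copy-source": "corp-backups/db-dump.sql.gz"},
        "resources": [
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::staging-bucket-x/db-dump.sql.gz"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::staging-bucket-x",
             "accountId": "999999999999"}]},
    {   # RDS snapshot shared so another account can restore it
        "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
        "recipientAccountId": "111111111111",
        "requestParameters": {"dBSnapshotIdentifier": "prod-db-final-snapshot",
                              "attributeName": "restore", "valuesToAdd": ["999999999999"]}},
    {   # Copy within our own account: benign
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "recipientAccountId": "111111111111",
        "requestParameters": {"bucketName": "corp-archive", "key": "db-dump.sql.gz"},
        "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::corp-archive",
                       "accountId": "111111111111"}]},
]


def share_grantees(event):
    """Return (account_ids, is_public) named by a resource-sharing API call."""
    params = event.get("requestParameters") or {}
    accounts, public = set(), False
    perm_key = SHARE_PERMISSION_KEYS.get(event.get("eventName"))
    if perm_key:
        for item in ((params.get(perm_key) or {}).get("add") or {}).get("items") or []:
            if "userId" in item:
                accounts.add(str(item["userId"]))
            if item.get("group") == "all":
                public = True
    if (event.get("eventName") == "ModifyDBSnapshotAttribute"
            and params.get("attributeName") == "restore"):
        for value in params.get("valuesToAdd") or []:
            if value == "all":
                public = True
            else:
                accounts.add(str(value))
    return accounts, public


def resource_owners(event):
    """Owner account IDs CloudTrail recorded for the resources the call touched."""
    return {r["accountId"] for r in event.get("resources") or [] if r.get("accountId")}


def find_cross_account_transfers(events, trusted=TRUSTED_ACCOUNTS):
    """Flag events that expose data publicly or to an account outside `trusted`."""
    findings = []
    for event in events:
        own = event.get("recipientAccountId")
        grantees, public = share_grantees(event)
        foreign = sorted(a for a in grantees | resource_owners(event)
                         if a != own and a not in trusted)
        if public:
            findings.append({"eventName": event["eventName"], "reason": "public", "accounts": []})
        if foreign:
            findings.append({"eventName": event["eventName"],
                             "reason": "untrusted_account", "accounts": foreign})
    return findings


if __name__ == "__main__":
    for finding in find_cross_account_transfers(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is the part that needs care: a trusted account that is itself compromised, or a recipient that is legitimate one week and not the next, will pass silently, so the list should be generated from the organization's account inventory rather than maintained by hand.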
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems have installed and enabled only what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement protects against Transfer Data to Cloud Account through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services. |
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement protects against Transfer Data to Cloud Account through verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
PR.DS-01.02 | Data loss prevention | Mitigates | T1537 | Transfer Data to Cloud Account | The use of data loss prevention controls may mitigate techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services. |
PR.DS-10.01 | Data-in-use protection | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement describes mitigations related to protecting data in use, including encryption, access control methods, and authentication. Using encryption for data in use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement provides protection from Transfer Data to Cloud Account through the implementation of security configuration baselines for OS, software, file integrity monitoring, and imaging. Security baseline configurations that enforce data sharing restrictions to the cloud and integrity checking can help protect against adversaries attempting to transfer data to a cloud account. |
PR.AA-01.02 | Physical and logical access | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls for systems can include MFA, user account management, and other role-based access control mechanisms that enforce policies for authentication and authorization of user accounts. |
PR.IR-01.02 | Network device configurations | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing network-based filtering restrictions can mitigate data transfers to untrusted VPCs. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement protects against Transfer Data to Cloud Account through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement protects against Transfer Data to Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
PR.PS-01.08 | End-user device protection | Mitigates | T1537 | Transfer Data to Cloud Account | This diagnostic statement protects against Transfer Data to Cloud Account through limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1537 | Transfer Data to Cloud Account | |
attribute.confidentiality.data_disclosure | None | related-to | T1537 | Transfer Data to Cloud Account | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | technique_scores | T1537 | Transfer Data to Cloud Account | This control may alert on unusually large amounts of data being extracted from Azure storage and on suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts, but there are several alerts for anomalous storage access and transfer. |
azure_policy | Azure Policy | technique_scores | T1537 | Transfer Data to Cloud Account | This control may provide recommendations to enable security controls that monitor and prevent malicious transfer of data to cloud accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
vpc_service_controls | VPC Service Controls | technique_scores | T1537 | Transfer Data to Cloud Account | This control may mitigate exfiltration attempts to external cloud accounts by limiting egress of data from accounts and services contained within the VPC network perimeter. |