Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Service or user accounts may be targeted by adversaries through Brute Force, Phishing, or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto Remote Services. High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based Software Deployment Tools to run commands on hybrid-joined devices.
An adversary may create long lasting Additional Cloud Credentials on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.
Cloud accounts may also be able to assume Temporary Elevated Cloud Access or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through Cloud API or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to Steal Application Access Tokens to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-15 | Passwords Management | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires both CSP and CSC to independently enforce strong password management practices to protect authentication credentials and reduce the risk of unauthorized access. For example, credential access protection mitigation focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access.
References
|
| IAM-14 | Strong Authentication | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed.
References
|
| IAM-13 | Uniquely Identifiable Users | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires both CSP and CSC to independently assign unique, cryptographically secure identifiers to users, ensure traceability and accountability for all access, including shared accounts, implement strong access controls, encryption for user identity data.
These techniques focus on mitigating attacker techniques against user services or machine accounts within cloud environments or identity management system.
References
|
| IAM-11 | CSCs Approval for Agreed Privileged Access Roles | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires both CSP and CSC to collaboratively identify high-risk data and privileged roles, enforce formal CSC approval workflows for CSP user access, use secure PAM systems, and implement comprehensive monitoring and reporting to ensure privileged access to sensitive CSC data is tightly controlled and traceable.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-10 | Management of Privileged Access Roles | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-09 | Segregation of Privileged Access Roles | mitigates | T1078.004 | Cloud Accounts |
Comments
This control describes the periodic, risk-based, and reviews of privileged accounts and high-risk access configurations, ensuring these are accounts are managed and scrutinized to prevent unauthorized access or excessive privileges.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-07 | User Access Changes and Revocation | mitigates | T1078.004 | Cloud Accounts |
Comments
This control focuses on the secure deprovisioning of user access by automating account removal, detecting and revoking inactive accounts. These mitigative actions reduce the risk of lingering or inappropriate access following employee termination, role changes, or security incidents.
References
|
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes.
For this technique, in terms of mitigation, ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time credentials can be used to access resources if a credential is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated.
References
|
| AIS-04 | Secure Application Design and Development | mitigates | T1078.004 | Cloud Accounts |
Comments
This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries may query and search through compromised applications to find and obtain insecurely stored credentials. Secure coding practices and secure credential handling may prevent hardcoded/insecurely stored credentials and ensure the that those cloud accounts are not compromised.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1078.004 | Cloud Accounts |
Comments
The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may attempt to exploit default admin or user accounts in cloud services, SaaS platforms, or cloud-deployed databases that weren't properly secured during setup.
References
|
| AIS-02 | Application Security Baseline Requirements | mitigates | T1078.004 | Cloud Accounts |
Comments
This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Access control and account management related to cloud accounts for web applications may mitigate the abuse of legitimate cloud accounts.
References
|