Adversaries may access data from cloud storage.
Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.
In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly through the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through the front-end application or interface (i.e., Data from Information Repositories).
Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly broad access by all users, or even access for any anonymous person outside the control of the Identity and Access Management system without needing basic user permissions.
This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)
Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1530 | Data from Cloud Storage |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution.
References
|
| IAM-14 | Strong Authentication | mitigates | T1530 | Data from Cloud Storage |
Comments
This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed.
References
|
| IAM-08 | User Access Review | mitigates | T1530 | Data from Cloud Storage |
Comments
This control describes the periodic review and validation of user access by centralizing access management, automating review processes, and continuously monitoring for unauthorized activities. These mitigative actions ensure that access rights remain appropriate, obsolete or excessive privileges are removed, and potential security access risks are promptly identified and mitigated. For this technique, conduct automated permissions reviewing on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.
References
|
| IAM-06 | User Access Provisioning | mitigates | T1530 | Data from Cloud Storage |
Comments
This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.
References
|
| UEM-08 | Storage Encryption | mitigates | T1530 | Data from Cloud Storage |
Comments
This control provides for implementation of endpoint storage encryption. Encrypting data stored at rest in cloud storage can mitigate adversary access to data from cloud storage.
References
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1530 | Data from Cloud Storage |
Comments
This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data and can mitigate adversary access to information of value in cloud storage.
References
|
| CEK-03 | Data Encryption | mitigates | T1530 | Data from Cloud Storage |
Comments
This control provides mechanisms for encryption of at-rest data, and for managing encryption keys securely, ensuring they are regularly rotated and not exposed to unauthorized parties. Encrypting data stored at rest in cloud storage and rotating managed encryption keys can mitigate adversary access to data from cloud storage.
References
|
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1530 | Data from Cloud Storage |
Comments
This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.
References
|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1530 | Data from Cloud Storage |
Comments
This control can help prevent adversaries from accessing data in cloud storage: by keeping credentials, tokens, and other sensitive material off unattended workspaces and screens it reduces the chance that an adversary obtains the credentials needed to reach cloud storage resources and APIs, and it complements multi-factor authentication on those resources.
References
|
| IAM-07 | User Access Changes and Revocation | mitigates | T1530 | Data from Cloud Storage |
Comments
This control focuses on the secure deprovisioning of user access by automating account removal and by detecting and revoking inactive accounts. These mitigative actions reduce the risk of lingering or inappropriate access following employee termination, role changes, or security incidents.
References
|
| IAM-05 | Least Privilege | mitigates | T1530 | Data from Cloud Storage |
Comments
This control describes the enforcement of the principle of least privilege by implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data.
Adversaries have been observed using this technique to directly download cloud user data such as OneDrive files. For this technique, in terms of mitigation, configure user permission groups and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require it. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.
References
|
| DSP-15 | Limitation of Production Data Use | mitigates | T1530 | Data from Cloud Storage |
Comments
This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. In terms of mitigation, enforce access control lists on storage systems and objects so that production data cannot be read without authorization and replicated into non-production environments.
References
|
| DSP-10 | Sensitive Data Transfer | mitigates | T1530 | Data from Cloud Storage |
Comments
The control describes the implementation of strong technical and procedural safeguards, such as TLS with strong keys, to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may collect and exfiltrate sensitive data stored in cloud storage. In terms of mitigation, the use of IP allowlisting along with user account management, so that data access is restricted not only to valid users but also to expected IP ranges, can mitigate the use of stolen credentials to access data.
References
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1530 | Data from Cloud Storage |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, encrypt data stored at rest in cloud storage for mitigation. Managed encryption keys can be rotated by most providers.
References
|
| DSP-17 | Sensitive Data Protection | mitigates | T1530 | Data from Cloud Storage |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may collect sensitive data from IaaS object storage solutions such as Amazon S3, Azure Storage, and Google Cloud Storage. Providers typically offer security guides to help end users configure these services, though misconfigurations are a common problem.
References
|
| AIS-02 | Application Security Baseline Requirements | mitigates | T1530 | Data from Cloud Storage |
Comments
This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. Adversaries may collect sensitive data from cloud storage solutions used for cloud applications.
References
|
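The automated permissions review called for under IAM-08 and the IP allowlisting with least-privilege access described under DSP-10 and IAM-05 can be demonstrated together. The following Python is an added example written for this page; it is not code from MITRE, the Cloud Security Alliance, or any cloud provider. The bucket name, role ARN, and address ranges are constructed, the policy documents are constructed for illustration, and the `is_allowed` evaluator is a deliberately simplified model of resource-policy evaluation (an explicit Deny overrides any Allow; no matching Allow means deny) that understands only the condition operators used here.

```python
"""Flag anonymous access in S3-style bucket policies and evaluate a
hardened policy against sample requests.

Added example for the IAM-08 / DSP-10 mappings; not CCM or ATT&CK code.
The evaluator models only: explicit Deny wins, otherwise any matching
Allow permits, otherwise implicit deny. It is not a substitute for the
provider's own policy simulator or access analyzer.
"""
from fnmatch import fnmatch
import ipaddress


def _as_list(value):
    """Statement, Action, Resource and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the principal identifiers of a statement ('*' means anyone)."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return _as_list(p.get("AWS"))
    return []


def find_public_statements(policy):
    """Return (Sid, tag) for Allow statements that grant access to any principal.

    Statements that are public only under a Condition are still reported,
    tagged "conditional", so a reviewer can judge whether the condition is tight.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        tag = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append((stmt.get("Sid", "<no Sid>"), tag))
    return findings


def _condition_matches(condition, source_ip, secure_transport):
    """Evaluate the subset of condition operators used in this example."""
    for operator, kv in condition.items():
        for key, values in kv.items():
            values = _as_list(values)
            if key == "aws:SourceIp" and operator in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(v)
                               for v in values)
                if (operator == "IpAddress") != in_range:
                    return False
            elif key == "aws:SecureTransport" and operator == "Bool":
                if str(secure_transport).lower() != str(values[0]).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition {operator}/{key}")
    return True


def is_allowed(policy, principal, action, resource, source_ip, secure_transport=True):
    """Simplified resource-policy decision for one request."""
    decision = False
    for stmt in _as_list(policy.get("Statement")):
        principals = _principals(stmt)
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatch(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip, secure_transport):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit deny overrides any allow
        decision = True
    return decision


# Constructed identifiers (documentation address ranges, fictional account).
BUCKET = "arn:aws:s3:::example-customer-exports"
EXPORT_ROLE = "arn:aws:iam::123456789012:role/export-reader"
OFFICE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Weak setting: the classic "public bucket" misconfiguration.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAnyoneToRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}

# Corrected setting: one named role, only from expected ranges, only over TLS.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowExportRoleRead", "Effect": "Allow",
     "Principal": {"AWS": EXPORT_ROLE},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "DenyOutsideAllowlist", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDRS}}},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public statements = {find_public_statements(policy)}")
    obj = BUCKET + "/2024/q1.csv"
    print("role from office:", is_allowed(HARDENED_POLICY, EXPORT_ROLE, "s3:GetObject", obj, "203.0.113.7"))
    print("role from elsewhere:", is_allowed(HARDENED_POLICY, EXPORT_ROLE, "s3:GetObject", obj, "192.0.2.9"))
```

In a real review the policies would be pulled with the provider's tooling (for AWS, `aws s3api get-bucket-policy --bucket <name>`) rather than embedded, and bucket ACLs and account-level public-access blocks are separate controls that this evaluator does not model. The point of the hardened policy is the layering: the Allow is scoped to a single role and to read actions only, while the two Deny statements cut off stolen credentials used from an unexpected network or over plaintext, which is the IP allowlisting plus account management combination the DSP-10 mapping describes.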