Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)
Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)
Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
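One place a defender can look for the backup-sharing variant described above is the cloud audit trail. The following detection logic is an added example, not part of the original mapping: it scans constructed CloudTrail-style records (not real logs) for EC2 snapshot or AMI permission grants to accounts outside an allow-list, or to the public; the `requestParameters` shapes follow the ModifySnapshotAttribute and ModifyImageAttribute APIs, and the account IDs and resource IDs are made up.

```python
import json

# Accounts allowed to receive shared snapshots/AMIs (constructed allow-list).
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed CloudTrail-style events for illustration; all IDs are fake.
SAMPLE_EVENTS = [
    {"eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-admin"},
     "requestParameters": {"snapshotId": "snap-0example1",
                           "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}},
    {"eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"snapshotId": "snap-0example2",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventName": "ModifyImageAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci"},
     "requestParameters": {"imageId": "ami-0example3",
                           "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"}, "requestParameters": {}},
]

# Event name -> (resource id key, permission block key) for the two sharing APIs.
PERMISSION_KEYS = {
    "ModifySnapshotAttribute": ("snapshotId", "createVolumePermission"),
    "ModifyImageAttribute": ("imageId", "launchPermission"),
}

def find_untrusted_shares(events, trusted=TRUSTED_ACCOUNTS):
    """Return one finding per snapshot/AMI grant to a non-allow-listed account or to 'all'."""
    findings = []
    for ev in events:
        keys = PERMISSION_KEYS.get(ev.get("eventName"))
        if not keys:
            continue  # not a sharing API call
        id_key, perm_key = keys
        params = ev.get("requestParameters") or {}
        grants = ((params.get(perm_key) or {}).get("add") or {}).get("items") or []
        for grant in grants:
            if grant.get("group") == "all":
                target = "public"  # resource made public: always a finding
            elif grant.get("userId") in trusted:
                continue  # expected cross-account share
            else:
                target = grant.get("userId", "unknown")
            findings.append({"event": ev["eventName"], "resource": params.get(id_key),
                             "actor": ev.get("userIdentity", {}).get("arn"), "shared_with": target})
    return findings

if __name__ == "__main__":
    for finding in find_untrusted_shares(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The same pattern extends to other cross-account grants (for example bucket policies) once their request shapes are added to the lookup table.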
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1537 | Transfer Data to Cloud Account | This control requires both CSP and CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution. |
| UEM-05 | Endpoint Management | mitigates | T1537 | Transfer Data to Cloud Account | This control provides for the implementation of best practices for endpoint management. Configuring appropriate data sharing restrictions in cloud services can help mitigate the risk of adversaries exfiltrating data by transferring it to another cloud account. |
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1537 | Transfer Data to Cloud Account | This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor and patch for vulnerabilities. The guidance for the CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate the risk of data tampering, loss, or unauthorized access. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1537 | Transfer Data to Cloud Account | The control describes the implementation of strong technical and procedural safeguards (such as TLS with strong keys) to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, consider implementing network-based filtering restrictions that prohibit data transfers to untrusted VPCs as a possible mitigation. Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. |
| DSP-17 | Sensitive Data Protection | mitigates | T1537 | Transfer Data to Cloud Account | This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle. For this technique, adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. In terms of mitigation, implementing network-based filtering restrictions that prohibit data transfers to untrusted VPCs can aid in mitigating this technique. |
| UEM-11 | Data Loss Prevention | mitigates | T1537 | Transfer Data to Cloud Account | Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. This control requires implementing data leakage prevention (DLP) capabilities on endpoint devices. This includes classifying and inventorying data, protecting sensitive information in transit and at rest, monitoring for unauthorized disclosures, and responding to policy violations. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1537 | Transfer Data to Cloud Account | This control provides for the implementation of best practices for third-party endpoint management. Configuring appropriate data sharing restrictions in cloud services can help mitigate the risk of adversaries exfiltrating data by transferring it to another cloud account. |
| DSP-04 | Data Classification | mitigates | T1537 | Transfer Data to Cloud Account | Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Certain data loss prevention capabilities can detect and block data tagged as sensitive from being shared with individuals outside the organization. |