Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or Phishing.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, conducting Password Spraying attacks, or attempting to Steal Application Access Tokens.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a Trusted Relationship between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-13 | Uniquely Identifiable Users | mitigates | T1586.003 | Cloud Accounts | This control requires both the CSP and the CSC to independently assign unique, cryptographically secure identifiers to users; ensure traceability and accountability for all access, including shared accounts; implement strong access controls; and encrypt user identity data. It mitigates attacker techniques against user, service, or machine accounts within cloud environments and identity management systems. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1586.003 | Cloud Accounts | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account and use it to move production data throughout the cloud environment. As mitigation, configure access controls and firewalls to limit which accounts can reach production-critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances, which further segment production from non-production environments. |
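As an added illustration of the IAM-13 and DSP-15 notes above (not part of the mapping itself), the check below reviews CloudTrail-style audit records for credentials being added to cloud accounts and flags additions made by principals that cannot be traced to a unique user or made to someone else's account. The event names follow IAM API action names; the sample records, the account id and the email-based role-session naming convention are constructed assumptions.

```python
import json

# IAM API actions that attach a new credential to an existing identity; in
# CloudTrail the eventName is the IAM action name (illustrative selection).
CREDENTIAL_ADD_EVENTS = {"CreateAccessKey", "CreateLoginProfile",
                         "UpdateLoginProfile", "UploadSSHPublicKey"}

def attributable(identity: dict) -> bool:
    """IAM-13 check: the acting principal must resolve to one unique user.
    Assumption: role sessions are named after the user's email address."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return True
    if kind == "AssumedRole":
        session = identity.get("arn", "").rsplit("/", 1)[-1]
        return "@" in session
    return False  # Root, unnamed sessions, anything else

def review_events(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (eventID, target user, reason) for each suspicious credential add."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in CREDENTIAL_ADD_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        # Without userName the IAM action applies to the caller itself.
        target = params.get("userName") or ident.get("userName", "caller")
        if not attributable(ident):
            findings.append((rec["eventID"], target, "non-attributable principal"))
        elif target != ident.get("userName"):
            findings.append((rec["eventID"], target, "credential added to another user"))
    return findings

def load_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample records in CloudTrail-like shape (not real log output).
SAMPLE_LOG = """
{"eventID":"e1","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"userName":"alice"}}
{"eventID":"e2","eventName":"CreateLoginProfile","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"requestParameters":{"userName":"svc-backup"}}
{"eventID":"e3","eventName":"CreateAccessKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/bob@example.com"},"requestParameters":{"userName":"alice"}}
{"eventID":"e4","eventName":"ListUsers","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":null}
"""
```

Calling `review_events(load_records(SAMPLE_LOG))` flags e2 (root added a console password to a service account) and e3 (one user's session keyed another user's account) while alice rotating her own key passes.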