Adversaries may access data objects from improperly secured cloud storage.
Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)
Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials from source repositories, logs, or other sources as a way to gain access to cloud storage objects that do have access permission controls.
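The misconfigurations described above (anonymous public access, overly broad network exposure) can be checked mechanically against an exported account configuration. The following is an added example, not code from the mapping page or from Microsoft: it audits a constructed list of storage account records whose keys are assumed to follow the JSON layout returned by `az storage account show` (`allowBlobPublicAccess`, `enableHttpsTrafficOnly`, `minimumTlsVersion`, `networkRuleSet.defaultAction`), reports findings for the weak account, and computes the hardened target settings. It makes no calls to Azure.

```python
"""Audit Azure Storage account settings for the exposure pattern described
on this page: anonymous public access and unrestricted network access.

Added example; the input is a constructed list of dicts whose field names
mimic `az storage account show` output (an assumption about naming).
"""

from typing import Dict, List

# Constructed sample: one weakly configured account and one hardened account.
SAMPLE_ACCOUNTS: List[Dict] = [
    {
        "name": "weakaccount",
        "allowBlobPublicAccess": True,          # anonymous blob/container reads permitted
        "enableHttpsTrafficOnly": False,        # plain HTTP accepted
        "minimumTlsVersion": "TLS1_0",
        "networkRuleSet": {"defaultAction": "Allow"},  # reachable from any network
    },
    {
        "name": "hardenedaccount",
        "allowBlobPublicAccess": False,
        "enableHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "networkRuleSet": {"defaultAction": "Deny"},
    },
]

# Target values; an account matching all of these raises no finding.
BASELINE = {
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
}


def audit_account(account: Dict) -> List[str]:
    """Return human-readable findings for one storage account record.

    Missing keys are treated as the insecure value so that an incomplete
    export does not silently pass the audit."""
    findings = []
    if account.get("allowBlobPublicAccess", True):
        findings.append("anonymous public blob access is enabled")
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("non-TLS (HTTP) traffic is allowed")
    tls = account.get("minimumTlsVersion")
    if tls != BASELINE["minimumTlsVersion"]:
        findings.append(f"minimum TLS version is {tls!r}, expected TLS1_2")
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("network default action is Allow (no network restriction)")
    return findings


def hardened_copy(account: Dict) -> Dict:
    """Return a copy of the record with the baseline applied.

    This only computes the desired end state; applying it is a separate
    step (e.g. an `az storage account update` run by an operator)."""
    fixed = dict(account)
    fixed.update(BASELINE)
    fixed["networkRuleSet"] = {**(account.get("networkRuleSet") or {}),
                               "defaultAction": "Deny"}
    return fixed


def audit_all(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only accounts with findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        found = audit_account(acct)
        if found:
            report[acct["name"]] = found
    return report


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_ACCOUNTS).items():
        print(name)
        for line in found:
            print("  -", line)
```

Running it prints the four findings for `weakaccount` and nothing for `hardenedaccount`; `hardened_copy(weak)` passes `audit_account` cleanly. The corresponding CLI switches on `az storage account update` are `--allow-blob-public-access false`, `--https-only true`, `--min-tls-version TLS1_2` and `--default-action Deny`; the account-level setting only closes the door at the top, so container-level public access and role assignments still need to be reviewed separately.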
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_defender_for_storage | Azure Defender for Storage | technique_scores | T1530 | Data from Cloud Storage Object | A variety of alerts may be generated by malicious access and enumeration of Azure Storage. |
azure_sentinel | Azure Sentinel | technique_scores | T1530 | Data from Cloud Storage Object | The Azure Sentinel Hunting "Anomalous Data Access" query identifies all users performing out-of-profile read operations on data or files, which may be indicative of adversarial collection from cloud storage objects. |
role_based_access_control | Role Based Access Control | technique_scores | T1530 | Data from Cloud Storage Object | This control can be used to restrict access to storage solutions to only the applications, users, and services that require it, thereby reducing the attack surface. |
azure_policy | Azure Policy | technique_scores | T1530 | Data from Cloud Storage Object | This control may provide recommendations to enable Azure Defender for Storage and other security controls that prevent access to data from cloud storage objects. |
conditional_access | Conditional Access | technique_scores | T1530 | Data from Cloud Storage Object | Conditional Access, when granting (risky) users access to cloud storage, specifically OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices have browser-only access to OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to exfiltrate data from OneDrive. The protection coverage provided by this control is Minimal, as it doesn't provide protection for other storage services available on Azure such as the Azure Storage service. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1530 | Data from Cloud Storage Object | This control can detect use of unsanctioned business apps and data exfiltration to unsanctioned storage apps. |
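The Azure Sentinel note above rests on one idea: learn each identity's normal read profile, then flag reads that fall outside it. The block below is an added example (not the Sentinel query, which runs as KQL over Sentinel's log tables, and not code from the mapping project): it reproduces that profile-then-compare logic in Python over a constructed storage access log whose fields (`time`, `identity`, `operationName`, `container`, `statusCode`) only loosely follow Azure Storage diagnostic logs. The baseline window, the read operation names and the volume threshold are all assumptions chosen for the illustration.

```python
"""Flag out-of-profile storage reads per identity.

Added example. Builds a per-identity profile (containers touched, mean reads
per active day) from a baseline window, then reports detection-window reads
that use new containers, exceed the baseline volume, or come from identities
with no baseline at all. Field names and thresholds are assumptions."""

from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Operations treated as reads (assumed names, modelled on blob service ops).
READ_OPS = {"GetBlob", "ListBlobs", "GetBlobProperties"}


def _rec(day: int, identity: str, op: str, container: str, code: int = 200) -> Dict:
    """Build one constructed log record for January 2024."""
    return {"time": f"2024-01-{day:02d}T09:00:00", "identity": identity,
            "operationName": op, "container": container, "statusCode": code}


# Constructed sample: seven normal days, then one day of suspicious activity.
SAMPLE_LOG: List[Dict] = []
for _day in range(1, 8):
    SAMPLE_LOG += [_rec(_day, "alice@example.com", "GetBlob", "reports") for _ in range(3)]
    SAMPLE_LOG += [_rec(_day, "bob@example.com", "GetBlob", "invoices") for _ in range(2)]
    SAMPLE_LOG.append(_rec(_day, "alice@example.com", "PutBlob", "reports"))   # write: ignored
SAMPLE_LOG += [_rec(8, "alice@example.com", "GetBlob", "reports") for _ in range(40)]   # volume spike
SAMPLE_LOG += [_rec(8, "alice@example.com", "ListBlobs", "hr-records") for _ in range(5)]  # new container
SAMPLE_LOG += [_rec(8, "bob@example.com", "GetBlob", "invoices") for _ in range(2)]     # normal
SAMPLE_LOG.append(_rec(8, "svc-backup", "GetBlob", "reports"))                          # no baseline
SAMPLE_LOG.append(_rec(8, "eve@example.com", "GetBlob", "reports", code=403))           # denied: dropped

BASELINE_START, BASELINE_END, DETECT_END = (datetime(2024, 1, 1),
                                            datetime(2024, 1, 8),
                                            datetime(2024, 1, 9))


def parse_records(raw: List[Dict]) -> List[Dict]:
    """Keep successful read operations only, with parsed timestamps."""
    kept = []
    for r in raw:
        if r["operationName"] in READ_OPS and r["statusCode"] == 200:
            kept.append({**r, "time": datetime.fromisoformat(r["time"])})
    return kept


def _count_by_user_day(records: List[Dict], start: datetime, end: datetime):
    """Per identity: reads per calendar day and the set of containers read."""
    per_day = defaultdict(lambda: defaultdict(int))
    containers = defaultdict(set)
    for r in records:
        if start <= r["time"] < end:
            per_day[r["identity"]][r["time"].date()] += 1
            containers[r["identity"]].add(r["container"])
    return per_day, containers


def build_profiles(records: List[Dict], start: datetime, end: datetime) -> Dict[str, Dict]:
    """Summarise each identity's normal behaviour over the baseline window."""
    per_day, containers = _count_by_user_day(records, start, end)
    profiles = {}
    for user, days in per_day.items():
        counts = list(days.values())
        profiles[user] = {"containers": containers[user],
                          "mean_daily_reads": sum(counts) / len(counts)}
    return profiles


def find_anomalies(records: List[Dict], profiles: Dict[str, Dict], start: datetime,
                   end: datetime, volume_factor: float = 5.0) -> Dict[str, List[str]]:
    """Return {identity: [reasons]} for detection-window reads outside the profile."""
    per_day, containers = _count_by_user_day(records, start, end)
    findings: Dict[str, List[str]] = defaultdict(list)
    for user, days in per_day.items():
        prof = profiles.get(user)
        if prof is None:
            findings[user].append("no baseline: identity has not read storage before")
            continue
        new = containers[user] - prof["containers"]
        if new:
            findings[user].append(f"read from containers outside profile: {sorted(new)}")
        peak = max(days.values())
        if peak > volume_factor * max(prof["mean_daily_reads"], 1.0):
            findings[user].append(f"daily reads {peak} vs baseline mean {prof['mean_daily_reads']:.1f}")
    return dict(findings)


def run(raw: List[Dict] = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Full pipeline: parse, profile the baseline week, flag the detection day."""
    recs = parse_records(raw)
    profiles = build_profiles(recs, BASELINE_START, BASELINE_END)
    return find_anomalies(recs, profiles, BASELINE_END, DETECT_END)


if __name__ == "__main__":
    for user, reasons in run().items():
        print(user, "->", "; ".join(reasons))
```

On the sample, `alice@example.com` is flagged twice (a container she never read during the baseline, and a 45-read day against a mean of 3), `svc-backup` is flagged for having no baseline, and `bob@example.com` and the denied `eve@example.com` request produce nothing. The "no baseline" case is worth keeping as its own reason rather than dropping it: newly created or newly compromised identities are exactly the ones a profile-based hunt has nothing to compare against, so they need a different review path rather than silence.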