1. Home
  2. ATT&CK Techniques
  3. T1530 Data from Cloud Storage Object

T1530 Data from Cloud Storage Object Mappings

Adversaries may access data objects from improperly secured cloud storage.

Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)

Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1530 Data from Cloud Storage Object
AC-17 Remote Access Protects T1530 Data from Cloud Storage Object
AC-18 Wireless Access Protects T1530 Data from Cloud Storage Object
AC-19 Access Control for Mobile Devices Protects T1530 Data from Cloud Storage Object
AC-2 Account Management Protects T1530 Data from Cloud Storage Object
AC-20 Use of External Systems Protects T1530 Data from Cloud Storage Object
AC-3 Access Enforcement Protects T1530 Data from Cloud Storage Object
AC-4 Information Flow Enforcement Protects T1530 Data from Cloud Storage Object
AC-5 Separation of Duties Protects T1530 Data from Cloud Storage Object
AC-6 Least Privilege Protects T1530 Data from Cloud Storage Object
AC-7 Unsuccessful Logon Attempts Protects T1530 Data from Cloud Storage Object
CA-7 Continuous Monitoring Protects T1530 Data from Cloud Storage Object
CA-8 Penetration Testing Protects T1530 Data from Cloud Storage Object
CM-2 Baseline Configuration Protects T1530 Data from Cloud Storage Object
CM-5 Access Restrictions for Change Protects T1530 Data from Cloud Storage Object
CM-6 Configuration Settings Protects T1530 Data from Cloud Storage Object
CM-7 Least Functionality Protects T1530 Data from Cloud Storage Object
CM-8 System Component Inventory Protects T1530 Data from Cloud Storage Object
IA-2 Identification and Authentication (organizational Users) Protects T1530 Data from Cloud Storage Object
IA-3 Device Identification and Authentication Protects T1530 Data from Cloud Storage Object
IA-4 Identifier Management Protects T1530 Data from Cloud Storage Object
IA-5 Authenticator Management Protects T1530 Data from Cloud Storage Object
IA-6 Authentication Feedback Protects T1530 Data from Cloud Storage Object
IA-8 Identification and Authentication (non-organizational Users) Protects T1530 Data from Cloud Storage Object
RA-5 Vulnerability Monitoring and Scanning Protects T1530 Data from Cloud Storage Object
SC-28 Protection of Information at Rest Protects T1530 Data from Cloud Storage Object
SC-4 Information in Shared System Resources Protects T1530 Data from Cloud Storage Object
SC-7 Boundary Protection Protects T1530 Data from Cloud Storage Object
SI-10 Information Input Validation Protects T1530 Data from Cloud Storage Object
SI-12 Information Management and Retention Protects T1530 Data from Cloud Storage Object
SI-15 Information Output Filtering Protects T1530 Data from Cloud Storage Object
SI-4 System Monitoring Protects T1530 Data from Cloud Storage Object
SI-7 Software, Firmware, and Information Integrity Protects T1530 Data from Cloud Storage Object
azure_defender_for_storage Azure Defender for Storage technique_scores T1530 Data from Cloud Storage Object
Comments
A variety of alerts may be generated by malicious access and enumeration of Azure Storage.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage
azure_sentinel Azure Sentinel technique_scores T1530 Data from Cloud Storage Object
Comments
The Azure Sentinel Hunting "Anomalous Data Access" query identifies all users performing out-of-profile read operations regarding data or files, which may be indicative of adversarial collection from cloud storage objects.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
role_based_access_control Role Based Access Control technique_scores T1530 Data from Cloud Storage Object
Comments
This control can be used to limit the number of users that have access to storage solutions except for the applications, users, and services that require access, thereby reducing the attack surface.
References
  1. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
azure_policy Azure Policy technique_scores T1530 Data from Cloud Storage Object
Comments
This control may provide recommendations to enable Azure Defender for Storage and other security controls to prevent access to data from cloud storage objects.
References
  1. https://docs.microsoft.com/en-us/azure/governance/policy/overview
  2. https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir
conditional_access Conditional Access technique_scores T1530 Data from Cloud Storage Object
Comments
Conditional Access, when granting (risky) users access to cloud storage, specifically OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to exfiltrate data from OneDrive. The protection coverage provided by this control is Minimal as it doesn't provide protection for other storage services available on Azure such as the Azure Storage service.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
cloud_app_security_policies Cloud App Security Policies technique_scores T1530 Data from Cloud Storage Object
Comments
This control can detect use of unsanctioned business apps and data exfil to unsanctioned storage apps.
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts