There are many well-established attack strategies and models in cybersecurity, including the NIST Cybersecurity Framework or the HITRUST CSF. However, as cloud usage becomes more prevalent, organizations are looking for a security framework especially tailored for cloud computing and its inherent threats.
ATT&CK, from The Mitre Corporation, is ready to fulfill this need. The Mitre ATT&CK framework provides a structure for professionals to identify the strengths and holes in their security program’s ability to detect attacker tactics, techniques and common knowledge.
Some security teams may be familiar with Mitre ATT&CK Matrix for Enterprise, which includes tactics and techniques specific to Windows, Linus and macOS. The updated Mitre ATT&CK Cloud Matrix framework offers guidance on techniques specific to Microsoft 365, Azure, AWS, Google Cloud Platform (GCP) and other cloud providers.
How Mitre ATT&CK cloud tactics and techniques differ
Here, explore the 10 tactics representing Mitre ATT&CK Cloud Matrix and how each tactic’s cloud techniques may vary from traditional methods.
1. Initial access
Threat actors find an initial means of gaining access to an organization’s assets or environment. Many of these access points are similar for on-premises and cloud-focused events, including techniques such as phishing. However, some attempts to access applications may happen entirely in the cloud, or account hijacking may target cloud user and service accounts instead of traditional internal accounts.
This stage involves setting up backdoors and methods to retain access over time on the system or in the environment. With new cloud technologies and services, persistence may now include cloud account manipulation or implantation of containers in a PaaS deployment.
3. Privilege escalation
Threat actors can use dynamic link library injection or shellcode exploits on setuid and setgid bits with the intention of elevating privileges on the local system to gain more thorough control. Privilege escalation in the cloud is typically a result of unauthorized access to and use of cloud accounts and privileges.
4. Defense evasion
Bad actors use the defense evasion tactic to avoid host defenses, such as intrusion detection, malware prevention and logging. Traditional examples include clearing shell history and logs, token manipulation and obfuscating files. In the cloud, this phase includes disabling or modifying cloud firewalls, manipulating cloud workloads, employing unused cloud regions and manipulating cloud accounts or authentication types.
5. Credential access
Classic attempts to access accounts without authorization include brute-force attacks against usernames and passwords, sniffing, accessing private keys and dumping credentials from memory. Threat actors can use these techniques to gain access to new systems or further access in existing systems or applications. Accessing cloud accounts without authorization and abusing cloud metadata APIs for privilege acquisition are common tactics.
The discovery phase is when threat actors look for other types of information to use. This includes user data, privileges, devices, applications, services and data. In the cloud, there are a broad array of new services available, including cloud service dashboards, new APIs and various types of interconnected assets.
7. Lateral movement
At this phase, bad actors look to migrate from one host to others in the environment. They may employ techniques such as “pass the hash” with credentials, remote admin and access tools, remote services and logon scripts. Many lateral movement tactics in the cloud are similar. They may use cloud APIs, access tokens, service accounts and privileges, as well as cloud metadata services.
Bad actors invariably want to collect data, such as clipboard info, input from keyboards and other devices, screen or video captures, and more. Focusing on cloud storage and secrets, such as API keys, is more common.
Threat actors often look to exfiltrate data from the target environment. This may involve encrypting the data, setting up different types of network channels and protocols for moving data out of the network, or scheduling data transfer. For cloud-based scenarios, sending data to a different cloud storage or other account is a common tactic.
Attack end goals vary widely among actors and campaigns. ATT&CK Cloud Matrix identifies four impact techniques, including defacement of accounts and assets, endpoint denial of service, network denial of service and resource hijacking for malicious purposes.
How to successfully use the Mitre ATT&CK cloud framework
The Mitre ATT&CK cloud security framework is applicable in all major IaaS clouds, including AWS, Azure and GCP. It helps security analysts implement or improve detection and response controls and processes in cloud deployments by thinking through the actual attack methods seen in the wild. For example, to compromise a cloud workload, such as an Amazon EC2 server, attackers may try to move laterally by hijacking identity roles assigned to that system. They may also compromise container images in a PaaS environment to mine cryptocurrency.
By using Mitre ATT&CK Cloud Matrix to model potential attack paths and attacker actions in the cloud, security teams can work with DevOps and cloud engineering teams to design and implement more effective cloud guardrails. These guardrails can monitor the environment more thoroughly and potentially automate detection and response.
As the different features and capabilities of each cloud provider evolve, the ATT&CK framework will need to become increasingly customized for each environment. While there are many commonalities in attacks against PaaS and IaaS environments, each provider has unique services and asset types that may offer attackers different potential avenues of exploitation and compromise. Keeping pace with cloud provider updates and features will be critical in order to maintain up-to-date and accurate attack models.