rvlsoft - Fotolia


How to use the Mitre ATT&CK framework for cloud security

Learn how to use the Mitre ATT&CK security framework to keep your enterprise cloud environment -- whether AWS, GCP, Azure, Azure AD or Microsoft 365 -- secure.

There are many well-established attack strategies and models in cybersecurity, including the NIST Cybersecurity Framework or the HITRUST CSF. However, as cloud usage becomes more prevalent, organizations are looking for a security framework especially tailored for cloud computing and its inherent threats.

ATT&CK, from The Mitre Corporation, is ready to fulfill this need. The Mitre ATT&CK framework provides a structure for professionals to identify the strengths and holes in their security program's ability to detect attacker tactics, techniques and common knowledge.

Some security teams may be familiar with Mitre ATT&CK Matrix for Enterprise, which includes tactics and techniques specific to Windows, Linux and macOS. The updated Mitre ATT&CK Cloud Matrix framework offers guidance on techniques specific to Microsoft 365, Azure, AWS, Google Cloud Platform (GCP) and other cloud providers.

How Mitre ATT&CK cloud tactics and techniques differ

Here, explore the 10 tactics representing Mitre ATT&CK Cloud Matrix and how each tactic's cloud techniques may vary from traditional methods.

1. Initial access

Threat actors find an initial means of gaining access to an organization's assets or environment. Many of these access points are similar for on-premises and cloud-focused events, including techniques such as phishing. However, some attempts to access applications may happen entirely in the cloud, or account hijacking may target cloud user and service accounts instead of traditional internal accounts.

2. Persistence

This stage involves setting up backdoors and methods to retain access over time on the system or in the environment. With new cloud technologies and services, persistence may now include cloud account manipulation or implantation of containers in a PaaS deployment.

3. Privilege escalation

Threat actors can use dynamic link library injection or shellcode exploits on setuid and setgid bits with the intention of elevating privileges on the local system to gain more thorough control. Privilege escalation in the cloud is typically a result of unauthorized access to and use of cloud accounts and privileges.

Graphic featuring 10 cyber attack tactics and techniques covered by the Mitre ATT&CK framework for cloud.
Mitre ATT&CK® Cloud Matrix includes 10 cloud-based cyber attack tactics and subtechniques for AWS, GCP, Azure, Azure AD, Microsoft 365 and SaaS platforms.

4. Defense evasion

Bad actors use the defense evasion tactic to avoid host defenses, such as intrusion detection, malware prevention and logging. Traditional examples include clearing shell history and logs, token manipulation and obfuscating files. In the cloud, this phase includes disabling or modifying cloud firewalls, manipulating cloud workloads, employing unused cloud regions and manipulating cloud accounts or authentication types.

5. Credential access

Classic attempts to access accounts without authorization include brute-force attacks against usernames and passwords, sniffing, accessing private keys and dumping credentials from memory. Threat actors can use these techniques to gain access to new systems or further access in existing systems or applications. Accessing cloud accounts without authorization and abusing cloud metadata APIs for privilege acquisition are common tactics.

The updated Mitre ATT&CK Cloud Matrix framework offers guidance on techniques specific to Microsoft 365, Azure, AWS, GCP and other cloud providers.

6. Discovery

The discovery phase is when threat actors look for other types of information to use. This includes user data, privileges, devices, applications, services and data. In the cloud, there are a broad array of new services available, including cloud service dashboards, new APIs and various types of interconnected assets.

7. Lateral movement

At this phase, bad actors look to migrate from one host to others in the environment. They may employ techniques such as "pass the hash" with credentials, remote admin and access tools, remote services and logon scripts. Many lateral movement tactics in the cloud are similar. They may use cloud APIs, access tokens, service accounts and privileges, as well as cloud metadata services.

8. Collection

Bad actors invariably want to collect data, such as clipboard info, input from keyboards and other devices, screen or video captures, and more. Focusing on cloud storage and secrets, such as API keys, is more common.

9. Exfiltration

Threat actors often look to exfiltrate data from the target environment. This may involve encrypting the data, setting up different types of network channels and protocols for moving data out of the network, or scheduling data transfer. For cloud-based scenarios, sending data to a different cloud storage or other account is a common tactic.

10. Impact

Attack end goals vary widely among actors and campaigns. ATT&CK Cloud Matrix identifies four impact techniques, including defacement of accounts and assets, endpoint denial of service, network denial of service and resource hijacking for malicious purposes.

How to successfully use the Mitre ATT&CK cloud framework

The Mitre ATT&CK cloud security framework is applicable in all major IaaS clouds, including AWS, Azure and GCP. It helps security analysts implement or improve detection and response controls and processes in cloud deployments by thinking through the actual attack methods seen in the wild. For example, to compromise a cloud workload, such as an Amazon EC2 server, attackers may try to move laterally by hijacking identity roles assigned to that system. They may also compromise container images in a PaaS environment to mine cryptocurrency.

By using Mitre ATT&CK Cloud Matrix to model potential attack paths and attacker actions in the cloud, security teams can work with DevOps and cloud engineering teams to design and implement more effective cloud guardrails. These guardrails can monitor the environment more thoroughly and potentially automate detection and response.

As the different features and capabilities of each cloud provider evolve, the ATT&CK framework will need to become increasingly customized for each environment. While there are many commonalities in attacks against PaaS and IaaS environments, each provider has unique services and asset types that may offer attackers different potential avenues of exploitation and compromise. Keeping pace with cloud provider updates and features will be critical in order to maintain up-to-date and accurate attack models.

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing