Modify Cloud Resource Hierarchy
Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources) Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022) In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)
Mitigations |
|
| Mitigation | Description |
|---|---|
| Software Configuration |
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates. |
| User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
| Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
References
- Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.
- Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024.
- Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.
- AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024.
- Microsoft Azure. (2024, March 21). Manage Azure subscription policies. Retrieved September 25, 2024.
- Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.
- AWS. (n.d.). Best practices for the management account. Retrieved October 16, 2024.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.