MITRE’s ATT&CK framework is ever evolving. The latest October update extends enterprise coverage to the cloud and adds a considerable list of cloud-specific adversarial techniques.

The cloud has seen phenomenal growth over the past few years, as it offers businesses flexibility, reliability and cost savings. Along with this growth come new security risks and high-value targets for nation-state actors and cyber criminals. In 2014, source code hosting provider Code Spaces was forced to shut down after an attacker gained access to its AWS IAM and destroyed its entire cloud infrastructure. More recently, a software engineer was arrested after stealing sensitive data, including details pertaining to 106 million credit card applications, from Capital One through a misconfigured AWS S3 bucket. As the cloud takes over, security practices and understanding need to evolve.

ATT&CK’s enterprise platform categorization now includes Windows, macOS, Linux, AWS, GCP, Azure, Office 365, Azure AD and SaaS. The 36 initial techniques for cloud include, for example, Data from Cloud Storage Object, which is applicable in the second example above.

MITRE's ATT&CK framework has already evolved quite a bit this year. Previously, enterprise ATT&CK was primarily focused on information theft: confidentiality and data exfiltration. The Impact Tactic was introduced to address destructive, disruptive and resource hijacking techniques — all of which are particularly relevant to cloud applications. Mitigations were changed from text fields to objects, representing independent entities. This is an improvement in the structure of the taxonomy.

There are several eagerly anticipated changes and additions on the horizon. PRE-ATT&CK techniques will be classified under two new Tactics, uniting PRE-ATT&CK and ATT&CK. Further, ATT&CK ICS for industrial control systems and — the update I’m most looking forward to — ATT&CK sub-technique restructuring are both in the works.
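As an added illustration (not from the original post or from MITRE), here is a small Python script showing what the new platform tags and the object-based mitigations look like when you work with the ATT&CK STIX data: it filters a bundle for techniques tagged with one of the cloud platforms, skips revoked objects, and follows `mitigates` relationships from course-of-action objects to the techniques they cover. The bundle embedded below is a constructed, minimal sample in the shape of the ATT&CK STIX 2.0 export; its STIX ids and the `TXnnn`/`MXnnn` external ids are placeholders rather than real ATT&CK identifiers, and apart from the two technique names taken from the list in this post, the object names are made up for the example.

```python
"""Cloud-technique coverage report over an ATT&CK-shaped STIX 2 bundle.

Added example: the bundle is a constructed sample, not MITRE's data. Only the
field names (x_mitre_platforms, external_references, relationship_type) follow
the real ATT&CK STIX export; every id below is a placeholder.
"""

# Cloud platforms introduced by the October ATT&CK update.
CLOUD_PLATFORMS = {"AWS", "GCP", "Azure", "Office 365", "Azure AD", "SaaS"}

AP = "attack-pattern--11111111-1111-4111-8111-0000000000"   # placeholder id stems
COA = "course-of-action--22222222-2222-4222-8222-0000000000"
REL = "relationship--33333333-3333-4333-8333-0000000000"


def _ref(external_id):
    """Build the external_references entry ATT&CK uses to carry Tnnnn/Mnnnn ids."""
    return [{"source_name": "mitre-attack", "external_id": external_id}]


# Constructed sample bundle (placeholder ids; names partly made up).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": AP + "01", "name": "Data from Cloud Storage Object",
         "x_mitre_platforms": ["AWS", "GCP", "Azure"], "external_references": _ref("TX001")},
        {"type": "attack-pattern", "id": AP + "02", "name": "Valid Accounts",
         "x_mitre_platforms": ["Windows", "Linux", "macOS", "AWS", "GCP", "Azure",
                               "Office 365", "Azure AD", "SaaS"],
         "external_references": _ref("TX002")},
        {"type": "attack-pattern", "id": AP + "03", "name": "Host-only Example Technique",
         "x_mitre_platforms": ["Windows"], "external_references": _ref("TX003")},
        {"type": "attack-pattern", "id": AP + "04", "name": "Revoked Cloud Example Technique",
         "revoked": True, "x_mitre_platforms": ["AWS"], "external_references": _ref("TX004")},
        {"type": "course-of-action", "id": COA + "01", "name": "Restrict Storage Permissions",
         "external_references": _ref("MX001")},
        {"type": "course-of-action", "id": COA + "02", "name": "Multi-factor Authentication",
         "external_references": _ref("MX002")},
        # Mitigations are independent objects; relationships bind them to techniques.
        {"type": "relationship", "id": REL + "01", "relationship_type": "mitigates",
         "source_ref": COA + "01", "target_ref": AP + "01"},
        {"type": "relationship", "id": REL + "02", "relationship_type": "mitigates",
         "source_ref": COA + "02", "target_ref": AP + "02"},
        {"type": "relationship", "id": REL + "03", "relationship_type": "mitigates",
         "source_ref": COA + "01", "target_ref": AP + "02"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK external id of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def cloud_techniques(bundle):
    """Non-revoked attack-patterns tagged with at least one cloud platform."""
    found = []
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked"):
            continue
        cloud = sorted(set(obj.get("x_mitre_platforms", [])) & CLOUD_PLATFORMS)
        if cloud:
            found.append({"stix_id": obj["id"], "attack_id": attack_id(obj),
                          "name": obj["name"], "cloud_platforms": cloud})
    return found


def mitigations_by_technique(bundle):
    """Map technique STIX id -> sorted (mitigation id, name) pairs via 'mitigates' edges."""
    courses = {o["id"]: o for o in bundle["objects"]
               if o.get("type") == "course-of-action" and not o.get("revoked")}
    result = {}
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "mitigates":
            continue
        coa = courses.get(rel["source_ref"])
        if coa is not None:  # dangling refs are skipped rather than crashing
            result.setdefault(rel["target_ref"], []).append((attack_id(coa), coa["name"]))
    return {k: sorted(v) for k, v in result.items()}


def cloud_coverage_report(bundle):
    """Technique name -> attack id, cloud platforms and mapped mitigation names."""
    mit = mitigations_by_technique(bundle)
    return {t["name"]: {"attack_id": t["attack_id"], "platforms": t["cloud_platforms"],
                        "mitigations": [name for _, name in mit.get(t["stix_id"], [])]}
            for t in cloud_techniques(bundle)}


if __name__ == "__main__":
    for name, info in cloud_coverage_report(SAMPLE_BUNDLE).items():
        print(f"{info['attack_id']} {name}: platforms={info['platforms']} "
              f"mitigations={info['mitigations'] or ['(none mapped)']}")
```

Against the real export you would replace `SAMPLE_BUNDLE` with `json.load()` of the enterprise bundle; the field names are the same, which is exactly why turning mitigations into first-class objects matters: coverage questions such as "which cloud techniques have no mapped mitigation?" become a join over relationships rather than a text search.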
It's notable that community input was the primary driver of the initial set of cloud techniques. We are excited to see the MITRE ATT&CK community grow and share their knowledge of the latest attack behaviors. Here’s the complete list of the 36 techniques with cloud-specific content:
- Application Access Token
- Cloud Instance Metadata API
- Cloud Service Dashboard
- Cloud Service Discovery
- Data from Cloud Storage Object
- Implant Container Image
- Internal Spearphishing
- Revert Cloud Instance
- Steal Application Access Token
- Steal Web Session Cookie
- Transfer Data to Cloud Account
- Unused Cloud Regions
- Web Session Cookie
- Account Discovery
- Account Manipulation
- Brute Force
- Create Account
- Credentials in Files
- Data from Information Repositories
- Data from Local System
- Data Staged
- Drive-by Compromise
- Email Collection
- Exploit Public-Facing Application
- Network Service Scanning
- Network Share Discovery
- Office Application Startup
- Permission Groups Discovery
- Redundant Access
- Remote System Discovery
- Resource Hijacking
- Spearphishing Link
- System Information Discovery
- System Network Connections Discovery
- Trusted Relationship
- Valid Accounts