Detection and Mitigation

The 'Create Snapshot', ‘Create Cloud Instance’, ‘Delete Cloud Instance’, ‘Revert Cloud Instance’ and ‘Modify Cloud Compute Configurations’ features are widely available across major cloud platforms such as AWS, Azure, and GCP. These functionalities are essential for enhancing data resilience, ensuring robust data protection, facilitating quick data recovery, and providing the elasticity and scalability needed for operational flexibility in cloud environments. On the other hand, adversaries take advantage of this five features (as sub-techniques) for their malicious objectives. For example, an APT (Advanced Persistent Threat) group might exploit the snapshot feature to exfiltrate or tamper with data. Subsequently, they could create cloud instances for launching attacks or hosting malicious content, and then delete these instances to cover their tracks. They might also revert instances to earlier states to undo security updates or modify compute configurations to create backdoors. This misuse compromises cloud security and poses significant risks to business operations and data integrity.

1. Detection for Snapshot Creation, Instance Creation & Instance Deletion

To prevent abuse against the use of Snapshot Creation, Instance Creation and Instance Deletion features within cloud environments, security teams and cyber-defenders must ensure that proper monitoring and logging services are enabled across all cloud providers they utilize. This ensure timely detection of anomalous activities and helps in maintaining the security of the cloud environments.

In AWS, it is important for every organization's security team to enable (activate) the CloudTrail logging service to log and monitor all API calls within their AWS environment, specifically those related to API event calls for:

• Snapshot Creation: Check for occurrences of the CreateSnapshot API call and AWS Backup events in AWS CloudTrail logs, which indicate snapshot creation on EBS volumes and RDS instances.
  
  

• 
  {
    "eventTime": "2024-04-22T12:00:00Z",
    "eventName": "CreateSnapshot",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.168.1.1",
    "userAgent": "aws-cli/2.0",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDAEXAMPLE",
      "arn": "arn:aws:iam::123456789012:user/exampleuser",
      "accountId": "123456789012",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "exampleuser"
    },
    "requestParameters": {
      "volumeId": "vol-0123456789abcdef0",
      "description": "Daily backup"
    },
    "responseElements": {
      "snapshotId": "snap-1234567890abcdef0"
    }
  }
  
  
  

• Instance Creation: Check for occurrences of the RunInstances API call in AWS CloudTrail logs, which indicate the launching of EC2 instances.
  
  
  

• 
  {
    "eventTime": "2024-04-22T12:15:00Z",
    "eventName": "RunInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.1.1",
    "userAgent": "AmazonEC2",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDAEXAMPLE",
      "arn": "arn:aws:iam::123456789012:user/exampleuser",
      "accountId": "123456789012",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "exampleuser"
    },
    "requestParameters": {
      "instanceType": "t2.medium",
      "imageId": "ami-12345678",
      "count": "1"
    },
    "responseElements": {
      "instanceId": "i-0123456789abcdef0"
    }
  }
  
  
  

• Instance Deletion: Check for occurrences of the TerminateInstances API call in AWS CloudTrail logs, which indicate the termination of EC2 instances.
  
  
  

• 
  {
    "eventTime": "2024-04-22T12:30:00Z",
    "eventName": "TerminateInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.1.1",
    "userAgent": "AmazonEC2",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDAEXAMPLE",
      "arn": "arn:aws:iam::123456789012:user/exampleuser",
      "accountId": "123456789012",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "exampleuser"
    },
    "requestParameters": {
      "instanceId": "i-0123456789abcdef0"
    }
  }

  
  
  

The JSON code above shows API event data captured by CloudTrail logs for CreateSnapshot, RunInstances, and TerminateInstances. This reveals important information's such as the source IP address of the request, the user who initiated it, the time of the request, and other relevant details which may indicate suspicious activity.

In same way for Azure, it is crucial for every organization's security team to enable Azure Activity Logs to track and log all API calls within their Azure environment. The cloud administrator or security teams should enable the Azure Monitor service with custom alerts for notifications related to specific events to ensure the effective detection of backup restoration activities. It important to check Azure Activity Logs for API calls specifically related to :

• Snapshot Creation: Check for occurrences of the Microsoft.Compute/snapshots/write API call in Azure Activity Logs, which indicate the creation of a snapshot of a disk.

• 
  {
    "eventTimestamp": "2024-04-22T12:00:00Z",
    "operationName": "Microsoft.Compute/snapshots/write",
    "category": "Write",
    "region": "West US",
    "properties": {
      "statusCode": "Succeeded",
      "serviceRequestId": "abcd1234-5678-90ef-ghij-klmnopqrstuv"
    },
    "identity": {
      "type": "User",
      "principalId": "5678abcd-1234-ef90-ghij-klmnopqrstuv",
      "email": "admin@example.com"
    },
    "userIdentity": {
      "principalName": "admin@example.com",
      "principalType": "User",
      "tenantId": "tenant7890",
      "principalId": "5678abcd-1234-ef90-ghij-klmnopqrstuv"
    }
  }

  
  
  

• Instance Creation: Check for occurrences of the Microsoft.Compute/virtualMachines/write event in Azure Activity Logs, which indicate the creation of a Virtual Machine
  
  

• 
  {
    "eventTimestamp": "2024-04-22T12:15:00Z",
    "operationName": "Microsoft.Compute/virtualMachines/write",
    "category": "Write",
    "region": "East US 2",
    "properties": {
      "statusCode": "Succeeded",
      "serviceRequestId": "wxyz1234-5678-90ef-ghij-klmnopqrstuv"
    },
    "identity": {
      "type": "ServicePrincipal",
      "principalId": "9012abcd-3456-ef78-ghij-klmnopqrstuv",
      "email": "automation@example.com"
    },
    "userIdentity": {
      "principalName": "automation@example.com",
      "principalType": "ServicePrincipal",
      "tenantId": "tenant1234",
      "principalId": "9012abcd-3456-ef78-ghij-klmnopqrstuv"
    }
  }
  
  
  

• Instance Deletion: Check for occurrences of the Microsoft.Compute/virtualMachines/delete API call in Azure Activity Logs, which indicate the deletion of a Virtual Machine.

• 
  {
    "eventTimestamp": "2024-04-22T12:30:00Z",
    "operationName": "Microsoft.Compute/virtualMachines/delete",
    "category": "Delete",
    "region": "Central US",
    "properties": {
      "statusCode": "Succeeded",
      "serviceRequestId": "lmno1234-5678-90ef-ghij-klmnopqrstuv"
    },
    "identity": {
      "type": "User",
      "principalId": "2345abcd-6789-ef01-ghij-klmnopqrstuv",
      "email": "developer@example.com"
    },
    "userIdentity": {
      "principalName": "developer@example.com",
      "principalType": "User",
      "tenantId": "tenant4567",
      "principalId": "2345abcd-6789-ef01-ghij-klmnopqrstuv"
    }
  }
  
  
  
  

The JSON code above shows API event data captured by Azure Activity Logs for Microsoft.Compute/snapshots/write, Microsoft.Compute/virtualMachines/write, and Microsoft.Compute/virtualMachines/delete. This reveals important information such as the source IP address of the request, the user who initiated it, the time of the request, and other relevant details which may indicate suspicious activity in an Azure environment.

Similarly In GCP, it is crucial for every organization's security team to enable Admin Activity audit logs within their Cloud Audit logs service to effectively record and detect operations.

• Snapshot Creation: Check for occurrences of the compute.disks.createSnapshot API call in GCP logs, which indicate the creation of a snapshot. Monitoring should specifically target the gcloud compute instances create command, particularly with the sourceSnapshot parameter set to global/snapshots/[BOOT_SNAPSHOT_NAME]. This is essential for identifying snapshot-related operations, including potentially unauthorized snapshot access or creation.

• 
  {
    "timestamp": "2024-04-22T12:00:00Z",
    "resource": {
      "type": "gce_disk",
      "name": "projects/project-id/zones/us-central1-a/disks/disk-123"
    },
    "methodName": "compute.disks.createSnapshot",
    "operationName": "operation-1234567890abcdef",
    "severity": "NOTICE",
    "userIdentity": {
      "principalEmail": "user@example.com"
    },
    "request": {
      "name": "snapshot-001",
      "sourceDisk": "projects/project-id/zones/us-central1-a/disks/disk-123",
      "sourceSnapshot": "global/snapshots/BOOT_SNAPSHOT_NAME"
    },
    "response": {
      "status": "SUCCESS",
      "snapshotId": "snapshot-001"
    },
    "protoPayload": {
      "status": "OK"
    },
    "callerIp": "192.168.1.1"
  }
  
  
  

• Instance Creation: Check for occurrences of the compute.instances.insert event in Google Cloud Operations logs, which indicate the creation of a new VM instance in Google Compute Engine.

• 
  {
    "timestamp": "2024-04-22T12:15:00Z",
    "resource": {
      "type": "gce_instance",
      "name": "projects/project-id/zones/us-central1-a/instances/instance-123"
    },
    "methodName": "compute.instances.insert",
    "operationName": "operation-1234567890abcdfg",
    "severity": "NOTICE",
    "userIdentity": {
      "principalEmail": "user@example.com"
    },
    "request": {
      "instance": {
        "name": "instance-123",
        "machineType": "zones/us-central1-a/machineTypes/n1-standard-1",
        "networkInterfaces": [{
          "network": "projects/project-id/global/networks/default"
        }]
      }
    },
    "response": {
      "status": "RUNNING",
      "instanceId": "instance-123"
    },
    "protoPayload": {
      "status": "OK"
    },
    "callerIp": "192.168.1.2"
  }
  
  
  

• Instance Deletion: Check for occurrences of the compute.instances.delete API call in Google Cloud Operations logs, which indicate the deletion of VM instances in Google Compute Engine.
  
  

• 
  {
    "timestamp": "2024-04-22T12:15:00Z",
    "resource": {
      "type": "gce_instance",
      "name": "projects/project-id/zones/us-central1-a/instances/instance-123"
    },
    "methodName": "compute.instances.insert",
    "operationName": "operation-1234567890abcdfg",
    "severity": "NOTICE",
    "userIdentity": {
      "principalEmail": "user@example.com"
    },
    "request": {
      "instance": {
        "name": "instance-123",
        "machineType": "zones/us-central1-a/machineTypes/n1-standard-1",
        "networkInterfaces": [{
          "network": "projects/project-id/global/networks/default"
        }]
      }
    },
    "response": {
      "status": "RUNNING",
      "instanceId": "instance-123"
    },
    "protoPayload": {
      "status": "OK"
    },
    "callerIp": "192.168.1.2"
  }
  
  
  

The JSON code above shows API event data captured by Google Cloud Operations logs for compute.disks.createSnapshot, compute.instances.insert, and compute.instances.delete. This reveals important information such as the source IP address of the request, the user who initiated it, the time of the request, and other relevant details which may indicate suspicious activity in a Google Cloud environment.

Additionally, maintaining the security and integrity of virtual instances in a cloud environment requires proactive measures, such as regularly comparing snapshots against a known good state. Security teams and cyber defenders should adhere to best practices by periodically capturing snapshots of virtual instances and comparing them with a verified baseline snapshot that is secure and free of corruption or malicious alterations. This approach helps security teams and cyber defenders to identify unauthorized modifications to virtual machines, facilitating swift detection and mitigation of potential security threats, while also effectively assisting in monitoring the integrity and security of the organization's sensitive data against cyberattacks.

2. Detection for Revert Cloud Instance & Modify Cloud Compute Configurations

• Revert Cloud Instance Detection Strategy 

  Given the absence of an effective mitigation strategy for the Revert Cloud Instance attack technique, security teams and cyber defenders should focus on implementing detection strategies to identify malicious activities perpetrated by adversaries attempting to evade detection and remove evidence of their presence.

  These strategies include:

  • Instance metadata tempering: Security teams and cyber defenders should periodically capture snapshots of virtual instances in their cloud environment and compare them with a verified baseline snapshot known to be secure and free of corruption or malicious alterations. This proactive approach effectively enables the identification of unauthorized modifications to virtual machines, enhancing swift detection and mitigation of potential security threats to instance metadata.”
  • Instance Modification || Instance Start || Instance Stop: Security teams and cyber defenders should establish centralized logging of all instance activity to effectively monitor and review instance events comprehensively, even after actions such as reverting to a snapshot, rolling back changes, or altering the persistence/type of storage types. Specifically, they should monitor for events related to snapshots, rollbacks, and VM configuration changes occurring outside of normal activity. This proactive approach helps minimize false positives by integrating known identifiers, such as tags or headers, with valid change management procedures, if supported by the cloud provider. By doing so, security teams can better distinguish between valid and expected events and potential malicious activity.

• Modify Cloud Compute Configurations Detection Strategy 

   

  Once adversaries compromise a tenant or cloud account, they often attempt to exploit Cloud Service Modification techniques, such as altering quotas, either by utilizing existing core quotas or increasing quotas across all regions. This can lead to resource overutilization or significant costs for the account owners. An effective mitigation strategy for this attack technique involves monitoring for quota increases across all regions, particularly multiple increases within a short period or in unused regions. Additionally, it's crucial to monitor changes to tenant-level settings, such as subscriptions and enabled regions.

  Security teams and cyber defenders should implement this mitigation strategy across their three major cloud providers (AWS, Azure, and GCP) by enabling logging and monitoring services provided by each platform, such as CloudTrail, Azure Activity Log, and Google Cloud Audit Logs, respectively. By leveraging these services, organizations can set up security alerts to detect and respond to unauthorized quota modifications and mitigate the risks associated with account compromise leading to unauthorized resource usage.

Mitigation for Snapshot Creation || Instance Creation || Instance Deletion

A generally effective mitigation strategy security teams and cyber-defenders should to adhere to for the Snapshot Creation, Instance Creation, and Instance Deletion cloud features is as follows:

• Perform Security Audits: Security teams and cyber defenders should routinely audit user permissions to ensure that only authorized users have the capability to perform actions such as creating snapshots and backups. This involves regularly reviewing and updating access controls to adhere to the principle of least privilege.
• Implement Effective User Account Management: Security teams and cyber defenders should limit permissions for creating snapshots or backups according to the principle of least privilege. Additionally, they should restrict the number of users within the organization with administrative privileges, minimize permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies to ensure alignment with their security requirements.

Mitigation for Revert Cloud Instance

Mitigating the Revert Cloud Instance attack technique presents a significant challenge due to its inherent integration as a legitimate feature within cloud environments. Adversaries can exploit this feature without triggering typical security measures, rendering preventive controls such as firewalls or access controls ineffective in countering such attacks. The intrinsic nature of the Revert Cloud Instance feature complicates efforts to prevent or mitigate associated security risks effectively.

Mitigation for Modify Cloud Compute Configurations

Security teams and cyber defenders should adhere to the following mitigation strategy for the Modify Cloud Compute Configurations attack technique:

• Perform Security Audits: Security teams and cyber defenders should routinely monitor user permissions to ensure that only expected users have the capability to request quota adjustments or modify tenant-level compute settings.
• Implement Effective User Account Management: Security teams and cyber defenders should limit permissions to request quotas adjustments or modify tenant-level compute setting to only those required.

Tools and Resources

It is important for all security teams and cyber defenders to note that effective detection of these attack techniques must be recognized as a continuous process, not merely a one-time task.

Cloud security teams and cyber defenders can utilize Cloud-Native Security Tools provided by cloud providers such as AWS GuardDuty, Azure Security Center, and Google Cloud Security Command Center to effectively detect and mitigate the attack techniques discussed in this blog.

Additionally, they can leverage third-party cloud-based security products like Cloud Workload Protection Platforms (CWPPs) and Cloud Security Posture Management (CSPM) solutions. These tools offer protection for cloud workloads, including virtual machines, by monitoring for vulnerabilities, misconfigurations, and suspicious activities.

The Stratus Red Team is a cloud-based adversary emulation tool that includes various attack techniques mapped to the MITRE ATT&CK framework. Security teams and cyber defenders can use this tool to understand how adversaries might leverage these attack techniques in their cloud environments such as AWS, Azure, and GCP, as highlighted in this blog.

How the Stratus Red Team Tool Empowers Security Teams and Cyber Defenders to Emulate Cloud Feature Attacks and Enhance Cloud Security Postures

1. Create Snapshot and Create Cloud Instance: Stratus Red Team can be used to simulate scenarios where an attacker or malicious insider attempts to create unauthorized snapshots or instances. This helps organizations test the effectiveness of permissions settings and alerting mechanisms.
2. Delete Cloud Instance and Revert Cloud Instance: Stratus Red Team can be used to emulate attacks where instances are deleted or reverted to a previous state to disrupt services or erase evidence of malicious activity. This helps organizations verify how well their environment can handle and recover from such disruptions or track changes to instance states.
3. Modify Cloud Compute Configurations: Stratus Red Team can help organizations test how effective their cloud environment detects and responds to unauthorized changes in compute configurations, such as alterations in security groups, network settings, or instance types.
   
   

Useful Resources - check out additional resources

• Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
• DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
• Backing up and restoring snapshots on Amazon EC2 machines
• Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps
• Microsoft.Compute snapshots
• Microsoft.Compute virtualMachines
• Virtual Machines - Delete
• Send Azure Monitor activity log data
• Cloud Security: Principles, Solutions, and Architectures
• Stratus Red team

Preparing for the Future

One of the major emerging trends in cloud security is abuse of cloud features such as Create Snapshot, Create Cloud Instance, Delete Cloud Instance, Revert Cloud Instance, and Modify Cloud Compute Configurations across major cloud platforms like AWS, Azure, and GCP. Adversaries on the other hand, increasingly exploit these features to bypass security measures and evade detection. For example, they might use 'Revert Cloud Instance' to rollback malicious changes (evidence) after an attack. To stay ahead these threats, organizations, security teams, and cyber defenders must prioritize proactive measures by following the below best practices to future-proof security postures against these attack techniques and safeguard their cloud environments:

• Access Control: Implement stringent access controls such as role-based access control (RBAC) or attribute-based access control (ABAC) and permissions management for snapshot creation, management, and restoration functionalities, ensuring the principle of least privilege is consistently enforced. Regularly review and update access permissions to adapt to changes required and minimize security risks.
• Monitoring and Alerts: Employ cloud monitoring tools provided by cloud service providers, such as AWS CloudTrail or Azure Monitor, to track snapshot and instance activities. Set up automated alerts for anomalies, such as unexpected volumes of snapshots or instances being created, or snapshots being shared with external accounts. Integrate these tools with a centralized security information and event management (SIEM) system to enhance security oversight and incident response.
• Encryption: Encrypt all snapshots and VM storage volumes to ensure the integrity and confidentiality of data. Use managed key services like AWS KMS or Azure Key Vault for robust key management, ensuring that even if an adversary accesses a snapshot or storage volume, the data remains secure and unreadable.
• Regular Audits: Conduct periodic audits of snapshot lifecycle management and associated permissions to ensure compliance with data retention policies and to identify unauthorized or outdated snapshots. These audits should focus on verifying that only necessary snapshots are retained, which helps in reducing both costs and the risk of data exposure. Make adjustments as needed to align with best practices and regulatory requirements.

Conclusion

In this blog post, we discussed how adversaries can exploit five major cloud features namely Create Snapshot, Create Cloud Instance, Delete Cloud Instance, Revert Cloud Instance, and Modify Cloud Compute Configurations to achieve their malicious purposes and to evade detection.

Organizations and cyber defenders are advised to adopt the mitigation strategies highlighted in this blog. Key measures include implementing stringent access controls and permissions, enabling detailed logging and monitoring services provided by cloud providers to detect and respond swiftly to any unauthorized or suspicious activities. Additionally, regularly reviewing access logs and conducting security audits of cloud environment can further strengthen the security posture and minimize the risk of misuse or abuse of these critical cloud features.

Reference Resources

• MITRE ATTACK (T1578) - Modify Cloud Compute Infrastructure
• M-trends-2020
• RhinoSecurityLabs (pacu)
• Amazon - Logging AWS Backup API Calls with AWS CloudTrail.
• Microsoft - Monitor at scale by using Azure Monitor.
• Google - Audit Logs.
• Google - Creating and Starting a VM instance.
• Amazon - Search CloudTrail logs for API calls to EC2 Instances.