The 'Create Snapshot', 'Create Cloud Instance', 'Delete Cloud Instance', 'Revert Cloud Instance' and 'Modify Cloud Compute Configurations' features are widely available across major cloud platforms such as AWS, Azure, and GCP. These functionalities are essential for enhancing data resilience, ensuring robust data protection, facilitating quick data recovery, and providing the elasticity and scalability needed for operational flexibility in cloud environments. On the other hand, adversaries take advantage of these five features (as sub-techniques) for their malicious objectives. For example, an APT (Advanced Persistent Threat) group might exploit the snapshot feature to exfiltrate or tamper with data. Subsequently, they could create cloud instances for launching attacks or hosting malicious content, and then delete these instances to cover their tracks. They might also revert instances to earlier states to undo security updates, or modify compute configurations to create backdoors. This misuse compromises cloud security and poses significant risks to business operations and data integrity.
To prevent abuse of the Snapshot Creation, Instance Creation and Instance Deletion features within cloud environments, security teams and cyber defenders must ensure that proper monitoring and logging services are enabled across all cloud providers they utilize. This ensures timely detection of anomalous activities and helps maintain the security of the cloud environments.
In AWS, it is important for every organization's security team to enable (activate) the CloudTrail logging service to log and monitor all API calls within their AWS environment, specifically the following API events:
CreateSnapshot API call and AWS Backup events in AWS CloudTrail logs, which indicate snapshot creation on EBS volumes and RDS instances.
{
  "eventTime": "2024-04-22T12:00:00Z",
  "eventName": "CreateSnapshot",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.168.1.1",
  "userAgent": "aws-cli/2.0",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/exampleuser",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "exampleuser"
  },
  "requestParameters": {
    "volumeId": "vol-0123456789abcdef0",
    "description": "Daily backup"
  },
  "responseElements": {
    "snapshotId": "snap-1234567890abcdef0"
  }
}
RunInstances API call in AWS CloudTrail logs, which indicates the launching of EC2 instances.
{
  "eventTime": "2024-04-22T12:15:00Z",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.168.1.1",
  "userAgent": "AmazonEC2",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/exampleuser",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "exampleuser"
  },
  "requestParameters": {
    "instanceType": "t2.medium",
    "imageId": "ami-12345678",
    "count": "1"
  },
  "responseElements": {
    "instanceId": "i-0123456789abcdef0"
  }
}
TerminateInstances API call in AWS CloudTrail logs, which indicates the termination of EC2 instances.
{
  "eventTime": "2024-04-22T12:30:00Z",
  "eventName": "TerminateInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.168.1.1",
  "userAgent": "AmazonEC2",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/exampleuser",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "exampleuser"
  },
  "requestParameters": {
    "instanceId": "i-0123456789abcdef0"
  }
}
The JSON above shows API event data captured by CloudTrail logs for CreateSnapshot, RunInstances, and TerminateInstances. This reveals important information such as the source IP address of the request, the user who initiated it, the time of the request, and other relevant details which may indicate suspicious activity.
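One way to turn the three CloudTrail records above into detections, as an added example that is not code from the original post: it correlates RunInstances with TerminateInstances for the same instance ID to flag instances that lived only a short time (the create-then-delete pattern described earlier), and flags CreateSnapshot calls whose source IP is not on an allowlist. The records are constructed from the post's samples, trimmed to the fields the checks need; the allowlist address 10.0.0.5 and the one-hour lifetime threshold are made-up values.

```python
"""Added example, not code from the original post: correlate the CloudTrail
records shown above to flag (a) EC2 instances terminated shortly after launch
and (b) CreateSnapshot calls from a source IP outside an allowlist. The
records are constructed from the post's samples; the allowlist address
10.0.0.5 is a made-up value."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the post's three CloudTrail records, trimmed to the
# fields the detection needs.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-04-22T12:00:00Z", "eventName": "CreateSnapshot",
     "awsRegion": "us-west-2", "sourceIPAddress": "192.168.1.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/exampleuser"},
     "requestParameters": {"volumeId": "vol-0123456789abcdef0"},
     "responseElements": {"snapshotId": "snap-1234567890abcdef0"}},
    {"eventTime": "2024-04-22T12:15:00Z", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.168.1.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/exampleuser"},
     "requestParameters": {"instanceType": "t2.medium", "imageId": "ami-12345678"},
     "responseElements": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-04-22T12:30:00Z", "eventName": "TerminateInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.168.1.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/exampleuser"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
]})

def parse_time(ts):
    """CloudTrail eventTime is UTC in ISO-8601 form with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def instance_ids(record):
    """Instance IDs named by a RunInstances/TerminateInstances record. The
    post's samples carry a flat instanceId; live CloudTrail nests them under
    instancesSet.items, so both shapes are accepted."""
    ids = set()
    for section in ("requestParameters", "responseElements"):
        body = record.get(section) or {}
        if "instanceId" in body:
            ids.add(body["instanceId"])
        for item in (body.get("instancesSet") or {}).get("items", []):
            if "instanceId" in item:
                ids.add(item["instanceId"])
    return ids

def find_short_lived_instances(records, max_lifetime=timedelta(hours=1)):
    """Pair each TerminateInstances with the RunInstances that created the
    same instance and report pairs whose lifetime is at most max_lifetime."""
    launched = {}   # instanceId -> (launch time, launching principal)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        when = parse_time(rec["eventTime"])
        if rec["eventName"] == "RunInstances":
            for iid in instance_ids(rec):
                launched[iid] = (when, actor)
        elif rec["eventName"] == "TerminateInstances":
            for iid in instance_ids(rec):
                if iid not in launched:
                    continue   # launched before our log window; not correlatable
                started, creator = launched.pop(iid)
                lifetime = when - started
                if lifetime <= max_lifetime:
                    findings.append({"instanceId": iid,
                                     "lifetime_minutes": int(lifetime.total_seconds() // 60),
                                     "created_by": creator, "terminated_by": actor})
    return findings

def find_snapshots_from_unexpected_ips(records, allowed_ips):
    """CreateSnapshot calls whose source IP is not on the allowlist."""
    return [{"snapshotId": (r.get("responseElements") or {}).get("snapshotId"),
             "sourceIPAddress": r.get("sourceIPAddress"),
             "actor": r.get("userIdentity", {}).get("arn")}
            for r in records
            if r["eventName"] == "CreateSnapshot"
            and r.get("sourceIPAddress") not in allowed_ips]

def analyse(raw_json, allowed_ips=frozenset({"10.0.0.5"})):
    """Run both checks over a CloudTrail log file body ({"Records": [...]})."""
    records = json.loads(raw_json)["Records"]
    return {"short_lived_instances": find_short_lived_instances(records),
            "snapshots_from_unexpected_ips":
                find_snapshots_from_unexpected_ips(records, allowed_ips)}

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_RECORDS), indent=2))
```

On the post's samples the instance lives 15 minutes and the snapshot comes from 192.168.1.1, so both checks fire; the same functions run unchanged over a real CloudTrail file body because `instance_ids` also reads the nested instancesSet shape.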
In the same way for Azure, it is crucial for every organization's security team to enable Azure Activity Logs to track and log all API calls within their Azure environment. The cloud administrator or security team should enable the Azure Monitor service with custom alerts for notifications related to specific events to ensure effective detection of backup restoration activities. It is important to check Azure Activity Logs for API calls specifically related to:
Microsoft.Compute/snapshots/write API call in Azure Activity Logs, which indicates the creation of a snapshot of a disk.
{
  "eventTimestamp": "2024-04-22T12:00:00Z",
  "operationName": "Microsoft.Compute/snapshots/write",
  "category": "Write",
  "region": "West US",
  "properties": {
    "statusCode": "Succeeded",
    "serviceRequestId": "abcd1234-5678-90ef-ghij-klmnopqrstuv"
  },
  "identity": {
    "type": "User",
    "principalId": "5678abcd-1234-ef90-ghij-klmnopqrstuv",
    "email": "admin@example.com"
  },
  "userIdentity": {
    "principalName": "admin@example.com",
    "principalType": "User",
    "tenantId": "tenant7890",
    "principalId": "5678abcd-1234-ef90-ghij-klmnopqrstuv"
  }
}
Microsoft.Compute/virtualMachines/write event in Azure Activity Logs, which indicates the creation of a Virtual Machine.
{
  "eventTimestamp": "2024-04-22T12:15:00Z",
  "operationName": "Microsoft.Compute/virtualMachines/write",
  "category": "Write",
  "region": "East US 2",
  "properties": {
    "statusCode": "Succeeded",
    "serviceRequestId": "wxyz1234-5678-90ef-ghij-klmnopqrstuv"
  },
  "identity": {
    "type": "ServicePrincipal",
    "principalId": "9012abcd-3456-ef78-ghij-klmnopqrstuv",
    "email": "automation@example.com"
  },
  "userIdentity": {
    "principalName": "automation@example.com",
    "principalType": "ServicePrincipal",
    "tenantId": "tenant1234",
    "principalId": "9012abcd-3456-ef78-ghij-klmnopqrstuv"
  }
}
Microsoft.Compute/virtualMachines/delete API call in Azure Activity Logs, which indicates the deletion of a Virtual Machine.
{
  "eventTimestamp": "2024-04-22T12:30:00Z",
  "operationName": "Microsoft.Compute/virtualMachines/delete",
  "category": "Delete",
  "region": "Central US",
  "properties": {
    "statusCode": "Succeeded",
    "serviceRequestId": "lmno1234-5678-90ef-ghij-klmnopqrstuv"
  },
  "identity": {
    "type": "User",
    "principalId": "2345abcd-6789-ef01-ghij-klmnopqrstuv",
    "email": "developer@example.com"
  },
  "userIdentity": {
    "principalName": "developer@example.com",
    "principalType": "User",
    "tenantId": "tenant4567",
    "principalId": "2345abcd-6789-ef01-ghij-klmnopqrstuv"
  }
}
The JSON above shows API event data captured by Azure Activity Logs for Microsoft.Compute/snapshots/write, Microsoft.Compute/virtualMachines/write, and Microsoft.Compute/virtualMachines/delete. This reveals important information such as the source IP address of the request, the user who initiated it, the time of the request, and other relevant details which may indicate suspicious activity in an Azure environment.
Similarly, in GCP, it is crucial for every organization's security team to enable Admin Activity audit logs within the Cloud Audit Logs service to effectively record and detect operations.
Snapshot Creation: Check for occurrences of the compute.disks.createSnapshot API call in GCP logs, which indicates the creation of a snapshot. Monitoring should also specifically target the gcloud compute instances create command when its sourceSnapshot parameter is set to global/snapshots/[BOOT_SNAPSHOT_NAME], i.e. an instance being booted from an existing snapshot. This is essential for identifying snapshot-related operations, including potentially unauthorized snapshot access or creation.
{
  "timestamp": "2024-04-22T12:00:00Z",
  "resource": {
    "type": "gce_disk",
    "name": "projects/project-id/zones/us-central1-a/disks/disk-123"
  },
  "methodName": "compute.disks.createSnapshot",
  "operationName": "operation-1234567890abcdef",
  "severity": "NOTICE",
  "userIdentity": {
    "principalEmail": "user@example.com"
  },
  "request": {
    "name": "snapshot-001",
    "sourceDisk": "projects/project-id/zones/us-central1-a/disks/disk-123",
    "sourceSnapshot": "global/snapshots/BOOT_SNAPSHOT_NAME"
  },
  "response": {
    "status": "SUCCESS",
    "snapshotId": "snapshot-001"
  },
  "protoPayload": {
    "status": "OK"
  },
  "callerIp": "192.168.1.1"
}
compute.instances.insert event in Google Cloud Operations logs, which indicates the creation of a new VM instance in Google Compute Engine.
{
  "timestamp": "2024-04-22T12:15:00Z",
  "resource": {
    "type": "gce_instance",
    "name": "projects/project-id/zones/us-central1-a/instances/instance-123"
  },
  "methodName": "compute.instances.insert",
  "operationName": "operation-1234567890abcdfg",
  "severity": "NOTICE",
  "userIdentity": {
    "principalEmail": "user@example.com"
  },
  "request": {
    "instance": {
      "name": "instance-123",
      "machineType": "zones/us-central1-a/machineTypes/n1-standard-1",
      "networkInterfaces": [{
        "network": "projects/project-id/global/networks/default"
      }]
    }
  },
  "response": {
    "status": "RUNNING",
    "instanceId": "instance-123"
  },
  "protoPayload": {
    "status": "OK"
  },
  "callerIp": "192.168.1.2"
}
compute.instances.delete API call in Google Cloud Operations logs, which indicates the deletion of VM instances in Google Compute Engine.
{
  "timestamp": "2024-04-22T12:30:00Z",
  "resource": {
    "type": "gce_instance",
    "name": "projects/project-id/zones/us-central1-a/instances/instance-123"
  },
  "methodName": "compute.instances.delete",
  "operationName": "operation-1234567890abcdfg",
  "severity": "NOTICE",
  "userIdentity": {
    "principalEmail": "user@example.com"
  },
  "request": {
    "instance": {
      "name": "instance-123",
      "machineType": "zones/us-central1-a/machineTypes/n1-standard-1",
      "networkInterfaces": [{
        "network": "projects/project-id/global/networks/default"
      }]
    }
  },
  "response": {
    "status": "RUNNING",
    "instanceId": "instance-123"
  },
  "protoPayload": {
    "status": "OK"
  },
  "callerIp": "192.168.1.2"
}
The JSON above shows API event data captured by Google Cloud Operations logs for compute.disks.createSnapshot, compute.instances.insert, and compute.instances.delete. This reveals important information such as the source IP address of the request, the user who initiated it, the time of the request, and other relevant details which may indicate suspicious activity in a Google Cloud environment.
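The AWS, Azure and GCP sections above each expose the same facts (who, when, from where, which feature) under different field names. The following added example, which is not code from the original post, normalises one record of each shape into a common schema and labels it with the cloud feature it exercises, so a single alerting rule can cover all three providers. Field names follow the post's samples; the Azure caller-IP field httpRequest.clientIpAddress is an assumption about the live Activity Log schema, and since the post's Azure samples do not carry any IP field, those records come out with source_ip=None, which the summary reports explicitly. The records are constructed from the post's samples.

```python
"""Added example, not code from the original post: normalise CloudTrail,
Azure Activity Log and Google Cloud audit-log records into one schema and
label each with the cloud feature it exercises. Field names follow the
post's samples. The Azure caller-IP field httpRequest.clientIpAddress is an
assumption about the live Activity Log schema; the post's Azure samples do
not carry it, so those records normalise with source_ip=None. The records
below are constructed from the post's samples."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class NormalisedEvent:
    provider: str
    time: str
    action: str               # provider-native operation name
    feature: str              # cloud feature named in the post, or "other"
    actor: Optional[str]
    source_ip: Optional[str]
    location: Optional[str]   # region (AWS, Azure) or zone (GCP)

FEATURE_MAP = {
    "CreateSnapshot": "Create Snapshot",                          # AWS eventName
    "RunInstances": "Create Cloud Instance",
    "TerminateInstances": "Delete Cloud Instance",
    "Microsoft.Compute/snapshots/write": "Create Snapshot",       # Azure operationName
    "Microsoft.Compute/virtualMachines/write": "Create Cloud Instance",
    "Microsoft.Compute/virtualMachines/delete": "Delete Cloud Instance",
    "compute.disks.createSnapshot": "Create Snapshot",            # GCP methodName
    "compute.instances.insert": "Create Cloud Instance",
    "compute.instances.delete": "Delete Cloud Instance",
}

def detect_provider(rec):
    """Tell the three log shapes apart by their distinctive top-level keys."""
    if "eventName" in rec and "awsRegion" in rec:
        return "aws"
    if "methodName" in rec:          # GCP also has operationName, so test it first
        return "gcp"
    if "operationName" in rec and "eventTimestamp" in rec:
        return "azure"
    raise ValueError("unrecognised record shape")

def normalise(rec):
    provider = detect_provider(rec)
    if provider == "aws":
        action = rec["eventName"]
        return NormalisedEvent("aws", rec["eventTime"], action, FEATURE_MAP.get(action, "other"),
                               (rec.get("userIdentity") or {}).get("arn"),
                               rec.get("sourceIPAddress"), rec.get("awsRegion"))
    if provider == "azure":
        action = rec["operationName"]
        actor = ((rec.get("identity") or {}).get("email")
                 or (rec.get("userIdentity") or {}).get("principalName"))
        ip = (rec.get("httpRequest") or {}).get("clientIpAddress")   # assumed field
        return NormalisedEvent("azure", rec["eventTimestamp"], action,
                               FEATURE_MAP.get(action, "other"), actor, ip, rec.get("region"))
    action = rec["methodName"]
    # GCP resource names look like projects/<p>/zones/<zone>/instances/<name>
    parts = (rec.get("resource") or {}).get("name", "").split("/")
    zone = parts[parts.index("zones") + 1] if "zones" in parts[:-1] else None
    return NormalisedEvent("gcp", rec["timestamp"], action, FEATURE_MAP.get(action, "other"),
                           (rec.get("userIdentity") or {}).get("principalEmail"),
                           rec.get("callerIp"), zone)

def summarise(records):
    """Normalise, count events per (provider, feature), and list those lacking a source IP."""
    events = [normalise(r) for r in records]
    counts = {}
    for e in events:
        counts[(e.provider, e.feature)] = counts.get((e.provider, e.feature), 0) + 1
    missing_ip = [e for e in events if e.source_ip is None]
    return events, counts, missing_ip

# Constructed sample: one record per provider shape, trimmed from the post's samples.
SAMPLE_RECORDS = [
    {"eventTime": "2024-04-22T12:00:00Z", "eventName": "CreateSnapshot", "awsRegion": "us-west-2",
     "sourceIPAddress": "192.168.1.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/exampleuser"}},
    {"eventTimestamp": "2024-04-22T12:30:00Z", "category": "Delete", "region": "Central US",
     "operationName": "Microsoft.Compute/virtualMachines/delete",
     "identity": {"type": "User", "email": "developer@example.com"}},
    {"timestamp": "2024-04-22T12:15:00Z", "methodName": "compute.instances.insert",
     "resource": {"type": "gce_instance",
                  "name": "projects/project-id/zones/us-central1-a/instances/instance-123"},
     "userIdentity": {"principalEmail": "user@example.com"}, "callerIp": "192.168.1.2"},
    {"timestamp": "2024-04-22T12:45:00Z", "methodName": "compute.instances.delete",
     "resource": {"type": "gce_instance",
                  "name": "projects/project-id/zones/us-central1-a/instances/instance-123"},
     "userIdentity": {"principalEmail": "user@example.com"}, "callerIp": "192.168.1.2"},
]

if __name__ == "__main__":
    for event in summarise(SAMPLE_RECORDS)[0]:
        print(event)
```

The missing-IP list is the practical caveat: a detection that keys on source address will silently skip Azure records unless the log actually carries the caller address, so the normaliser surfaces that gap rather than defaulting it.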
Additionally, maintaining the security and integrity of virtual instances in a cloud environment requires proactive measures, such as regularly comparing snapshots against a known good state. Security teams and cyber defenders should periodically capture snapshots of virtual instances and compare them with a verified baseline snapshot that is known to be free of corruption or malicious alterations. This helps identify unauthorized modifications to virtual machines, enabling swift detection and mitigation of potential security threats, and supports ongoing monitoring of the integrity and security of the organization's sensitive data.
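The baseline comparison described above, as an added example that is not part of the original post: it hashes every file under a mounted snapshot into a path-to-SHA-256 manifest and diffs that against the manifest of the verified baseline, reporting added, removed and modified paths. The two directory trees built by demo() are constructed stand-ins for the mount points of the baseline and current snapshots; their file names and contents are made up.

```python
"""Added example, not code from the original post: build a path -> SHA-256
manifest of a mounted snapshot and diff it against the manifest of a verified
baseline snapshot. The two trees created by demo() are constructed stand-ins
for the mount points of the baseline and current snapshots."""
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def diff_manifests(baseline, current):
    """Classify drift relative to the baseline: added, removed, modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def write_tree(root, files):
    """Create the given relative paths with text content under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)

# Constructed baseline: what the verified snapshot is expected to contain.
BASELINE_TREE = {
    "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
    "etc/motd": "Authorized use only\n",
    "usr/local/bin/backup": "#!/bin/sh\ntar czf /var/backups/data.tgz /srv/data\n",
}
# Constructed current snapshot: one file changed, one added, one removed.
CURRENT_TREE = {
    "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
    "etc/cron.d/unknown-task": "*/5 * * * * root /opt/unknown/run.sh\n",
    "usr/local/bin/backup": "#!/bin/sh\ntar czf /var/backups/data.tgz /srv/data\necho done\n",
}

def demo():
    """Hash both constructed trees and return the drift report."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as cur:
        write_tree(base, BASELINE_TREE)
        write_tree(cur, CURRENT_TREE)
        return diff_manifests(build_manifest(base), build_manifest(cur))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keeping the baseline as a stored manifest rather than a live mount means the comparison does not depend on the baseline volume staying attached, and the manifest itself can be signed so that a tampered baseline is detected as well.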
Revert Cloud Instance Detection Strategy
Given the absence of an effective mitigation strategy for the Revert Cloud Instance attack technique, security teams and cyber defenders should focus on implementing detection strategies to identify malicious activities perpetrated by adversaries attempting to evade detection and remove evidence of their presence.
These strategies include:
Modify Cloud Compute Configurations Detection Strategy
Once adversaries compromise a tenant or cloud account, they often attempt to exploit Cloud Service Modification techniques, such as altering quotas, either by utilizing existing core quotas or increasing quotas across all regions. This can lead to resource overutilization or significant costs for the account owners. An effective mitigation strategy for this attack technique involves monitoring for quota increases across all regions, particularly multiple increases within a short period or in unused regions. Additionally, it's crucial to monitor changes to tenant-level settings, such as subscriptions and enabled regions.
Security teams and cyber defenders should implement this mitigation strategy across their three major cloud providers (AWS, Azure, and GCP) by enabling logging and monitoring services provided by each platform, such as CloudTrail, Azure Activity Log, and Google Cloud Audit Logs, respectively. By leveraging these services, organizations can set up security alerts to detect and respond to unauthorized quota modifications and mitigate the risks associated with account compromise leading to unauthorized resource usage.
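The two quota checks described above (a burst of increase requests within a short period, and requests in regions the organization does not use), as an added example that is not code from the original post. The records are constructed in CloudTrail style; the event name RequestServiceQuotaIncrease (the AWS Service Quotas API) is my assumption about what CloudTrail records for such a request, the quota code is a placeholder, and the Azure and GCP equivalents would be added to the same set.

```python
"""Added example, not code from the original post: flag bursts of quota
increase requests by one principal and requests for regions the organisation
does not use. Records are constructed CloudTrail-style; the eventName
RequestServiceQuotaIncrease is an assumption and the quota code a placeholder."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

QUOTA_INCREASE_EVENTS = {"RequestServiceQuotaIncrease"}   # assumed; extend per provider

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def quota_event(time, region, actor, quota="QUOTA-CODE-PLACEHOLDER"):
    """Build a minimal constructed CloudTrail-style quota-increase record."""
    return {"eventTime": time, "eventName": "RequestServiceQuotaIncrease",
            "awsRegion": region, "userIdentity": {"arn": actor},
            "requestParameters": {"serviceCode": "ec2", "quotaCode": quota,
                                  "desiredValue": 256}}

ADMIN = "arn:aws:iam::123456789012:user/exampleuser"
OTHER = "arn:aws:iam::123456789012:role/ci-deployer"
# Constructed sample: three requests in ten minutes by one principal (two of
# them in a used region, one not), one request elsewhere, one unrelated call.
SAMPLE_RECORDS = [
    quota_event("2024-04-22T12:00:00Z", "us-east-1", ADMIN),
    quota_event("2024-04-22T12:05:00Z", "us-east-1", ADMIN),
    quota_event("2024-04-22T12:10:00Z", "eu-north-1", ADMIN),
    quota_event("2024-04-22T14:00:00Z", "ap-southeast-2", OTHER),
    {"eventTime": "2024-04-22T12:15:00Z", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "userIdentity": {"arn": ADMIN}},
]
USED_REGIONS = {"us-east-1", "us-west-2"}   # regions the organisation actually operates in

def quota_increase_findings(records, used_regions, burst_threshold=3,
                            window=timedelta(minutes=30)):
    """Return bursts (>= burst_threshold requests by one actor within window)
    and every request targeting a region outside used_regions."""
    by_actor = defaultdict(list)
    unused_region = []
    for r in records:
        if r["eventName"] not in QUOTA_INCREASE_EVENTS:
            continue
        actor = r["userIdentity"]["arn"]
        by_actor[actor].append((parse_time(r["eventTime"]), r["awsRegion"]))
        if r["awsRegion"] not in used_regions:
            unused_region.append({"actor": actor, "region": r["awsRegion"],
                                  "time": r["eventTime"]})
    bursts = []
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):   # sliding window anchored at each request
            in_window = [(t, reg) for t, reg in hits[i:] if t - start <= window]
            if len(in_window) >= burst_threshold:
                bursts.append({"actor": actor, "count": len(in_window),
                               "from": start.isoformat(),
                               "regions": sorted({reg for _, reg in in_window})})
                break   # one finding per actor is enough to raise an alert
    return {"bursts": bursts, "unused_region_requests": unused_region}

if __name__ == "__main__":
    import json
    print(json.dumps(quota_increase_findings(SAMPLE_RECORDS, USED_REGIONS), indent=2))
```

The used-region set is the piece that needs maintaining: derive it from where the organization actually runs workloads (for example the regions seen in RunInstances events over the last quarter) so that the unused-region check reflects real usage rather than a stale list.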
A generally effective mitigation strategy that security teams and cyber defenders should adhere to for the Snapshot Creation, Instance Creation, and Instance Deletion cloud features is as follows:
Mitigating the Revert Cloud Instance attack technique presents a significant challenge due to its inherent integration as a legitimate feature within cloud environments. Adversaries can exploit this feature without triggering typical security measures, rendering preventive controls such as firewalls or access controls ineffective in countering such attacks. The intrinsic nature of the Revert Cloud Instance feature complicates efforts to prevent or mitigate associated security risks effectively.
Security teams and cyber defenders should adhere to the following mitigation strategy for the Modify Cloud Compute Configurations attack technique:
It is important for all security teams and cyber defenders to note that effective detection of these attack techniques must be recognized as a continuous process, not merely a one-time task.
Cloud security teams and cyber defenders can utilize Cloud-Native Security Tools provided by cloud providers such as AWS GuardDuty, Azure Security Center, and Google Cloud Security Command Center to effectively detect and mitigate the attack techniques discussed in this blog.
Additionally, they can leverage third-party cloud-based security products like Cloud Workload Protection Platforms (CWPPs) and Cloud Security Posture Management (CSPM) solutions. These tools offer protection for cloud workloads, including virtual machines, by monitoring for vulnerabilities, misconfigurations, and suspicious activities.
Stratus Red Team is a cloud-based adversary emulation tool that includes various attack techniques mapped to the MITRE ATT&CK framework. Security teams and cyber defenders can use this tool to understand how adversaries might leverage these attack techniques in their cloud environments such as AWS, Azure, and GCP, as highlighted in this blog.
How the Stratus Red Team Tool Empowers Security Teams and Cyber Defenders to Emulate Cloud Feature Attacks and Enhance Cloud Security Postures
One of the major emerging trends in cloud security is the abuse of cloud features such as Create Snapshot, Create Cloud Instance, Delete Cloud Instance, Revert Cloud Instance, and Modify Cloud Compute Configurations across major cloud platforms like AWS, Azure, and GCP. Adversaries, on the other hand, increasingly exploit these features to bypass security measures and evade detection. For example, they might use 'Revert Cloud Instance' to roll back malicious changes (evidence) after an attack. To stay ahead of these threats, organizations, security teams, and cyber defenders must prioritize proactive measures by following the best practices below to future-proof their security postures against these attack techniques and safeguard their cloud environments:
In this blog post, we discussed how adversaries can exploit five major cloud features namely Create Snapshot, Create Cloud Instance, Delete Cloud Instance, Revert Cloud Instance, and Modify Cloud Compute Configurations to achieve their malicious purposes and to evade detection.
Organizations and cyber defenders are advised to adopt the mitigation strategies highlighted in this blog. Key measures include implementing stringent access controls and permissions, and enabling the detailed logging and monitoring services provided by cloud providers to detect and respond swiftly to any unauthorized or suspicious activities. Additionally, regularly reviewing access logs and conducting security audits of the cloud environment can further strengthen the security posture and minimize the risk of misuse or abuse of these critical cloud features.