Cloud Infrastructure Discovery
Cloud Infrastructure Discovery [T1580]
Last updated
Cloud Infrastructure Discovery [T1580]
Last updated
Name: Cloud Infrastructure Discovery
ID: T1580
Tactics:
Cloud Infrastructure Discovery (Technique ID: T1580) within the MITRE ATT&CK framework refers to adversary actions aimed at identifying and enumerating cloud resources, services, and configurations within an organization's cloud environment. Attackers perform this discovery to gather actionable intelligence, map out the cloud infrastructure, and identify potential vulnerabilities or misconfigurations to exploit in subsequent attack phases. This technique is critical for adversaries seeking to escalate privileges, maintain persistence, or move laterally within cloud environments.
Cloud Infrastructure Discovery involves systematic enumeration and reconnaissance of cloud services and resources. Attackers typically leverage built-in cloud provider APIs, command-line interfaces (CLI), and third-party open-source tools to perform this reconnaissance. The goal is to identify cloud assets, understand their configurations, and reveal sensitive information that may facilitate further exploitation.
Common execution methods and mechanisms include:
Cloud Provider APIs and CLI Tools:
AWS CLI commands like aws ec2 describe-instances, aws s3 ls, aws iam list-users.
Azure CLI commands such as az vm list, az storage account list.
Google Cloud commands like gcloud compute instances list, gsutil ls.
Automated Enumeration Scripts and Tools:
Open-source tools such as Pacu, Scout Suite, CloudMapper, and CloudSploit.
Custom scripts to enumerate permissions, roles, and network configurations.
Metadata Service Queries:
Accessing instance metadata services (e.g., AWS EC2 metadata service at http://169.254.169.254) to reveal sensitive instance-level information including IAM roles, keys, or tokens.
Misconfiguration Exploitation:
Leveraging overly permissive IAM roles or policies for enumeration.
Exploiting publicly exposed storage buckets, databases, or misconfigured services for information gathering.
Real-world procedures typically involve:
Enumerating cloud storage resources (e.g., AWS S3 buckets, Azure Blob storage).
Listing compute instances, serverless functions, and container services.
Identifying IAM roles, policies, users, and groups.
Mapping network topology, VPC configurations, firewall rules, and security groups.
Discovering logging, monitoring, and alerting strategies.
Cloud Infrastructure Discovery can appear at multiple stages of an attack lifecycle, primarily during initial reconnaissance, but also during lateral movement and persistence phases. Typical scenarios include:
Initial Reconnaissance:
Attackers perform cloud infrastructure enumeration after initial credential compromise or gaining initial foothold through phishing, credential stuffing, or leaked API keys.
External attackers scan publicly accessible cloud resources to identify misconfigured or exposed assets.
Privilege Escalation and Lateral Movement:
After initial compromise, attackers enumerate cloud resources and IAM roles to escalate privileges or identify pathways for lateral movement within the cloud environment.
Persistence and Data Exfiltration:
Attackers periodically enumerate cloud resources to maintain persistence, monitor changes, and identify sensitive data storage locations for exfiltration.
Pre-Attack Reconnaissance:
Threat actors perform enumeration against publicly available cloud assets during pre-attack planning to identify potential entry points or vulnerable configurations.
Detection of Cloud Infrastructure Discovery involves monitoring and analyzing cloud provider logs, API calls, and network traffic. Effective detection strategies and tools include:
Cloud Provider Logging and Monitoring:
AWS CloudTrail, Azure Activity Logs, GCP Audit Logs to monitor API calls and detect anomalous enumeration patterns.
Monitoring for high volumes of List or Describe API requests, especially from unusual or unauthorized sources.
Behavioral Analytics and Anomaly Detection:
Implementing security monitoring solutions (e.g., AWS GuardDuty, Azure Sentinel, GCP Security Command Center) that leverage machine learning and behavioral analytics to identify abnormal patterns indicative of enumeration.
Detecting unusual access patterns, such as API calls from new IP addresses, unusual geographic locations, or previously unseen user agents.
Network Traffic Monitoring:
Network intrusion detection systems (IDS) or cloud-native security tools examining traffic to metadata service endpoints (e.g., http://169.254.169.254) from unexpected sources or at unusual frequencies.
Specific Indicators of Compromise (IoCs):
High frequency or repeated API requests such as DescribeInstances, ListBuckets, ListUsers, or similar enumeration calls.
Access attempts to instance metadata endpoints from suspicious processes or external IP addresses.
Detection of known reconnaissance tools (Pacu, Scout Suite, CloudMapper) signatures in logs or endpoint telemetry.
Detecting Cloud Infrastructure Discovery is critical because it often represents the initial phases of a broader attack campaign. Early detection can significantly reduce the risk of severe impacts, including:
Preventing Privilege Escalation and Lateral Movement:
Early identification of reconnaissance attempts enables defenders to quickly remediate vulnerabilities and misconfigurations before attackers escalate privileges or move laterally.
Reducing Data Breach Risk:
Attackers often enumerate cloud infrastructure to locate sensitive data stores. Early detection helps prevent data exfiltration and protect sensitive organizational information.
Mitigating Financial and Operational Impact:
Cloud compromise can lead to unauthorized resource usage, increased costs, resource tampering, or denial of service. Early detection reduces the likelihood and impact of these scenarios.
Maintaining Compliance and Trust:
Early detection and response to reconnaissance activities help organizations maintain regulatory compliance, protect customer data, and preserve trust and reputation.
Enhancing Incident Response Capabilities:
Early detection provides incident responders with critical intelligence to proactively investigate and mitigate potential threats, reducing response and recovery time.
Real-world examples demonstrating Cloud Infrastructure Discovery include:
Capital One Data Breach (2019):
Attack Scenario: An attacker exploited a misconfigured firewall to access AWS EC2 instance metadata service, enumerating IAM roles and credentials.
Tools and Techniques: AWS CLI, instance metadata queries, enumeration of S3 buckets and data stores.
Impact: Exposure of personal information of approximately 106 million customers, significant financial and reputational damage.
TeamTNT Group Campaigns (2020-2021):
Attack Scenario: TeamTNT targeted exposed Docker and Kubernetes servers, enumerating cloud metadata endpoints to steal cloud credentials and perform further enumeration.
Tools and Techniques: Automated scripts, metadata endpoint queries, enumeration of cloud resources, and IAM credentials.
Impact: Unauthorized crypto-mining, lateral movement within cloud environments, and persistent unauthorized access.
RedLock CSI Team Discovery (2018):
Attack Scenario: Attackers exploited publicly exposed Kubernetes dashboards to enumerate cloud infrastructure and credentials.
Tools and Techniques: Kubernetes dashboard enumeration, cloud API queries, reconnaissance tools.
Impact: Unauthorized crypto-mining operations, increased cloud resource costs, potential data exfiltration risks.
"Meow" Attack on Unsecured Databases (2020):
Attack Scenario: Attackers enumerated publicly exposed cloud databases and storage buckets, deleting data and replacing it with "meow" strings.
Tools and Techniques: Automated scanning and enumeration scripts, cloud storage enumeration.
Impact: Data loss, operational disruption, reputational damage, and highlighting the risks of misconfigured cloud resources.
These examples demonstrate the critical importance of securing cloud infrastructure, proactively detecting enumeration attempts, and rapidly responding to reconnaissance activities to prevent further exploitation and damage.