MITRE ATT&CK Cloud Matrix: New Techniques & Why You Should Care. Part I

The MITRE ATT&CK Framework has become an essential aspect of modern cybersecurity architecture. The framework provides critical information about attacker tactics and techniques imperative for adopting effective defenses. The MITRE ATT&CK Framework v.14 was released in October 2023 with over 18 new techniques. We look at two of the four techniques relevant to the IaaS section of the MITRE ATTACK Matrix for Enterprises. A follow-up blog article will cover the remaining two techniques.

What Is MITRE ATT&CK? 

The MITRE ATT&CK framework is a collection of tactics, techniques, and procedures (TTPs) employed by adversaries to conduct cyberattacks. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The MITRE Corporation develops and maintains the framework, providing a common language and systematic understanding of attacker behavior based on real-world observations, including publicly available cyber-threat intelligence, incident reports, and cybersecurity research. MITRE ATT&CK covers various aspects of the cyber attack lifecycle, including initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control. The ATT&CK framework includes specific attacker techniques, mitigation strategies, and detection tips.

MITRE ATT&CK matrices visualize the relationship between tactics and techniques, providing an advantageous understanding of attacker behavior and tradecraft for defenders. There are currently three matrices categorized based on technology:  

• MITRE ATT&CK for Enterprises: Covers tactics and techniques relevant to Windows, MacOS, Linux, PRE, Cloud (Azure AD, Office 365, Google Workspace, SaaS, IaaS), Networks, and Containers. More details here: https://attack.mitre.org/matrices/enterprise/.
• MITRE ATT&CK for Mobile: Contains information about tactics and techniques leveraged against mobile devices based on Android and iOS. More details here: https://attack.mitre.org/matrices/mobile/.
• MITRE ATT&CK for ICS: The information about tactics and techniques relevant to Industrial Control Systems are available in this matrix. More information here: https://attack.mitre.org/matrices/ics/.

The latest version of MITRE ATT&CK (v.14) was released in October 2023 with over 18 new techniques across all matrices. Due to the importance of employing the most current techniques, defenders must ensure that their security architecture is updated. Therefore, in the following sections, we examine two of the four new techniques in the IaaS section of the MITRE ATTACK Matrix for Enterprise: Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access, and Credentials from Password Stores: Cloud Secrets Management.

Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access 

Let’s examine the first new technique (actually a sub-technique): “Abuse Elevation Control Mechanism - Temporary Elevated Cloud Access” .  This sub-technique describes how attackers abuse cloud mechanisms designed to thwart unauthorized access, including privilege escalation. These mechanisms are mainly designed around "Just-in-time" access or "short-lived permissions."

For example, the AWS Role Assumption mechanism allows an account owner to provide time-limited access to third-party accounts without issuing long-lived credentials, e.g., access keys. However, an attacker could assume this access via the IAM role created in the owner account, impersonate the legitimate identity, and gain unhindered access. Such malicious access would likely slip under the radar due to the established "trusted relationship."  An immediate danger is an extended attacker dwell time when this attack is successful; thus, early detection requires diligence.

Mitigation

Two recommendations are provided in the sub-technique's documentation:

• Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. 
• Consider requiring manual approval to elevate privileges where just-in-time access is temporarily enabled.

Notably, most of these short-lived permissions are provided for automated access, e.g., by SaaS products, so manual approval is not feasible. Nevertheless, the specific guidance provided by cloud service providers is essential. For example, enforcing the External ID variable would deny efforts to maliciously assume an AWS IAM role. See an example of a denied request via AWS CLI in Figure 02.

Detection

Detecting this attack requires acquiring and analyzing logs containing API calls made to assume, create, or impersonate privileges. For example, in the previous example based on AWS IAM Role Assumption, the Cloudtrail logs that record these calls need to be collected and analyzed to detect such attacks promptly. Figure 03 is an example of a CloudTrail record where an IAM role is successfully assumed. Keeping tabs on the CloudTrail assume-role events allows for quick detection of illegal access, especially when the event has the access denied error code (errorCode:AccessDenied). Like password brute force attacks, attackers might attempt to brute force access to accounts via the assume-role feature.

Credentials from Password Stores: Cloud Secrets Management Stores

You probably have seen a heist movie where criminals target vaults in highly secured banks containing vast sums of money and other valuable items. Despite the risks involved, these daredevils successfully plan and execute these operations. The playbook - high risk, high rewards! The same playbook has been employed in the digital world and is becoming prevalent in cloud attacks; cybercriminals increasingly target secret management systems. Figure 04 illustrates a hypothetical scenario. The risks, though, for these cybercriminals are nothing close to those of real-world heists. You can imagine the levels of motivation!

Luckily, one of the recently added MITRE ATT&CK techniques provides vital information about cloud attacks that leverage this technique - Credentials from Password Stores: Cloud Secrets Management Stores.

This technique describes how adversaries harvest secrets from cloud secret management systems, including AWS Secrets Manager, Azure Key Vault, and Google Clouds Secret Manager. However, the technique can be only successful if an attacker gains sufficient privileges. Two Secret Manager API calls can be abused on AWS to facilitate this attack - GetSecretValue & BatchGetSecretValue. Cloud defenders need to take note of both, especially the latter, which was recently added as a new AWS feature. I wrote about some countermeasures in a recent blog post.

Note that this technique differs from the more popular technique where secrets are extracted from the instance metadata service: Cloud Instance Metadata API :T1552/005/. This specific technique was employed in the high-profile CapitalOne data breach of 2019.

Mitigation

Adopting zero-trust and least-privilege approaches would drastically reduce the possibility of unauthorized access to secret management systems. Access to secrets should be based on the least privilege principle and nothing more; giving broad permissions would allow attackers to access many secrets, whereas least access would enforce a blast radius if access is compromised. Secret rotation could further address scenarios where secrets are compromised; such secrets become useless following a rotation.

Detection

It is critical to swiftly detect compromised secrets or attempts to break into secret vaults, e.g., AWS Secret Manager. Effective monitoring and logging strategies are helpful if well implemented. Logs should capture related API calls, which can be built into detection logic, e.g., using Sigma rules.

Detect Threat Detection Gaps With Mitigant Cloud Attack Emulation

Security teams should ensure that the techniques mentioned above are included in their threat detection systems. Cloud threat detection systems with these techniques, improperly implemented or misconfigured, introduce detection blindspots. Attackers could exploit such blindspots to compromise cloud infrastructure, hence the need for detection validation.

Furthermore, security research from US CISA (and other reputable sources) indicated that threat groups like Scatterd Spider employ these TTPs to attack cloud infrastructure. This further underscores the need to identity and close gaps in threat detection systems. One approach to doing this effectively is by leveraging cloud attack emulation. 

Emulating Credential Harvesting Cloud Attack

An approach to detecting the above detention blindspots is adversary emulation, given it provides practical strategies for using realistic but safe attacks to validate detection efficiently. For example, we have used the Mitigant Cloud Attack Emulation platform to emulate credential harvesting attacks against AWS Secrets Manager. As illustrated in Figure 05, two variants earlier mentioned are employed (GetSecretValue & BatchGetSecretValue). However, it is essential to detect these attacks accurately. We noticed some threat detection systems do not detect the adversary TTPs in the IaaS Matrix. For example, the Datadog Cloud SIEM cannot detect the attack that gets batch Secret Manager secrets by using the  BatchGetSecretValue API. See a screenshot from Datadog SIEM's Investigator in Figure 06. Detection engineers can efficiently remediate this gap; more details are in this blog article.

Adopt A Threat-Informed Defense Strategy 

The Mitigant cloud attack emulation platform empowers organizations to adopt a Threat-Informed Defense strategy. Due to the rapid advancement in attacker tradecraft and the challenging uniqueness of cloud infrastructure, security teams struggle to prioritize alerts. This further worsens the overwhelming alert fatigue issue.

Cloud attack emulation provides a means to validate the efficiency of security mechanisms and prioritize the most critical security issues using Threat-Informed Defense. The Mitigant Cloud Attack Emulation Platform provides an easy-to-use, agentless approach that allows teams of any size to supercharge their detection engineering capabilities and stay ahead of cloud attacks. Sign up for a free trial today at https://www.mitigant.io/sign-up.