Cloud Storage

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Monitor for unexpected deletion of a cloud storage infrastructure, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket. Many of these events within a short period of time may indicate malicious activity.

Monitor for unexpected deletion of a cloud storage objects (ex: AWS DeleteObject), especially those associated with cloud backups.

Monitor cloud logs for API calls and other potentially unusual activity related to cloud data object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor cloud logs for API calls used for file or object enumeration for unusual activity. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Periodically baseline cloud storage infrastructure to identify malicious modifications or additions.

Monitor for unexpected use of lifecycle policies. Where lifecycle policies are already in use, monitor for changes to cloud storage configurations and policies, such as buckets configured in the policy or unusually short retention periods. In AWS environments, monitor for PutBucketLifecycle events with a requestParameters.LifecycleConfiguration.Rule.Expiration.Days attribute below expected values.^[4]

Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified.

Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs.