Cloud Storage

Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs[1][2][3]

ID: DS0010
Platform: IaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Cloud Storage: Cloud Storage Access

Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)

Cloud Storage: Cloud Storage Access

Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)

Domain ID Name Detects
Enterprise T1619 Cloud Storage Object Discovery

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Enterprise T1530 Data from Cloud Storage

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Cloud Storage: Cloud Storage Creation

Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)

Cloud Storage: Cloud Storage Creation

Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)

Domain ID Name Detects
Enterprise T1537 Transfer Data to Cloud Account

Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Cloud Storage: Cloud Storage Deletion

Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)

Cloud Storage: Cloud Storage Deletion

Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)

Domain ID Name Detects
Enterprise T1485 Data Destruction

Monitor for unexpected deletion of a cloud storage infrastructure, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket. Many of these events within a short period of time may indicate malicious activity.

Enterprise T1490 Inhibit System Recovery

Monitor for unexpected deletion of a cloud storage objects (ex: AWS delete-object), especially those associated with cloud backups.

Cloud Storage: Cloud Storage Enumeration

An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)

Cloud Storage: Cloud Storage Enumeration

An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)

Domain ID Name Detects
Enterprise T1580 Cloud Infrastructure Discovery

Monitor cloud logs for API calls and other potentially unusual activity related to cloud data object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Enterprise T1619 Cloud Storage Object Discovery

Monitor cloud logs for API calls used for file or object enumeration for unusual activity. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Cloud Storage: Cloud Storage Metadata

Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner

Cloud Storage: Cloud Storage Metadata

Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner

Domain ID Name Detects
Enterprise T1537 Transfer Data to Cloud Account

Periodically baseline cloud storage infrastructure to identify malicious modifications or additions.

Cloud Storage: Cloud Storage Modification

Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)

Cloud Storage: Cloud Storage Modification

Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)

Domain ID Name Detects
Enterprise T1486 Data Encrypted for Impact

Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified.

Enterprise T1537 Transfer Data to Cloud Account

Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs.

References