Snapshot

A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments[1][2]

ID: DS0020
Platform: IaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Snapshot: Snapshot Creation

Initial construction of a new snapshot (ex: AWS create-snapshot)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.001 Create Snapshot

The creation of a snapshot is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.

In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.[3]

In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.[4]

Google's Admin Activity audit logs within Cloud Audit Logs can be used to detect usage of the gcloud compute instances create command to create a new VM disk from a snapshot.[5] It is also possible to detect usage of the GCP API with the sourceSnapshot parameter pointed to global/snapshots/[BOOT_SNAPSHOT_NAME].[6]

Enterprise T1537 Transfer Data to Cloud Account

Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Snapshot: Snapshot Deletion

Removal of a snapshot (ex: AWS delete-snapshot)

Domain ID Name Detects
Enterprise T1485 Data Destruction

Monitor for unexpected deletion of a snapshot (ex: AWS DeleteSnapshot, DeleteDBSnapshot).

Enterprise T1490 Inhibit System Recovery

Monitor for unexpected deletion of snapshots (ex: AWS DeleteSnapshot, DeleteDBSnapshot), especially those associated with cloud backups.

Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
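
The burst-plus-change-identifier logic described above for snapshot creation and again here for deletion (and the "unexpected deletion" guidance under T1485 and T1490) is the same detection with a different event name. The following is an added example written for this page, not code from MITRE ATT&CK or AWS: it groups CloudTrail-shaped CreateSnapshot, DeleteSnapshot and DeleteDBSnapshot events by principal, suppresses requests that carry the agreed change tag, and alerts on a sliding time window. The sample records are constructed, and the tag key "ChangeTicket" is an assumed convention for the change-management identifier the text recommends.

```python
"""Burst detection for snapshot create/delete events in CloudTrail-style logs.

Added example, not MITRE's or any provider's code. The records below are
constructed to resemble CloudTrail events; the "ChangeTicket" tag is an
assumed change-management identifier that approved jobs attach to requests.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_EVENTS = {"CreateSnapshot", "DeleteSnapshot", "DeleteDBSnapshot"}
CHANGE_TAG_KEY = "ChangeTicket"  # assumption: tag key written by the change process

OPS = "arn:aws:iam::111122223333:user/ops-backup"
TMP = "arn:aws:iam::111122223333:user/contractor-tmp"
EC2, RDS = "ec2.amazonaws.com", "rds.amazonaws.com"
APPROVED = {"tagSpecificationSet": {"items": [{"resourceType": "snapshot",
            "tags": [{"key": CHANGE_TAG_KEY, "value": "CHG-0042"}]}]}}


def _event(name, source, arn, when, **params):
    """Build one constructed CloudTrail-shaped record (sample data only)."""
    return {"eventSource": source, "eventName": name, "eventTime": when,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_EVENTS = [
    # Nightly job: three creates in two minutes, each tagged with its ticket.
    _event("CreateSnapshot", EC2, OPS, "2021-11-01T02:00:05Z", volumeId="vol-0a1", **APPROVED),
    _event("CreateSnapshot", EC2, OPS, "2021-11-01T02:00:40Z", volumeId="vol-0a2", **APPROVED),
    _event("CreateSnapshot", EC2, OPS, "2021-11-01T02:01:20Z", volumeId="vol-0a3", **APPROVED),
    # Temporary account lists snapshots, then deletes four in six minutes, untagged.
    _event("DescribeSnapshots", EC2, TMP, "2021-11-01T03:09:00Z"),
    _event("DeleteSnapshot", EC2, TMP, "2021-11-01T03:10:00Z", snapshotId="snap-0f1"),
    _event("DeleteSnapshot", EC2, TMP, "2021-11-01T03:11:30Z", snapshotId="snap-0f2"),
    _event("DeleteSnapshot", EC2, TMP, "2021-11-01T03:14:00Z", snapshotId="snap-0f3"),
    _event("DeleteSnapshot", EC2, TMP, "2021-11-01T03:16:00Z", snapshotId="snap-0f4"),
    # Two RDS snapshot deletes an hour apart: below the default threshold.
    _event("DeleteDBSnapshot", RDS, TMP, "2021-11-01T04:00:00Z", dBSnapshotIdentifier="db-old-1"),
    _event("DeleteDBSnapshot", RDS, TMP, "2021-11-01T05:00:00Z", dBSnapshotIdentifier="db-old-2"),
]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def change_ticket(ev):
    """Return the change identifier carried in the request's tags, or None."""
    spec = (ev.get("requestParameters") or {}).get("tagSpecificationSet") or {}
    for item in spec.get("items", []):
        for tag in item.get("tags", []):
            if tag.get("key") == CHANGE_TAG_KEY and tag.get("value"):
                return tag["value"]
    return None


def find_bursts(events, threshold=3, window_minutes=10):
    """Alert once per (principal, eventName) when at least `threshold` untagged
    watched events fall inside a sliding window; report the densest window."""
    window = timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for ev in events:
        if ev["eventName"] in WATCHED_EVENTS and change_ticket(ev) is None:
            groups[(ev["userIdentity"]["arn"], ev["eventName"])].append(ev)

    alerts = []
    for (arn, name), evs in groups.items():
        evs.sort(key=_ts)
        best, start = None, 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            if end - start + 1 >= threshold and (best is None or end - start > best[1] - best[0]):
                best = (start, end)
        if best:
            s, e = best
            alerts.append({
                "principal": arn, "eventName": name, "count": e - s + 1,
                "first": evs[s]["eventTime"], "last": evs[e]["eventTime"],
                "targets": [ev["requestParameters"].get("snapshotId")
                            or ev["requestParameters"].get("dBSnapshotIdentifier")
                            or ev["requestParameters"].get("volumeId")
                            for ev in evs[s:e + 1]],
            })
    return alerts


if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"{a['eventName']} x{a['count']} by {a['principal']} "
              f"between {a['first']} and {a['last']}: {a['targets']}")
```

The tagged backup job is suppressed entirely, so the only alert is the contractor's four untagged DeleteSnapshot calls. Threshold and window are tunables; the RDS pair only surfaces when the window is widened, which is the false-positive trade-off the guidance is pointing at.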

Snapshot: Snapshot Enumeration

An extracted list of snapshots within a cloud environment (ex: AWS describe-snapshots)

Domain ID Name Detects
Enterprise T1580 Cloud Infrastructure Discovery

Monitor cloud logs for API calls and other potentially unusual activity related to snapshot enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
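
One way to act on the "chain of behavior" point above, as an added example that is not part of the ATT&CK page or any vendor's tooling: treat a snapshot-listing call by a principal outside a learned baseline as a low-severity finding, then escalate it if the same principal follows up within a window with an action that turns discovery into collection or staging (copying, sharing or mounting a snapshot). The events are constructed CloudTrail-shaped records, and KNOWN_ENUMERATORS stands in for a baseline you would derive from historical logs.

```python
"""Snapshot enumeration as the first link in a chain.

Added example, not code from the MITRE page or a cloud provider. Events are
constructed CloudTrail-shaped records; KNOWN_ENUMERATORS is an assumed
baseline of principals that routinely list snapshots, learned from past logs.
"""
from datetime import datetime, timedelta

ENUMERATION_EVENTS = {"DescribeSnapshots", "DescribeDBSnapshots"}
# Follow-on actions that turn discovery into collection or staging for exfiltration.
FOLLOW_ON_EVENTS = {"CopySnapshot", "CreateVolume", "ModifySnapshotAttribute", "RunInstances"}

INVENTORY = "arn:aws:iam::111122223333:role/backup-inventory"
DEV = "arn:aws:iam::111122223333:user/dev-jsmith"
AUDIT = "arn:aws:iam::111122223333:role/quarterly-audit"
KNOWN_ENUMERATORS = {INVENTORY}  # assumption: baseline learned from prior weeks of logs


def _event(name, arn, when, ip, **params):
    """Constructed CloudTrail-shaped record (sample data only)."""
    return {"eventName": name, "eventTime": when, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_EVENTS = [
    # Baseline inventory job: expected, never reported.
    _event("DescribeSnapshots", INVENTORY, "2021-11-01T01:00:00Z", "10.0.1.5"),
    # Developer account lists everything it owns, then copies and shares a snapshot.
    _event("DescribeSnapshots", DEV, "2021-11-01T09:00:00Z", "203.0.113.7",
           ownersSet={"items": [{"owner": "self"}]}),
    _event("CopySnapshot", DEV, "2021-11-01T09:07:00Z", "203.0.113.7",
           sourceSnapshotId="snap-0a1", destinationRegion="eu-west-1"),
    _event("ModifySnapshotAttribute", DEV, "2021-11-01T09:12:00Z", "203.0.113.7",
           snapshotId="snap-0a1"),
    # Audit role lists RDS snapshots once and does nothing else.
    _event("DescribeDBSnapshots", AUDIT, "2021-11-01T10:00:00Z", "10.0.1.9"),
]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze_enumeration(events, known_enumerators, window_minutes=60):
    """One finding per principal outside the baseline that listed snapshots,
    escalated to high when that principal performs a follow-on action in time."""
    events = sorted(events, key=_ts)
    findings, reported = [], set()
    for i, ev in enumerate(events):
        arn = ev["userIdentity"]["arn"]
        if (ev["eventName"] not in ENUMERATION_EVENTS
                or arn in known_enumerators or arn in reported):
            continue
        reported.add(arn)
        deadline = _ts(ev) + timedelta(minutes=window_minutes)
        follow_on = [e["eventName"] for e in events[i + 1:]
                     if e["userIdentity"]["arn"] == arn
                     and e["eventName"] in FOLLOW_ON_EVENTS and _ts(e) <= deadline]
        findings.append({"principal": arn, "enumerated_at": ev["eventTime"],
                         "source_ip": ev["sourceIPAddress"], "follow_on": follow_on,
                         "severity": "high" if follow_on else "low"})
    return findings


if __name__ == "__main__":
    for f in analyze_enumeration(SAMPLE_EVENTS, KNOWN_ENUMERATORS):
        print(f"[{f['severity']}] {f['principal']} listed snapshots at "
              f"{f['enumerated_at']} from {f['source_ip']}; follow-on: {f['follow_on']}")
```

The discovery call alone is almost never worth paging on; the value is in keeping it as context so the CopySnapshot and ModifySnapshotAttribute that follow are scored as a sequence rather than as three unrelated events.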

Snapshot: Snapshot Metadata

Contextual data about a snapshot, which may include information such as ID, type, and status

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Periodically baseline snapshots to identify malicious modifications or additions.

.001 Create Snapshot

Periodically baseline snapshots to identify malicious modifications or additions.

Enterprise T1537 Transfer Data to Cloud Account

Periodically baseline snapshots to identify malicious modifications or additions.
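
The three entries above all recommend periodically baselining snapshots. The following is an added example, not code from MITRE ATT&CK or AWS, of what that baseline comparison looks like in practice: two inventories constructed to resemble trimmed describe-snapshots output (with each snapshot's create-volume permissions folded in as a field), a field-by-field diff that ignores tag ordering, and a triage step that names the conditions a reviewer cares about: a tagged backup disappearing, restore permission granted to an account outside the organization, and a snapshot nobody's job created. The "Backup" tag and the account IDs are assumptions.

```python
"""Baseline-and-diff over snapshot metadata.

Added example, not code from the MITRE page or AWS. Both inventories are
constructed to resemble trimmed `aws ec2 describe-snapshots` output, with the
volume permissions you would read from describe-snapshot-attribute folded in
as "CreateVolumePermissions"; the "Backup" tag and account IDs are assumptions.
"""
OWN_ACCOUNTS = {"111122223333"}  # assumption: accounts allowed to hold restore permission
TRACKED = ("Encrypted", "VolumeId", "VolumeSize", "Description", "Tags", "CreateVolumePermissions")

BASELINE = [
    {"SnapshotId": "snap-0001", "VolumeId": "vol-0a", "VolumeSize": 100, "Encrypted": True,
     "Description": "nightly prod-db", "Tags": [{"Key": "Backup", "Value": "daily"}],
     "CreateVolumePermissions": []},
    {"SnapshotId": "snap-0002", "VolumeId": "vol-0b", "VolumeSize": 50, "Encrypted": True,
     "Description": "nightly app", "Tags": [{"Key": "Backup", "Value": "daily"}],
     "CreateVolumePermissions": []},
    {"SnapshotId": "snap-0003", "VolumeId": "vol-0c", "VolumeSize": 8, "Encrypted": False,
     "Description": "golden image",
     "Tags": [{"Key": "Name", "Value": "golden"}, {"Key": "Team", "Value": "infra"}],
     "CreateVolumePermissions": []},
]
CURRENT = [
    # snap-0001: now restorable by an account outside the organization.
    {**BASELINE[0], "CreateVolumePermissions": [{"UserId": "999988887777"}]},
    # snap-0002: gone, although it was a tagged backup.
    # snap-0003: unchanged; only the tag order in this listing differs.
    {**BASELINE[2], "Tags": list(reversed(BASELINE[2]["Tags"]))},
    # snap-0004: new, unencrypted copy of the prod-db volume that the backup job did not make.
    {"SnapshotId": "snap-0004", "VolumeId": "vol-0a", "VolumeSize": 100, "Encrypted": False,
     "Description": "", "Tags": [], "CreateVolumePermissions": []},
]


def _norm(value):
    """Order-insensitive form for list-of-dict fields such as Tags."""
    if isinstance(value, list):
        return tuple(sorted(tuple(sorted(v.items())) if isinstance(v, dict) else (v,)
                            for v in value))
    return value


def diff_snapshots(baseline, current):
    """Return added/removed snapshot ids and per-field (old, new) deltas."""
    base = {s["SnapshotId"]: s for s in baseline}
    cur = {s["SnapshotId"]: s for s in current}
    changed = {}
    for sid in sorted(base.keys() & cur.keys()):
        deltas = {f: (base[sid].get(f), cur[sid].get(f)) for f in TRACKED
                  if _norm(base[sid].get(f)) != _norm(cur[sid].get(f))}
        if deltas:
            changed[sid] = deltas
    return {"added": sorted(cur.keys() - base.keys()),
            "removed": sorted(base.keys() - cur.keys()),
            "changed": changed}


def triage(diff, baseline, current):
    """Turn the raw diff into review items as (snapshot id, reason) pairs."""
    base = {s["SnapshotId"]: s for s in baseline}
    cur = {s["SnapshotId"]: s for s in current}
    items = []
    for sid in diff["removed"]:
        tagged = any(t["Key"] == "Backup" for t in base[sid].get("Tags", []))
        items.append((sid, "backup snapshot removed" if tagged else "snapshot removed"))
    for sid, deltas in diff["changed"].items():
        for field in deltas:
            if field == "CreateVolumePermissions":
                grantees = {p.get("UserId") or p.get("Group")
                            for p in cur[sid]["CreateVolumePermissions"]}
                outside = sorted(grantees - OWN_ACCOUNTS)
                if outside:
                    items.append((sid, f"restore permission granted to {outside}"))
            else:
                items.append((sid, f"{field} changed"))
    for sid in diff["added"]:
        items.append((sid, "new snapshot not in baseline"))
    return items


if __name__ == "__main__":
    for sid, reason in triage(diff_snapshots(BASELINE, CURRENT), BASELINE, CURRENT):
        print(f"{sid}: {reason}")
```

Storing the baseline as the normalized form (rather than the raw listing) keeps the diff stable across API runs that return tags or permissions in a different order, which otherwise produces noise on every cycle.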

Snapshot: Snapshot Modification

Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
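
The "mounting of a snapshot to a new instance by a new or unexpected user" above, and the Create Snapshot guidance earlier about snapshots being restored by a new user account, describe the same correlation: join the event that created a snapshot to the event that later builds a volume from it, and compare the two principals. Below is an added example of that join, written for this page and not taken from MITRE ATT&CK or AWS. The events are constructed CloudTrail-shaped records (the new snapshot id is read from CreateSnapshot's responseElements, the source snapshot from CreateVolume's requestParameters), and EXPECTED_RESTORERS is an assumed allowlist of principals that legitimately restore.

```python
"""Snapshot created by one principal, restored by another.

Added example, not code from the MITRE page or AWS. Events are constructed
CloudTrail-shaped records (CreateSnapshot's responseElements carries the new
snapshotId; CreateVolume's requestParameters carries the source snapshotId).
EXPECTED_RESTORERS is an assumed allowlist of principals that normally restore.
"""
from datetime import datetime

OPS = "arn:aws:iam::111122223333:user/ops-backup"
NEW_HIRE = "arn:aws:iam::111122223333:user/new-hire"
DR = "arn:aws:iam::111122223333:role/dr-restore"
EXPECTED_RESTORERS = {DR}  # assumption: roles that are allowed to restore others' snapshots


def _event(name, arn, when, account="111122223333", request=None, response=None):
    """Constructed CloudTrail-shaped record (sample data only)."""
    return {"eventName": name, "eventTime": when, "recipientAccountId": account,
            "userIdentity": {"arn": arn},
            "requestParameters": request or {}, "responseElements": response or {}}


SAMPLE_EVENTS = [
    _event("CreateSnapshot", OPS, "2021-11-01T02:00:00Z",
           request={"volumeId": "vol-01"}, response={"snapshotId": "snap-aaa"}),
    _event("CreateSnapshot", OPS, "2021-11-01T02:05:00Z",
           request={"volumeId": "vol-02"}, response={"snapshotId": "snap-bbb"}),
    # Creator verifies its own snapshot: same principal, no finding.
    _event("CreateVolume", OPS, "2021-11-01T02:30:00Z",
           request={"snapshotId": "snap-aaa", "availabilityZone": "us-east-1a"}),
    # Hours later a different, unexpected user mounts the second snapshot on a new instance.
    _event("CreateVolume", NEW_HIRE, "2021-11-01T07:40:00Z",
           request={"snapshotId": "snap-bbb", "availabilityZone": "us-east-1a"},
           response={"volumeId": "vol-new"}),
    _event("AttachVolume", NEW_HIRE, "2021-11-01T07:42:00Z",
           request={"volumeId": "vol-new", "instanceId": "i-0new", "device": "/dev/sdf"}),
    # Allowlisted DR role restoring someone else's snapshot: no finding.
    _event("CreateVolume", DR, "2021-11-01T08:00:00Z",
           request={"snapshotId": "snap-aaa", "availabilityZone": "us-east-1b"}),
    # Restore from a snapshot whose creation this log window never saw.
    _event("CreateVolume", NEW_HIRE, "2021-11-01T08:10:00Z",
           request={"snapshotId": "snap-zzz", "availabilityZone": "us-east-1a"}),
]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_cross_principal_restores(events, expected_restorers):
    """Join CreateVolume-from-snapshot to the CreateSnapshot that produced it.

    Report a restore when the restorer is neither the creator nor allowlisted,
    when it lands in a different account, or when no creation event is known
    (in production the `created` map would be seeded from a snapshot inventory
    rather than only from the events in the current window)."""
    created, findings = {}, []
    for ev in sorted(events, key=_ts):
        if ev["eventName"] == "CreateSnapshot":
            sid = ev["responseElements"].get("snapshotId")
            if sid:
                created[sid] = ev
            continue
        if ev["eventName"] != "CreateVolume" or "snapshotId" not in ev["requestParameters"]:
            continue
        sid = ev["requestParameters"]["snapshotId"]
        restorer = ev["userIdentity"]["arn"]
        origin = created.get(sid)
        if origin is None:
            findings.append({"snapshot": sid, "restored_by": restorer, "created_by": None,
                             "reasons": ["no CreateSnapshot seen for this snapshot"]})
            continue
        creator = origin["userIdentity"]["arn"]
        reasons = []
        if restorer != creator and restorer not in expected_restorers:
            reasons.append("restored by a different, unexpected principal")
        if ev["recipientAccountId"] != origin["recipientAccountId"]:
            reasons.append("restored in a different account")
        if reasons:
            findings.append({"snapshot": sid, "restored_by": restorer,
                             "created_by": creator, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_cross_principal_restores(SAMPLE_EVENTS, EXPECTED_RESTORERS):
        print(f"{f['snapshot']}: created by {f['created_by']}, "
              f"restored by {f['restored_by']}: {'; '.join(f['reasons'])}")
```

The same join extends to RunInstances launched with a block-device mapping that names a snapshot, and to the GCP case the page mentions where sourceSnapshot appears in the instance-creation request; the principal comparison is what matters, not the specific restore API.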

Enterprise T1537 Transfer Data to Cloud Account

Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs.
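
To make "share with untrusted or unusual accounts" concrete (this entry and the T1537 entry under Snapshot Creation), here is an added example, not code from MITRE ATT&CK or AWS, that inspects the permission changes that actually implement a share: ModifySnapshotAttribute adding createVolumePermission entries on an EBS snapshot, and ModifyDBSnapshotAttribute adding values to the restore attribute on an RDS snapshot. Grants to accounts outside an assumed organization list are reported, and a grant to the group "all" (a public snapshot) is rated critical. Records are constructed CloudTrail-shaped events.

```python
"""Snapshot sharing to accounts outside the organization.

Added example, not from the MITRE page or AWS. Events are constructed
CloudTrail-shaped records for ModifySnapshotAttribute (EC2) and
ModifyDBSnapshotAttribute (RDS); TRUSTED_ACCOUNTS is an assumed list of the
organization's own account IDs.
"""
TRUSTED_ACCOUNTS = {"111122223333", "222233334444"}  # assumption: accounts in our org
ADMIN = "arn:aws:iam::111122223333:user/platform-admin"
DEV = "arn:aws:iam::111122223333:user/dev-jsmith"


def _event(name, arn, when, **params):
    """Constructed CloudTrail-shaped record (sample data only)."""
    return {"eventName": name, "eventTime": when,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_EVENTS = [
    # Share with a sibling account inside the organization: expected.
    _event("ModifySnapshotAttribute", ADMIN, "2021-11-01T10:00:00Z", snapshotId="snap-01",
           attributeType="CREATE_VOLUME_PERMISSION",
           createVolumePermission={"add": {"items": [{"userId": "222233334444"}]}}),
    # Share with an account nobody recognises.
    _event("ModifySnapshotAttribute", DEV, "2021-11-01T10:05:00Z", snapshotId="snap-02",
           attributeType="CREATE_VOLUME_PERMISSION",
           createVolumePermission={"add": {"items": [{"userId": "999988887777"}]}}),
    # Make a snapshot public.
    _event("ModifySnapshotAttribute", DEV, "2021-11-01T10:06:00Z", snapshotId="snap-03",
           attributeType="CREATE_VOLUME_PERMISSION",
           createVolumePermission={"add": {"items": [{"group": "all"}]}}),
    # Revoking a permission is not a share and must not alert.
    _event("ModifySnapshotAttribute", ADMIN, "2021-11-01T10:10:00Z", snapshotId="snap-02",
           attributeType="CREATE_VOLUME_PERMISSION",
           createVolumePermission={"remove": {"items": [{"userId": "999988887777"}]}}),
    # RDS: database snapshot made restorable by an external account.
    _event("ModifyDBSnapshotAttribute", DEV, "2021-11-01T10:15:00Z",
           dBSnapshotIdentifier="prod-db-2021-11-01",
           attributeName="restore", valuesToAdd=["444455556666"]),
]


def grantees_added(ev):
    """Return (snapshot identifier, set of account ids or 'all') newly granted restore access."""
    p = ev["requestParameters"]
    if ev["eventName"] == "ModifySnapshotAttribute":
        items = p.get("createVolumePermission", {}).get("add", {}).get("items", [])
        return p.get("snapshotId"), {i.get("userId") or i.get("group") for i in items} - {None}
    if ev["eventName"] in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"):
        if p.get("attributeName") == "restore":
            sid = p.get("dBSnapshotIdentifier") or p.get("dBClusterSnapshotIdentifier")
            return sid, set(p.get("valuesToAdd", []))
    return None, set()


def find_untrusted_shares(events, trusted_accounts):
    """One finding per event that grants restore access outside `trusted_accounts`."""
    findings = []
    for ev in events:
        sid, grantees = grantees_added(ev)
        untrusted = {g for g in grantees if g not in trusted_accounts}
        if not untrusted:
            continue
        findings.append({"snapshot": sid, "principal": ev["userIdentity"]["arn"],
                         "time": ev["eventTime"], "grantees": sorted(untrusted),
                         "severity": "critical" if "all" in untrusted else "high"})
    return findings


if __name__ == "__main__":
    for f in find_untrusted_shares(SAMPLE_EVENTS, TRUSTED_ACCOUNTS):
        print(f"[{f['severity']}] {f['principal']} shared {f['snapshot']} with {f['grantees']}")
```

Keying on the permission change rather than on a later CopySnapshot in the receiving account is deliberate: the receiving account's logs are outside your visibility, while the grant is always logged in yours.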

References