On October 31st, MITRE released version 14 of its ATT&CK framework. As detailed in their blog post about the release, some major changes include enhancements to the detection content, new industrial control system (ICS) assets, and the addition of structured detections for mobile. In this blog post, however, we want to focus on a different area of interest: the cloud. We’ll focus on the new cloud-specific techniques that MITRE added to the ATT&CK matrix.
New Techniques
In total, ATT&CK v14 includes 18 new Enterprise techniques. Of these, six techniques are directly tied to Infrastructure-as-a-Service (IaaS) or Container platforms, and three techniques fall under the Software-as-a-Service (SaaS) matrix. This means between IaaS and SaaS techniques, 50% of new enterprise techniques have direct cloud implications, which is not surprising as threat actors are following organizations to the cloud with its increased adoption.
Infrastructure-as-a-Service Techniques
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)
The Abuse Elevation Control Mechanism technique focuses on how adversaries can leverage built-in controls designed for granting higher-level permissions as a privilege escalation tactic. The new Temporary Elevated Cloud Access sub-technique is specifically related to the use of cloud access controls such as just-in-time access and account impersonation to gain additional permissions.
Account Manipulation: Additional Container Cluster Roles (T1098.006)
The Account Manipulation technique is used to describe any action taken on an account with the goal of preserving or modifying adversary access. Example procedures include changing password policies or adding users to new groups. The Additional Cloud Credentials (T1098.001) and Additional Cloud Roles (T1098.003) sub-techniques already provided some cloud coverage for this technique, but that coverage is expanded by the new sub-technique, Additional Container Cluster Roles. While containers are not directly a cloud resource, they are heavily leveraged in the cloud and thus highly relevant to cloud security. In this case, adversaries may add roles or permissions to an adversary-controlled account on a container orchestration cluster (such as Kubernetes) to establish persistence.
Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
Credentials from Password Stores has always been a popular technique in enterprise environments. Credentials saved in browsers, keychains, password managers, and Windows Credential Manager are all targets for threat actors. The new Cloud Secrets Management Stores sub-technique is related to credential access via password stores and highlights the risk of cloud secret managers being targeted by threat actors. Examples of such solutions are AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. These tools allow cloud services to dynamically acquire credentials rather than hard coding them into environment variables or plain text files, but with sufficient privileges they can still be exposed to threat actors.
Log Enumeration (T1654)
Log Enumeration is a brand-new technique, not just sub-technique, that is relevant to Linux, Windows, macOS, as well as IaaS. It is a discovery tactic through which attackers attempt to find useful information within system and service logs, such as user accounts, software, and system information. Pacu, an AWS exploitation framework, presents an example of this technique through its ability to collect CloudTrail logs. A recent Mandiant report also shows evidence of this technique in the wild, where threat actors used Azure’s VM Agent to collect security logs from cloud-hosted infrastructure.
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (T1578.005)
The Modify Cloud Compute Infrastructure technique’s existing sub-techniques involved creating snapshots as well as creating, deleting, and reverting cloud instances. The newly added sub-technique, Modify Cloud Compute Configurations, focuses instead on how changing the configuration of the organization’s compute environment can allow threat actors to further their attack. One example is modifications that allow for higher resource quotas to enable more profitable resource hijacking without causing alerts about quota limits being reached. Another example involves allowing resources to be deployed in unused regions to hide from administrators.
Remote Services: Direct Cloud VM Connections (T1021.008)
Once a threat actor has access to an organization’s cloud console, they may attempt to pivot through the environment and carry out post-compromise actions via compute infrastructure. The new sub-technique, Direct Cloud VM Connections, highlights how threat actors can establish interactive connections with cloud VMs through cloud-native methods such as the Azure Serial Console, AWS EC2 Instance Connect, or AWS Systems Manager using compromised credentials, (e.g., a password, access token, or SSH key).
Software-as-a-Service Techniques
Exfiltration Over Web Service: Exfiltration Over Webhook (T1567.004)
More and more web services are enabling communication between clients and servers based on action triggers via webhooks. For example, chat services like Discord and Slack can receive messages based on actions taken in Github, Jira, or Trello. MITRE added the Exfiltration Over Webhook sub-technique to address threat actors’ use of webhooks like this to link their infrastructure with victim SaaS services for either automated or manual exfiltration of emails, chat messages, and other data. This is an ideal exfiltration method for threat actors because webhooks operate over HTTPS, which means this traffic often blends in with legitimate traffic.
Financial Theft (T1657)
Impact tactics focus on an adversary's end goal and how it affects the victim. Financial Theft is a new technique associated with this tactic. As the name implies, adversaries may attempt to steal monetary resources through their attacks. This is often done via social engineering especially over email, hence its categorization as a SaaS-based technique, as well as being applicable to Windows, macOS, and Linux platforms.
Impersonation (T1656)
The final new SaaS technique, Impersonation, is also tied to the main operating system platforms. Adversaries attempting to social engineer a target in a business email compromise or email fraud campaign will often claim to be a trusted person or organization in an attempt to convince the target to take some action. For those leveraging a SaaS service for email, this will be a commonly observed technique in phishing attempts.
Updated Techniques
Along with these new techniques, MITRE is constantly making updates to existing techniques. An extensive list of updated techniques can be found in the October 2023 release notes. Most changes include expanding descriptions, adding new references, and introducing new procedure examples, mitigations, and detections. Patches typically involve fixing typos and don’t include any significant changes to the content of the technique details.
Summary
With more than 50% of the new techniques being associated with IaaS or SaaS platforms, it is clear that MITRE’s intent is to ensure the cloud is not neglected when discussing threat actor tactics, techniques, and procedures (TTPs). Cloud defenders will benefit greatly from regularly reviewing the new techniques added to the ATT&CK database, as they are not hypothetical, but real-world threats being actively leveraged in-the-wild.
To learn more about operationalizing the cloud techniques described in MITRE ATT&CK, SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection provides extensive content on how cloud-focused ATT&CK TTPs are implemented in cloud attacks and how analysts and defenders can use that knowledge to defend their organization.
