T1537 Transfer Data to Cloud Account
Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.
A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.
Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.4
| Item | Value |
|---|---|
| ID | T1537 |
| Sub-techniques | |
| Tactics | TA0010 |
| Platforms | IaaS |
| Version | 1.3 |
| Created | 30 August 2019 |
| Last Modified | 16 June 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic | Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs. |
| M1027 | Password Policies | Consider rotating access keys within a certain number of days to reduce the effectiveness of stolen credentials. |
| M1018 | User Account Management | Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0010 | Cloud Storage | Cloud Storage Creation |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0020 | Snapshot | Snapshot Creation |
References
-
Amazon Web Services. (n.d.). Share an Amazon EBS snapshot. Retrieved March 2, 2022. ↩
-
Microsoft Azure. (2021, December 29). Blob snapshots. Retrieved March 2, 2022. ↩
-
Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. ↩