Powerful Cloud Permissions You Should Know: Part 5
MITRE ATT&CK Stage: Defensive Evasion
This blog is the fifth publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. If you have not yet read the first blog on the Initial Access stage, you can find it here and follow along the series.
–
A lot of activity in the cloud is traceable. Most organizations know it is best practice to enable logging and security tools to help in auditing or protection practices. However, there are a few actions one can take to disable these processes or cover their tracks.
Once an attacker is in your cloud, they are looking to stay there undetected for as long as they can. The following permissions are examples of sensitive actions that could be used to evade detection.
Powerful Permissions in AWS
Permission: PutLifecyclePolicy
Service: Elastic Container Registry (ECR)
Context: This permission allows one to create or update a lifecycle policy on a specified repository. ECR lifecycle policies allow control over lifecycle management of images in private repositories by defining when images should expire.
So What?
If a bad actor were to create an ECR image, with this permission in hand, they could create a policy that sets their desired expiration criteria for the image – allowing them to auto clean up after themselves.
Alternatively, an employee with this permission could accidentally misconfigure a policy, resulting in deleting golden images or other images your team does not want to lose.
Powerful Permissions in Azure
Permission: Microsoft.Automanage/configurationProfileAssignments/Delete
Service: Automanage for Virtual Machines
Context: Automanage allows you to create custom profiles for flexibility in settings. This permission allows one to delete configuration profile assignments on compute instances.
So What?
With this permission in hand, a bad actor could delete the configuration profile assignment for any given Virtual Machine and disable any antimalware. With antimalware disabled, the bad actor could execute their own malware payloads undetected. Deleting the profile assignment can also remove drift detection capabilities that were put in place.
Perhaps an employee ended up with this permission – they could accidentally or without knowing the consequences, delete a profile and disable integral backups on a production workload.
Powerful Permissions in GCP
Permission: logging.exclusions.create
Service: Logging
Context: This permission allows creating log exclusions in Google Cloud, which specify what log data should not be collected.
So What?
What’s better for a malicious actor than the ability to disable logging? A bad actor can exclude the identity or resources they’re using in their attack from logging, making catching them far more challenging.
In the case of an internal threat – perhaps an employee with this permission could make exclusions in billing logs for their desired resources to evade getting in trouble.
With some entries excluded from logs, troubleshooting any sort of error is extremely difficult for the organization.
Permission: securitycenter.muteconfigs.create
Service: Security Center
Context: This permission allows creating mute configurations in Security Center, which can suppress specified security findings.
So What?
With this permission, an attacker can mute security findings for resources or files they’re using to evade detection – this doesn’t mean the finding doesn’t exist, it’s just muted.
Less malicious – an employee with this permission could bypass approval processes to use certain applications that are policy violations.
Permission: vpcaccess.connectors.update
Service: VPC Access
Context: This permission enables updating existing VPC connectors in Google Cloud. One would configure a VPC access connector to enable a service or job to send traffic to a VPC network.
So What?
A bad actor could configure the connector to allow or disallow connections from specific addresses. Consider an organization out of Europe with a region in the U.S. that is enabled, but mostly unused due to data compliance standards. The attacker could allow a connection to an address in the U.S. region and ‘hide out’ there once they realize it is unused after some basic recon. With insufficient monitoring in place, the organization may not realize or detect this activity.
Managing Sensitive Permissions
As per our last blog, here are some ways you can get started on strengthening your protection over cloud permissions:
AWS IAM Access Analyzer: Access Analyzer identifies the resources like storage objects or roles that are shared externally. It works with logic-based reasoning to analyze resource-based policies and identify what external principals have unintended access and offers findings. Beyond that it can identify some unused access, enforce policy checks, and use CloudTrail logs for policy recommendations.
Least Privilege: Least Privilege is a well known security standard many enterprises work towards. Nearly impossible to do manually, a solution that offers least privilege can help by monitoring identity permission usage to gain an understanding of what they need to do their job. Excessive or unnecessary privilege can then be stripped away and a suggested better suited policy is recommended.
CIEM: Cloud Infrastructure Entitlement Management solutions are the best option for granularly managing permissions. They are able to ‘see’ all possible permissions tied to cloud identities – machine and human – even the ones accessible through inheritance. This visibility allows a CIEM to rightsize permissions by alerting to potential risks like lateral movement, privilege escalation, unintended access, and more – so your team can remediate within the platform.
Stay Tuned
Continue following the MITRE ATT&CK path as the final blog in this series comes out; Powerful Cloud Permissions You Should Know: Part 6, Exfiltration and Impact.
*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Tally Shea. Read the original post at: https://sonraisecurity.com/blog/powerful-cloud-permissions-you-should-know-part-5/
