ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (Lin Miaoqian, cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (Dai Yilun, 赛宁网安 / Cyberpeace). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1530

Glossary: /attack/glossary

Data from Cloud Storage Object

Adversaries may access data objects from improperly secured cloud storage.

Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.[1][2][3]

Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.[4][5][6] Adversaries may also obtain leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.

Tags

ID: T1530

Tactic: Collection

Platforms: AWS, GCP, Azure

Permissions Required: User

Data Sources: Stackdriver logs, Azure activity logs, AWS CloudTrail logs

Mitigations

Mitigation (ID): Description
Audit (M1047): Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.
Encrypt Sensitive Information (M1041): Encrypt data stored at rest in cloud storage. Managed encryption keys can be rotated by most providers. At a minimum, ensure that the incident response plan for a storage breach includes rotating the keys and testing for impact on client applications.
Filter Network Traffic (M1037): Cloud service providers support IP-based restrictions when accessing cloud resources. Consider using IP whitelisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials to access data.
Multi-factor Authentication (M1032): Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.
Restrict File and Directory Permissions (M1022): Use access control lists on storage systems and objects.
User Account Management (M1018): Configure user permission groups and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.

Detection

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate that improper permissions are set that allow access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user and then access to the same object, may be an indication of suspicious activity.
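The "denied, then privilege change, then successful read of the same object" pattern described above, as an added example that is not part of the ATT&CK page: a small rule run over constructed CloudTrail-style records (the account ID, bucket, key and principals are invented sample values; only the record field names follow the real CloudTrail format). Events are sorted by eventTime and the rule keys on the actor ARN; the list of IAM calls treated as privilege changes is an assumption for the example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2019-11-02T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/dump.sql"}},
    {"eventTime": "2019-11-02T10:03:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}},
    {"eventTime": "2019-11-02T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/dump.sql"}},
    {"eventTime": "2019-11-02T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/dump.sql"}},
]]

# IAM API calls that grant a principal additional permissions (assumed list).
PRIVILEGE_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                     "PutRolePolicy", "AddUserToGroup", "AttachGroupPolicy"}


def detect_denied_then_escalated_access(lines):
    """Return (principal, bucket/key) pairs where the same principal was denied
    GetObject on an object, later made an IAM permission change, and then
    successfully read that object."""
    events = sorted((json.loads(l) for l in lines), key=lambda e: e["eventTime"])
    denied = defaultdict(set)   # actor ARN -> objects it was denied on
    escalated = set()           # actor ARNs that made a privilege change
    findings = []
    for ev in events:
        who = ev["userIdentity"]["arn"]
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] in PRIVILEGE_CHANGES:
            escalated.add(who)
            continue
        if ev["eventSource"] != "s3.amazonaws.com" or ev["eventName"] != "GetObject":
            continue
        p = ev["requestParameters"]
        obj = f'{p["bucketName"]}/{p["key"]}'
        if ev.get("errorCode") == "AccessDenied":
            denied[who].add(obj)
        elif obj in denied[who] and who in escalated:
            findings.append((who, obj))
    return findings
```

Bob's successful read is not flagged because he was never denied the object, which keeps the rule focused on the sequence the detection text describes rather than on every read of a sensitive key.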