Full Report
We introduce a novel method that maps cloud alert trends to MITRE ATT&CK techniques. The patterns created could identify threat actors by behavior. The post Novel Technique to Detect Cloud Threat Actor Operations appeared first on Unit 42.
Analysis Summary
# Tool/Technique: Cloud Sequence-Based Threat Mapping (CSTM)
## Overview
This technique maps sequences of cloud security alerts (for example AWS GuardDuty findings or Prisma Cloud alerts) directly to MITRE ATT&CK techniques so that recurring behavioral patterns become visible. Because the chronological "fingerprint" of an operation is ordered behavior rather than a static artifact, defenders can recognize a threat actor's operations even after indicators of compromise (IoCs) such as IP addresses or file hashes have changed.
## Technical Details
- **Type**: Detection Technique / Behavioral Framework
- **Platform**: Cloud Environments (AWS, Azure, GCP)
- **Capabilities**: Translates raw cloud security alerts into structured MITRE ATT&CK kill chains; identifies actor-specific "behavioral signatures."
- **First Seen**: July 2024 (Published by Unit 42)
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- **TA0007 - Discovery**
- T1087 - Account Discovery
- T1526 - Cloud Service Discovery
- T1580 - Cloud Infrastructure Discovery
- **TA0009 - Collection**
- T1530 - Data from Cloud Storage
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Alert Normalization**: Aggregates disparate cloud alerts (e.g., the GuardDuty finding type "Impact:IAMUser/AnomalousBehavior") and maps each one to a standardized ATT&CK technique.
- **Sequence Modeling**: Tracks the order of operations (e.g., Discovery -> Credential Access -> Exfiltration) to separate targeted campaigns from random noise, since individual alerts are often benign in isolation.
- **Actor Profiling**: Identifies ordering patterns that stay consistent for a specific group (e.g., "Actor A always performs T1580 immediately followed by T1530").
### Advanced Features
- **Temporal Analysis**: Measures the "velocity" of an attack (the time between consecutive steps); sub-second gaps between discovery calls point to scripted tooling, while minute-scale gaps suggest manual, hands-on exploration.
- **Pattern Matching**: Compares active alert sequences against a library of known threat actor "playbooks."
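The normalization, sequence-modeling, velocity and playbook-matching steps above, as an added example; this is not code from the original post or from Unit 42. It runs over constructed CloudTrail-style records; the API-to-technique table, the account ID and principal ARNs, and the 10-calls-per-minute automation threshold are assumptions chosen for illustration, and the playbook is the `DescribeInstances` -> `GetCallerIdentity` -> `ListBuckets` -> `GetObject` indicator sequence.

```python
"""Added example (not Unit 42's code): normalize constructed CloudTrail-style
events to ATT&CK techniques, order them per principal, match the ordered
calls against a playbook, and measure velocity to separate scripted tooling
from hands-on activity. The API-to-technique table, account ID, principal
names and the 10 calls/minute automation threshold are all assumptions."""
from datetime import datetime, timezone
from typing import Dict, List

# Assumed mapping from CloudTrail eventName to an ATT&CK technique ID.
# Only techniques named on this page are used; unmapped calls are noise.
API_TO_TECHNIQUE: Dict[str, str] = {
    "DescribeInstances": "T1580",  # Cloud Infrastructure Discovery
    "ListBuckets": "T1580",        # Cloud Infrastructure Discovery
    "GetCallerIdentity": "T1087",  # Account Discovery
    "ListUsers": "T1087",          # Account Discovery
    "GetObject": "T1530",          # Data from Cloud Storage
}

# Behavioral indicator from this page as an ordered playbook of API calls.
PLAYBOOK = ["DescribeInstances", "GetCallerIdentity", "ListBuckets", "GetObject"]

CI = "arn:aws:iam::111122223333:user/ci-deploy"      # assumed principal
ADMIN = "arn:aws:iam::111122223333:user/alice"       # assumed principal


def _event(ts: str, name: str, arn: str) -> dict:
    return {"eventTime": ts, "eventName": name, "userIdentity": {"arn": arn}}


# Constructed records (not real telemetry). ci-deploy runs the full playbook
# in nine seconds, interleaved with an unmapped call; alice makes a similar but
# out-of-order, incomplete set of calls over almost an hour (listed unsorted
# on purpose, as log records often arrive).
SAMPLE_EVENTS = [
    _event("2024-07-01T10:00:00Z", "DescribeInstances", CI),
    _event("2024-07-01T10:00:02Z", "GetCallerIdentity", CI),
    _event("2024-07-01T10:00:03Z", "PutMetricData", CI),
    _event("2024-07-01T10:00:05Z", "ListBuckets", CI),
    _event("2024-07-01T10:00:09Z", "GetObject", CI),
    _event("2024-07-01T09:00:00Z", "GetCallerIdentity", ADMIN),
    _event("2024-07-01T09:55:00Z", "ListBuckets", ADMIN),
    _event("2024-07-01T09:20:00Z", "DescribeInstances", ADMIN),
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sequences(events: List[dict]) -> Dict[str, List[dict]]:
    """Group events by principal ARN and order each group chronologically."""
    by_principal: Dict[str, List[dict]] = {}
    for ev in events:
        by_principal.setdefault(ev["userIdentity"]["arn"], []).append(ev)
    for evs in by_principal.values():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
    return by_principal


def technique_chain(events: List[dict]) -> List[str]:
    """ATT&CK chain: unmapped calls dropped, consecutive repeats collapsed."""
    chain: List[str] = []
    for ev in events:
        tech = API_TO_TECHNIQUE.get(ev["eventName"])
        if tech and (not chain or chain[-1] != tech):
            chain.append(tech)
    return chain


def contains_in_order(playbook: List[str], events: List[dict]) -> bool:
    """True if every playbook step occurs in order, gaps between steps allowed."""
    names = iter(e["eventName"] for e in events)
    return all(step in names for step in playbook)


def analyze(events: List[dict], playbook: List[str] = PLAYBOOK,
            automated_rate: float = 10.0) -> Dict[str, dict]:
    """Per-principal verdict: ATT&CK chain, playbook match, velocity, confidence."""
    report: Dict[str, dict] = {}
    for principal, evs in build_sequences(events).items():
        mapped = [e for e in evs if e["eventName"] in API_TO_TECHNIQUE]
        rate = 0.0
        if mapped:
            span = (parse_time(mapped[-1]["eventTime"])
                    - parse_time(mapped[0]["eventTime"])).total_seconds()
            rate = len(mapped) * 60.0 / max(span, 1.0)  # mapped calls per minute
        matched = contains_in_order(playbook, evs)
        automated = rate >= automated_rate
        report[principal] = {
            "chain": technique_chain(evs),
            "playbook_match": matched,
            "calls_per_minute": round(rate, 2),
            "automated": automated,
            # Individually low-severity calls become high confidence only when
            # they occur in playbook order at machine speed.
            "confidence": ("high" if matched and automated
                           else "medium" if matched else "low"),
        }
    return report


if __name__ == "__main__":
    for principal, verdict in analyze(SAMPLE_EVENTS).items():
        print(principal, verdict)
```

The playbook check is an ordered-subsequence match rather than an exact match, so benign calls interleaved with the actor's steps (here `PutMetricData`) do not break detection; the velocity figure is what separates the scripted key from the administrator who happens to touch the same APIs over an hour.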
## Indicators of Compromise
*Note: This technique focuses on Behavioral Indicators (BIs) rather than static IoCs.*
- **Behavioral Indicators**:
- Sequence: `DescribeInstances` (T1580) -> `GetCallerIdentity` (T1087) -> `ListBuckets` (T1580) -> `GetObject` (T1530).
- High-frequency API calls originating from Tor exit nodes or known commercial VPN egress addresses.
- Unexpected cross-region resource enumeration.
## Associated Threat Actors
- **TeamTNT**: Known for automated cloud discovery and credential harvesting.
- **LUCR-3 (Scattered Spider)**: Observed using specific sequences for cloud identity manipulation and data theft.
- **Kinsing**: Gains initial access through misconfigured or exposed services, then reaches the cloud instance metadata service (T1552.005) to obtain credentials.
## Detection Methods
- **Behavioral Detection**: Monitoring for specific ordered sequences of "Informational" or "Low" severity alerts that individually would be ignored but, combined in order, represent a high-confidence threat.
- **Log Correlation**: Correlating CloudTrail and VPC Flow Logs with endpoint-level telemetry so that a cloud API sequence can be tied to the host or process that issued it.
- **Sequence Anomaly Detection**: Identifying technique sequences that deviate from the established "normal" administrative sequence for a specific IAM role, which requires a per-role baseline learned from historical activity.
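The per-role sequence-anomaly method above, as an added example; this is not code from the original post or from Unit 42. It assumes alerts have already been mapped to ATT&CK technique IDs (the input is lists of technique IDs, one list per session), and the role ARNs, the baseline sessions and the new sessions are constructed for illustration.

```python
"""Added example (not Unit 42's code): learn the transitions between ATT&CK
techniques that an IAM role normally produces, then flag a new session whose
transitions fall outside that baseline. Role ARNs, the baseline sessions and
the scored sessions are constructed; input is already-mapped technique IDs."""
from typing import Dict, List, Optional, Set, Tuple

START, END = "<start>", "<end>"
Transition = Tuple[str, str]

AUDITOR = "arn:aws:iam::111122223333:role/ReadOnlyAuditor"   # assumed role
PIPELINE = "arn:aws:iam::111122223333:role/DataPipeline"     # assumed role

# Constructed history of technique sequences per role, one list per session.
# The auditor enumerates accounts, services and infrastructure; the pipeline
# lists storage and then reads objects from it.
BASELINE_SESSIONS: Dict[str, List[List[str]]] = {
    AUDITOR: [
        ["T1087", "T1526", "T1580"],
        ["T1526", "T1580"],
        ["T1087", "T1526"],
    ],
    PIPELINE: [
        ["T1580", "T1530"],
        ["T1580", "T1530", "T1530"],
    ],
}


def transitions(seq: List[str]) -> List[Transition]:
    """Bigrams over the sequence, including how a session starts and ends,
    so an unusual first or last technique is itself a novel transition."""
    padded = [START] + seq + [END]
    return list(zip(padded, padded[1:]))


def learn_baseline(history: Dict[str, List[List[str]]]) -> Dict[str, Set[Transition]]:
    """Set of transitions ever observed for each role."""
    return {role: {t for session in sessions for t in transitions(session)}
            for role, sessions in history.items()}


def score_session(baseline: Dict[str, Set[Transition]], role: str,
                  seq: List[str]) -> dict:
    """Flag transitions the role has never produced. A role with no baseline
    scores as fully novel but is marked so the caller can choose to learn
    rather than alert."""
    known: Optional[Set[Transition]] = baseline.get(role)
    seen = transitions(seq)
    novel = [t for t in seen if t not in (known or set())]
    return {
        "role": role,
        "baseline_available": known is not None,
        "novel_transitions": novel,
        "novelty": len(novel) / len(seen),   # seen is never empty (START->END)
        "anomalous": bool(novel),
    }


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_SESSIONS)
    # The same Discovery -> Collection step is normal for the pipeline role
    # and anomalous for the auditor role; the baseline is what differs.
    print(score_session(baseline, AUDITOR,
                        ["T1087", "T1526", "T1580", "T1530", "T1041"]))
    print(score_session(baseline, PIPELINE, ["T1580", "T1530"]))
```

The point of keying the baseline on the role is visible in the two calls at the bottom: `T1580 -> T1530` is routine for the data pipeline and novel for the read-only auditor, so the same alert pair carries different weight depending on which identity produced it.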
## Mitigation Strategies
- **Least Privilege Access**: Enforce least-privilege IAM policies so a compromised principal lacks the broad `List*`/`Describe*` permissions the "Discovery" phase of the sequence depends on.
- **Service Control Policies (SCPs)**: Use AWS Organizations SCPs (or the equivalent organization-level policy in other clouds) to deny API calls in regions or services the business does not use, for example with an `aws:RequestedRegion` condition.
- **MFA Enforcement**: Require MFA for console access and, via the `aws:MultiFactorAuthPresent` condition on sensitive actions, for API access, so leaked long-lived credentials cannot be used on their own; note that MFA does not revoke temporary credentials stolen from an already-authenticated session.
## Related Tools/Techniques
- **T1580 (Cloud Infrastructure Discovery)**: The most frequent starting point for cloud sequences.
- **CloudConsolidate**: Tools used to aggregate multi-cloud logs.
- **Pacu/CloudSploit**: Pacu (an AWS exploitation framework) and CloudSploit (a cloud misconfiguration scanner) issue the bursts of enumeration API calls that generate the very alert patterns this technique aims to detect, which makes them useful for validating detections in a test account.