Full Report
Wiz adds full detection of cloud services for deeper visibility and control over shadow IT.
Analysis Summary
As a malware analyst and TTPs specialist, I must note that the provided article discusses a product enhancement for *Cloud Security Posture Management (CSPM)* offered by the vendor **Wiz**, specifically focusing on improving inventory visibility to counter **Shadow IT**.
**This article does not detail any malware families, attack tools, or malicious techniques/TTPs used by threat actors.** Therefore, the structured summary below reflects the described security capability rather than an offensive artifact.
***
# Tool/Technique: Wiz Enhanced Inventory (CSPM)
## Overview
Wiz has enhanced its Cloud Security Posture Management (CSPM) inventory tool to provide comprehensive visibility across *all* cloud services used within an organization’s infrastructure, regardless of whether Wiz natively supports explicit risk assessment for those specific services. The primary purpose is to detect and manage **Shadow IT** by automatically identifying new and unapproved cloud service usage.
## Technical Details
- Type: Security Tool / CSPM Enhancement
- Platform: Cloud Environments (AWS, other major providers implied)
- Capabilities: Full inventory visibility of all deployed cloud services, automatic detection of newly released services, policy enforcement, and alerting on policy violations (unwanted/unreviewed services).
- First Seen: Announcement date of the enhancement (contextually related to the AWS re:Invent 2022 announcements).
## MITRE ATT&CK Mapping
*Note: Since this is a defensive tool summary, the MITRE mappings reflect the **defensive activities** this tool enables, primarily related to Discovery and Governance, rather than offensive TTPs traditionally mapped.*
- **TA0005 - Defense Evasion** (By mapping all services, it helps detect unauthorized services that might evade security monitoring)
  - T1518 - Software Discovery
    - T1518.001 - Cloud Services Discovery (Enabling detection of services an adversary might use for minimal persistence or staging)
- **TA0007 - Discovery**
  - T1580 - Cloud Service Discovery (If used to audit what services are present, which directly counters adversary intelligence gathering)
## Functionality
### Core Capabilities
- **Full Visibility:** Detects and inventories every cloud service in use, including brand-new services released recently (e.g., Amazon OpenSearch Serverless).
- **Inventory Mapping:** Maps detected services to specific regions, accounts, or business units.
- **Policy Management:** Allows security teams to define security policies, marking services as required, approved, or unwanted.
### Advanced Features
- **Shadow IT Prevention:** Automatically surfaces unreviewed or unwanted services as soon as they are deployed.
- **Automated Alerting:** Triggers alerts immediately when policies are violated (e.g., an unwanted service detected in a production environment).
- **Governance and Compliance:** Enables security, DevOps, and FinOps teams to gain control over cloud usage, reducing risk and cost associated with unauthorized technologies.
## Indicators of Compromise
*Note: Because the subject is a security control, this summary does not list malicious IoCs. Instead, it lists indicators of the **policy violation** the tool is designed to detect.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on cloud resource inventory, not perimeter C2)
- Behavioral Indicators: **Deployment of an 'Unwanted' or 'Unreviewed' Cloud Service** (especially in production environments).
## Associated Threat Actors
- N/A (This tool is used by Blue Teams/Security Operations to defend against unknown threat actors leveraging Shadow IT).
## Detection Methods
- **Signature-based Detection:** Matching inventoried resources against predefined inventory/configuration signatures derived from vendor service catalogs.
- **Behavioral Detection:** Detecting the **creation event or configuration** of a cloud service flagged in Wiz policies as unauthorized.
- **YARA rules:** N/A
## Mitigation Strategies
- **Policy Definition:** Proactively defining clear policies specifying which cloud services are approved for use across different classification tiers (e.g., production vs. testing).
- **Automated Remediation:** Configuring alerting or automation (e.g., Serverless functions, ticketing systems) to respond immediately when an unauthorized service is inventoried.
- **Inventory Auditing:** Regularly reviewing the enhanced inventory provided by Wiz to confirm all deployed services align with security standards.
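The policy-evaluation loop behind these three steps, as an added Python example that is not Wiz's code or API: it assumes a constructed inventory of (service, account, region, tier) records and a per-tier policy using the page's required/approved/unwanted verdicts, treats any service absent from the policy as unreviewed (the Shadow IT case), and assumes "required" means the service must be present in every account of that tier.

```python
from dataclasses import dataclass

# Policy verdicts, mirroring the three states the text describes.
REQUIRED, APPROVED, UNWANTED, UNREVIEWED = "required", "approved", "unwanted", "unreviewed"

# Constructed policy (assumption): verdict per service, keyed by environment tier.
# A service with no entry for its tier has never been reviewed.
POLICY = {
    "production": {
        "aws:s3": REQUIRED,
        "aws:cloudtrail": REQUIRED,
        "aws:lambda": APPROVED,
        "aws:opensearch-serverless": UNWANTED,
    },
    "testing": {
        "aws:s3": APPROVED,
        "aws:lambda": APPROVED,
        "aws:opensearch-serverless": APPROVED,
    },
}

@dataclass(frozen=True)
class Resource:
    service: str
    account: str
    region: str
    tier: str

# Constructed sample inventory (not real accounts); one prod account lacks CloudTrail.
INVENTORY = [
    Resource("aws:s3", "111111111111", "us-east-1", "production"),
    Resource("aws:lambda", "111111111111", "us-east-1", "production"),
    Resource("aws:opensearch-serverless", "111111111111", "us-east-1", "production"),
    Resource("aws:opensearch-serverless", "222222222222", "eu-west-1", "testing"),
    Resource("aws:newly-launched-service", "222222222222", "eu-west-1", "testing"),
]

def evaluate(inventory, policy=POLICY):
    """Return findings as (severity, kind, service, tier, account) tuples."""
    findings, seen = [], {}
    for r in inventory:
        seen.setdefault((r.tier, r.account), set()).add(r.service)
        verdict = policy.get(r.tier, {}).get(r.service, UNREVIEWED)
        if verdict == UNWANTED:
            findings.append(("high", "unwanted", r.service, r.tier, r.account))
        elif verdict == UNREVIEWED:  # brand-new or unapproved service: Shadow IT
            findings.append(("medium", "unreviewed", r.service, r.tier, r.account))
    for (tier, account), present in seen.items():  # required services absent from an account
        for svc, verdict in policy.get(tier, {}).items():
            if verdict == REQUIRED and svc not in present:
                findings.append(("high", "required-missing", svc, tier, account))
    return findings
```

Feeding `evaluate()` from a scheduled inventory export turns the auditing step into the automated alerting the text describes; the "high" findings are the ones worth routing to a ticket or a remediation function.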
## Related Tools/Techniques
- CSPM Tools (General)
- Cloud Governance Frameworks