ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩, 戴亦仑. Original translation; please obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1537

Glossary: /attack/glossary

Transfer Data to Cloud Account

An adversary may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.

Tags

ID: T1537

Tactic: Exfiltration

Platforms: Azure, AWS, GCP

Permissions Required: User

Data Sources: Stackdriver logs, Azure activity logs, AWS CloudTrail logs

Requires Network: Yes

Mitigations

Filter Network Traffic (M1037): Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs.

Password Policies (M1027): Consider rotating access keys within a certain number of days to reduce the effectiveness of stolen credentials.

User Account Management (M1018): Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts.

Detection

Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs.
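The detection guidance above can be turned into a concrete check over AWS CloudTrail, one of the data sources listed for this technique. The following Python is an added example written for this page; it is not code from MITRE ATT&CK or from the ATT&CK-CN translators. It scans CloudTrail records for the EC2 and RDS API calls that grant another account access to a snapshot or image (ModifySnapshotAttribute, ModifyImageAttribute, ModifyDBSnapshotAttribute) and flags any grant to an account outside an allowlist, or a grant to the "all" group. The allowlist, the sample records and the account IDs are constructed, and the record field layout is an approximation of CloudTrail's requestParameters format rather than a verified copy of it.

```python
import json
from typing import Iterable

# Constructed allowlist (hypothetical): the organization's own account IDs.
# Any snapshot/image shared with an account outside this set is suspicious.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Real AWS API names that appear as CloudTrail eventName values and grant
# another principal access to a snapshot or image. Coverage is illustrative.
SHARING_EVENTS = {
    "ModifySnapshotAttribute",    # EC2: EBS snapshot createVolumePermission
    "ModifyImageAttribute",       # EC2: AMI launchPermission
    "ModifyDBSnapshotAttribute",  # RDS: snapshot "restore" attribute
}


def _ec2_recipients(items: list) -> set:
    """Collect userId values (account IDs) and the public 'all' group from
    an EC2 permission 'add' list."""
    found = set()
    for item in items:
        if item.get("userId"):
            found.add(item["userId"])
        if item.get("group") == "all":
            found.add("all")
    return found


def recipients_of(record: dict) -> set:
    """Return the set of principals a sharing event grants access to.
    Field layout is an assumed approximation of CloudTrail requestParameters."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    if name == "ModifySnapshotAttribute":
        items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        return _ec2_recipients(items)
    if name == "ModifyImageAttribute":
        items = params.get("launchPermission", {}).get("add", {}).get("items", [])
        return _ec2_recipients(items)
    if name == "ModifyDBSnapshotAttribute" and params.get("attributeName") == "restore":
        return set(params.get("valuesToAdd", []))
    return set()


def find_suspicious_sharing(records: Iterable[dict], trusted=TRUSTED_ACCOUNTS) -> list:
    """Flag every sharing event whose recipients include an untrusted account
    or the public 'all' group. Returns one finding per record."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in SHARING_EVENTS:
            continue
        untrusted = recipients_of(rec) - set(trusted)
        if untrusted:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "sourceAccount": rec.get("recipientAccountId"),
                "untrustedRecipients": sorted(untrusted),
            })
    return findings


def parse_cloudtrail_lines(text: str) -> list:
    """Parse newline-delimited JSON CloudTrail records (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log: five records, three of which should be flagged.
SAMPLE_LOG = """
{"eventTime":"2019-11-01T10:00:00Z","eventName":"ModifySnapshotAttribute","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/backup-bot"},"requestParameters":{"snapshotId":"snap-0a1b2c3d4e5f60001","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"222222222222"}]}}}}
{"eventTime":"2019-11-01T10:05:00Z","eventName":"ModifySnapshotAttribute","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{"snapshotId":"snap-0a1b2c3d4e5f60002","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"999999999999"}]}}}}
{"eventTime":"2019-11-01T10:06:00Z","eventName":"CreateSnapshot","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{"volumeId":"vol-0123456789abcdef0"}}
{"eventTime":"2019-11-01T10:07:00Z","eventName":"ModifyDBSnapshotAttribute","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{"dBSnapshotIdentifier":"prod-db-final","attributeName":"restore","valuesToAdd":["999999999999"]}}
{"eventTime":"2019-11-01T10:09:00Z","eventName":"ModifyImageAttribute","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{"imageId":"ami-0fedcba9876543210","launchPermission":{"add":{"items":[{"group":"all"}]}}}}
"""


def run_sample() -> list:
    """Run the detector over the constructed sample log."""
    return find_suspicious_sharing(parse_cloudtrail_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

In production the allowlist would be derived from the organization's account inventory, and the check would also cover cross-account copy operations (for example snapshot copies initiated from a foreign account) and the equivalent Azure activity log and GCP Stackdriver events, which this example does not model.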