4 mins to read
MITRE ATT&CK Stage: Exfiltration and Impact
This blog is the final publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. You can find the series beginning on the Initial Access stage here.
—
The end of the MITRE Framework concludes with Exfiltration or Impact. An attacker may be trying to steal organizational data and remove it from your environment – exfiltration – or just interrupt and disrupt your operations – impact. Even a well-intended employee can misuse these permissions and cause potential impact to your business.
Below, we’ll review several examples of relevant powerful permissions.
Powerful Permissions in AWS
Permission: CreateInstanceProfile
Service: Database Migration Service (DMS)
Context: DMS allows you to migrate databases, warehouses and data stores to AWS cloud or between cloud and on-prem environments. This permission allows one to create an instance profile to specify network and security settings for any given migration project.
So what?
Exfiltration. With this permission, an attacker can configure the instance profile settings to have a public IP address. This would allow public access to the migration project allowing external access and the ability to exfiltrate data.
Even an employee could use this permission to configure public access so they could work on their migration project from home – inadvertently allowing a window in (and out!) for an attacker.
Permission: CreateSmtpGateway
Service: WorkMail
Context: Simple Mail Transfer Protocol (SMTP) gateways can be enabled for outbound email flow rules. These outbound email flow rules let you direct messages from your WorkMail org through an SMTP gateway. This permission creates an SMTP gateway.
So what?
Impact & Exfiltration. With this permission in hand, an attacker could create a gateway to intercept an organization’s outbound mail – a man-in-the-middle attack. With the right permissions in hand, an attacker could additionally configure a lamba function to copy the contents of the intercepted message into an S3 bucket for exfiltration.
Powerful Permissions in Azure
Permission: Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete – or ‘write’
Service: Maintenance
Context: Cloud users can configure regular maintenance on Azure resources like Virtual Machines (e.g. patching vulnerabilities). This permission allows one to write or delete a maintenance configuration.
So what?
Impact & Exfiltration. In a long-game effort, an attacker could use these permissions to manipulate a maintenance configuration by altering the scope or deleting it. Down the road they can hope for a relevant zero-day vulnerability or additional CVE to access the respective VM and exfiltrate any data or disrupt operations.
An employee could also forget to create a new maintenance configuration after deleting an old one, leaving the org vulnerable to the same potential threat.
Permission: Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete
Service: Cosmos DB
Context: This permission allows someone to delete SQL role assignments within Azure Cosmos DB accounts. Role assignments would be used to granularly define access controls.
So what?
Impact. An attacker could delete a role assignment that is responsible for critical daily operations in a production environment. This could come with further disruption in content delivery or customer service, resulting in loss of revenue for the company.
Powerful Permissions in GCP
Permission: logging.sinks.create
Service: Logging
Context: This permission creates a data sink, which helps route logs to defined destinations.
So what?
Exfiltration. Quite a simple scenario – with this permission, an attacker can create a sink and exfiltrate data to an external destination.
Impact. Alternatively, an employee could create an aggregated log sink to make logging ‘more convenient.’ For example, doing this to combine and route audit log entries from all folders in an org to a specific cloud storage bucket. If the employee filtered or configured this poorly, it could potentially route a LOT of log entries costing the organization a significant amount of destination charges.
Permission: Compute.autoscalers.delete
Service: Compute
Context: Autoscalers automatically add or remove virtual machine instances to accommodate load demand. This permission allows one to delete an autoscaler.
So what?
Impact. An attacker could delete an autoscaler your org has in place to disrupt your ability to take on greater loads. Or, a well-intended employee could delete one in an effort to save the business money. Either way, this would disrupt delivery and operations and even make you more susceptible to a DDoS attack.
Closing Thoughts on Sensitive Cloud Permissions
This six-part series intended to convey the power of sensitive cloud permissions, detailing just how impactful they can be to your business operations and security.
With over 42,000 possible cloud permissions, it is difficult for organizations to accurately keep track of the full volume and more importantly, create security controls around protecting access to them. Visibility tools and manual efforts or native-tooling offer solutions to implementing least privilege, but they are difficult to scale and require significant labor and time.
That being said, it is important for DevOps and Security Teams to prioritize securing the permissions we’ve reviewed in this series – and similar nature ones – to maximize their risk reduction, without chasing down more low-impact permissions.
—
Sonrai’s Cloud Permissions Firewall knows the 3,000 most sensitive cloud permissions out there — and how your identities are using them. Unused sensitive permissions are instantly protected with a global default deny policy fit to your specific access needs — all you have to do is a click a button to deploy. Grant future access needs on the fly with a permissions-on-demand workflow integrated into your ChatOps tool.
While you’re at it, quarantine zombie identities and disable unused cloud services and regions for ultimate risk reduction.
