Adversaries can exploit serverless computing, integration, and automation services in cloud environments to execute arbitrary code.
This can be done through serverless functions, compute engines, application integration, and web servers.
The attackers can use these resources to run malicious code, such as crypto-mining malware or create functions that enable further compromise of the cloud environment.
Attackers may also use event-triggered execution to persistently execute serverless functions over time, such as creating Lambda functions in AWS environments that add additional cloud credentials to a user.
ID:T0155
Type:Technique
Tactic:Execution
Summary:Cloud workload
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1532
Mitigation
Mitigation Implement least privilege access controls Limit access to sensitive resources and data to authorized personnel only, and implement least privilege access controls to prevent unauthorized access to sensitive information.
Mitigation Implement least privilege access controls Limit access to sensitive resources and data to authorized personnel only, and implement least privilege access controls to prevent unauthorized access to sensitive information.
M1550
Mitigation
Mitigation Implement strict access control for clouds Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
Mitigation Implement strict access control for clouds Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
M1551
Mitigation
Mitigation Use built-in security controls Utilize built-in security controls provided by the cloud provider, such as AWS's AWS Shield, AWS WAF, and Azure's Azure Firewall.
Mitigation Use built-in security controls Utilize built-in security controls provided by the cloud provider, such as AWS's AWS Shield, AWS WAF, and Azure's Azure Firewall.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
D1550
Detection
Detection Implement real-time monitoring of cloud resources Continuously monitor cloud resources to detect anomalous or suspicious behavior, such as unexpected changes to serverless functions, compute engines, or integration workflows.
Detection Implement real-time monitoring of cloud resources Continuously monitor cloud resources to detect anomalous or suspicious behavior, such as unexpected changes to serverless functions, compute engines, or integration workflows.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
