In this technique, the attacker first gains access to the cloud environment, either through a vulnerability or by compromising user credentials.
Once they have access, they search for resources that are not properly tagged or have incomplete tagging, which can make them harder to track and identify.
The attacker then creates an untagged resource, such as an instance or a volume, and uses it to store and maintain persistent access to the compromised environment.
Since the resource is not properly tagged, it is harder for the cloud provider or the victim to detect and identify it as a potential threat.
This technique can be used to maintain access to the cloud environment even after the original point of entry has been remediated or patched.
ID: T0175
Type: Technique
Tactic: Persistence
Summary: Untagged resources
State: Draft
Mitigations

| ID | TYPE | SUMMARY | DESCRIPTION |
|---|---|---|---|
| M1550 | Mitigation | Implement strict access control for clouds | Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place. |
| M1750 | Mitigation | Implement proper resource tagging | Ensure that all cloud resources are properly tagged with meaningful labels and metadata. This can help to track and identify resources, making it easier to detect any unauthorized or untagged resources. |
| M1751 | Mitigation | Implement resource management policies | Establish policies that require all resources to be properly tagged and monitored regularly. This can help to prevent the creation of untagged resources and quickly identify any that are created. |
| M1752 | Mitigation | Regularly review and audit cloud resources | Regularly review and audit all cloud resources to identify any untagged or unauthorized resources. This can help to detect and remove any potential threats before they are used to compromise the environment. |
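The mitigations M1750 through M1752 amount to a tagging policy plus a recurring audit of the inventory against it. The following is an added example, not code from the original page: it evaluates a constructed inventory (the `Resource` records, the required keys and the allowed `Environment` values are all assumptions chosen for illustration) and returns one finding per resource that is missing a required tag or carries a disallowed value. In practice the inventory would come from the provider's describe/list APIs or a CMDB export.

```python
"""Audit a cloud resource inventory against a tagging policy.

Added example, not part of the original page. The inventory format, the
required keys and the allowed values below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed tagging policy (assumption): every resource must carry these
# keys, and "Environment" must take one of the allowed values.
REQUIRED_TAGS = ("Owner", "Environment", "CostCenter")
ALLOWED_VALUES = {"Environment": {"prod", "staging", "dev"}}


@dataclass
class Resource:
    resource_id: str
    resource_type: str          # e.g. "instance", "volume"
    region: str
    tags: dict = field(default_factory=dict)


@dataclass
class Finding:
    resource_id: str
    resource_type: str
    region: str
    missing: list               # required keys that are absent
    invalid: dict               # key -> offending value


def tag_violations(tags):
    """Return (missing_keys, invalid_values) for one resource's tag map.

    Keys are compared case-insensitively: providers preserve case, and
    "owner" versus "Owner" is a common source of false audit findings.
    """
    lowered = {k.lower(): (k, v) for k, v in tags.items()}
    missing = [k for k in REQUIRED_TAGS if k.lower() not in lowered]
    invalid = {}
    for key, allowed in ALLOWED_VALUES.items():
        entry = lowered.get(key.lower())
        if entry is not None and entry[1] not in allowed:
            invalid[key] = entry[1]
    return missing, invalid


def audit(inventory):
    """Return a Finding for every resource that breaks the policy."""
    findings = []
    for r in inventory:
        missing, invalid = tag_violations(r.tags)
        if missing or invalid:
            findings.append(Finding(r.resource_id, r.resource_type, r.region,
                                    missing, invalid))
    return findings


def summarize(findings):
    """Count findings per (region, resource_type) so reviewers can prioritise."""
    counts = {}
    for f in findings:
        key = (f.region, f.resource_type)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample inventory: one compliant instance, one fully untagged
# instance, one volume with a disallowed Environment value, and one volume
# whose keys are lower-case but still satisfy the policy.
SAMPLE_INVENTORY = [
    Resource("i-0aaa111", "instance", "us-east-1",
             {"Owner": "payments-team", "Environment": "prod", "CostCenter": "CC-100"}),
    Resource("i-0bbb222", "instance", "us-east-1", {}),
    Resource("vol-0ccc333", "volume", "eu-west-1",
             {"Owner": "data-team", "Environment": "sandbox", "CostCenter": "CC-200"}),
    Resource("vol-0ddd444", "volume", "eu-west-1",
             {"owner": "data-team", "environment": "dev", "costcenter": "CC-200"}),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.region} {f.resource_type} {f.resource_id}: "
              f"missing={f.missing} invalid={f.invalid}")
    print(summarize(results))
```

Run on a schedule (M1752), the finding list is the work queue: a resource nobody can attribute through `Owner` is exactly the kind of object the technique relies on, so untagged findings should be routed to a review step rather than auto-deleted.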
Detections

| ID | TYPE | SUMMARY | DESCRIPTION |
|---|---|---|---|
| D1131 | Detection | Implement SIEM | Implement a SIEM system to centralize and analyze logs and events from various sources, including user account-related activities. Use SIEM rules or correlation rules to detect any abnormal or suspicious user account-related activities, such as multiple failed login attempts, changes to account settings outside of normal patterns, or simultaneous login attempts from different locations. |
| D1750 | Detection | Monitor resource creation | By monitoring the creation of new resources in the cloud environment, security teams can detect any untagged resources that may have been created by an attacker. |
| D1751 | Detection | Monitor resource usage | By monitoring the usage of resources in the cloud environment, security teams can identify any unusual or suspicious behavior that may indicate the presence of an untagged resource. |
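D1750 is most useful as a rule over the audit log rather than a periodic inventory diff, because the creation event carries the principal and source address that the resource itself does not. The following added example (not code from the original page) implements that rule over constructed events modelled on the shape of AWS CloudTrail `RunInstances`, `CreateVolume` and `CreateTags` records; the field paths used by the extraction helpers and the `REQUIRED_TAGS`/`GRACE` values are assumptions to adapt to your provider's log format. The grace window handles the common case where provisioning tools create first and tag in a follow-up call, so a creation is only alerted on if no tagging call has supplied the required keys by the time the window expires.

```python
"""Flag resource creations that are never tagged, from audit-log events.

Added example, not part of the original page. The events are constructed and
modelled on the CloudTrail record shape; field names are assumptions.
"""
from datetime import datetime, timedelta

REQUIRED_TAGS = {"Owner", "Environment"}   # assumption: minimum keys a creation must end up with
GRACE = timedelta(minutes=10)              # assumption: time allowed for a follow-up CreateTags


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def created_ids(event):
    """Resource IDs produced by a RunInstances or CreateVolume event."""
    resp = event.get("responseElements") or {}
    if event["eventName"] == "RunInstances":
        return [i["instanceId"] for i in resp.get("instancesSet", {}).get("items", [])]
    if event["eventName"] == "CreateVolume":
        return [resp["volumeId"]] if "volumeId" in resp else []
    return []


def inline_tag_keys(event):
    """Tag keys supplied at creation time through tagSpecificationSet."""
    spec = event.get("requestParameters", {}).get("tagSpecificationSet", {})
    return {tag["key"] for item in spec.get("items", []) for tag in item.get("tags", [])}


def create_tags_keys(event):
    """(resource ids, tag keys) applied by a CreateTags event."""
    req = event.get("requestParameters", {})
    ids = [r["resourceId"] for r in req.get("resourcesSet", {}).get("items", [])]
    keys = {t["key"] for t in req.get("tagSet", {}).get("items", [])}
    return ids, keys


def untagged_creations(events, now=None):
    """Alerts for resources created more than GRACE ago that still lack REQUIRED_TAGS.

    Events are processed in time order and later CreateTags calls are credited
    to the resource before the decision is made. Creations younger than GRACE
    at `now` (default: time of the last event) are deferred to the next run.
    """
    events = sorted(events, key=_ts)
    if not events:
        return []
    now = now or _ts(events[-1])
    pending = {}   # resource id -> [creation event, tag keys seen so far]
    for ev in events:
        for rid in created_ids(ev):
            pending[rid] = [ev, inline_tag_keys(ev)]
        if ev["eventName"] == "CreateTags":
            ids, keys = create_tags_keys(ev)
            for rid in ids:
                if rid in pending:
                    pending[rid][1].update(keys)
    alerts = []
    for rid, (ev, keys) in pending.items():
        if now - _ts(ev) < GRACE:
            continue                       # still inside the grace window
        missing = sorted(REQUIRED_TAGS - keys)
        if missing:
            alerts.append({
                "resource": rid,
                "event": ev["eventName"],
                "principal": ev["userIdentity"].get("arn", "unknown"),
                "sourceIP": ev.get("sourceIPAddress"),
                "missing_tags": missing,
            })
    return alerts


def _ev(name, t, user, ip, req=None, resp=None):
    """Build one constructed event record in the assumed CloudTrail-like shape."""
    return {"eventName": name, "eventTime": t, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": user},
            "requestParameters": req or {}, "responseElements": resp or {}}


CI = "arn:aws:iam::123456789012:user/ci-deployer"        # constructed principal
TMP = "arn:aws:iam::123456789012:user/contractor-temp"   # constructed principal

# Constructed sample: instance tagged by a follow-up call (compliant), instance
# never tagged, volume created with only a Name tag, volume tagged inline.
SAMPLE_EVENTS = [
    _ev("RunInstances", "2024-05-01T09:00:00Z", CI, "203.0.113.10",
        resp={"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}),
    _ev("CreateTags", "2024-05-01T09:03:00Z", CI, "203.0.113.10",
        req={"resourcesSet": {"items": [{"resourceId": "i-0aaa111"}]},
             "tagSet": {"items": [{"key": "Owner", "value": "payments"},
                                  {"key": "Environment", "value": "prod"}]}}),
    _ev("RunInstances", "2024-05-01T09:10:00Z", TMP, "198.51.100.7",
        resp={"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}),
    _ev("CreateVolume", "2024-05-01T09:12:00Z", TMP, "198.51.100.7",
        req={"tagSpecificationSet": {"items": [{"resourceType": "volume",
             "tags": [{"key": "Name", "value": "tmp"}]}]}},
        resp={"volumeId": "vol-0ccc333"}),
    _ev("CreateVolume", "2024-05-01T09:40:00Z", CI, "203.0.113.10",
        req={"tagSpecificationSet": {"items": [{"resourceType": "volume",
             "tags": [{"key": "Owner", "value": "data"},
                      {"key": "Environment", "value": "dev"}]}]}},
        resp={"volumeId": "vol-0ddd444"}),
]

if __name__ == "__main__":
    for a in untagged_creations(SAMPLE_EVENTS):
        print(a)
```

The alert carries the principal and source address, which is what lets D1131's SIEM correlation tie an untagged creation to the account activity that preceded it; an untagged resource created by an identity that also shows anomalous sign-in behaviour is a much stronger signal than either event alone.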