
Cloud Service Discovery

What is "Cloud Service Discovery"?

Cloud Service Discovery refers to the process and techniques attackers use to identify and map the cloud services in use in a target environment. It is a technique in the MITRE ATT&CK framework, listed under the Discovery tactic. The primary goal of this activity is to gather information about cloud-based resources that can be exploited directly or used as leverage in a broader attack campaign.

How is Cloud Service Discovery Performed?

  1. API Exploration: Attackers use the cloud provider's APIs (Application Programming Interfaces) to explore and enumerate services. For instance, AWS exposes calls such as DescribeInstances for EC2 and ListBuckets for S3; these are ordinary read-only calls, so when they are used with stolen or over-privileged credentials the enumeration looks like routine API activity from that principal, which is what makes it hard to spot without baselining who normally makes such calls.

  2. Network Scanning: Although more common in traditional networks, network scanning can also be adapted to cloud environments, where attackers scan the public IP ranges associated with cloud services.

  3. Phishing for Credentials: Attackers might use phishing attacks to gain credentials that provide API access to cloud environments.

  4. Exploiting Public Information: Information from public repositories or misconfigured public resources (like open S3 buckets) can reveal details about what services are in use.

  5. Use of Cloud Native Tools: Monitoring and management tools provided by cloud vendors for legitimate administration can also be leveraged by attackers once they gain access to them.
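Because the API calls in item 1 are legitimate, detection usually means looking for an unusual burst of distinct discovery calls from a single principal rather than for any one call. The following is an added example, not code from the original page or from any ATT&CK tooling: it scans CloudTrail-style records (constructed sample data, only the fields used are present) and flags any principal that invokes at least `threshold` different discovery APIs within a sliding time window. The watchlist of event names is an assumption and would be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist of read-only API names typical of cloud service enumeration.
DISCOVERY_EVENTS = {
    "DescribeInstances", "ListBuckets", "ListFunctions", "ListUsers",
    "ListRoles", "DescribeSecurityGroups", "GetCallerIdentity",
}

def find_enumeration_bursts(records, window_minutes=5, threshold=4):
    """Map principal ARN -> sorted distinct discovery APIs it called within one window."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for rec in records:
        if rec.get("eventName") not in DISCOVERY_EVENTS:
            continue  # ignore non-discovery activity (writes, data-plane calls, ...)
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        # CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[arn].append((when, rec["eventName"]))

    flagged = {}
    for arn, calls in by_principal.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # slide the window start forward until every call fits inside it
            while calls[end][0] - calls[start][0] > window:
                start += 1
            names = {name for _, name in calls[start:end + 1]}
            if len(names) >= threshold:
                flagged[arn] = sorted(names)
                break
    return flagged

def _rec(t, name, user):  # constructed CloudTrail-style record, only the fields used
    return {"eventTime": t, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}

SAMPLE_RECORDS = [  # constructed sample, not real logs
    _rec("2024-05-01T10:00:00Z", "GetCallerIdentity", "alice"),
    _rec("2024-05-01T10:00:20Z", "ListBuckets", "alice"),
    _rec("2024-05-01T10:01:05Z", "DescribeInstances", "alice"),
    _rec("2024-05-01T10:02:30Z", "ListUsers", "alice"),
    _rec("2024-05-01T10:05:00Z", "PutObject", "alice"),        # write call, not on the watchlist
    _rec("2024-05-01T10:00:00Z", "DescribeInstances", "bob"),  # single routine ops call
    _rec("2024-05-01T09:00:00Z", "ListBuckets", "carol"),      # spread over half an hour
    _rec("2024-05-01T09:15:00Z", "ListUsers", "carol"),
    _rec("2024-05-01T09:30:00Z", "ListRoles", "carol"),
]
```

With the defaults only alice is flagged; widening the window to 30 minutes with a threshold of 3 also catches carol's slower enumeration, which is the trade-off to tune against normal administrative traffic.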

Where is Cloud Service Discovery Applied?

Cloud Service Discovery techniques are applied across various platforms including:

  • IaaS (Infrastructure as a Service): Platforms like AWS, Azure, and Google Cloud Platform.
  • PaaS (Platform as a Service): Such as Heroku, Google App Engine.
  • SaaS (Software as a Service): Through services like Microsoft Office 365, Dropbox, etc., although discovery here focuses more on service configuration and data exposure than underlying infrastructure.

This discovery process typically occurs in the reconnaissance phase of the attack lifecycle, where understanding the environment is crucial for planning further exploitation or lateral movement.

Why Perform Cloud Service Discovery?

The reasons why attackers perform Cloud Service Discovery include:

  • Identifying Valuable Assets: To locate data-rich services or critical infrastructure components that could be targets for data breaches or ransomware attacks.
  • Mapping Security Posture: Understanding security configurations and identifying weaknesses such as misconfigurations or outdated components.
  • Evasion Planning: Identifying the security tools and monitoring solutions deployed so the attacker can plan how to evade detection during later stages of the attack.
  • Operational Planning: For crafting more effective spear-phishing campaigns or social engineering attacks based on specific tools and workflows identified within the target's cloud environment.

By performing Cloud Service Discovery, attackers gain a deeper understanding of their target's architecture and operational specifics, which allows them to tailor their subsequent actions more effectively and increase their chances of success in compromising systems or exfiltrating data.