The document discusses cloud computing models and security best practices. It begins with an overview of on-premise, time-sharing, and cloud computing models. The main types of cloud services - IaaS, PaaS, and SaaS - are described along with the shared responsibility model. The MITRE ATT&CK framework for cyber adversary behavior is introduced. Cloud security controls are mapped to the phases of an attack according to MITRE ATT&CK, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and objectives. References for further information are provided at the end.
2. Concept of Cloud
ON-PREMISE TIME-SHARING CLOUD
Let’s understand this evolution with an example…
Kriti is an owner of a budding start-up. Currently the
company has 10 users, and the website is
maintained by a single PC stored in one of the
closets, easily managed by 1 person
3. The users count increases
with time
Let’s see what options she
has in order to scale-up the
process
On-Premise Time-sharing Cloud
Buy more
computers to
handle the
increased traffic
and download the
code and perform
other
configurations in
all the purchased
computers
Use the
computers/servers of
big companies like IBM
on a rental basis to
handle the increased
traffic.
Consult a cloud
provider and
spend less time
managing the
infrastructure and
spend more time
creating as a
developer. Have
the autonomy on
scaling the usage
as per business
and forthcoming
profits
4. There are 3 main types of cloud computing
as-a-service options
Infrastructure-as-a-service (IaaS)
Platform-as-a-service (PaaS)
Software-as-a-service (SaaS)
5. Shared Responsibility Model
On-site
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Servers
Storage
Networking
IaaS
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Servers
Storage
Networking
PaaS
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Servers
Storage
Networking
SaaS
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Servers
Storage
Networking
You manage
Service Provider manager
6. MITRE ATT&CK
Framework:
MITRE Adversarial Tactics,
Techniques and common
knowledge
Curated knowledge base and model for cyber
adversary behavior, reflecting the various phases of
an adversary’s attack lifecycle and the platforms
they are known to target.
MITRE Att&ck
techniques in
Windows, MacOS,
Linux and other
environment involve
malware and entering a
network that is owned
and operated by the
target organization
MITRE Att&ck techniques
in AWS, Azure, Office
365 and another related
environment don’t
typically involve malware
as target environment is
owned and operated by a
3rd party service provider
7. Technique Behavior
Initial Access Adversary spear-phishes the victims gaining
credentials to Cloud service provider
Persistence Uses stolen credentials to create a new account
Privilege Escalation Uses valid account to change access
Defense Evasion Creates a new VM instance firewall rules
Credential Access Steals access token to a database
Discovery Locates target database
Lateral Movement Uses applications access taken to access
database
Collection Mines info from the database
Exfiltration Exfiltrates to adversary accounts in the
environment
MITRE Att&ck
techniques
8. Security Controls in the cloud
Recon Weaponize Delivery Exploitation Installation C2 Applications and objectives
• Motivation
• Preparation
• Configuration
• Packaging
• Mechanism of
delivery
• Infection vector
• Applications
affected
• Methods
• Persistence
• Acquiring
additional
components
Communication
between victim and
adversary
What does the adversary do
when they have control
MITRE ATT&CK MITRE ATT&CK MITRE ATT&CK MITRE ATT&CK MITRE ATT&CK MITRE ATT&CK MITRE ATT&CK
• Active Scanning
• Passive Scanning
• Determine
domain and IP
address (3rd party
IT footprint )
• Malware
• Scripting
• Service
Execution
• Spear-Phishing
Attachment/links
• Exploit public
facing application
• Supply chain
compromise
• Local job
scheduling
• Scripting
• Application
shimming
• Hooking
• Login items
• Data
obfuscation
• Domain
Fronting
• Email collection
• Data from local
system/Network share
9. Security Controls in the cloud
Recon Weaponize Delivery Exploitation Installation C2
Security Security Controls Security Controls Security
Controls
Security Security
• Policies and
procedures
• Firewall
• Cyber
Awareness
Training
• Threat and
Vulnerability
Management
• Anti-virus
• Web Proxy
• Mobile device
management
• Anti-virus
• EDR
• IDS
• Anti-virus
• EDR
• Policies and
procedures
• IDS
• Web Proxy
• Firewall
• EDR