云基础设施发现是指攻击者通过云服务商提供的API、CLI工具或第三方扫描工具,对目标云环境中的计算实例、存储资源、数据库服务等基础设施进行系统性识别的侦察行为。其核心目标是绘制云资源拓扑结构,识别配置缺陷或敏感资产,为后续攻击提供情报支撑。防御方通常通过监控异常API调用模式(如高频次Describe类操作)、检测非常规凭证使用行为(如新地域的突发访问)等手段进行威胁识别,并建议实施细粒度权限控制与操作日志审计。
为应对日益完善的云安全防护体系,攻击者发展出新型隐蔽式基础设施发现技术,通过合法凭证滥用、时序特征伪装、多云协同探测等手法,将恶意侦察行为深度嵌入云平台正常管理操作中,显著降低传统检测机制的有效性。
当前云基础设施发现匿迹技术的核心演进方向体现在操作合法性构建与检测维度突破两个方面。在操作层面,攻击者充分利用云平台原生API的合规调用模式,通过凭证生命周期管理和请求参数规范化处理,使探测行为在身份认证、权限校验、协议合规性等维度完全符合平台安全策略。在检测对抗层面,采用跨时空维度的行为特征稀释策略:时序分散化技术打破传统基于请求频率的检测阈值,多云交叉探测规避单云日志分析的有效性,而合法凭证的持续轮换则削弱基于身份异常的检测模型。三类技术的共性在于将攻击链解构为云平台可接受的"合法原子操作",通过大规模分布式执行与智能调度,使得恶意意图仅体现在操作序列的逻辑关联中,而单个API调用在协议、身份、行为特征等层面均呈现合法属性。
匿迹技术的演进迫使防御体系从单一云环境检测向跨云威胁感知转型,需构建基于行为链分析的检测模型,结合云服务商提供的上下文元数据(如请求来源服务、操作关联资源),并开发多云日志关联分析平台,实现对隐蔽基础设施发现行为的立体化防御。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过严格遵循云服务API调用规范,将基础设施发现请求伪装成合规的管理操作。例如使用标准DescribeInstances API参数格式、模仿运维人员的分页查询模式,使得单个API请求在协议层面与合法操作完全一致。同时利用多云服务交叉探测,将攻击流量分散到不同云平台的标准通信协议中,进一步强化特征伪装效果。
在API调用过程中普遍采用HTTPS加密传输,隐藏具体的请求参数和响应内容。攻击者还会利用云服务商提供的加密访问令牌和签名机制,对请求头进行完整性保护,使得网络层检测无法直接获取关键操作指令,必须依赖应用层日志分析才能识别恶意行为。
通过API调用时序分散化技术,将集中式探测任务分解为持续数周的低频请求,使单日操作量低于常见检测阈值。结合多云环境的请求分发机制,攻击特征被稀释在多个云平台的海量API调用日志中,传统基于时间窗口统计或单云日志分析的检测手段难以有效关联离散事件。
| ID | Name | Description |
|---|---|---|
| S1091 | Pacu |
Pacu can enumerate AWS infrastructure, such as EC2 instances.[1] |
| G1015 | Scattered Spider |
Scattered Spider enumerates cloud environments to identify server and backup management infrastructure, resource access, databases and storage containers.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management |
Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0010 | Cloud Storage | Cloud Storage Enumeration |
Monitor cloud logs for API calls and other potentially unusual activity related to cloud data object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
| DS0030 | Instance | Instance Enumeration |
Monitor cloud logs for API calls and other potentially unusual activity related to cloud instance enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
| DS0020 | Snapshot | Snapshot Enumeration |
Monitor cloud logs for API calls and other potentially unusual activity related to snapshot enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
| DS0034 | Volume | Volume Enumeration |
Monitor cloud logs for API calls and other potentially unusual activity related to block object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |