Modify Cloud Compute Infrastructure

Modifying cloud compute infrastructure refers to an adversary creating, deleting, or tampering with compute resources in a cloud environment (such as virtual machine instances, storage snapshots, and container clusters) in order to evade security detection and maintain persistent access. Traditional defenses rely on centralized log auditing, detection of anomalous operation sequences, and resource change approval workflows, identifying potential attacks by monitoring for large numbers of resource operations within a short time or for unusual user behavior. Cloud providers generally recommend change tagging, stronger multi-factor authentication, and the principle of least privilege to reduce the risk.

In response to increasingly strict infrastructure monitoring, adversaries have developed a range of covert techniques for manipulating cloud environments. Through resource lifecycle manipulation, API protocol-level masquerading, and hopping between global regions, they embed malicious operations deep within the cloud platform's normal operational workflows, producing a new mode of cloud intrusion in which the form changes while the substance stays hidden.

The core of current concealment techniques for cloud infrastructure modification is the deep integration of attacker behavior with the cloud platform's native features. Adversaries exploit design characteristics of cloud computing such as elastic scaling, resource ephemerality, and global distribution to restructure how the traditional attack chain is carried out: dynamic reconstruction of temporary resource pools spreads attack traces across hundreds of short-lived instances and exploits the latency of cloud log aggregation to achieve a "destroy first, record later" effect; chained snapshot concealment constructs complex version dependencies to hide key modifications inside a maze of historical snapshot metadata; masquerading as legitimate cloud API calls defeats protocol-level detection by blending malicious instructions into legitimate management traffic at the byte level; and cross-region image drift turns geopolitical factors into an attacker advantage, building a resilient attack surface that spans borders and jurisdictions. What these techniques share is a break from the static adversarial model of traditional infrastructure attack and defense: they instead use the dynamic nature of cloud environments to build an adaptive attack system that is dispersed in space and time, compliant at the protocol level, and legitimate in terms of resource management.

The evolution of these concealment techniques poses a serious challenge to traditional cloud security defenses built on operation log analysis and policy compliance checks. Defenders need to build new detection capabilities such as cross-region log correlation and semantic analysis of API traffic, while strengthening image integrity verification and global threat intelligence sharing networks, in order to achieve layered defense against covert modification of cloud infrastructure.

ID: T1578
Sub-techniques: T1578.001, T1578.002, T1578.003, T1578.004
Tactic: Defense Evasion
Platforms: IaaS
Version: 1.2
Created: 30 August 2019
Last Modified: 30 September 2024

Concealment Effects

Effect type | Present
Signature masquerading |
Behavioral transparency |
Data masking |
Spatiotemporal trace dispersion |

Signature masquerading

Adversaries closely mimic the communication conventions and operational patterns of the cloud platform's management APIs, so that malicious infrastructure modification requests are indistinguishable from legitimate management activity in protocol structure, authentication flow, and other dimensions. Examples include generating requests with the official SDK, respecting rate-limit policies, and embedding legitimate operational context, which makes it hard for security systems to pick out anomalous features from network traffic or log entries.

Behavioral transparency

Zero-day configuration vulnerabilities or undocumented API functionality of the cloud platform are used to carry out covert modifications, for example bypassing security-group policy auditing through particular parameter combinations, or using the live-migration feature of container services for traceless persistence. These methods depend on a deep understanding of the cloud service's underlying mechanisms, rendering traditional detection based on known vulnerability signatures ineffective.

Data masking

The cloud provider's native encryption services are used to encrypt end to end the logs, snapshots, and other data produced by malicious operations, for example encrypting EBS volume snapshots with AWS KMS, or using Azure Storage Service Encryption to hide traces of tampering. Because the encryption fully follows the platform's security conventions, defenders cannot discover anomalies through content inspection.

Spatiotemporal trace dispersion

Attack traces are spread across different geographic regions and time windows through dynamic drift across global multi-region infrastructure and the reconstruction of short-lived resource pools. For example, a malicious image created in an Asia-Pacific region is immediately copied to a European region; log synchronization delays and policy differences between regions mean that reconstructing the full attack chain requires coordinating data from multiple regions, significantly increasing the complexity of analysis.

Mitigations

ID Mitigation Description
M1047 Audit

Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.

M1018 User Account Management

Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1]

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Metadata

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions.[2]

DS0030 Instance Instance Creation

The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.

In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.[5]

Instance Deletion

The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.

In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.[5]

Instance Metadata

Periodically baseline instances to identify malicious modifications or additions.

Instance Modification

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
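As an added example (not from the original page or from ATT&CK), the following Python script runs the chain-of-behavior logic from the Instance Creation and Instance Deletion entries over a few constructed CloudTrail-style events, and applies the change-management identifier idea from the Instance Modification entry by treating a logged change-id tag as the marker of an expected change. The event field names are simplified, and the events, user names, baseline user set and tag name are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified CloudTrail-style events (eventTime, user, eventName, tags);
# not real logs. "change-id" is an assumed change-management tag name.
EVENTS = [
    {"eventTime": "2024-09-30T10:00:00Z", "user": "deploy-bot", "eventName": "CreateSnapshot",
     "tags": {"change-id": "CHG-1042"}},
    {"eventTime": "2024-09-30T10:01:00Z", "user": "deploy-bot", "eventName": "RunInstances",
     "tags": {"change-id": "CHG-1042"}},
    {"eventTime": "2024-09-30T11:00:00Z", "user": "new-user-7", "eventName": "CreateSnapshot", "tags": {}},
    {"eventTime": "2024-09-30T11:02:00Z", "user": "new-user-7", "eventName": "CreateSnapshot", "tags": {}},
    {"eventTime": "2024-09-30T11:05:00Z", "user": "new-user-7", "eventName": "RunInstances", "tags": {}},
    {"eventTime": "2024-09-30T11:40:00Z", "user": "new-user-7", "eventName": "TerminateInstances", "tags": {}},
]
BASELINE_USERS = {"deploy-bot"}   # users expected to manage instances (assumed baseline)
WINDOW = timedelta(hours=1)       # how close events must be to count as one chain


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_chains(events, baseline_users, window=WINDOW):
    """Flag each untagged RunInstances event whose context matches the page's chain:
    a non-baseline user, snapshots created shortly before, or a termination shortly after."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["eventName"] != "RunInstances":
                continue
            t = parse_time(ev["eventTime"])
            snaps = [p for p in evs[:i] if p["eventName"] == "CreateSnapshot"
                     and t - parse_time(p["eventTime"]) <= window]
            terminated = any(n["eventName"] == "TerminateInstances"
                             and parse_time(n["eventTime"]) - t <= window for n in evs[i + 1:])
            reasons = []
            if user not in baseline_users:
                reasons.append("new user")
            if snaps:
                reasons.append(f"{len(snaps)} snapshot(s) created before instance")
            if terminated:
                reasons.append("instance terminated within window")
            # A logged change identifier marks an expected change, so it is not alerted on.
            if reasons and "change-id" not in ev["tags"]:
                alerts.append({"user": user, "eventTime": ev["eventTime"], "reasons": reasons})
    return alerts
```

Only the untagged chain by the non-baseline user is reported; the tagged deploy-bot sequence, which looks structurally similar, is suppressed by the change identifier.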

Instance Start

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that are occurring outside of normal activity/planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Instance Stop

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that are occurring outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

DS0020 Snapshot Snapshot Creation

Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Snapshot Deletion

Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Snapshot Metadata

Periodically baseline snapshots to identify malicious modifications or additions.

Snapshot Modification

Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

DS0034 Volume Volume Creation

Monitor for the unexpected creation or presence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Volume Deletion

Monitor for the unexpected deletion or absence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Volume Metadata

Periodically baseline cloud block storage volumes to identify malicious modifications or additions.

Volume Modification

Monitor for unexpected changes to cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

References