VYPR
Research · Published Jun 9, 2026 · 1 source

Attackers Exploit Cloud Logging Services for Defense Evasion and Persistent Visibility

New research from Unit 42 details sophisticated techniques attackers use to manipulate or disable cloud logging services, blinding security defenses and enabling prolonged undetected operations.

Cloud logging services are indispensable tools for security monitoring, providing a comprehensive audit trail of all actions within cloud environments. However, their critical role also makes them a prime target for adversaries seeking to operate undetected. New research from Palo Alto Networks' Unit 42 highlights how attackers can abuse these services for defense evasion and to maintain persistent visibility within a compromised cloud infrastructure.

Attackers primarily employ two categories of techniques against cloud logging services: defense evasion and continuous visibility. Defense evasion involves manipulating or disabling logs to bypass detection systems, allowing malicious activities to proceed unnoticed. Continuous visibility, conversely, focuses on redirecting logs to attacker-controlled accounts, granting them ongoing insight into the victim's environment and actions.

The research delves into the mechanics of these attacks, focusing on widely used services like Amazon Web Services (AWS) CloudTrail and Google Cloud Logging. In AWS, a 'trail' configuration dictates log collection and delivery, typically to an Amazon S3 bucket. Attackers with the necessary permissions can stop logging or manipulate the S3 bucket to delete or alter logs. Similarly, Google Cloud Logging uses 'sinks' to route log entries, which attackers can also compromise to disrupt or exfiltrate log data.

Several specific techniques are detailed for defense evasion. These include stopping logging services directly, deleting log storage destinations like S3 buckets, removing log routers such as Google Cloud sinks, impairing logging through attacker-controlled encryption keys, and log poisoning. Each method aims to blind security tools, including SIEMs, SOAR platforms, and Cloud Security Posture Management (CSPM) tools, which rely heavily on log data for threat detection and analysis.

Beyond simply hiding their tracks, attackers can also leverage these compromised logging services to establish persistent visibility. By redirecting logs to their own infrastructure, adversaries can monitor an organization's cloud activities, track defensive responses, and identify further opportunities for exploitation or data exfiltration. This creates a significant blind spot for defenders, making incident response and threat hunting exceedingly difficult.

The Unit 42 report emphasizes that understanding these attack vectors is crucial for organizations to implement appropriate security configurations and detect service misuse. By hardening access controls to logging services, implementing immutability for log data where possible, and actively monitoring for unusual changes to logging configurations, organizations can mitigate these risks.
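As an added example (not code from Unit 42's report or from any Palo Alto Networks product), the Python below applies the "actively monitoring for unusual changes to logging configurations" control from the paragraph above to the AWS and Google Cloud mechanisms described earlier. It runs a small rule set over constructed CloudTrail records and Cloud Logging Admin Activity entries and flags each of the evasion and redirection techniques the report lists: trails stopped or deleted, event selectors changed, delivery redirected to an unexpected S3 bucket or KMS key, the log bucket deleted or given a lifecycle rule, the trail's key disabled or scheduled for deletion, and sinks deleted or pointed at an unapproved destination. The baseline constants (bucket name, key ARN, approved sink destinations), the account and project identifiers, and every sample record are assumed placeholders, not real resources.

```python
"""Detection rules for cloud-logging tampering, run over constructed sample records.

Added example, not Unit 42's code. It assumes a baseline describing the
organisation's own logging resources; every identifier below is a placeholder.
"""

# Assumed baseline for the monitored environment (placeholders, not real resources).
EXPECTED_TRAIL_BUCKET = "org-cloudtrail-logs"
EXPECTED_KMS_KEY = "arn:aws:kms:us-east-1:111111111111:key/example-trail-key"
APPROVED_SINK_DESTINATIONS = (
    "logging.googleapis.com/projects/example-project/",
    "storage.googleapis.com/example-project-audit-logs",
)

# CloudTrail control-plane calls that switch logging off or change what is recorded.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors"}
# S3 calls that can destroy or silently age out the log archive.
BUCKET_TAMPER_EVENTS = {"DeleteBucket", "PutBucketLifecycle", "DeleteBucketPolicy"}
# KMS calls that leave CloudTrail unable to use the key it encrypts log files with.
KEY_IMPAIR_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}


def check_cloudtrail_event(ev):
    """Return (rule, actor, detail) for a suspicious CloudTrail record, else None."""
    name = ev.get("eventName", "")
    params = ev.get("requestParameters") or {}
    actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
    source = ev.get("eventSource", "")
    if source == "cloudtrail.amazonaws.com":
        if name in TRAIL_TAMPER_EVENTS:
            return ("trail_tampering", actor, f"{name} on trail {params.get('name')}")
        if name == "UpdateTrail":
            bucket, key = params.get("s3BucketName"), params.get("kmsKeyId")
            if bucket and bucket != EXPECTED_TRAIL_BUCKET:
                return ("trail_redirect", actor, f"delivery moved to bucket {bucket}")
            if key and key != EXPECTED_KMS_KEY:
                return ("trail_key_change", actor, f"encryption key moved to {key}")
    elif source == "s3.amazonaws.com":
        if name in BUCKET_TAMPER_EVENTS and params.get("bucketName") == EXPECTED_TRAIL_BUCKET:
            return ("log_bucket_tampering", actor, f"{name} on {EXPECTED_TRAIL_BUCKET}")
    elif source == "kms.amazonaws.com":
        if name in KEY_IMPAIR_EVENTS and params.get("keyId") == EXPECTED_KMS_KEY:
            return ("log_key_impairment", actor, f"{name} on the trail's KMS key")
    return None


def check_gcp_audit_entry(entry):
    """Return (rule, actor, detail) for a suspicious Cloud Logging sink change, else None."""
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName", "")
    if not method.startswith("google.logging.v2.ConfigServiceV2."):
        return None
    actor = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
    op = method.rsplit(".", 1)[-1]
    if op == "DeleteSink":
        return ("sink_deleted", actor, payload.get("resourceName", ""))
    if op in {"CreateSink", "UpdateSink"}:
        dest = ((payload.get("request") or {}).get("sink") or {}).get("destination", "")
        if not dest.startswith(APPROVED_SINK_DESTINATIONS):  # outside the allowlist
            return ("sink_redirect", actor, f"destination {dest}")
    return None


def audit_logging_changes(events):
    """Dispatch each record to the AWS or GCP rule set; return findings in input order."""
    findings = []
    for ev in events:
        hit = check_gcp_audit_entry(ev) if "protoPayload" in ev else check_cloudtrail_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records: shape follows the real formats, every value is invented.
ACTOR = "arn:aws:iam::111111111111:user/compromised-admin"
SVC = "svc@example-project.iam.gserviceaccount.com"
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"name": "org-trail", "s3BucketName": "attacker-owned-bucket"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging",  # benign control
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/sec-ops"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"bucketName": "org-cloudtrail-logs"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"keyId": EXPECTED_KMS_KEY, "pendingWindowInDays": 7}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "authenticationInfo": {"principalEmail": SVC},
                      "resourceName": "projects/example-project/sinks/siem-export"}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": SVC},
                      "resourceName": "projects/example-project/sinks/siem-export",
                      "request": {"sink": {"destination":
                                  "pubsub.googleapis.com/projects/attacker-project/topics/collect"}}}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",  # benign control
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "request": {"sink": {"destination":
                                  "logging.googleapis.com/projects/example-project/locations/global/buckets/_Default"}}}},
]

if __name__ == "__main__":
    for rule, actor, detail in audit_logging_changes(SAMPLE_EVENTS):
        print(f"[{rule}] {actor}: {detail}")
```

In a real deployment the records would arrive from the trail's own S3 objects or from a Cloud Logging sink feeding the SIEM rather than from an inline list, and the baseline would be loaded from configuration instead of module constants. The two benign records (a `StartLogging` call and a sink update to an approved destination) are included as controls so the rules can be seen to discriminate rather than fire on every configuration call. The control-plane call that turns a trail off is itself recorded before logging stops, which is why `StopLogging` is alerted on as a single event rather than waiting for a gap in delivery to become visible.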

Palo Alto Networks highlights that its customers are protected through products like Cortex Cloud and its Cloud Security Assessment service, which identifies misconfigurations. The research serves as a critical reminder that the very tools designed to enhance cloud security can become potent weapons in the hands of sophisticated attackers if not properly secured and monitored.

Synthesized by Vypr AI