Cloud Security Stories: From Risky Permissions to Ransomware Execution
Sonraí Security
by Tally Shea
1d ago
In the sprawling cloud infrastructure of GlobalTech Inc., a meticulously planned ransomware attack was set in motion by a sophisticated adversary, codenamed Vector. Vector’s objective wasn’t just to encrypt data for a ransom but to navigate through a complex AWS environment with precision, exploiting specific, less obvious permissions to achieve his goals.
Phase 1: Initial Foothold
Vector’s initial entry was through a compromised third-party CI/CD pipeline that had permissions to deploy resources in GlobalTech’s AWS environment. The pipeline was configured with an IAM role, CI_CD_Deployer, whi…
Defining a Cloud Permissions Firewall
Sonraí Security
by Tally Shea
1w ago
Sonrai recently launched the first-ever Cloud Permissions Firewall – a new class of solution built to more efficiently protect sensitive permissions and access. A new solution class deserves a proper introduction and definition, so this blog will cover what a Cloud Permissions Firewall is, why enterprises need one, how it differs from other identity-focused solutions, and how it helps Development, Operations, and Security Teams drastically reduce risk in the cloud without slowing down innovation.
What is a Cloud Permissions Firewall?
A Cloud Permissions Firewall is an advanced secur…
Powerful Cloud Permissions You Should Know: Series Final
Sonraí Security
by Tally Shea
1M ago
MITRE ATT&CK Stage: Exfiltration and Impact
This blog is the final publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. You can find the beginning of the series, on the Initial Access stage, here.
The MITRE Framework concludes with Exfiltration or Impact. An attacker may be trying to steal organizational data and remove it from your environment – exfiltration – or simply to interrupt and disrupt your operations – impact. Even a well-intended employee can misuse these permissions and cause potential impact to your business…
Powerful Cloud Permissions You Should Know: Part 5
Sonraí Security
by Tally Shea
1M ago
MITRE ATT&CK Stage: Defensive Evasion
This blog is the fifth publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. If you have not yet read the first blog, on the Initial Access stage, you can find it here and follow the series from there.
A lot of activity in the cloud is traceable. Most organizations know it is best practice to enable logging and security tools to support auditing and protection. However, there are a few actions one can take to disable these processes or cover their tracks. Once an attacker is in yo…
Powerful Cloud Permissions You Should Know: Part 4
Sonraí Security
by Tally Shea
2M ago
MITRE ATT&CK Framework: Credential Access
This blog is the fourth publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. You can find the beginning of the series here.
‘Credential Access’ is the next stage of the MITRE ATT&CK Framework we’ll explore – an attacker’s efforts to hijack accounts and steal passwords. For the purpose of mapping permissions to the framework, we’ve considered any sort of credential theft OR the ability to create new credentials as ‘credential access’. Using legitimate credentials – the toke…
Powerful Cloud Permissions You Should Know: Part 3
Sonraí Security
by Tally Shea
2M ago
MITRE ATT&CK Framework: Lateral Movement & Privilege Escalation
This blog is the third publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. You can find the previous blog, on Persistence techniques, here.
An attacker is in your cloud. They are looking to move around it in search of further opportunity. Whether it is pivoting in and out of different accounts, hopping from one identity to the next, or gaining more privilege, they’re on the move. Traditionally, Privilege Escalation and Lateral Movement are distinct stages in…
Powerful Cloud Permissions You Should Know: Part 2
Sonraí Security
by Tally Shea
3M ago
MITRE ATT&CK Framework: Persistence
This blog is the second publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. If you have not yet read the first blog, on the Initial Access stage, you can find it here.
Once an attacker has gained a foothold in your environment, their first thought is, ‘how can I stay here?’ In other words, what nooks and crannies can they create, or what windows can they leave open, to give them a way back into your cloud, a way to inflict further damage, or simply a way to remain? This is how we categorized permissions into…
Powerful Cloud Permissions You Should Know: Part 1
Sonraí Security
by Tally Shea
3M ago
MITRE ATT&CK Framework: Initial Access
A cloud permission is never a dangerous thing by nature. In fact, its power is defined solely by the context in which it is used. Whether a permission falls into the wrong hands for malicious use, or an employee uses it and unintentionally introduces new risk, cloud permissions can be powerful tools. Some permissions inherently hold more power than others and should be controlled accordingly. With over 40,000 possible actions across the major cloud providers, prioritizing the lockdown of the permissions with the greatest potential for damage is cri…
A Guide to GCP Organization Policy: Managing Access
Sonraí Security
by Tally Shea
4M ago
Governance, security and compliance become difficult projects at scale. If you’re an enterprise operating out of Google Cloud, you’re likely looking for ways to manage access, enforce guardrails, and apply configuration constraints to resources across your organization. Below, we will introduce all you need to know about GCP Organization Policies and describe how you can leverage them to centralize control over your environment.
What is a GCP Organization Policy?
Organization Policy is a powerful tool provided by Google Cloud, designed to give you centralized and systematic control over your cl…
How to Manage S3 Permissions & Access
Sonraí Security
by Tally Shea
4M ago
Amazon Web Services (AWS) S3, or Simple Storage Service, is a highly scalable object storage service that allows businesses to store and retrieve any amount of data. S3 permissions are the explicit rules within policies that determine who can access the service as a whole and, more specifically, the objects within it. Let’s dive into why managing access is important.
The Role of IAM Policies in S3
Managing identity and access to the S3 service is vital. Because S3 is a storage service, it hosts sensitive and business-critical data for most enterprises using AWS – think business secrets, employee i…