Recent findings by Palo Alto Networks Unit 42 describe a growing trend in which attackers who have already obtained sufficient access abuse cloud logging services to avoid detection and sustain unauthorized access. These platforms, which security monitoring depends on, are being reconfigured to create blind spots in cloud environments.
The Role of Cloud Logging in Security
Cloud logging services like AWS CloudTrail and Google Cloud Logging are essential for tracking activity across cloud environments, and security teams rely on them as the data feed for SIEM, SOAR, and CSPM tools. However, an attacker holding the right permissions can tamper with these pipelines, either to evade detection or to route copies of the logs to infrastructure they control for their own analysis.
Researchers identified two goals behind the observed activity: defense evasion and maintaining continuous visibility for the attacker. Defense evasion involves disabling or tampering with logging mechanisms to escape detection. In AWS, for instance, an identity holding the cloudtrail:StopLogging permission can halt delivery for a trail with a single API call, while in Google Cloud a logging sink can be disabled by anyone granted the permission to update sinks (logging.sinks.update).
Techniques for Evasion and Manipulation
One common technique is the deletion of log storage destinations. In AWS, an attacker with s3:DeleteBucket permission on the CloudTrail log bucket can erase it, destroying the stored forensic record. Google Cloud log buckets can likewise be deleted, but they enter a pending-deletion state for seven days during which they can be restored, so the window for recovery is short and depends on someone noticing.
More sophisticated methods involve manipulating encryption keys. In AWS, an attacker can update a trail so that it encrypts with an AWS KMS key they control (or alter the policy of the existing key), after which newly written log files cannot be decrypted by defenders. Google Cloud faces the same threat with customer-managed encryption keys (CMEK): control over the key effectively locks defenders out of their own logs.
Maintaining Persistent Visibility
Beyond evasion, attackers also abuse logging systems for continuous surveillance. Rather than disabling logging, which is conspicuous, adversaries configure log routing to send a second copy of the logs to an environment they control. In AWS, this means creating an additional CloudTrail trail that delivers to an S3 bucket in another account; because several trails can coexist, the legitimate trail keeps working and nothing appears broken. In Google Cloud, logging sinks are abused the same way, with a new or modified sink pointing at an external destination.
This redirection silently streams real-time activity data, such as IAM changes and data access events, to cybercriminals, enabling prolonged monitoring and lateral movement without raising alarms. The consequences include a loss of visibility and potential for covert data exfiltration.
To counter these threats, organizations must enforce strict access controls on logging resources. The permissions that stop, delete, or reconfigure trails and sinks (in AWS, cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors, plus s3:DeleteBucket on log buckets and changes to the KMS key policy) should be restricted to a dedicated logging-administration role, and in AWS Organizations a service control policy can deny them to everyone else. Integrity features such as AWS CloudTrail log file validation should be enabled, with the caveat that log file validation only detects modified or deleted log files after the fact; it does not prevent the StopLogging call itself, so the control-plane calls that tamper with logging must also be alerted on.
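The detection logic a SOC would run over CloudTrail records to catch the techniques described above (stopping or reconfiguring trails, swapping the KMS key, deleting the log bucket, and redirecting a new trail to a foreign bucket) is shown below as an added example. It is not Unit 42's tooling or any vendor's code. The account ID, approved bucket name, LoggingAdmin role and the sample events are constructed for the example; the field names (eventSource, eventName, userIdentity.arn, requestParameters) are the real CloudTrail record schema.

```python
"""Flag CloudTrail records that tamper with logging or redirect log delivery.

Added example (not Unit 42's code). Assumes the organisation knows its
logging account ID, its approved log bucket(s) and the one role allowed
to administer trails; the values below are constructed, not real.
"""
import json

# Constructed environment facts (hypothetical account, bucket and role).
LOG_ACCOUNT = "111122223333"
APPROVED_LOG_BUCKETS = {"org-cloudtrail-logs"}
TRAIL_ADMIN_ROLES = {"LoggingAdmin"}

# CloudTrail API calls that create, stop, delete or reconfigure a trail.
TRAIL_CONFIG_EVENTS = {"CreateTrail", "StopLogging", "DeleteTrail",
                       "UpdateTrail", "PutEventSelectors"}


def role_name(arn):
    """Role name from an STS assumed-role ARN, or '' if the ARN is not one."""
    # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    parts = arn.split(":", 5)
    resource = parts[5] if len(parts) == 6 else ""
    if resource.startswith("assumed-role/"):
        return resource.split("/")[1]
    return ""


def key_account(kms_key_arn):
    """Account ID segment (index 4) of a KMS key ARN, or '' if malformed."""
    parts = kms_key_arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def analyze(record):
    """Return a list of finding strings for one parsed CloudTrail record."""
    findings = []
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    actor = record.get("userIdentity", {}).get("arn", "")

    if source == "cloudtrail.amazonaws.com":
        # Any trail configuration change outside the logging-admin role.
        if name in TRAIL_CONFIG_EVENTS and role_name(actor) not in TRAIL_ADMIN_ROLES:
            findings.append(f"{name} by unapproved principal {actor}")
        if name in {"CreateTrail", "UpdateTrail"}:
            # Log redirection: delivery bucket not on the approved list.
            bucket = params.get("s3BucketName")
            if bucket and bucket not in APPROVED_LOG_BUCKETS:
                findings.append(f"{name} delivers logs to unapproved bucket {bucket}")
            # Key swap: trail encrypted with a KMS key outside the log account.
            key = params.get("kmsKeyId")
            if key and key_account(key) != LOG_ACCOUNT:
                findings.append(f"{name} sets KMS key outside log account: {key}")
    elif source == "s3.amazonaws.com" and name == "DeleteBucket":
        # Destruction of the log destination itself.
        if params.get("bucketName") in APPROVED_LOG_BUCKETS:
            findings.append(f"DeleteBucket on log bucket {params['bucketName']} by {actor}")
    return findings


def detect(records):
    """Run analyze() over parsed records; return (eventID, finding) pairs."""
    return [(r.get("eventID", "?"), f) for r in records for f in analyze(r)]


def load_jsonl(text):
    """Parse one CloudTrail record per line (as a log shipper would emit them)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample records: e1 and e6 are benign, e2-e5 are the attack steps.
SAMPLE_EVENTS = """\
{"eventID":"e1","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"},"requestParameters":{}}
{"eventID":"e2","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"},"requestParameters":{"name":"org-trail"}}
{"eventID":"e3","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"},"requestParameters":{"name":"org-trail","kmsKeyId":"arn:aws:kms:us-east-1:999988887777:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}
{"eventID":"e4","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"},"requestParameters":{"bucketName":"org-cloudtrail-logs"}}
{"eventID":"e5","eventSource":"cloudtrail.amazonaws.com","eventName":"CreateTrail","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"},"requestParameters":{"name":"backup-trail","s3BucketName":"attacker-collector-bucket"}}
{"eventID":"e6","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/LoggingAdmin/bob"},"requestParameters":{"name":"org-trail","kmsKeyId":"arn:aws:kms:us-east-1:111122223333:key/0a1b2c3d-0a1b-2c3d-4e5f-0a1b2c3d4e5f"}}
"""

if __name__ == "__main__":
    for event_id, finding in detect(load_jsonl(SAMPLE_EVENTS)):
        print(event_id, finding)
```

The rules deliberately key on the control-plane call and the actor rather than on the absence of logs: by the time a missing log stream is noticed, StopLogging has already done its work. The same structure maps to Google Cloud by reading protoPayload.methodName and the sink destination from Admin Activity audit logs, which is left out here to keep the example to one provider.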
Protective Measures and Future Outlook
Cloud providers offer some built-in safeguards. AWS CloudTrail Event history keeps the last 90 days of management events and cannot be disabled or edited, so a StopLogging or DeleteTrail call is itself recorded there even after the trail is gone. Google Cloud routes Admin Activity audit logs to the system-created _Required log bucket, which cannot be modified or deleted. However, these protections cover only management and admin activity; data events, custom sinks, and customer-configured buckets remain exposed to the techniques above, especially in non-default setups.
Organizations should therefore treat log pipelines as critical assets in their own right and implement layered defenses, such as keeping log destinations in a separate account the workload principals cannot administer, so that visibility survives an intrusion. With such measures in place, companies can limit the damage from the techniques described here.
