Hybrid Cloud Connectivity

The bridge between your own data center and the cloud is a frequent target of lateral movement attacks: whoever controls the link can reach both sides.

Your Strategy

Avoid classic site-to-site VPNs without additional verification. Rely on Zero Trust Network Access (ZTNA) to limit access to specific applications instead of linking the entire network.

Best Practices

  • Encryption: Use mTLS so that both endpoints authenticate each other and the traffic on the link is encrypted.
  • Governance: Monitor the data flow at the transition point using VPC Flow Logs.
  • Resilience: Use redundant connections via different providers so that a DoS against one link does not take the bridge down.
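An added example of the governance point, not code from the page or from AYSOLI: a Python checker over AWS VPC Flow Log (version 2, default format) records captured at the transit point that reports accepted on-prem-to-cloud flows whose target is not one of the applications ZTNA publishes. The address ranges, the allowlist and the log lines are constructed for this example.

```python
"""Flag on-prem -> cloud flows at the hybrid transit point that bypass the
ZTNA application allowlist, using AWS VPC Flow Log (version 2) records.
Address ranges, allowlist and sample records are constructed for this example."""
import ipaddress

# Constructed ranges: the on-prem data center and the cloud VPC behind the link.
ONPREM = ipaddress.ip_network("10.10.0.0/16")
CLOUD = ipaddress.ip_network("10.50.0.0/16")
# Applications ZTNA publishes to on-prem clients: (cloud host, port). Constructed.
ALLOWED_APPS = {("10.50.1.20", 443), ("10.50.2.30", 5432)}

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow(line):
    """Parse one default-format VPC Flow Log record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("not a version 2 flow log record: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def crosses_bridge(rec):
    """True for flows entering the cloud range from the on-prem range."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    return src in ONPREM and dst in CLOUD

def suspicious_flows(lines):
    """Accepted on-prem -> cloud flows whose (host, port) is not a published app.
    NODATA/SKIPDATA records are ignored; REJECTed flows were already blocked."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        if crosses_bridge(rec) and (rec["dstaddr"], rec["dstport"]) not in ALLOWED_APPS:
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits

SAMPLE_LOGS = [  # constructed records: published app, SSH to an unpublished host, blocked SMB, intra-cloud
    "2 123456789012 eni-0a1b2c3d 10.10.4.7 10.50.1.20 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.4.7 10.50.3.9 51001 22 6 8 640 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.4.7 10.50.3.9 51002 445 6 4 320 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.50.2.30 10.50.1.20 40000 443 6 3 200 1700000000 1700000060 ACCEPT OK",
]

if __name__ == "__main__":
    for src, dst, port in suspicious_flows(SAMPLE_LOGS):
        print("on-prem host %s reached unpublished cloud target %s:%d" % (src, dst, port))
```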

STRIDE-LM Design Risks

Spoofing (S-01): Identity Spoofing
Attacker impersonates a legitimate user or partner.

Tampering (T-01): Data Tampering
Unauthorized modification of shared data or configurations.

Repudiation (R-01): Audit Log Manipulation
Deleting or altering traces of an action.

Information Disclosure (I-01): Sensitive Data Exposure
Unintentional disclosure of internal information to externals.

Denial of Service (D-01): Resource Exhaustion
Overloading systems through massive requests or resource hogging.

Elevation of Privilege (E-01): Privilege Escalation
Gaining privileges beyond what is intended.

Lateral Movement (L-01): Lateral Movement
Accessing further internal systems after initial login.

Monitoring Gaps (M-01): Insufficient Logging
Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Each mitigation is listed as: control [protection tier, rating]: framework references.

Reconnaissance

T1592 Gather Victim Digital Network Information
Collecting information about the target infrastructure.
Mitigated by:
  • Data Anonymization (Differential Privacy) [Extended Protection, High]: NIST: PR.PT-3
  • Output Content Filtering [Baseline Protection, Low]: NIST: AI-1.2; OWASP: LLM02

Initial Access

T1133 External Remote Services
Access via VPNs or cloud management interfaces.
Mitigated by:
  • Zero Trust Network Access (ZTNA) [Extended Protection, High]: CIS: 12.2; NIST: PR.AC-3
  • Conditional Access Policies [Baseline Protection, Medium]: CIS: 6.1; NIST: PR.AC-7; OWASP: API2

T1078 Valid Accounts
Exploiting existing credentials for access.
Mitigated by:
  • Zero Trust Network Access (ZTNA) [Extended Protection, High]: CIS: 12.2; NIST: PR.AC-3
  • Conditional Access Policies [Baseline Protection, Medium]: CIS: 6.1; NIST: PR.AC-7; OWASP: API2
  • Least Privilege Principle [Baseline Protection, Medium]: CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021
  • Privileged Identity Management (PIM) [Baseline Protection, Medium]: CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021
  • Regular Access Reviews [Baseline Protection, Low]: CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021
  • MFA for Windows Sign-in [Extended Protection, Medium]: CIS: 6.5; NIST: PR.AC-7

Persistence

T1098 Account Manipulation
Changing permissions or creating new accounts.
Mitigated by:
  • Privileged Identity Management (PIM) [Baseline Protection, Medium]: CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021
  • Regular Access Reviews [Baseline Protection, Low]: CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021

T1484 Domain Policy Modification
Modifying domain policies for privilege escalation.
Mitigated by:
  • SIEM Integration [Extended Protection, High]: CIS: 8.5; NIST: DE.AE-3; NIST: DE.CM-1; OWASP: A09:2021
  • Least Privilege Principle [Baseline Protection, Medium]: CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021
  • Privileged Identity Management (PIM) [Baseline Protection, Medium]: CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021

Credential Access

T1557 Adversary-in-the-Middle
Intercepting communication between two parties.
Mitigated by:
  • Privileged Access Workstation (PAW) [Extended Protection, High]: CIS: 6.4; NIST: PR.AC-3

T1539 Steal Web Session Cookie
Capturing active session tokens to bypass authentication.
Mitigated by:
  • Conditional Access Policies [Baseline Protection, Medium]: CIS: 6.1; NIST: PR.AC-7; OWASP: API2
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021
  • Trusted Certificate Profiles [Baseline Protection, Low]: CIS: 12.7; NIST: PR.AC-3

T1552 Credentials from Password Stores
Extracting passwords from web browsers or password managers.
Mitigated by:
  • Output Content Filtering [Baseline Protection, Low]: NIST: AI-1.2; OWASP: LLM02

T1003 OS Credential Dumping
Extracting credentials from the operating system.
Mitigated by:
  • Privileged Access Workstation (PAW) [Extended Protection, High]: CIS: 6.4; NIST: PR.AC-3
  • MFA for Windows Sign-in [Extended Protection, Medium]: CIS: 6.5; NIST: PR.AC-7

T1110 Brute Force
Attempts to gain access to accounts or API keys through systematic trial and error.
Mitigated by:
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021

Lateral Movement

T1021 Remote Services
Use of legitimate remote services for lateral movement within the network.
Mitigated by:
  • Zero Trust Network Access (ZTNA) [Extended Protection, High]: CIS: 12.2; NIST: PR.AC-3
  • Regular Access Reviews [Baseline Protection, Low]: CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021

T1550 Use Alternate Authentication Material
Using stolen tokens or hashes to authenticate without a password.
Mitigated by:
  • Zero Trust Network Access (ZTNA) [Extended Protection, High]: CIS: 12.2; NIST: PR.AC-3

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.
