Acquire Infrastructure: Serverless


Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

攻撃者は、Cloudflare WorkersやAWS Lambda関数のようなサーバーレスクラウドインフラを購入して設定し、攻撃時に利用することがあります。このようなサーバーレスインフラを利用することで、操作中に使用されたインフラの出所を特定するのを難しくすることができます。

Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.[1][2] As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.[3][1]

このようなサーバレス実行環境を一旦獲得すると、感染したマシンに直接応答したり、攻撃者の所有するコマンド&コントロールサーバにトラフィックをプロキシしたりすることができるようになります[1][2] 。これらの機能によって生成されたトラフィックは、一般的なクラウド事業者のサブドメインから来るように見えるため、これらの事業者への通常のトラフィックとの区別が難しくなる場合があります[3][1]。

ID: T1583.007
Sub-technique of:  T1583
Platforms: PRE
Contributors: Awake Security
Version: 1.0
Created: 08 July 2022
Last Modified: 20 October 2022


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries leverage serverless functions as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[4] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle.