# Living off the Cloud (LotC)
## Definition
Living off the Cloud (LotC) is an attack technique where adversaries abuse legitimate cloud services, APIs, and management tools to conduct malicious operations that blend with normal cloud activity. Analogous to Living off the Land (LotL) techniques that use built-in operating system tools, LotC leverages the cloud provider's own infrastructure and services for command and control, data exfiltration, persistence, and lateral movement. Because the attacker uses authorized cloud services in expected ways, these activities are extremely difficult to distinguish from legitimate cloud administration.
## How It Works
LotC techniques exploit the trust and functionality of cloud platform services:
Command and Control (C2):
- Using cloud-native messaging services (AWS SQS, Azure Service Bus, GCP Pub/Sub) for C2 communication
- Hosting C2 infrastructure on cloud functions (Lambda, Azure Functions) that auto-scale and are difficult to block by IP
- Using cloud storage (S3, Azure Blob, GCS) for dead-drop C2 communication
- Leveraging legitimate SaaS APIs (Slack, Microsoft Graph, Google Drive) as C2 channels
Data Exfiltration:
- Copying data to attacker-controlled cloud storage accounts within the same cloud provider
- Using cloud-native data transfer services (AWS DataSync, Azure Data Box) for large-scale exfiltration
- Exfiltrating through legitimate SaaS integrations (SharePoint sync, Google Drive sharing)
- Creating snapshots of databases or VMs and sharing them to external accounts
Persistence:
- Creating backdoor IAM users, roles, or service accounts in cloud environments
- Deploying serverless functions (Lambda, Azure Functions) as persistent backdoors
- Modifying cloud automation (CloudFormation, Terraform, ARM templates) to recreate backdoor access after remediation
- Adding OAuth application registrations that maintain access independent of user credentials
Lateral Movement:
- Using cloud IAM role assumption to pivot between cloud accounts
- Leveraging cross-account resource sharing to access resources in other accounts
- Using cloud management planes (AWS SSM, Azure Arc, GCP OS Config) to execute commands on instances
- Exploiting trust relationships between cloud services
Discovery:
- Querying cloud APIs (IAM, EC2, S3, RDS) to map the environment using legitimate read permissions
- Using cloud logging services to understand monitoring coverage and blind spots
- Enumerating cloud resource metadata (tags, names, configurations) to identify high-value targets
## Why It Matters
Cloud adoption has outpaced cloud security monitoring capabilities. Most organizations have invested heavily in on-premises security monitoring (SIEM, EDR, NDR) but have significant blind spots in cloud activity monitoring. LotC exploits this gap.
The challenge is fundamental: cloud management activity looks the same whether performed by a legitimate administrator or an attacker who has compromised administrator credentials. When an attacker creates an IAM role, it produces the same API call and CloudTrail log entry as when a legitimate admin does it.
Detection requires deep understanding of what "normal" cloud activity looks like for each organization. This baseline must account for:
- Which IAM entities perform which actions
- Normal patterns for data access and transfer
- Expected resource creation and modification patterns
- Typical cross-account and cross-region activity
Most security teams lack this visibility. Cloud provider native logging is voluminous but often not configured, collected, or analyzed effectively. The result is a massive detection gap that sophisticated attackers exploit.
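As an added example (not code from the original page), the following Python sketch shows what such a per-organisation baseline looks like in practice: it learns, per IAM principal, the actions, source IPs, regions and target accounts seen in a window of trusted CloudTrail activity, then scores later events against that profile, escalating first-time use of the persistence and exfiltration calls listed under "How It Works" (backdoor IAM users, function deployment, snapshot sharing to external accounts). The event records are constructed to mimic CloudTrail fields; the account IDs, ARNs, IPs and the SENSITIVE_ACTIONS list are assumptions.

```python
"""Behavioural baseline for CloudTrail activity, keyed by IAM principal.

Added example, not code from the original page. Event records are constructed
to mimic CloudTrail fields (userIdentity.arn, eventSource, eventName,
sourceIPAddress, awsRegion, recipientAccountId, requestParameters); account
IDs, ARNs and IPs are placeholders.
"""
from collections import defaultdict

# Write-type API calls that LotC persistence, exfiltration and lateral movement
# commonly produce (assumed list). A principal issuing one of these for the
# first time is escalated to "high"; any other first-time action is "low".
SENSITIVE_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateRole",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
    "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "sts:AssumeRole", "ec2:ModifySnapshotAttribute",
    "rds:ModifyDBSnapshotAttribute", "cloudtrail:StopLogging",
    "s3:PutBucketPolicy",
}


def action_of(event):
    """'iam.amazonaws.com' + 'CreateUser' -> 'iam:CreateUser'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def account_of_arn(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def _empty_profile():
    return {"actions": set(), "ips": set(), "regions": set(), "accounts": set()}


def build_baseline(events):
    """Learn, per principal, the actions, source IPs, regions and target
    accounts seen during a window of activity believed to be legitimate."""
    baseline = defaultdict(_empty_profile)
    for e in events:
        profile = baseline[e["userIdentity"]["arn"]]
        profile["actions"].add(action_of(e))
        profile["ips"].add(e["sourceIPAddress"])
        profile["regions"].add(e["awsRegion"])
        profile["accounts"].add(e["recipientAccountId"])
    return baseline


def score_event(baseline, event):
    """Return (severity, reason) findings for one event; [] means it fits the baseline."""
    principal = event["userIdentity"]["arn"]
    action = action_of(event)
    findings = []
    known = baseline.get(principal)  # .get() does not create a default entry
    if known is None:
        findings.append(("high", f"unknown principal {principal}"))
        known = _empty_profile()
    if action not in known["actions"]:
        severity = "high" if action in SENSITIVE_ACTIONS else "low"
        findings.append((severity, f"first use of {action} by this principal"))
    if event["sourceIPAddress"] not in known["ips"]:
        findings.append(("medium", f"new source IP {event['sourceIPAddress']}"))
    if event["awsRegion"] not in known["regions"]:
        findings.append(("medium", f"new region {event['awsRegion']}"))
    if event["recipientAccountId"] != account_of_arn(principal):
        findings.append(("high", "call lands outside the principal's home account"))
    # A snapshot shared with an account this principal has never touched is the
    # "share snapshots to external accounts" exfiltration pattern.
    params = event.get("requestParameters") or {}
    for grant in params.get("createVolumePermission", {}).get("add", {}).get("items", []):
        target = grant.get("userId")
        if target and target not in known["accounts"]:
            findings.append(("critical", f"snapshot shared with external account {target}"))
    return findings


def make_event(arn, source, name, ip, region="us-east-1", account="111111111111", params=None):
    """Build a constructed CloudTrail-shaped record."""
    return {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "awsRegion": region,
            "recipientAccountId": account, "requestParameters": params}


ADMIN = "arn:aws:iam::111111111111:user/admin-alice"  # placeholder principals
CI = "arn:aws:iam::111111111111:role/ci-deploy"

# Constructed learning window: routine admin and CI activity.
LEARNING = [
    make_event(ADMIN, "iam.amazonaws.com", "ListUsers", "203.0.113.10"),
    make_event(ADMIN, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10"),
    make_event(CI, "lambda.amazonaws.com", "UpdateFunctionCode", "203.0.113.20"),
    make_event(CI, "s3.amazonaws.com", "PutObject", "203.0.113.20"),
]

# Constructed later activity to score against the baseline.
SUSPECT = [
    make_event(ADMIN, "iam.amazonaws.com", "CreateUser", "198.51.100.7"),
    make_event(CI, "ec2.amazonaws.com", "ModifySnapshotAttribute", "203.0.113.20",
               params={"createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}),
    make_event(ADMIN, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10"),
]


def run(learning=LEARNING, suspect=SUSPECT):
    """Score every suspect event; the result list is parallel to `suspect`."""
    baseline = build_baseline(learning)
    return [score_event(baseline, e) for e in suspect]
```

In production the learning window would come from weeks of real CloudTrail (or Azure Activity / GCP Audit) logs, IP matching would use CIDR ranges rather than exact addresses, and the sensitive-action list would be tuned per account. The point the sketch makes is the one in the text: the same CreateUser call is routine from one principal and alarming from another, and only a per-principal profile can tell the two apart.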
## Real-World Applications
- APT29 (Cozy Bear): The Russian intelligence group extensively uses Microsoft 365 and Azure services for C2, persistence, and data collection, as demonstrated in the SolarWinds campaign and subsequent Microsoft breach.
- Scattered Spider: This threat group abuses cloud identity services and SaaS platforms for persistence and lateral movement in enterprise environments.
- Cloud-Native Ransomware: Attackers encrypt cloud-native storage (S3, Azure Blob) and delete backups using the cloud provider's own APIs.
- Cryptojacking: Attackers spin up compute resources (EC2, GCE instances, Lambda functions) in compromised cloud accounts for cryptocurrency mining.
- Data Theft via Cloud Sync: Attackers use legitimate cloud sync tools (OneDrive, SharePoint, Google Drive) to exfiltrate data without triggering DLP on network boundaries.
## CDA Perspective
LotC is tracked under CDA's Threat Intelligence & Defense (TID) domain using the Predictive Defense Intelligence (PDI) methodology. Cloud security monitoring is one of the most significant gaps in most organizations' defenses.
CDA's approach:
- M-TID-R01 assesses cloud monitoring coverage and identifies blind spots in cloud API activity logging
- M-TID-H01 deploys cloud-native threat detection (CloudTrail analysis, Azure Monitor, GCP Chronicle) with behavioral baselines
- M-IAT-H01 implements cloud IAM hardening to reduce the tools available to attackers (least privilege, conditional access, session policies)
- M-SPH-B02 configures cloud security posture management to detect persistent backdoor configurations
CDA's principle: if you cannot see it, you cannot defend it. Cloud API logging, identity monitoring, and data access monitoring must achieve parity with on-premises security monitoring. Most organizations are nowhere close.
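As an added example (not the page's or CDA's own tooling), the following Python check implements the kind of posture rule that the IAM hardening and backdoor-configuration items above describe: it audits role trust policies for wildcard or out-of-organisation principals and for cross-account trusts lacking an sts:ExternalId condition, and audits permission policies for unrestricted admin or IAM-mutating rights. Three constructed roles put a hardened configuration beside two that would serve as persistent backdoors; the account IDs, role names, TRUSTED_ACCOUNTS and PERSISTENCE_ACTIONS are assumptions.

```python
"""Posture check for IAM role trust and permission policies of the kind that
LotC persistence leaves behind.

Added example, not the page's or CDA's tooling. Policy documents are
constructed; account IDs and role names are placeholders.
"""

HOME_ACCOUNT = "111111111111"                        # assumed home account
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumed organisation accounts

# Rights that let a holder mint new principals or code paths (assumed list).
PERSISTENCE_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateRole",
    "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:UpdateAssumeRolePolicy",
    "lambda:CreateFunction", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account IDs (or '*') named in a trust statement's AWS principal."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for value in _as_list(principal.get("AWS", [])):
        accounts.add(value.split(":")[4] if value.startswith("arn:") else value)
    return accounts


def check_trust_policy(role, doc):
    """Who may assume the role, and whether cross-account trust is conditioned."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not set(_as_list(st.get("Action", []))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        accounts = principal_accounts(st.get("Principal", {}))
        has_external_id = any("sts:ExternalId" in cond
                              for cond in st.get("Condition", {}).values())
        if "*" in accounts:
            findings.append((role, "critical", "any AWS principal may assume this role"))
        for acct in accounts - {"*"}:
            if acct not in TRUSTED_ACCOUNTS:
                findings.append((role, "high", f"trusts account {acct} outside the organisation"))
            elif acct != HOME_ACCOUNT and not has_external_id:
                findings.append((role, "medium", f"cross-account trust from {acct} without sts:ExternalId"))
    return findings


def check_permissions(role, doc):
    """Flag unrestricted admin rights or the ability to mint new principals."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        if actions & {"*", "iam:*"} and "*" in resources:
            findings.append((role, "critical", "unrestricted administrative permissions"))
        elif actions & PERSISTENCE_ACTIONS:
            findings.append((role, "high", "can create or alter IAM principals or functions"))
    return findings


# Constructed roles: one hardened, two that would work as backdoors.
ROLES = {
    "vendor-access": {  # explicit partner account, ExternalId, scoped read-only rights
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                 "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-ID"}}}]},
        "permissions": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                       "Resource": "arn:aws:s3:::reports-bucket/*"}]},
    },
    "support-backdoor": {  # anyone may assume it and it is full admin
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "*"}}]},
        "permissions": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
    "partner-sync": {  # trusts an account outside the organisation, can mint access keys
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "999999999999"}}]},
        "permissions": {"Statement": [{"Effect": "Allow", "Action": ["iam:CreateAccessKey"],
                                       "Resource": "*"}]},
    },
}


def audit(roles=ROLES):
    """Return (role, severity, reason) findings across all roles."""
    findings = []
    for name, docs in roles.items():
        findings += check_trust_policy(name, docs["trust"])
        findings += check_permissions(name, docs["permissions"])
    return findings
```

Run as a scheduled job against the output of `iam:GetRole` and `iam:GetRolePolicy` for every role, the same rule set turns a one-off review into continuous posture monitoring: a trust policy that reverts to a wildcard principal after remediation, or a new role carrying PERSISTENCE_ACTIONS, surfaces on the next pass rather than at the next audit.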
## Key Takeaways
- Living off the Cloud uses legitimate cloud services for malicious operations that blend with normal activity
- Attackers use cloud messaging, storage, compute, and IAM services for C2, exfiltration, and persistence
- Detection requires understanding normal cloud activity patterns for the specific organization
- Most organizations have significant blind spots in cloud activity monitoring compared to on-premises
- Cloud IAM compromise is the primary enabler; IAM hardening and monitoring are critical defenses
- APT29 and other nation-state actors extensively use LotC techniques in real-world operations