Volume

Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives[1][2][3]

ID: DS0034
Platforms: IaaS, Linux, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Volume: Volume Creation

Initial construction of a cloud volume (ex: AWS create-volume)

Volume: Volume Creation

Initial construction of a cloud volume (ex: AWS create-volume)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Monitor for the unexpected creation or presence of cloud block storage volumes . To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Volume: Volume Deletion

Removal of a a cloud volume (ex: AWS delete-volume)

Volume: Volume Deletion

Removal of a a cloud volume (ex: AWS delete-volume)

Domain ID Name Detects
Enterprise T1485 Data Destruction

Monitor for unexpected deletion of a cloud volume (ex: AWS delete-volume)

Enterprise T1578 Modify Cloud Compute Infrastructure

Monitor for the unexpected deletion or absence of cloud block storage volumes . To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Volume: Volume Enumeration

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Volume: Volume Enumeration

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Domain ID Name Detects
Enterprise T1580 Cloud Infrastructure Discovery

Monitor cloud logs for API calls and other potentially unusual activity related to block object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Volume: Volume Metadata

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Volume: Volume Metadata

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Periodically baseline cloud block storage volumes to identify malicious modifications or additions.

Volume: Volume Modification

Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

Volume: Volume Modification

Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

Domain ID Name Detects
Enterprise T1611 Escape to Host

Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.

Enterprise T1578 Modify Cloud Compute Infrastructure

Monitor for the unexpected changes to cloud block storage volumes . To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

References