Hack My Company: An Empirical Assessment of Post-exploitation Behavior and Lateral Movement in Cloud Environments

Daniel Fraunholz, Daniel Schneider, J. Zemitis, H. Schotten
Proceedings of the Central European Cybersecurity Conference 2018, published 2018-11-15
DOI: 10.1145/3277570.3277573 (https://doi.org/10.1145/3277570.3277573)
Citations: 2

Abstract

Cloud infrastructures and services are of essential importance for enterprise operations. They form a central point for data storage, processing and exchange. Their information security properties are strongly associated with the protection of the most confidential and important data of enterprises. In this work, a credential leak on different platforms is simulated, revealing authentication information for several accounts on a cloud application service. Each account associated with the leaks provides more authentication information for further infrastructures such as an e-mail server, an industrial control system and an enterprise-related streaming server. Additionally, a homepage was launched with information on the fictitious persons associated with the leaked accounts. Interaction with those servers is closely monitored. It was found that around one third of all trespassers conducted lateral movement, and that successful authentications frequently result in system enumeration and file operations.