
Modifications for the cloud - Classic Intrusion Analysis Frameworks for AWS Environments: Application and Enhancement

Modifications for the cloud

The AWS approach extends the courses of action available to defenders so that organizations can leverage the inherent benefits of the cloud and the mitigations provided by AWS.

The courses of action have been modified in the following ways:

  • Destroy is replaced with respond.

    Security teams need to plan for successful intrusions to be prepared to respond effectively and efficiently, should an intrusion ever occur. AWS provides customers with response capabilities that help reduce the time, effort, damage, and costs associated with intrusion attempts.

  • Contain is added to the courses of action.

    Containing attackers that successfully penetrate an IT environment is a prudent course of action. Preventing lateral movement, and the credential theft and reuse attacks typically associated with it, reduces the potential damage and speeds recovery. AWS provides several controls that customers can use to help contain attackers. For more information, see Appendix: Reference Material.

  • Restore is added to the matrix.

    If every course of action that an organization has implemented fails across every phase of the intrusion, restoring data and infrastructure as quickly as possible becomes essential to returning to business as usual. The AWS Cloud provides a number of service features that allow rapid restoration of data, such as point-in-time restore for databases, and Object Lock (immutability) and versioning for Amazon S3.

AWS also supports many conventional disaster recovery (DR) architectures, from pilot light environments, which may be suitable for the data center failure of a small customer workload, to hot standby environments that enable rapid failover at scale. With data centers in AWS Regions around the world, AWS provides cloud-based disaster recovery services designed for rapid recovery of your IT infrastructure and data, such as CloudEndure Disaster Recovery (since renamed AWS Elastic Disaster Recovery).
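The Restore course of action above names two Amazon S3 features, versioning and Object Lock, but whether a bucket is actually recoverable depends on how they are configured. The following is an added example, not code from the AWS whitepaper, that audits bucket configurations for restore readiness. It reads the same dictionary shapes that boto3's get_bucket_versioning() and get_object_lock_configuration() return, so it runs offline on the constructed sample data embedded below and on live responses in practice. The function names, severity labels and the MIN_RETENTION_DAYS threshold are this example's own assumptions; the behaviours it flags (suspended versioning, missing MFA Delete, GOVERNANCE-mode bypass, absent default retention) are documented S3 semantics.

```python
"""Restore-readiness audit for Amazon S3 buckets.

Added example; not code from the AWS whitepaper. Checks the two S3 features
the Restore course of action relies on, versioning and Object Lock, using the
dictionary shapes returned by boto3's get_bucket_versioning() and
get_object_lock_configuration(). Function names, severity labels and
MIN_RETENTION_DAYS are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the shortest default retention this audit accepts as adequate
# against an attacker who deletes or overwrites backups and then waits.
MIN_RETENTION_DAYS = 30
SEVERITY_RANK = {"HIGH": 2, "MEDIUM": 1, "INFO": 0}


@dataclass
class Finding:
    bucket: str
    severity: str
    message: str


def _retention_days(default_retention: dict) -> int:
    """Object Lock default retention is given as Days or Years; normalise to days."""
    return int(default_retention.get("Days", 0)) + 365 * int(default_retention.get("Years", 0))


def audit_bucket(bucket: str, versioning: dict, object_lock: dict) -> list[Finding]:
    """Return findings for one bucket.

    versioning: get_bucket_versioning() response; an absent 'Status' means
    versioning was never enabled. object_lock: get_object_lock_configuration()
    response, or {} where S3 would raise ObjectLockConfigurationNotFoundError.
    """
    findings: list[Finding] = []
    status = versioning.get("Status")
    if status == "Suspended":
        findings.append(Finding(bucket, "HIGH", "versioning is Suspended: existing versions remain, but new overwrites and deletes are not versioned"))
    elif status != "Enabled":
        findings.append(Finding(bucket, "HIGH", "versioning was never enabled: an overwrite or delete is unrecoverable"))
    elif versioning.get("MFADelete") != "Enabled":
        findings.append(Finding(bucket, "MEDIUM", "MFA Delete is off: one compromised credential can delete versions or suspend versioning"))

    conf = object_lock.get("ObjectLockConfiguration", {})
    if conf.get("ObjectLockEnabled") != "Enabled":
        findings.append(Finding(bucket, "HIGH", "Object Lock is not enabled: object versions are not immutable"))
        return findings
    rule = conf.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append(Finding(bucket, "MEDIUM", "Object Lock has no default retention: only objects with per-object retention or a legal hold are protected"))
        return findings
    if rule.get("Mode") == "GOVERNANCE":
        findings.append(Finding(bucket, "MEDIUM", "default retention is GOVERNANCE mode: principals with s3:BypassGovernanceRetention can still delete versions"))
    days = _retention_days(rule)
    if days < MIN_RETENTION_DAYS:
        findings.append(Finding(bucket, "MEDIUM", f"default retention of {days} days is below the assumed {MIN_RETENTION_DAYS}-day minimum"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity among the findings, or "OK" for a bucket with none."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="OK")


def audit_all(buckets: dict[str, tuple[dict, dict]]) -> dict[str, list[Finding]]:
    return {name: audit_bucket(name, ver, lock) for name, (ver, lock) in buckets.items()}


# Constructed sample input in the shape of the two boto3 responses (not real buckets).
SAMPLE_BUCKETS = {
    "backups-prod": (
        {"Status": "Enabled", "MFADelete": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    ),
    "logs-archive": (
        {"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    ),
    "scratch-data": ({}, {}),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run against live data by substituting the results of `s3.get_bucket_versioning(Bucket=name)` and `s3.get_object_lock_configuration(Bucket=name)` for the sample tuples; the audit deliberately treats GOVERNANCE mode as weaker than COMPLIANCE because a stolen credential that carries s3:BypassGovernanceRetention defeats it, which is exactly the credential-reuse scenario the Contain course of action is meant to limit.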

Table 2: Modified courses of action matrix

Phase                          | Detect | Deny | Disrupt | Degrade | Deceive | Contain | Respond | Restore
-------------------------------|--------|------|---------|---------|---------|---------|---------|--------
Reconnaissance: pre-intrusion  |        |      |         |         |         |         |         |
Reconnaissance: post-intrusion |        |      |         |         |         |         |         |
Exploit development            |        |      |         |         |         |         |         |
Delivery                       |        |      |         |         |         |         |         |
Exploitation                   |        |      |         |         |         |         |         |
Installation                   |        |      |         |         |         |         |         |
Command and Control            |        |      |         |         |         |         |         |
Actions on Objectives          |        |      |         |         |         |         |         |

The following table lists definitions of the courses of action included in the matrix. All of the following definitions are based on definitions published in Characterizing Effects on the Cyber Adversary, A Vocabulary for Analysis and Assessment.

Note

Defined in the 2006 version of JP 3-13 (Information Operations), as documented in MITRE, "Characterizing Effects on the Cyber Adversary, A Vocabulary for Analysis and Assessment", https://www.mitre.org/sites/default/files/publications/characterizing-effects-cyber-adversary-13-4173.pdf

Table 3: Courses of action definitions

Action   Definition
-------  ----------
Detect   To discover or discern the existence, presence, or fact of an intrusion into information systems.
Deny     To prevent the adversary from accessing and using critical information, systems, and services.
Disrupt  To break or interrupt the flow of information.
Degrade  To reduce the effectiveness or efficiency of adversary command and control (C2) or communications systems, and information collection efforts or means.
Deceive  To cause a person to believe what is not true. MILDEC [military deception] seeks to mislead adversary decision makers by manipulating their perception of reality.
Contain  The action of keeping something harmful under control or within limits.
Respond  To react quickly to an adversary's or another's IO [information operations] attack or intrusion.
Restore  To bring information and information systems back to their original state.
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.