Likelihood: MODERATE
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation requires prior access to a cloud environment with sufficient IAM permissions (not a mass-exploitation scenario), but the techniques are documented, accessible to skilled threat actors, and no detection countermeasure eliminates the exposure without explicit hardening. Impact is very high because successful execution destroys the observability foundation underpinning all downstream detection, investigation, and response capabilities, converting any subsequent attack phase into an undetectable, uninvestigable event with direct regulatory, forensic, and financial consequences.
Treatment rationale: The threat is not insurable out of existence, not avoidable without abandoning cloud audit infrastructure, and not acceptable given regulatory and operational dependencies on audit log integrity — active control hardening (immutable log destinations, IAM least-privilege on logging APIs, alerting on logging-service mutations) is the only viable primary treatment.
Third-Party / Supply-Chain Risk
AWS CloudTrail and Google Cloud Logging are shared-responsibility platform services; the logging control plane itself is vendor-managed infrastructure. Organizations relying on third-party MSSPs, MDR providers, or co-managed SIEM/SOAR integrations that ingest from CloudTrail or Google Cloud Logging inherit a secondary exposure: if an attacker disables logging at the cloud platform layer before the MSSP or MDR provider detects it, the third party's detection and response capability is simultaneously degraded without their direct awareness. Per NIST SP 800-161 framing, any supplier whose threat detection capability is downstream of CloudTrail or Google Cloud Logging is an affected dependency and should be inventoried accordingly.
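The treatment rationale above names alerting on logging-service mutations as a primary control, and the third-party paragraph notes that an MSSP or MDR provider downstream of CloudTrail or Cloud Logging loses visibility without being told. The following Python is an added illustration (not part of this assessment and not vendor code) of both checks: it flags audit records that change logging configuration, and it detects silence in the ingestion feed so a blind period is noticed even when the mutation record itself never arrives. The sample records are constructed; the CloudTrail action names and Cloud Logging ConfigServiceV2 method names are real API identifiers but the list is not exhaustive, and the 30-minute silence threshold is an assumed value.

```python
"""
Detect cloud audit-logging mutations and ingestion gaps.

Added example for this risk entry; the events below are constructed and
the silence threshold is an assumption. Field layouts follow the
CloudTrail record format and the Cloud Audit Log protoPayload format.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Logging control-plane actions that should page a human when invoked.
# These are real API action / method names; the sets are illustrative,
# not a complete catalogue of every logging-affecting call.
AWS_LOGGING_MUTATIONS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
}
GCP_LOGGING_MUTATIONS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink",
    "google.logging.v2.ConfigServiceV2.UpdateSink",
    "google.logging.v2.ConfigServiceV2.CreateExclusion",
    "google.logging.v2.ConfigServiceV2.UpdateExclusion",
}


def classify_event(event: Dict) -> Optional[Dict]:
    """Return an alert dict if the record mutates logging config, else None."""
    # CloudTrail records carry eventSource / eventName at the top level.
    if event.get("eventSource") == "cloudtrail.amazonaws.com":
        name = event.get("eventName")
        if name in AWS_LOGGING_MUTATIONS:
            return {
                "platform": "aws",
                "action": name,
                "actor": event.get("userIdentity", {}).get("arn"),
                "time": event.get("eventTime"),
            }
        return None
    # Cloud Audit Logs carry the API method under protoPayload.
    payload = event.get("protoPayload", {})
    if payload.get("serviceName") == "logging.googleapis.com":
        method = payload.get("methodName")
        if method in GCP_LOGGING_MUTATIONS:
            return {
                "platform": "gcp",
                "action": method,
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "time": event.get("timestamp"),
            }
    return None


def scan(records: List[str]) -> List[Dict]:
    """Run classify_event over newline-delimited JSON records."""
    alerts = []
    for line in records:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stall the pipeline
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts


def ingestion_gaps(timestamps: List[str], max_silence: timedelta) -> List[Tuple[str, str]]:
    """Return (start, end) pairs where no events arrived for longer than max_silence.

    A downstream consumer (SIEM, MSSP, MDR) can run this on its own feed so a
    logging shutdown is noticed by absence even if the StopLogging record
    itself never reaches it.
    """
    parsed = sorted(datetime.fromisoformat(t.replace("Z", "+00:00")) for t in timestamps)
    gaps = []
    for earlier, later in zip(parsed, parsed[1:]):
        if later - earlier > max_silence:
            gaps.append((earlier.isoformat(), later.isoformat()))
    return gaps


# Constructed sample feed: one benign AWS call, one CloudTrail shutdown,
# one GCP sink deletion by a service account, and one corrupt line.
SAMPLE_RECORDS = [
    json.dumps({"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}),
    json.dumps({"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
                "eventName": "StopLogging",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}),
    json.dumps({"timestamp": "2024-01-01T10:06:00Z",
                "protoPayload": {"serviceName": "logging.googleapis.com",
                                 "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                                 "authenticationInfo": {
                                     "principalEmail": "svc@example.iam.gserviceaccount.com"}}}),
    "not json at all",
]

# Constructed arrival times: nothing between 10:05 and 12:00 is a blind period.
SAMPLE_ARRIVALS = ["2024-01-01T10:00:00Z", "2024-01-01T10:05:00Z", "2024-01-01T12:00:00Z"]
SILENCE_THRESHOLD = timedelta(minutes=30)  # assumed value for illustration

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print("MUTATION", a)
    for start, end in ingestion_gaps(SAMPLE_ARRIVALS, SILENCE_THRESHOLD):
        print("SILENCE", start, "->", end)
```

The mutation check belongs at the cloud platform layer (EventBridge, Pub/Sub, or whatever first receives the audit stream) so it fires before the trail is gone; the silence check belongs with each downstream consumer, because it is the only signal that consumer still has once the upstream feed stops.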
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per incident
Frequency: Illustrative; for an organization with material cloud workloads and no logging-integrity controls in place, a plausible exposure window of 1 event per 3–7 years. Organizations with hardened immutable-log configurations and mutation alerting may reduce this to 1 event per 10+ years, or effectively near-zero for this specific technique class.
Annualized: Illustrative ALE: $70K–$1.7M/year for an unmitigated, cloud-heavy organization — reflecting low-to-moderate frequency against high loss magnitude; this compresses substantially with mitigating controls in place.
Basis: Loss magnitude derived from: (1) extended dwell time costs — logging evasion is a pre-attack phase technique, meaning any subsequent breach investigation starts with degraded forensic capability, inflating investigation and remediation effort; (2) regulatory exposure — inability to demonstrate audit trail integrity creates residual liability under data protection frameworks even before a confirmed data event; (3) SIEM/SOAR/MDR capability loss — organizations paying for detection and response tooling lose the functional value of those investments for the duration of the blind period. Frequency framing based on: attacker access prerequisite (reduces base rate), documented technique availability (increases probability for targeted or well-resourced threat actors), and absence of vendor-provided patch path (sustains exposure until the organization independently hardens controls). No third-party loss-cost reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed or suspected logging disruption preceding a breach may constitute a material gap in required security controls under cyber-insurance policy conditions — verify with broker before and after any logging-integrity incident.
• If audit log destruction coincides with unauthorized access to regulated data (PII, PHI, financial records), the inability to reconstruct activity scope may complicate or extend breach-notification obligations under applicable frameworks — verify with counsel.
• Contractual security commitments (SOC 2, ISO 27001, customer DPAs) typically require demonstrable audit trail integrity; a logging-evasion event may constitute a reportable control failure under those agreements — verify with counsel.