Thursday, December 5, 2024

Researchers Detail on How Defenders Eliminate Detection Gaps in AWS Environments


As enterprises increasingly migrate their workloads to cloud infrastructure, the need for robust security measures becomes more pressing.

Compared with traditional data centers, cloud environments offer business agility at a reduced cost, and the workloads that migrate there make them attractive targets for cybercriminals.

Defending cloud infrastructure, particularly within Amazon Web Services (AWS), is complex and requires a nuanced understanding of security controls and threat detection.


This article explores how defenders can address detection gaps in AWS environments by leveraging a combination of Mitigant Cloud Attack Emulation and the Sekoia Security Operations Center (SOC) Platform.

The integration of these tools demonstrates a Threat-Informed Defense strategy that enhances an organization’s ability to detect and respond to threats effectively.

Enterprises are increasingly adopting cloud infrastructure to benefit from its agility and cost-effectiveness. However, this shift has not gone unnoticed by cybercriminals, who now target cloud workloads with sophisticated attacks.

Defending cloud environments is inherently more complex than on-premises infrastructure, necessitating a comprehensive approach to security.

The Sekoia report provides a use-case scenario demonstrating how defenders can address detection gaps in AWS environments by combining Mitigant Cloud Attack Emulation and the Sekoia SOC Platform.

It also discusses how organizations can adopt a Threat-Informed Defense strategy by integrating security measures, Cyber Threat Intelligence (CTI), and evaluation/testing.

This strategy enables organizations to detect and respond effectively to threats within their AWS infrastructure.

Threat Model

The threat model features Acme, a fictitious Fintech company hosting its banking system on AWS cloud infrastructure. John Doe, Acme’s Chief Information Security Officer (CISO), is concerned about the increasing threat Scattered Spider poses.

After attending an MITRE ATT&CK Workshop, John decides to implement a Threat-Informed Defense Strategy (TIDS) to enhance Acme’s cyber-resilience.

He incorporates the following cybersecurity products to align with TIDS:

  • Defensive Measures: Sekoia Defend is a leading SOC platform that provides threat detection and incident response capabilities.
  • Cyber Threat Intelligence: Sekoia Intelligence, a structured and actionable CTI service.
  • Testing & Evaluation: Mitigant Cloud Attack Emulation, a comprehensive cloud-native adversary emulation platform.

The Threat-Informed Defense Triad combines security measures, CTI, and security evaluation/testing to create a robust defense strategy.

Mitigant Cloud Attack Emulation implements several MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) Scattered Spider uses.


These attacks are orchestrated against Acme’s AWS environment to mimic Scattered Spider, and the Sekoia SOC Platform is used to detect these attacks.

Cloud Attack Phases and Detection

The threat scenario is emulated to illustrate real attacks, which are typically multi-step and captured via attack kill chains. The MITRE ATT&CK framework groups these attacks into Tactics and Techniques. The attacks against Acme are categorized as follows:

Initial Access

The attacker gains access to Acme’s corporate AWS account using stolen credentials obtained through phishing. Bob from Acme’s finance department receives a malicious email containing a link to a fake corporate website.

The user’s workstation logs this activity, and Sekoia.io’s Intelligence Feed rule detects suspicious IP access.

The “Serial Console Access” attack implemented in Mitigant is a common technique used by Scattered Spider.

Execution

The attacker enables serial console access to EC2 instances, bypassing network security controls. This action is detected by the Sekoia.io rule “AWS CloudTrail EC2 Enable Serial Console Access.”

Image: AWS CloudTrail log showing serial console access.

Persistence

The attacker creates new IAM users and backdoors existing IAM users, raising the “CreateAccessKey” and “CreateUser” events. Specific detection rules tailored to the environment can help identify these activities.

Privilege Escalation

The attacker weakens IAM password policies to facilitate further attacks, triggering the “UpdateAccountPasswordPolicy” event. The Sekoia.io rule “AWS CloudTrail IAM Password Policy Updated” monitors this event.

Image: IAM password policy update event.

Defense Evasion

The attacker deletes VPC subnets and disables domain transfer locks to hide their activities. These actions are detected by the Sekoia.io rules “AWS CloudTrail EC2 Subnet Deleted” and “AWS CloudTrail Route 53 Domain Transfer Lock Disabled.”

Image: VPC subnet deletion and domain transfer lock disablement events.

Credential Access

The attacker compromises Lambda credentials, raising the “ListFunctions20150331” event. Because such enumeration calls are frequent in normal operation, writing detection rules for them that do not generate noise is challenging.

“Malicious Bucket Replication” attack launched from Mitigant, showing the corresponding MITRE tactic and techniques.

Collection

The attacker replicates S3 buckets and exfiltrates sensitive data, triggering the “PutBucketReplication” event. The Sekoia.io rule “AWS CloudTrail S3 Bucket Replication” detects this action.

Image: S3 bucket replication event.

The integration of CTI helps detect and contextualize attacks, providing a better understanding for further investigation. Alert fatigue is a significant challenge for SOC teams, and triaging rules by effort level can help manage this issue.

Sometimes, customers should create their own rules to reduce false positives. Attack emulation is essential for testing rules and ensuring comprehensive coverage. Context is crucial, and security teams must add context to reduce false positives.

Emulating attacks in the environment provides an excellent approach for deriving the precise context. As cloud infrastructure adoption increases, so do the associated security risks.
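To make the attack phases above and the context/false-positive discussion concrete, here is an added example that is not part of the original article or of Sekoia's or Mitigant's products. It runs a small rule table over constructed CloudTrail records (JSON lines, invented for this example), maps each matched event to the ATT&CK tactic the scenario assigns it, suppresses changes made by an assumed expected-change principal (the "context" the text recommends adding), and treats the noisy Lambda enumeration event with a count-in-window threshold rather than a per-event alert. The rule names are modelled on the Sekoia.io rule names quoted in the article but the matching logic, thresholds, account ID and principals are all assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName -> (ATT&CK tactic, illustrative rule name, severity).
# Tactic assignments follow the article's scenario; rule names and severities are assumptions.
RULES = {
    "EnableSerialConsoleAccess": ("Execution", "EC2 Enable Serial Console Access", "high"),
    "CreateUser": ("Persistence", "IAM User Created", "medium"),
    "CreateAccessKey": ("Persistence", "IAM Access Key Created", "medium"),
    "UpdateAccountPasswordPolicy": ("Privilege Escalation", "IAM Password Policy Updated", "high"),
    "DeleteSubnet": ("Defense Evasion", "EC2 Subnet Deleted", "medium"),
    "DisableDomainTransferLock": ("Defense Evasion", "Route 53 Domain Transfer Lock Disabled", "high"),
    "PutBucketReplication": ("Collection", "S3 Bucket Replication", "high"),
}

# Noisy read events: alert only when one principal exceeds `threshold` calls inside `window`.
NOISY_RULES = {
    "ListFunctions20150331": ("Credential Access", "Lambda Function Enumeration Burst", 3, timedelta(minutes=5)),
}

# Environment context (assumed): identities expected to make sensitive changes, e.g. an IaC pipeline role.
EXPECTED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/terraform-deploy/pipeline"}

# Constructed sample log (not real CloudTrail output): one JSON record per line, oldest first.
SAMPLE_LOG = """
{"eventTime":"2024-11-20T10:05:00Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:06:00Z","eventName":"EnableSerialConsoleAccess","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:07:00Z","eventName":"CreateUser","eventSource":"iam.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:07:30Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:08:00Z","eventName":"CreateUser","eventSource":"iam.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/terraform-deploy/pipeline"},"sourceIPAddress":"10.0.4.17"}
{"eventTime":"2024-11-20T10:09:00Z","eventName":"UpdateAccountPasswordPolicy","eventSource":"iam.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:10:00Z","eventName":"DeleteSubnet","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:11:00Z","eventName":"DisableDomainTransferLock","eventSource":"route53domains.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:20:00Z","eventName":"ListFunctions20150331","eventSource":"lambda.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:20:30Z","eventName":"ListFunctions20150331","eventSource":"lambda.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:21:00Z","eventName":"ListFunctions20150331","eventSource":"lambda.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:21:30Z","eventName":"ListFunctions20150331","eventSource":"lambda.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2024-11-20T10:22:00Z","eventName":"ListFunctions20150331","eventSource":"lambda.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"10.0.4.50"}
{"eventTime":"2024-11-20T10:30:00Z","eventName":"PutBucketReplication","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.23"}
"""


def _principal(record):
    """ARN of the identity that made the call ('unknown' for records without one)."""
    return record.get("userIdentity", {}).get("arn", "unknown")


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def parse_records(text):
    """Parse newline-delimited CloudTrail records and order them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=_event_time)


def evaluate(records):
    """Return one alert dict per rule match; expected principals are suppressed and
    noisy events only fire once per burst that reaches the threshold."""
    alerts = []
    bursts = defaultdict(list)  # principal -> recent timestamps of the noisy event
    for rec in records:
        name, who = rec["eventName"], _principal(rec)
        base = {"time": rec["eventTime"], "event": name, "principal": who,
                "source_ip": rec.get("sourceIPAddress")}
        if name in RULES:
            if who in EXPECTED_PRINCIPALS:
                continue  # environment context: change-management identity, expected to do this
            tactic, rule, severity = RULES[name]
            alerts.append({**base, "tactic": tactic, "rule": rule, "severity": severity})
        elif name in NOISY_RULES:
            tactic, rule, threshold, window = NOISY_RULES[name]
            now = _event_time(rec)
            recent = [t for t in bursts[who] if now - t <= window] + [now]
            if len(recent) >= threshold:
                alerts.append({**base, "tactic": tactic, "rule": rule, "severity": "low",
                               "count": len(recent)})
                recent = []  # reset so one burst produces one alert, not one per extra call
            bursts[who] = recent
    return alerts


def summarize(alerts):
    """Count alerts per ATT&CK tactic, which shows at a glance where coverage exists."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["tactic"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = evaluate(parse_records(SAMPLE_LOG))
    for alert in found:
        print(alert["time"], alert["tactic"], alert["rule"], alert["principal"])
    print(summarize(found))
```

Running the block over the constructed log yields eight alerts: one per phase for bob's actions, two for Persistence, and a single low-severity burst alert for the Lambda enumeration instead of four, while the pipeline role's CreateUser is suppressed by context. Replaying the same records after a Mitigant-style emulation run is how a team would confirm that each phase still produces exactly the alert it expects.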

Security teams must adopt approaches that tune detections precisely to real threats while keeping alert fatigue and false positives to a minimum. A Threat-Informed Defense strategy provides such an approach, because it is aligned with real attacks.

This article presents an instructive scenario based on the Scattered Spider threat actor, offering valuable lessons for improving cloud security posture.

By adopting a Threat-Informed Defense strategy and leveraging tools like Mitigant Cloud Attack Emulation and the Sekoia SOC Platform, organizations can effectively eliminate detection gaps in AWS environments and safeguard their cloud infrastructure against sophisticated cyber threats.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
