From the Trenches: Common-Sense Measures to Prevent Cloud Incidents - Part 2
Published 02/16/2022
Written by Omri Segev Moyal & Brenton Morris, Profero - Rapid IR
Introduction
In part one of this series, we discussed some specific incidents that we at Profero have dealt with in the past and some ways in which attackers can take advantage of cloud environments during an incident. In part two we will discuss some methods of looking for offensive attackers in cloud environments that we have found to be useful in the past.
Looking for Offensive Attackers
When scanning for attackers in your environment, it is important to establish and follow best practices. Some tips are below:
Prep
It is essential to prepare your environment to be able to detect malicious behavior:
- Stream your CloudTrail logs to an S3 bucket with MFA delete enabled, preferably in a separate AWS account dedicated to storing audit logs
- Ensure Athena is configured so that during an incident you can quickly query your CloudTrail logs from this bucket
Asset Discovery
Having good config and asset management is extremely important when detecting something out of the ordinary that requires investigation. These are some tools that we use to find assets in our client’s environments:
- Scout Suite
- AWS Billing Console
- AWS Config
Use the Tools Available to You
There are many other tools available to organizations, such as open- source tools like SkyWrapper which is used for finding STS token chains in AWS accounts, AWS Guard Duty, and even checking for changes in your billing console can lead to the identification of malicious activity.
Investigate CloudTrail
If CloudTrail is active but is not being regularly monitored and reviewed, it can only be used as evidence after an incident. This is a missed opportunity, because it is one of the best and easiest tools to engage for early detection and prevention. Some things to look for when reviewing logs include:
- Known IOCs appearing in the logs
- Changes to resources such as CloudFormation stacks—these should be enabled to trigger alerts, in order to ease manual review
- Database actions such as copies being made, data deleted, new instances created or instances being exported
- Network configuration changes/security group policy modifications
Common Mistakes
Here are some common mistakes we run into when we start an IR:
- Logs such as CloudTrail incorrectly stored in S3 buckets, such as misconfiguring the target directory when exporting multiple AWS account trails into the same bucket. This hinders the creation of Athena tables.
- Logs prior to an incident unsearchable, because Athena’s full range of capabilities were not enabled, or the logs to (from?) CloudWatch or other log storage such as ElasticSearch were not exported
- Engineers involved have no incident response training or practice. Game days are excellent opportunities to show engineers what they should be do in the early stages of a security incident.
- Alerting has not been tailored for the organization’s environment. There is no “one size fits all” for alerting. Only you know your environment well enough to understand what is normal activity and what is not—the best people to write alerts are always your own engineers.
Overall Recommendations
In summary, these are the most important elements in securing a cloud environment—which together will offer your company a vital layer of protection against a range of the most common cloud threats in circulation today:
- Get the basics right first—don’t wait for an attack
- Know your environment: monitor your weak points, understand your usual activity
- Create alerts tailored to your usage
- Investigate alerts in a timely manner
- Enable all available logging (data access logging, packet flow logs, etc)
- Ensure logs are searchable
- Practice your response and provide regular updates and training for your engineers
- Constantly reevaluate your security requirements as your environment changes
About the Authors
Omri Segev Moyal is a highly successful entrepreneur, nationally recognized speaker and as of recently, a Forbes 30 under 30 achiever. He is also the Co-founder of Profero. Omri’s passion for empowering others through public speaking, stems from the many years of experience building successful companies of his own. He is dedicated to sharing his knowledge and proven skills with others in hopes that he can provide them with simple solutions that can solve complex problems and help to remove any barriers that stand in their way. His intense focus and drive for success has positioned him to be one of the top thought leaders in the entrepreneurial and start-up space.
Brenton Morris is the Sr Incident Responder at Profero. Brenton leads Incident Response engagements on a daily basis. From cloud sophisticated attackers to Ransomware events. Brenton has a unique set of combined security research and devop experience, allowing him to resolve many cyber-attacks while fully understanding the impact on production systems
Related Articles:
Texas Attorney General’s Landmark Victory Against Google
Published: 12/20/2024
10 Fast Facts About Cybersecurity for Financial Services—And How ASPM Can Help
Published: 12/20/2024
Winning at Regulatory Roulette: Innovations Shaping the Future of GRC
Published: 12/19/2024
The EU AI Act and SMB Compliance
Published: 12/18/2024