From the Trenches: Common-Sense Measures to Prevent Cloud Incidents - Part 2
Published 02/16/2022
Written by Omri Segev Moyal & Brenton Morris, Profero - Rapid IR
Introduction
In part one of this series we discussed specific incidents that Profero has handled and the ways attackers take advantage of cloud environments during an incident. In part two we cover the methods for finding attackers in cloud environments that have proven useful in our engagements.
Looking for Offensive Attackers
When scanning for attackers in your environment, it is important to establish and follow best practices. Some tips are below:
Prep
It is essential to prepare your environment to be able to detect malicious behavior:
- Deliver your CloudTrail logs to a versioned S3 bucket with MFA Delete enabled (MFA Delete requires versioning), preferably in a separate AWS account dedicated to audit logs, so that credentials compromised in a monitored account cannot be used to erase the evidence; keep CloudTrail log file validation on so that tampering with delivered files can be detected
- Create the Athena table over this bucket in advance, so that during an incident you can query your CloudTrail logs immediately instead of first setting up the table
Asset Discovery
Good configuration and asset management matters when you need to decide whether something is out of the ordinary and requires investigation. These are some of the tools we use to find assets in our clients' environments:
- Scout Suite
- AWS Billing Console
- AWS Config
Use the Tools Available to You
Many other tools are available to organizations. Open-source tools such as SkyWrapper, which finds chains of STS temporary tokens in an AWS account (temporary credentials used to mint further temporary credentials, a common persistence technique), Amazon GuardDuty, and even a review of the billing console for unexpected spend can each lead to the identification of malicious activity.
Investigate CloudTrail
If CloudTrail is active but is not being regularly monitored and reviewed, it can only be used as evidence after an incident. This is a missed opportunity, because it is one of the best and easiest tools to engage for early detection and prevention. Some things to look for when reviewing logs include:
- Known IOCs appearing in the logs
- Changes to resources such as CloudFormation stacks; configure these to trigger alerts so that they do not rely on manual review
- Database actions such as snapshots being copied or shared, data being deleted, new instances being created, or snapshots being exported
- Network configuration changes/security group policy modifications
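As an added example (not Profero's tooling), the following Python script applies the checks above to CloudTrail records. It reads the `{"Records": [...]}` files CloudTrail delivers to S3, matches source IPs and access keys against a constructed IOC list, and flags CloudFormation stack changes, RDS snapshot/export/delete actions and security-group rule changes, escalating any rule that opens a port to 0.0.0.0/0. It also flags changes to the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), which the list above does not mention but which an attacker with the right permissions will attempt first. The indicator values, event-name sets and sample records are all constructed for the example.

```python
"""Triage CloudTrail records against the indicators listed above.

Added example, not Profero's tooling. Works on the record dicts found in the
{"Records": [...]} files CloudTrail delivers to S3 (usually gzipped) or on rows
pulled back from Athena. IOC values, event-name sets and sample records are
constructed for the example.
"""
from __future__ import annotations
import gzip
import json

IOC_IPS = {"203.0.113.45"}                  # constructed, TEST-NET-3 range
IOC_ACCESS_KEYS = {"AKIAIOSFODNN7EXAMPLE"}  # AWS documentation example key

CLOUDFORMATION_CHANGES = {"CreateStack", "UpdateStack", "DeleteStack", "ExecuteChangeSet"}
DATABASE_ACTIONS = {"CreateDBSnapshot", "CopyDBSnapshot", "ModifyDBSnapshotAttribute",
                    "StartExportTask", "CreateDBInstance", "RestoreDBInstanceFromDBSnapshot",
                    "DeleteDBInstance", "DeleteDBCluster"}
DATABASE_HIGH = {"StartExportTask", "ModifyDBSnapshotAttribute", "DeleteDBInstance", "DeleteDBCluster"}
NETWORK_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                   "RevokeSecurityGroupIngress", "CreateSecurityGroup", "DeleteSecurityGroup",
                   "CreateRoute", "ReplaceRoute", "CreateNetworkAclEntry"}
# Not in the list above, but worth checking first: an attacker with the rights to
# do so will try to switch the trail off or narrow it before doing anything else.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ingress_open_to_world(params: dict) -> bool:
    """True if an AuthorizeSecurityGroupIngress call admits 0.0.0.0/0 or ::/0.
    EC2 nests list parameters under an "items" key in CloudTrail records."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        v4 = (perm.get("ipRanges") or {}).get("items", [])
        v6 = (perm.get("ipv6Ranges") or {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4) or any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def triage_record(rec: dict) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs for one record; an empty list means nothing matched."""
    out = []
    name = rec.get("eventName", "")
    ident = rec.get("userIdentity") or {}
    params = rec.get("requestParameters") or {}
    if rec.get("sourceIPAddress") in IOC_IPS:
        out.append(("high", f"source IP {rec['sourceIPAddress']} is a known IOC"))
    if ident.get("accessKeyId") in IOC_ACCESS_KEYS:
        out.append(("high", f"access key {ident['accessKeyId']} is a known IOC"))
    if name in TRAIL_TAMPERING:
        out.append(("high", f"CloudTrail configuration changed: {name}"))
    if name in CLOUDFORMATION_CHANGES:
        out.append(("medium", f"CloudFormation change: {name} on {params.get('stackName', '?')}"))
    if name in DATABASE_ACTIONS:
        out.append(("high" if name in DATABASE_HIGH else "medium", f"database action: {name}"))
    if name in NETWORK_CHANGES:
        if name == "AuthorizeSecurityGroupIngress" and _ingress_open_to_world(params):
            out.append(("high", f"security group {params.get('groupId')} opened to the world"))
        else:
            out.append(("medium", f"network change: {name}"))
    return out


def triage_records(records) -> list[dict]:
    """Flatten findings over many records, keeping the fields needed to pivot on in Athena."""
    return [{"eventTime": rec.get("eventTime"), "eventID": rec.get("eventID"),
             "eventName": rec.get("eventName"), "actor": (rec.get("userIdentity") or {}).get("arn"),
             "sourceIP": rec.get("sourceIPAddress"), "severity": sev, "reason": why}
            for rec in records for sev, why in triage_record(rec)]


def parse_log_file(data: bytes) -> list[dict]:
    """Parse one CloudTrail delivery file (plain or gzipped JSON) into its Records list."""
    if data[:2] == b"\x1f\x8b":  # gzip magic; CloudTrail writes .json.gz
        data = gzip.decompress(data)
    return json.loads(data)["Records"]


def _rec(n: int, source: str, name: str, ip: str, key: str, params: dict | None = None) -> dict:
    """Build a constructed CloudTrail record carrying the fields the rules use."""
    return {"eventVersion": "1.08", "eventTime": f"2022-02-01T10:0{n}:00Z", "eventID": f"evt-{n}",
            "eventSource": source, "eventName": name, "awsRegion": "eu-west-1",
            "sourceIPAddress": ip, "recipientAccountId": "111122223333",
            "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "accessKeyId": key,
                             "arn": "arn:aws:iam::111122223333:user/deploy"},
            "requestParameters": params or {}}


SAMPLE_RECORDS = [  # constructed for the example; both access keys are AWS documentation examples
    _rec(1, "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "203.0.113.45", "AKIAI44QH8DHBEXAMPLE",
         {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [{"ipProtocol": "tcp",
          "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec(2, "rds.amazonaws.com", "StartExportTask", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE",
         {"exportTaskIdentifier": "prod-export", "s3BucketName": "unknown-bucket"}),
    _rec(3, "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7", "AKIAI44QH8DHBEXAMPLE"),
    _rec(4, "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.7", "AKIAI44QH8DHBEXAMPLE", {"name": "org-trail"}),
    _rec(5, "cloudformation.amazonaws.com", "UpdateStack", "198.51.100.7", "AKIAI44QH8DHBEXAMPLE", {"stackName": "prod-web"}),
]
SAMPLE_LOG_BYTES = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    for f in triage_records(parse_log_file(SAMPLE_LOG_BYTES)):
        print(f"{f['severity']:<6} {f['eventTime']} {f['eventName']:<30} {f['reason']}")
```

The script is for quick triage over files pulled straight from the bucket; once the Athena table exists the same sets translate directly into `WHERE sourceipaddress IN (...)` and `eventname IN (...)` clauses. Severity here is a starting point for ordering review, not a verdict: a DescribeInstances call from a known IOC address matters as much as any write.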
Common Mistakes
Here are some common mistakes we run into when we start an IR:
- CloudTrail logs stored in S3 under inconsistent prefixes, typically because several AWS accounts deliver trails into the same bucket and each was given a different target directory. A single Athena table is rooted at one prefix, so the logs of the other accounts end up unqueryable.
- Logs from before the incident that cannot be searched, because Athena was never fully set up over the archive, or because logs sent to CloudWatch Logs or another store such as Elasticsearch were never exported to durable, queryable storage
- Engineers involved have no incident response training or practice. Game days are excellent opportunities to show engineers what they should do in the early stages of a security incident.
- Alerting has not been tailored for the organization’s environment. There is no “one size fits all” for alerting. Only you know your environment well enough to understand what is normal activity and what is not—the best people to write alerts are always your own engineers.
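Two of the points above, the Prep section's advice to have Athena ready over the audit bucket and the first common mistake of trails landing under inconsistent prefixes, can be checked before an incident from a plain listing of the bucket's keys. The following Python script is an added example, not Profero's code: it parses each key against the layout CloudTrail uses for delivery files, derives the (account, region, date) partition values an Athena CloudTrail table with partition projection expects, and reports keys that a table rooted at a given prefix would never see. The key listing is constructed.

```python
"""Check that a multi-account CloudTrail bucket has the layout one Athena table expects.

Added example, not Profero's tooling. CloudTrail writes each delivery file as
  <prefix>AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
and organization trails insert the org id: <prefix>AWSLogs/<o-id>/<account-id>/...
An Athena table is rooted at one prefix, so accounts that deliver under a
different prefix, and files copied in by hand, never show up in its queries.
The key listing below is constructed; in practice use `aws s3api list-objects-v2`
output or an S3 Inventory report.
"""
import re
from collections import defaultdict

KEY_RE = re.compile(
    r"^(?P<prefix>(?:[^/]+/)*?)AWSLogs/"
    r"(?:(?P<org>o-[a-z0-9]+)/)?"
    r"(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$"
)
DIGEST_MARK = "/CloudTrail-Digest/"   # log file validation digests, delivered beside the logs


def partition_for_key(key: str):
    """Split a delivery key into prefix, org, account, region and yyyy/mm/dd, or None if it is
    not a CloudTrail delivery key. The date string matches Athena's projection.date.format."""
    m = KEY_RE.match(key)
    if not m:
        return None
    return {"prefix": m["prefix"], "org": m["org"], "account": m["account"],
            "region": m["region"], "date": f"{m['y']}/{m['m']}/{m['d']}"}


def audit_bucket_layout(keys, expected_prefix: str = "") -> dict:
    """Group delivery keys by prefix and report what a table rooted at expected_prefix misses."""
    by_prefix = defaultdict(set)
    report = {"partitions": set(), "org_ids": set(), "misplaced": [], "unmatched": [], "digests": 0}
    for key in keys:
        if DIGEST_MARK in key:
            report["digests"] += 1      # integrity data, not query data
            continue
        part = partition_for_key(key)
        if part is None:
            report["unmatched"].append(key)   # not written by CloudTrail: explain before trusting
            continue
        by_prefix[part["prefix"]].add(part["account"])
        report["partitions"].add((part["account"], part["region"], part["date"]))
        if part["org"]:
            report["org_ids"].add(part["org"])   # path carries the org id; the template must too
        if part["prefix"] != expected_prefix:
            report["misplaced"].append(key)      # outside the table's LOCATION
    report["accounts_by_prefix"] = dict(by_prefix)
    return report


SAMPLE_KEYS = [  # constructed listing: two accounts at the root (one via an org trail), one under "prod/"
    "AWSLogs/111122223333/CloudTrail/eu-west-1/2022/02/01/111122223333_CloudTrail_eu-west-1_20220201T1000Z_a1.json.gz",
    "AWSLogs/111122223333/CloudTrail/eu-west-1/2022/02/02/111122223333_CloudTrail_eu-west-1_20220202T0005Z_a2.json.gz",
    "AWSLogs/111122223333/CloudTrail-Digest/eu-west-1/2022/02/01/111122223333_CloudTrail-Digest_eu-west-1_20220201T1000Z.json.gz",
    "prod/AWSLogs/444455556666/CloudTrail/us-east-1/2022/02/01/444455556666_CloudTrail_us-east-1_20220201T1005Z_b1.json.gz",
    "AWSLogs/o-exampleorgid/777788889999/CloudTrail/eu-west-1/2022/02/01/777788889999_CloudTrail_eu-west-1_20220201T1010Z_c1.json.gz",
    "exports/cloudtrail-2022-02-01.json",
]

if __name__ == "__main__":
    r = audit_bucket_layout(SAMPLE_KEYS)
    for prefix, accounts in sorted(r["accounts_by_prefix"].items()):
        print(f"prefix {prefix!r}: accounts {sorted(accounts)}")
    print("misplaced:", r["misplaced"])
    print("unmatched:", r["unmatched"])
    print("org ids:", sorted(r["org_ids"]), "digest files:", r["digests"])
```

Every prefix in `accounts_by_prefix` needs its own table or its own `storage.location.template`, keys that carry an organization id need a template that includes it, and anything in `unmatched` was not written by CloudTrail and should be explained before it is relied on as evidence. The `partitions` set is also a quick way to confirm that every account and region you expect is actually delivering for every day in the window you care about.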
Overall Recommendations
In summary, these are the most important elements in securing a cloud environment—which together will offer your company a vital layer of protection against a range of the most common cloud threats in circulation today:
- Get the basics right first—don’t wait for an attack
- Know your environment: monitor your weak points, understand your usual activity
- Create alerts tailored to your usage
- Investigate alerts in a timely manner
- Enable all available logging (data-event logging such as S3 object-level access, VPC Flow Logs, etc.)
- Ensure logs are searchable
- Practice your response and provide regular updates and training for your engineers
- Constantly reevaluate your security requirements as your environment changes
About the Authors
Omri Segev Moyal is a highly successful entrepreneur, nationally recognized speaker and, recently, a Forbes 30 Under 30 honoree. He is also the co-founder of Profero. Omri's passion for empowering others through public speaking stems from his many years of experience building successful companies of his own. He is dedicated to sharing his knowledge and proven skills with others in the hope of providing simple solutions to complex problems and removing the barriers that stand in their way. His intense focus and drive for success have positioned him as one of the top thought leaders in the entrepreneurial and start-up space.
Brenton Morris is the Senior Incident Responder at Profero. Brenton leads incident response engagements on a daily basis, from sophisticated cloud attackers to ransomware events. Brenton has a unique combination of security research and DevOps experience, allowing him to resolve many cyber-attacks while fully understanding the impact on production systems.