BrandPost: Detecting Suspicious Activity on AWS Using Cloud Logs


Detecting high-risk events in cloud and container environments is often described as finding a needle in a haystack. That no longer needs to be the case for your organization.


AWS offers a broad spectrum of services and compute. The “shared responsibility” model in cloud presents a simplified combination of organization responsibilities and cloud provider responsibilities. Generally, identity and access management (IAM), applications, and data form the dividing line, but lines blur depending on the given cloud service the organization is consuming. This is true of all cloud providers, including the AWS Shared Responsibility Model.

Deployment mistakes, misconfigurations, use of vulnerable AMI or container images, or other changes made to AWS service configurations create security problems for organizations, exposing them to potential security incidents or breaches. We’ve seen no shortage of stories about ransomware attacks, privilege escalation, system compromise, data exfiltration, malicious cryptomining, and other negative outcomes.

Detecting high-risk events in cloud and container environments is often described as finding a needle in a haystack. While AWS provides some native tools to help, some of which carry additional cost, many organizations suffer from data overload that directly impacts their security program efficacy and their ability to respond quickly to security events.

CloudTrail has me covered, right?

CloudTrail is a ubiquitous, fully managed logging service that underpins most AWS service offerings. All actions taken by user identities, machine identities, or other AWS services are recorded as events. The most recent event history is stored and available automatically in CloudTrail. For longer retention periods, though, organizations must configure a Trail (which uses AWS S3 general purpose storage) or a Lake (which uses other AWS managed storage).

These are important distinctions to bear in mind. While CloudTrail is enabled by default and recent event history is a given, most organizations need extended retention to satisfy compliance, maintain extended audit trails, or to support security use cases like digital forensics and incident response (DFIR). In some cases, organizations may neglect or deliberately skip this extra step out of naivety or to avoid overloading logs and driving up cloud expenses.

Best practices for CloudTrail include:

  • Configure CloudTrail for all organizational AWS accounts and regions.
  • Encrypt CloudTrail log files at rest.
  • Enable integrity validation of CloudTrail log files.

As an organization’s architecture within AWS and consumption of various AWS services increases, the volume of events and respective log sizes can increase exponentially. This reality is particularly true as organizations embrace higher levels of automation, adopt microservice architectures, and/or create API-based designs, as machine communications skyrocket and the supporting containerized or serverless compute is much more ephemeral. While some problems that existed in traditional datacenter environments are less of a challenge in cloud, such as strict limitations on retention due to available disk capacity, new problems take their place. Mountains of log data can quickly overwhelm most organizational IT and security teams.

How do you determine which events are real threats?

Organizations often rely on multiple standards, frameworks, best practices, and regulatory requirements to inform their own secure defaults. A combination of approaches and tooling is used to validate and enforce configurations during design, development, build, and delivery, and then continuously in production. The barrage of common security activities includes IaC scanning, image scanning, infrastructure scanning, cloud posture assessment, runtime profiling, and runtime detection and response.

Determining the actual security risk of an event in production requires adequate baselines to know what should be “normal” for an organization’s environments. Known vulnerabilities (e.g., CVE-IDs), misconfigurations, and threat actors (e.g., threats defined within TI feeds) are certainly a start, but application activity, data access, and identity behaviors are unique for each organization.

Events and log entries for broad environments may be potentially risky, but they may also be expected for organizations’ unique environments and architectures. As an example, it may be normal to expect AWS S3 bucket creation or deletion in the environment, but this should only hold true when initiated by a privileged user (not a machine identity) and never when originating from a containerized workload. Such activity might also only be expected via the AWS CLI or appropriate API calls from trusted IP address ranges, such as from the organization’s on-premises datacenter or VPN.

CloudTrail captures all events within an AWS environment, but CloudTrail has no concept of safe vs. risky events. CloudTrail also has no inherent alerting capability. Practitioners must engineer around CloudTrail to support their security use cases, including alerting, threat detection, forensics, incident response, and threat hunting.

How does stream detection help with threat detection?

Organizations attempt to detect misconfigurations in their cloud environments with a variety of approaches, each with its own potential pitfalls:

  • Cloud security posture management (CSPM) – uses a scanning process, such as API polling, at certain intervals to iterate through all service settings in an AWS account. Gathering and analyzing these snapshots to uncover disparities takes time. Polling intervals may be 24 – 36 hours in some cases. If an attacker succeeds in tampering with or exploiting your tenant after a snapshot is taken, the CSPM won’t detect the event until the next polling interval.
  • Native cloud provider configuration analysis – like CSPM, these options often use a snapshot approach with polling intervals. An example is AWS Security Hub, which exhibits 12-hour latency, leaving a potentially large window of exposure for organizations.
  • SIEM ingestion and alerting – export log files to a SIEM, which may consume additional processing time and expense for storing and analyzing logs. The SIEM may already be overloaded with data in the hope that it can still produce meaningful signals for a broad spectrum of events beyond just cloud and container events, such as email phishing or ransomware attacks. This approach can suffer from the same window of exposure, and also from alert overload, since all events may appear suspicious. Ingesting cloud and container data at scale almost always exacerbates the problems of slow MTTD and MTTR.
  • Manual log file analysis or threat hunting – as the name indicates, detection is based purely on the expertise of a security analyst and their ability to unearth meaningful signals from event noise.

Effective cloud detection and response capabilities must raise actionable alerts the moment an event that is indicative of a threat appears in CloudTrail. Such detection capability also shouldn’t add costs that impact security budgets or delays that create unnecessary windows of exposure.

The combination of Sysdig for telemetry gathering and Falco as a unifying threat detection engine can power a stream detection approach. Falco can evaluate each CloudTrail entry in real time against a flexible set of security rules. Those rules can alert or take an appropriate responsive action to support the organization’s cybersecurity goals without the delays that are inherent in other approaches.
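To make the S3 bucket baseline from the earlier example concrete, and to show what per-event evaluation of CloudTrail records looks like, here is an added Python illustration; it is not Sysdig's or Falco's code and not a Falco rule. The privileged user names, trusted VPN range, role-naming hints and the sample records are all assumptions constructed for this example.

```python
import ipaddress
# Baseline from the article's example: S3 bucket creation/deletion is expected only from a
# privileged human user (never a machine identity or containerized workload) and only from
# trusted IP ranges such as the corporate VPN. Every concrete value below is an assumption.
WATCHED = {"CreateBucket", "DeleteBucket"}
PRIVILEGED_USERS = {"alice"}                                 # assumed privileged IAM users
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]    # assumed VPN range (TEST-NET-3)
WORKLOAD_ROLE_HINTS = ("ecs-task", "eks-", "ec2-role")       # assumed naming of workload roles
# Constructed CloudTrail-shaped records (not real data); the account id is a placeholder.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/ecs-task-role/x"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/ecs-task-role/x"}},
]

def evaluate(event):
    """Return the reasons a record deviates from the baseline; [] means the event is expected.
    Records that are not S3 bucket lifecycle events are out of scope and never flagged."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in WATCHED:
        return []
    ident = event.get("userIdentity", {})
    reasons = []
    if ident.get("type") != "IAMUser":
        reasons.append("machine identity type %s" % ident.get("type"))
    elif ident.get("userName") not in PRIVILEGED_USERS:
        reasons.append("user %s is not a privileged user" % ident.get("userName"))
    if any(h in ident.get("arn", "") for h in WORKLOAD_ROLE_HINTS):
        reasons.append("originates from a workload (container/instance) role")
    try:  # service-to-service calls carry a service hostname here instead of an IP address
        src = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        if not any(src in net for net in TRUSTED_RANGES):
            reasons.append("source IP %s outside trusted ranges" % src)
    except ValueError:
        reasons.append("non-IP source %r" % event.get("sourceIPAddress"))
    return reasons

def scan(events):
    """Stream-style pass: one (eventName, reasons) tuple per record that deviates."""
    findings = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            findings.append((e["eventName"], reasons))
    return findings
```

In a real deployment the same checks would be expressed as detection rules evaluated on each record as it arrives, rather than in a batch pass over a list.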

To learn more, visit Sysdig.

Copyright © 2022 IDG Communications, Inc.
