For threat intelligence to be useful in these cloud-based organizations, it is critical that cost-effective monitoring directly targets and triages potential security exposures.
Threat intelligence should assist in:
- The identification of credential leaks
- Developer misconfiguration of container environments
- Unauthorized access to critical cloud services not protected by multi-factor authentication
- Infrastructure or code base vulnerabilities.
Threat Intelligence Basics for Cloud-Based Companies
IOCs, including malicious hashes, IP addresses, and domains, are generally less useful to cloud-based companies whose primary concern is misconfigurations or inadvertent leaks.
In general, cloud infrastructure and applications do not expose the network traffic that would make such forensic artifacts useful.
While endpoint security, vulnerability management, and SIEMs are still important for cloud-based companies to detect malicious activity on endpoints, identify vulnerable services, and assist if endpoints are lost or stolen, complementary external threat hunting and intelligence services should primarily focus on:
- Credential Leaks
- Container Misconfiguration
- Unauthorized Access to Cloud Services
Best practices dictate that multi-factor authentication should be implemented to protect external-facing services, including VPN and RDP. In situations where multi-factor authentication is not in use, it is helpful to use third-party services to monitor for credential leaks for company employees.
Credential leaks are less important if an organization has implemented single sign-on (SSO) with two-factor authentication. However, it is rare that all applications are configured with SSO. In these instances, it is important to track credential leaks.
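The triage logic the two paragraphs above describe, as an added example that is not part of the original article: a credential-leak feed from a third-party monitoring service is collapsed per employee and ranked by whether that employee holds accounts on applications that are not behind SSO with multi-factor authentication. The feed, the application inventory (APPS), the access mapping (ACCESS) and the domain example.com are all constructed sample data.

```python
"""Triage a third-party credential-leak feed against SSO/MFA coverage.

Added example. The leak feed, application inventory and access mapping
below are constructed sample data, not output of any real service.
"""
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's mail domain

# Constructed leak feed, shaped like records a monitoring service might deliver.
LEAK_FEED = [
    {"email": "alice@example.com", "source": "combo-list-2023", "seen": "2023-11-02"},
    {"email": "bob@example.com", "source": "forum-dump", "seen": "2024-03-15"},
    {"email": "bob@example.com", "source": "combo-list-2023", "seen": "2023-11-02"},
    {"email": "carol@partner.test", "source": "forum-dump", "seen": "2024-03-15"},  # not our domain
]

# Constructed application inventory: True means SSO with MFA is enforced.
APPS = {
    "corporate-sso": True,
    "vpn": True,
    "legacy-ticketing": False,  # local accounts, password only
    "build-server": False,
}

# Constructed access mapping: which employees hold accounts on which apps.
ACCESS = {
    "alice@example.com": ["corporate-sso", "vpn"],
    "bob@example.com": ["corporate-sso", "legacy-ticketing", "build-server"],
}


def in_scope(email):
    """Only identities in the company's own domain are ours to act on."""
    return email.lower().endswith("@" + COMPANY_DOMAIN)


def unprotected_apps(email):
    """Apps the user holds an account on that do not enforce SSO+MFA."""
    return sorted(app for app in ACCESS.get(email, []) if not APPS.get(app, False))


def triage(feed):
    """Collapse the feed per employee and rank by exposure.

    Priority is 'high' when a leaked identity has at least one account on an
    application without SSO+MFA (a reused password there is directly usable),
    and 'low' when every account is behind SSO+MFA (the leak still warrants a
    password reset, but the credential cannot be replayed on its own).
    """
    by_user = defaultdict(list)
    for rec in feed:
        if in_scope(rec["email"]):
            by_user[rec["email"].lower()].append(rec)

    results = []
    for email, recs in by_user.items():
        exposed = unprotected_apps(email)
        results.append({
            "email": email,
            "leaks": sorted({r["source"] for r in recs}),
            "latest_seen": max(r["seen"] for r in recs),  # ISO dates sort lexically
            "unprotected_apps": exposed,
            "priority": "high" if exposed else "low",
        })
    # Most recently seen first, then stable-sort so 'high' priority leads.
    results.sort(key=lambda r: r["latest_seen"], reverse=True)
    results.sort(key=lambda r: r["priority"] != "high")
    return results


if __name__ == "__main__":
    for row in triage(LEAK_FEED):
        print(row["priority"].upper(), row["email"], row["unprotected_apps"], row["leaks"])
```

The same feed record lands in different queues depending on the access mapping, which is the point: the feed alone says nothing about urgency until it is joined with where SSO and MFA are actually enforced.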
All too often, development teams leverage base images without an understanding of the full image ‘chain’. By injecting malicious code into an upstream base image, a threat actor can compromise downstream services. Regular audits of the full chain of container definitions assist in curbing unwanted code execution. Similar to traditional servers, container environments communicate over IP. Monitoring that traffic via external netflow or deep packet inspection provides another layer of protection against compromised libraries and publicly available container images.
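An audit of the full image chain, as an added example that is not part of the original article: a set of Dockerfiles is modelled as a dict from image reference to file contents (constructed sample data), the FROM lines are followed upstream from a service image, and each image in the chain is checked. Pulled images are flagged when they are referenced by a mutable tag rather than a digest or come from outside an allow-listed registry or namespace (TRUSTED_PREFIXES, an assumption); in-house definitions are flagged when a RUN step pipes downloaded content straight into a shell.

```python
"""Audit the base-image chain behind a service's container definition.

Added example. DOCKERFILES, DIGEST and TRUSTED_PREFIXES are constructed
sample data and assumptions, not any real project's configuration.
"""
import re

DIGEST = "sha256:" + "0123456789abcdef" * 4  # constructed, not a real image digest

# Constructed Dockerfiles held in-house; keys are the image references they build.
DOCKERFILES = {
    "internal/payments-api:1.4": (
        "FROM internal/python-base:3.11\n"
        "COPY . /app\n"
        'CMD ["python", "/app/main.py"]\n'
    ),
    "internal/python-base:3.11": (
        f"FROM docker.io/library/python@{DIGEST}\n"
        "RUN pip install --no-cache-dir requests\n"
    ),
    "internal/legacy-worker:2.0": (
        "FROM someuser/handy-utils:latest\n"
        "RUN curl -s http://example.invalid/setup.sh | sh\n"
    ),
}

TRUSTED_PREFIXES = ("internal/", "docker.io/library/")  # assumption: approved sources

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
PIPE_TO_SHELL_RE = re.compile(
    r"^\s*RUN\b.*\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b", re.MULTILINE
)


def base_images(text):
    """Every image a Dockerfile pulls via FROM (multi-stage builds may have several)."""
    return [ref for ref in FROM_RE.findall(text) if ref.lower() != "scratch"]


def image_chain(image, dockerfiles=DOCKERFILES, seen=None):
    """Follow FROM lines upstream; returns the chain from the service image outward."""
    seen = list(seen or [])
    if image in seen:  # cycle guard for malformed definitions
        return seen
    seen.append(image)
    for base in base_images(dockerfiles.get(image, "")):
        seen = image_chain(base, dockerfiles, seen)
    return seen


def audit_chain(image, dockerfiles=DOCKERFILES):
    """Return {image_ref: [findings]} for everything in the chain that needs attention."""
    report = {}
    for ref in image_chain(image, dockerfiles):
        findings = []
        if ref in dockerfiles:
            # Built in-house: we hold the definition and can inspect its build steps.
            for m in PIPE_TO_SHELL_RE.finditer(dockerfiles[ref]):
                findings.append("pipes downloaded content into a shell: " + m.group(0).strip())
        else:
            # Pulled from a registry: judge how it is referenced.
            if "@sha256:" not in ref:
                findings.append("pulled by mutable tag, not pinned by digest")
            if not ref.startswith(TRUSTED_PREFIXES):
                findings.append("registry/namespace not on the allow-list")
        if findings:
            report[ref] = findings
    return report


if __name__ == "__main__":
    for svc in DOCKERFILES:
        print(svc, "->", image_chain(svc))
        print("  findings:", audit_chain(svc))
```

Pinning by digest is what makes an audit repeatable: a tag such as `latest` can point at different content tomorrow, so a chain that passed today can silently change underneath the service.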
Visibility into Unauthorized Access to Critical Cloud Services
Monitoring GitHub repositories is critical to preventing accidental disclosure of sensitive information such as private keys or account credentials.
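A repository secret scan of the kind the sentence above calls for, as an added example that is not part of the original article: a few detectors run over an in-memory repository (constructed sample files) and report each hit with path, line number, detector name, a confidence level and a redacted preview, so the report can be shared without re-leaking the secret. The AWS values are the placeholder keys from AWS's own documentation; the private key body is a constructed placeholder.

```python
"""Scan repository contents for committed secrets such as private keys and cloud credentials.

Added example. SAMPLE_REPO is constructed; the AWS access key values are the
well-known placeholders from AWS documentation, not live credentials.
"""
import math
import re

SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedPLACEHOLDERbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
    "tests/test_login.py": 'password = "hunter2"  # fixture account\n',
}

# (detector name, pattern, high-confidence?). Patterns with a group capture the secret value.
DETECTORS = [
    ("private_key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"), True),
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), True),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), True),
    ("generic_password",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"), False),
]


def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above prose or dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep just enough of the value to locate it in the file."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path, text):
    """Run every detector over each line; returns a list of finding dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, strong in DETECTORS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if strong:
                confidence = "high"
            else:
                # Generic assignments are noisy; use entropy to separate fixtures from real secrets.
                confidence = "medium" if shannon_entropy(value) >= 3.0 else "low"
            findings.append({"path": path, "line": lineno, "kind": name,
                             "confidence": confidence, "preview": redact(value)})
    return findings


def scan_repo(files):
    """Scan a mapping of path -> contents, as a pre-commit hook or CI job would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['confidence']:6} {f['kind']:22} {f['path']}:{f['line']} {f['preview']}")
```

The README line mentions the variable name but carries no value, so it produces no finding; that distinction between a key name and a key value is what keeps a scanner like this usable on a busy repository.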
Netflow and passive DNS analysis can help identify unauthorized access to cloud resources. Unauthorized cloud access is hard to distinguish in netflow alone, because it looks the same as authorized access; enabling appropriate logging increases visibility.
For example, AWS logging capabilities allow analysts to review CloudTrail and CloudWatch logs in tandem. By setting up AWS Traffic Mirroring, analysts can collect packet-level network traffic coming to and from the cloud instances. Matching these configurations with external netflow and scouring GitHub for public and private keys increases the ability to identify unauthorized cloud access.
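The CloudTrail side of that review, as an added example that is not part of the original article: a constructed batch of CloudTrail-style records is parsed and three checks are applied that turn "authorized and unauthorized access look the same" into a decision: a successful console login without MFA, any activity by the root identity, and a call whose source address is outside a corporate egress allow-list (KNOWN_EGRESS, an assumption). The account id 123456789012 is the AWS documentation placeholder and the addresses are TEST-NET ranges. Calls that AWS services make on the account's behalf carry a service hostname rather than an address in sourceIPAddress and are not judged by the allow-list.

```python
"""Triage CloudTrail records for signs of unauthorized access to cloud services.

Added example. SAMPLE_LOG is constructed in the shape of CloudTrail output;
KNOWN_EGRESS is an assumed allow-list of corporate egress addresses.
"""
import ipaddress
import json

KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: corporate egress

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/cfn"},
     "sourceIPAddress": "cloudformation.amazonaws.com"},
]})


def outside_allowlist(source):
    """True when the caller's address is not one of our known egress ranges."""
    if source.endswith(".amazonaws.com"):  # service-initiated call, no client address
        return False
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True  # an unparseable source is not a known egress
    return not any(addr in net for net in KNOWN_EGRESS)


def triage(raw_log):
    """Return a list of (rule, identity arn, source, eventTime) alerts."""
    alerts = []
    for ev in json.loads(raw_log)["Records"]:
        ident = ev.get("userIdentity", {})
        who = ident.get("arn", ident.get("type", "unknown"))
        src = ev.get("sourceIPAddress", "")
        when = ev.get("eventTime", "")
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console-login-without-mfa", who, src, when))
        if ident.get("type") == "Root":
            alerts.append(("root-identity-activity", who, src, when))
        if outside_allowlist(src):
            alerts.append(("source-outside-egress-allowlist", who, src, when))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

Alice's login and the CloudFormation-initiated call produce nothing, while bob's login raises two separate alerts; keeping the rules independent is what lets an analyst later pivot from the flagged address into external netflow for the same window.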
Outside Partners Provide Additional Adversary Insight
With the increased need for an understanding of often ambiguous indicators, cloud-based companies will benefit from working with a partner like Nisos that specializes in investigations external to the company’s network.
Determining the difference between a true indicator of a breach and a simple misconfiguration requires a deep understanding of how an adversary would attack a cloud environment, as well as the external data that can illuminate a potential attacker’s interaction with the environment. This external data can also help companies prevent methods of fraud including account takeover, spamming of customers, or rogue applications being established.
With assistance from outside experts, cloud-based security teams can feel confident they are well equipped to mitigate risk and respond appropriately when needed.