Detecting AWS Control Plane Abuse in an Actionable Way Using Det{R}ails

Virtual October 21, 2020 1:00 pm - 1:40 pm Feedback     

Bookmark and Share

Felipe Espósito
Rodrigo Montoro

Monitoring events will always be a big challenge for defensive teams. Now, with the increasing adoption of cloud by enterprises, new data sources are needed to monitor these services and detect security incidents. In the AWS Cloud ecosystem, the primary source of visibility of the control plane activities is called CloudTrail. Leveraging CloudTrail allows you to observe any action that happens in AWS services you use, with a small set of exceptions. The AWS service APIs provide around 7,000 different actions (and growing!) that, when logged, give a lot of extra info that can be correlated and used to find malicious activities. However, as with most data sources, it is very noisy. Plus, it fails to include in its events critical contextual information that threat hunters need. Security analysts and incident responders need to triage and act upon suspected incidents quickly. Additionally, since it is focused on logging API calls on a very complicated kind of environment, there is a big learning curve for traditional security staff without extensive cloud expertise. In this talk, we will present a proposed methodology to perform security incident detection using CloudTrail logs. We will cover event enrichment, simple alerts, and how to use Sigma rules, Jupyter, TheHive, and the Elastic Stack to perform more in-depth detection, exploration, and visualization of the data. This work we are developing is a project called Det{R}ails, which will become open-sourced shortly. Det{R}ails can operate in real-time or used to investigate some incident standalone. All it requires is necessary access to the S3 bucket where you are saving your Cloudtrail events. Besides that, we have some schemas to enrich data with your company context, which makes your visualization much more accurate, and as the first goal makes prioritization better.