Bad actors may be careful to avoid detection when mounting cyber attacks on cloud infrastructure. But there will be clues that point to malicious activity if you know where to look. And the value of these signals adds up. On their own, signs may be too small to warrant action from security teams (behavior that adversaries will look to exploit). But in combination, the co-occurrence of several signals, however weak each one is, could be a strong indicator that something isn’t quite right, and an organization’s cloud assets could be under threat. The good news for firms is that composite alerts can warn of malicious activity in the cloud before security issues escalate.
Lacework – a cloud-native application protection provider (CNAPP) – has introduced composite alerts as part of its anomaly detection feature set. And in this first release, its developers have focused on a number of key scenarios – cloud native ransomware, potentially compromised AWS keys, cloud-native crypto mining, cloud defense evasion, and host-based crypto mining. Each of these scenarios has its own set of tell-tale signs, which can be encoded using composite alerts.
The CNAPP platform detects potential attacks by correlating somewhere in the region of seven to eight security events into a single alarm pointing to common malicious activity. Grouping signals in this way helps on a number of fronts. Firstly, it reduces the volume of warnings sent to incident teams. Single triggers can soon rack up hundreds of daily alerts and overwhelm security architects. Focusing on scenarios and looking for the co-occurrence of tell-tale activity, by contrast, typically takes the number of alarms issued down to a more manageable level.
Labeling attacker goals
Secondly, composite alerts – once raised – can provide not just a warning of potentially malicious cloud activity, but also place that behavior in context and point to the bigger goal of attackers. For example, data breaches can often be traced back to the use of lost or stolen credentials. But telemetry reveals that bad actors use other methods too, and these can signpost an adversary’s next steps.
“Over the past several years, Lacework Labs has combed through petabytes of cloud telemetry to compile a corpus of several hundred unique AWS attacks in the wild involving compromised credentials,” writes Chris Hall, a member of Lacework’s cloud security team. “Through analysis of this data we’ve identified common tactics and techniques that are most likely to occur in an AWS attack.”
Cybersecurity training videos drill into employees the dangers of responding to phishing emails, which direct victims to websites and portals that have been engineered to steal passwords. But Lacework’s research shows that when it comes to mounting AWS attacks, adversaries often grab what they need straight from the web thanks to details that have been carelessly left in the public domain. The CNAPP provider points out that one of the most common methods used by attackers to acquire AWS credentials is to parse exposed keys and secrets from publicly accessible code-sharing platforms such as GitHub and other repositories.
Once an organization’s security details are in their possession, attackers will use APIs such as GetCallerIdentity to test whether those credentials are still valid, based on whether requests are successful or not. And this behavior marks the start of a chain of events that can be encoded as a composite alert to warn cloud security teams.
Considering attacker motives, a common goal is resource hijacking – for example, to use an organization’s cloud services allocation for mining cryptocurrencies or sending thousands of malicious emails. These events could be costly as charges mount up (and if you’re thinking that you could include a child event to check for that too, as part of a composite alert strategy, you’d be right).
But a more severe category of attack is using those illicitly obtained credentials to perform data theft and exploitation. “This encompasses subcategories such as espionage and financially motivated objectives including ransom activities or selling the stolen data on the black market,” adds Lacework’s Chris Hall.
Impossible travel
CNAPP users receive a warning when behavior matches a common attacker scenario and triggers the corresponding composite alert. One of the big indicators of strange behavior is so-called ‘impossible travel’, which is a common marker of fraudulent activity. For example, if a user was logging on from a location in Europe and then five minutes later the same account was being accessed through an internet service provider on another continent, security teams would want to take a closer look.
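The impossible-travel check described above can be sketched as follows. This is an added example, not Lacework’s code; the login records, the 1,000 km/h speed threshold and the 50 km minimum distance are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample logins (not real telemetry): (user, ISO time, lat, lon).
LOGINS = [
    ("alice", "2024-01-10T09:00:00", 48.8566, 2.3522),    # Paris
    ("alice", "2024-01-10T09:05:00", 40.7128, -74.0060),  # New York, 5 min later
    ("bob",   "2024-01-10T09:00:00", 51.5074, -0.1278),   # London
    ("bob",   "2024-01-10T13:00:00", 52.5200, 13.4050),   # Berlin, 4 h later
]

MAX_KMH = 1000.0  # assumed threshold: roughly airliner cruising speed
MIN_KM = 50.0     # assumed floor so geolocation jitter is not flagged

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (user, km, hours) for consecutive logins implying speed > max_kmh."""
    findings, last = [], {}
    # Sort per user by time so each login is compared with the previous one.
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_lat, prev_lon = last[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (t - prev_t).total_seconds() / 3600
            # Simultaneous logins from distant places are flagged too.
            if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                findings.append((user, round(km), round(hours, 2)))
        last[user] = (t, lat, lon)
    return findings

if __name__ == "__main__":
    for user, km, hours in impossible_travel(LOGINS):
        print(f"{user}: {km} km in {hours} h")
```

VPN exits and mobile carrier gateways can trip a check like this on their own, which is why it works best as one child signal in a composite alert rather than as a standalone alarm.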
The advantage of Lacework’s solution is that threat intelligence is built in. But it’s not the only option open to cloud users. And organizations with established security teams can translate well-known attack patterns into more complex alarms too. For example, Amazon CloudWatch allows users to combine up to 100 child alarms into a composite alert.
Warnings (which don’t just have to be security related; they could also signal uptime issues, or other performance concerns) are built using a rule expression, which joins the child alarms using the Boolean operators AND, OR, and NOT. A CloudWatch alarm is always in one of three states: OK, ALARM, or INSUFFICIENT_DATA.
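To show how such a rule expression combines child alarm states, here is a small local evaluator, added as an example; it is not AWS code. The child alarm names are hypothetical, and the operator precedence (NOT, then AND, then OR) is an assumption, so the sample rule uses parentheses to make grouping explicit.

```python
import re

TOKEN = re.compile(r'\s*(?:(ALARM|OK|INSUFFICIENT_DATA)\(\s*"([^"]+)"\s*\)'
                   r'|(AND|OR|NOT|[()]))\s*')

def tokenize(rule):
    """Split a rule into (STATE, alarm_name) tuples and operator strings."""
    pos, out = 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}")
        out.append((m.group(1), m.group(2)) if m.group(1) else m.group(3))
        pos = m.end()
    return out

def evaluate(rule, states):
    """True when the rule holds, i.e. the composite alarm would be in ALARM."""
    toks, i = tokenize(rule) + [None], 0  # None marks end of input
    def take():
        nonlocal i
        i += 1
        return toks[i - 1]
    def atom():
        t = take()
        if t == "NOT":
            return not atom()
        if t == "(":
            v = expr("OR")
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return v
        if isinstance(t, tuple):  # unreported child counts as INSUFFICIENT_DATA
            return states.get(t[1], "INSUFFICIENT_DATA") == t[0]
        raise ValueError(f"unexpected token {t!r}")
    def expr(op):  # assumed precedence: NOT, then AND, then OR
        operand = atom if op == "AND" else (lambda: expr("AND"))
        v = operand()
        while toks[i] == op:
            take()
            r = operand()  # always parse the right side, then combine
            v = (v and r) if op == "AND" else (v or r)
        return v
    result = expr("OR")
    if toks[i] is not None:
        raise ValueError("trailing tokens in rule")
    return result

# Constructed rule; the child alarm names are hypothetical.
RULE = ('ALARM("KeyValidityProbe") AND (ALARM("ImpossibleTravel") OR '
        'ALARM("NewRegionActivity")) AND NOT ALARM("MaintenanceWindow")')
```

With this rule, a credential-validity probe alone does not fire the composite; it needs a second corroborating signal, and a child that has reported no state is treated as INSUFFICIENT_DATA rather than ALARM.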
If your cloud security team is being bombarded with hundreds of false positives or has threat intelligence that could be automated to help protect assets 24/7, then composite alerts could be a signaling strategy that’s well worth investigating.