Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Enhancing Cloud Detection & Response with Secur...

Enhancing Cloud Detection & Response with Security Chaos Engineering

💥 Your Cloud Detection & Response might be misleading you 💥

Effective Cloud Detection & Response (CDR) capabilities are vital in promptly identifying and responding to security incidents. The absence of alerts does not imply all is well, and neither does the abundance of alerts imply effectiveness (alert fatigue is REAL).

The elephant in the room -> How do you strike a balance and avoid a false sense of security? You VERIFY CDR effectiveness using empirical methods that present hard, undeniable, reliable evidence.

That is what security chaos engineering does for you. CDR approaches struggle to distinguish signal from noise; the cloud attack surface is large. Smart approaches are imperative to overcome this challenge.

• Defend from inside out & assume breach !
• Identity your high-value targets (HVT)
• Enhance CDR specifically for your HVT using SCE
• Move backwards, apply the same to non-HVTs
• Rinse & Repeat
• Become cyber-resilient

Some example SCE experiments are presented in the shared document, e.g., abusing the AWS S3 replication service. How to intelligently detect such malicious events and enhance incident response.

Check out Mitigant Cloud Immunity product. It offers seamless SCE experiments that automatically roll back your environment post-experiment and provide contextual recommendations and detailed cyber-resilience reporting.

Kennedy Torkura

June 29, 2023
Tweet

More Decks by Kennedy Torkura

Other Decks in Technology

Transcript

  1. Effective Cloud Detection & Response (CDR) capabilities play a vital

    role in promptly identifying and responding to security incidents. @run2obtain
  2. • Cost savings – post breach investigations, fines from regulatory

    institutions .. • Quick & reliable incident response • Safeguard enterprise reputation • Confidence in your capabilities • Happy customers • ….. The ROI of early attack detection & swift response is HUGE ! @run2obtain
  3. CDR mechanisms are challenged by the rapid evolution of cloud

    infrastructure and fast- paced threat landscape. @run2obtain The absence of alerts does not imply all is well ... neither does the abundance of alerts imply effectiveness (alert fatigue is REAL).
  4. Since HOPE is NOT a strategy, assumptions about CDR effectiveness

    should be practically and continuously evaluated. Security chaos engineering enables continuous verification of CDR ! @run2obtain Security Chaos Engineering 101: The Mind Map & Feedback Loop (mitigant.io)
  5. How does Security Chaos Engineering enhance CDR effectiveness? Quick, simple

    example. How do you know if AWS Cloudtrail is disabled by a malicious attacker ? We run this basic example in the Mitigant Security Chaos Engineering platform. @run2obtain
  6. Luckily, we have our CDR set up quite well. (DataDog

    Cloud SIEM) We can see the Cloudtrail stopped event. This is a trigger for an appropriate response. One lesson though ! The MTTD was roughly 6 minutes … can be improved ! What if the CDR set up was broken ? How do you know ? Happens all the time -> misconfigured S3 bucket, broken lambda forwarder … @run2obtain
  7. We run a couple more SCE experiments. This time the

    dreaded bucket replication attack which abuses the S3 replication service. Our CDR captures some interesting events. Some teams might miss this out, notice the MITRE ATTACK Tactics & Techniques -> exfiltration, persistence and account manipulation. Does it ring a bell ? Crafting a detection rule for these pattern of events would makes sense. @run2obtain Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service by Kat Traxler (vectra.ai)
  8. So, verify the effectiveness of your CDR rather than hoping

    for effectiveness ! How do you start ? • Defend from inside out & assume breach ! • Identity your high-value targets (HVT) • Enhance CDR specifically for your HVT using SCE • Move backwards, apply same to non-HVTs • Rinse & Repeat • Become cyber-resilient • ….. @run2obtain Demystifying Security Chaos Engineering - Part II (mitigant.io)
  9. Hope root for the effectiveness of your CDR. Cloud Immunity

    | Mitigant https://mitigant.io Leverage The Mitigant Security Chaos Engineering Platform @run2obtain