8 cloud detection and response use cases

1. Unusual creation of numerous EC2 instances

CDR tools can detect and respond to attacks where a questionable number of Amazon Elastic Compute Cloud (EC2) instances are created. The CSA presentation detailed a cloud workload attack where a cloud identity role created larger numbers of EC2 instances than normal. Additional indicators of compromise detected within the EC2 workload showed a cryptomining bot had been installed.

2. API call activity that indicates enumeration process

A growing CDR use case involves API calls and interactions with APIs, which constitute most cloud service and object interactions. In the presenter's example, the CDR tool detected unusual agents interacting with a cloud API. The specific types of requests made matched known reconnaissance and cloud enumeration attacks, and the specific identity and access management (IAM) role assigned to the API calls was found to be too permissive.

3. Unusual network traffic

In this use case, the CDR tool detected an event where a known malicious or suspicious IP address successfully initiated a connection to the cloud infrastructure. Left unchecked, the system attempted to enumerate Lambda's source code, which contains a variety of AWS secrets.

4. Unusual access to storage nodes

Cloud misconfigurations can lead to exposure, attacks and breaches. Nowhere has this been more true than with Amazon Simple Storage Service (S3) buckets in AWS. The last use case in the CSA presentation detailed unusual role behavior interacting with an S3 bucket that contained personally identifiable information. Because the API call to the S3 object was unusual, the CDR tool evaluated the configuration of the bucket and found it was open to the public without authentication and the data stored in it was accessible to the attacker.

5. Third-party cloud activity monitoring

Monitoring requests coming in from unknown or known malicious sources, as well as heightened detection and automated response from known third parties, such as business partners and consultants, could easily be a top CDR use case.

6. Detection of unauthorized changes

Unauthorized changes to cloud configurations could lead to exposure or compromise. This CDR use case applies broadly to a variety of resource and service types.

7. Identification of excessive privileges

One of the biggest challenges in building and maintaining a secure cloud environment is managing cloud identities and permissions policies. Many cloud IAM roles are granted more privileges than needed, which could lead to abuse and malicious actions. CDR can help identify overprivileged accounts.

8. Automated response and remediation

While the concept of cloud guardrails is well known and understood, many teams find building end-to-end guardrail automation challenging. CDR platforms could streamline and simplify common detection and response playbooks that take advantage of the cloud fabric for automation.

Great starting CDR use cases for many teams include automated alerting, quarantining, configuration changes and rollbacks, and investigations and evidence collection.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.