Traditional detection and response models from the on-premises world need to evolve and change to protect cloud environments. Adapting endpoint detection and response, network detection and response, and extended detection and response to the cloud, however, has proven difficult. This is where cloud detection and response (CDR) comes in.
CDR products and services provide tooling and workflow capabilities that assist organizations in monitoring and remediating cloud security issues. As an emerging technology, it's helpful for security teams to consider use cases that may highlight where CDR offers the most value and can fill gaps in a cloud-centric detection and response model.
The following are use cases CDR can help address, accelerating efforts to secure cloud environments, as well as traditional ones. The first four use cases were highlighted in a presentation at a 2022 Cloud Security Alliance (CSA) conference. The last four are additional use cases security teams should consider.
1. Unusual creation of numerous EC2 instances
CDR tools can detect and respond to attacks where a questionable number of Amazon Elastic Compute Cloud (EC2) instances are created. The presentation detailed a cloud workload attack where a cloud identity role created a larger number of EC2 instances than normal. Additional indicators of compromise detected within the EC2 workload showed a cryptomining bot had been installed.
2. API call activity that indicates an enumeration process
A growing CDR use case involves API calls and interactions with APIs, as these constitute most cloud service and object interactions. In the presenter's example, CDR detected unusual agents interacting with a cloud API. The specific types of requests being made matched known reconnaissance and cloud enumeration attacks, and the specific identity and access management (IAM) role assigned to the API calls was found to be more permissive than needed.
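As an added illustration of use cases 1 and 2 (this code is not from the CSA presentation or from any CDR product), the following Python runs two simple detectors over constructed CloudTrail-style records: one flags a role whose RunInstances launches exceed a multiple of its baseline, the other flags a principal issuing many distinct Describe*/List*/Get* calls, the read-only API pattern typical of cloud enumeration. The ARNs, baseline figures and thresholds are constructed assumptions, not values from the page.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail-style records for illustration. Real records carry many
# more fields; only the ones the two detectors below read are included.
EVENTS = [
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/s1"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": f"i-{n:04x}"} for n in range(4)]}}}
    for _ in range(3)  # three launch calls of four instances each
] + [
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dev-box/s2"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
] + [
    {"eventName": name, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}}
    for name in ["DescribeInstances", "ListBuckets", "ListUsers", "ListRoles",
                 "GetCallerIdentity", "DescribeSecurityGroups", "ListBuckets"]
]

# Expected instances launched per role per day, as a rolling average would supply it (constructed).
BASELINE_LAUNCHES = {"ci-deploy": 2.0, "dev-box": 1.0}

# API names with these prefixes are read-only discovery calls; a burst of distinct ones
# from a single principal is the enumeration pattern described in use case 2.
ENUM_PREFIXES = ("Describe", "List", "Get")


def role_name(event):
    """Reduce an assumed-role session ARN or IAM user ARN to its short principal name."""
    return event["userIdentity"]["arn"].split("/")[1]


def detect_launch_spikes(events, baseline, factor=3.0):
    """Use case 1: roles whose launched-instance count exceeds factor x their baseline."""
    launched = Counter()
    for e in events:
        if e["eventName"] == "RunInstances":
            launched[role_name(e)] += len(e["responseElements"]["instancesSet"]["items"])
    return {r: n for r, n in launched.items() if n > factor * baseline.get(r, 1.0)}


def detect_enumeration(events, min_distinct=5):
    """Use case 2: principals issuing at least min_distinct distinct discovery API calls."""
    seen = defaultdict(set)
    for e in events:
        if e["eventName"].startswith(ENUM_PREFIXES):
            seen[role_name(e)].add(e["eventName"])
    return {p: sorted(calls) for p, calls in seen.items() if len(calls) >= min_distinct}


if __name__ == "__main__":
    print("launch spikes:", detect_launch_spikes(EVENTS, BASELINE_LAUNCHES))
    print("enumeration:", detect_enumeration(EVENTS))
```

In production the baseline would come from historical CloudTrail data per role, and a hit would feed the response playbooks discussed in use case 8 rather than a print statement.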
3. Unusual network traffic
In this use case, the CDR tool detected an event where a known malicious or suspicious IP address successfully initiated a connection to the cloud infrastructure. Left unchecked, the connecting system attempted to enumerate Lambda function source code, which contains a variety of AWS secrets.
4. Unusual access to storage nodes
Cloud misconfigurations can lead to exposure, attacks and breaches. Nowhere has this been more true than with Amazon Simple Storage Service (S3) buckets in AWS. The last use case explained in the CSA presentation detailed unusual role behavior interacting with an S3 bucket that contained personally identifiable information. Because the API call to the S3 object was unusual, the CDR tool evaluated the configuration of the bucket -- it was open to the public without authentication, and the data stored in it was accessible to the attacker.
5. Third-party cloud activity monitoring
Monitoring requests coming in from unknown or known malicious sources, as well as heightened detection and automated response for activity from known third parties, such as business partners and consultants, could easily be a top CDR use case.
6. Detection of unauthorized changes
Unauthorized changes to cloud configuration could lead to exposure or compromise. This CDR use case could be broadly applied to a variety of resource and service types.
7. Identification of excessive privileges
One of the biggest challenges in building and maintaining a secure cloud environment is managing cloud identities and permissions policies. Many cloud IAM roles are granted more privileges than needed, which could lead to abuse and malicious actions. CDR can help identify overprivileged accounts.
8. Automated response and remediation
While the concept of cloud guardrails is well known and understood, many teams find building end-to-end guardrail automation challenging. CDR platforms could streamline and simplify common detection and response playbooks that take advantage of the cloud fabric for automation. Automated alerting, quarantining, configuration changes and rollback, as well as investigations and evidence collection, could be great starting CDR use cases for many teams.
Keep an eye on the CDR space. As it matures and becomes more prevalent with security operations teams, additional CDR use cases could manifest and evolve.