How does your AWS environment stand up to the mitre att&ck framework?

Blog

How does your AWS environment stand up to the MITRE ATT&CK framework?

Christopher Beier
Table of contents

AWS_MITRE_blog

In today’s digital age, adopting public cloud platforms like Amazon Web Services (AWS) security means reinforcing them. AWS is a complex and versatile platform. When problems or security incidents arise, it’s important to have a systematic approach to investigation and analysis or it can quickly become noisy with lots of false positives. This is where the adversarial tactics, techniques, and common knowledge (MITRE ATT&CK) framework can help.

The MITRE ATT&CK framework plays a crucial role in security incident response, providing a structured and comprehensive framework for understanding, detecting and responding to cybersecurity threats and attacks. It benefits security incident response in the following ways:

  • Provides a common language for describing a threat actor’s tactics, techniques and procedures (TTPs) so a security team can gain a deeper understanding of adversaries’ tactics, motives, capabilities and strategies.
  • Identifies the relationship between observed behaviors and indicators of compromise (IOCs) to specific techniques and tactics within the framework for more precise detection of malicious activities and knowing which stages of an attack are in progress.
  • Supports proactive threat hunting by allowing security analysts to explore their environment to identify anomalies and trace them to specific tactics or techniques.
  • Helps security teams prioritize alerts and incidents based on the tactics and techniques involved to focus resources and efforts on the most critical and relevant threats.
  • Informs security teams on bolstering their defenses based on weaknesses and gaps in their security posture and implementing appropriate mitigations.
  • Assists in developing response playbooks, helping organizations prepare for different phases of an attack.

In developing your incident response and security defenses for your AWS environment, the MITRE ATT&CK framework is even more useful when incorporated into a so-called mind map for AWS investigations. A mind map is a graphical tool that can help you outline and follow a structured investigation process. When applied to AWS investigations, it is a visual representation or diagram that helps organize and structure the process of investigating issues, incidents or anomalies related to AWS cloud infrastructure and services.

How to incorporate the MITRE ATT&CK framework for AWS investigations

Start by identifying the relevant MITRE ATT&CK techniques associated with the AWS services and resources under investigation. MITRE ATT&CK provides a comprehensive list of tactics and techniques used by threat actors. Focus on those techniques that may apply to AWS environments.

  1. Create main branches in your mind map to represent each of the MITRE ATT&CK tactics. Some of the common tactics include “Initial Access,”
    “Execution,” “Persistence,” “Privilege Escalation,” “Defense Evasion” and others. These can serve as high-level categories in your mind map.
  2. Under each MITRE ATT&CK tactic, create sub-branches for the specific techniques that apply to your AWS investigation. For example, under
    “Execution,” you might include techniques like “User Execution” or “Scripting.”
  3. For each technique, consider how it might show up in an AWS environment. Provide specific examples or indicators related to AWS services and resources. This could include instances of IAM (Identity and Access Management) abuse, EC2 instance compromise, or S3 bucket misconfigurations.
  4. Map AWS resources and data sources to the relevant MITRE ATT&CK techniques. For instance, indicate which AWS services are relevant for each technique, such as CloudTrail logs, VPC flow logs, or CloudWatch alarms.
  5. Include detection and mitigation strategies for each technique in your mind map. Explain how you can monitor and detect suspicious activities, as well as potential steps to mitigate or remediate issues. These strategies should be specific to AWS, such as configuring AWS CloudWatch
    alarms or applying AWS security best practices.

As your investigation progresses and you gain more insights, you can update the mind map to reflect the current status of your investigation. This
ensures you have an up-to-date reference for tracking your findings and actions. Incorporating the MITRE ATT&CK framework into your mind map
for AWS investigations allows you to align your investigation process with industry-standard best practices for threat detection and response. This approach helps you systematically address potential threats and vulnerabilities specific to AWS environments while keeping your investigation organized and comprehensive.

How to incorporate the MITRE ATT&CK framework for AWS investigations

How to alert for MITRE ATT&CK in your AWS environment with Sumo Logic Cloud SIEM

While mapping aids investigations, it’s important to be proactive, automatically identifying significant movements within the AWS CloudTrail logs. Mere event-type correlations might produce countless alerts, given the routine nature of many actions.

This is where Sumo Logic’s Cloud SIEM comes into play. Let’s say you want to set an alert that gets triggered when user actions span at least three MITRE ATT&CK stages. This involves orchestrating distinct streams for discovery, collection, persistence, privilege escalation, initial access, and credential access, with an alert for any combination.

Here are the steps for how to do this:

  1. In Cloud SIEM: Navigate to the Content section within the Cloud SIEM interface.Navigate to the Content section within the Cloud SIEM interface
  2. Rule creation: Select Rules and then choose Create.
    Rule creation Select Rules
  3. Aggregation rule: Click on the Aggregation Rule and proceed to Create.Aggregation rule Click on the Aggregation Rule
  4. Filter events: Start by narrowing down only to CloudTrail events.
  5. Correlation entity: Use user_username as the entity to ensure all events are correlated according to
    user actions.
  6. Rule metadata: Assign a descriptive name and provide relevant details.
  7. Timeframe: Designate a 24-hour window, ensuring alerts are pertinent to recent actions.
    Timeframe: Designate a 24-hour window
  8. Aggregation parameters: Create an aggregation for each MITRE ATT&CK stage. Remember that using a
    count distinct on the user_username value aids in determining the final match logic’s output.
    Aggregation parameters
  9. Detection: The final goal is to spot users with events spanning three or more MITRE ATT&CK stages.
    Detection

Adopting this systematic approach can diminish background noise, focusing on
high-quality signals when users navigate the MITRE ATT&CK pathways
in your AWS domain. Though some adjustments might be requisite,
especially for roles like AWS admins, this framework is critical for
identifying potentially malicious activities.

Dive deeper into Sumo Logic’s Cloud SIEM solution to fortify the digital defense of your AWS environments.

Christopher Beier
Principal Product Marketing Manager

Christopher has spent the past 25 years dedicated to work in cybersecurity. He’s a US Navy veteran who did IT work in submarines.

From his home in Forest Grove, OR, he enjoys flying stunt kites, college football (Go Ducks!), and watching his kids’ swim meets.

People who read this also enjoyed

The patching paradox: The reality of AI in security

Secure your Slack environment with Sumo Logic Cloud SIEM

How log management protects your security stack