
May 11, 2021 By Tyler Diderich

Detecting users crawling the MITRE ATT&CK stages in your AWS environment

As more companies migrate workloads to the public cloud, more security operations teams face the challenge of securing those environments. Although cloud providers make it very easy to access logs, it is not always easy to digest the mountains of data they provide. One example of this is AWS CloudTrail logging. This service is extremely robust, which can lead to quite a bit of noise with basic detections.

One of Sumo Logic’s partners, Expel, released a wonderful blog called Introducing a mind map for AWS investigations. It breaks down a significant number of AWS CloudTrail event types and maps them to the MITRE ATT&CK framework. This is extremely useful for helping security teams understand their AWS CloudTrail data and run investigations into user actions.

Taking it to the SIEM

Naturally, in addition to investigation support, you will also want to detect interesting activity in these AWS CloudTrail logs automatically. While you could set up simple correlation rules to fire when these different event types are seen, that would likely just create a lot of noise, since some are extremely common for the day-to-day user.

This is where Sumo Logic’s Cloud SIEM solution can help your SOC take things to the next level. For example, looking at the AWS MindMap above, let’s say you want to alert when someone performs a set of actions that touch at least 3 of the MITRE ATT&CK stages above. We’d need to create 6 streams of tracking for Discovery, Collection, Persistence, Privilege Escalation, Initial Access, and Credential Access, and alert when at least 3 of those are seen. We can use an aggregation rule to do just that.

It works like this…

  1. Click on the Content menu button within the Cloud SIEM Enterprise user interface

  2. Click on Rules, then select the Create button

  3. Under Aggregation Rule click on the Create button

  4. Our first expression filters down to the CloudTrail events only

  5. Pick “user_username” as the Entity so all events correlate against the user (notice this also adds it to the group-by by default)

  6. Give a name and description

  7. Set the window to 24 hours since we only want this to fire if it happens in that timeframe

  8. Create an “aggregation” for each MITRE ATT&CK stage (e.g., discovery, collection, etc.)

    1. NOTE: We are doing a “count distinct” on the user_username value when there is a match, so the aggregations will be either a 0 or 1 for the final match logic

  9. Look for users that have 1 or more events on 3 or more MITRE ATT&CK stages
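The rule logic from the steps above, sketched outside the product as an added example (it is not Sumo Logic's rule code and not part of the original post). The event-to-stage mapping, the sliding 24-hour window, the helper `rec` and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative eventName -> ATT&CK stage mapping (an assumption for this example,
# not the Expel mind map); build the real one from your own CloudTrail review.
STAGE_BY_EVENT = {
    "ConsoleLogin": "Initial Access",
    "ListBuckets": "Discovery",
    "DescribeInstances": "Discovery",
    "GetObject": "Collection",
    "CreateAccessKey": "Persistence",
    "AttachUserPolicy": "Privilege Escalation",
    "GetSecretValue": "Credential Access",
}

def users_crossing_stages(events, window_hours=24, min_stages=3):
    """Return {user: sorted stages} for users touching >= min_stages in one window."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for ev in events:
        stage = STAGE_BY_EVENT.get(ev["eventName"])
        if stage:  # unmapped events feed none of the per-stage aggregations
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            per_user[ev["user_username"]].append((ts, stage))
    hits = {}
    for user, seen in per_user.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # "count distinct" per stage is 0 or 1, so a set of stage names suffices
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= min_stages and len(stages) > len(hits.get(user, ())):
                hits[user] = sorted(stages)
    return hits

def rec(user, time, name):  # hypothetical helper for building sample records
    return {"user_username": user, "eventTime": time, "eventName": name}

# Constructed sample records (not real CloudTrail output), reduced to three fields.
SAMPLE = [
    rec("alice", "2021-05-10T09:00:00Z", "DescribeInstances"),  # one stage, repeated
    rec("alice", "2021-05-10T09:05:00Z", "ListBuckets"),
    rec("bob", "2021-05-10T10:00:00Z", "ListBuckets"),          # three stages in 3 hours
    rec("bob", "2021-05-10T11:30:00Z", "GetObject"),
    rec("bob", "2021-05-10T13:00:00Z", "CreateAccessKey"),
    rec("carol", "2021-05-01T09:00:00Z", "ConsoleLogin"),       # three stages over 4 days
    rec("carol", "2021-05-03T09:00:00Z", "ListBuckets"),
    rec("carol", "2021-05-05T08:00:00Z", "GetSecretValue"),
]
```

Only `bob` is returned for the default 24-hour window: `alice` generates repeated events in a single stage, and `carol` touches three stages but spread over several days.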

Now, rather than noise, you’re getting high-fidelity Signals when users are crawling the MITRE ATT&CK stages throughout your AWS environment. While this may still need some tuning (looking at you, AWS admins), this should be a great starting point for finding users performing suspicious actions within your AWS environment.

To learn more about Sumo Logic’s Cloud SIEM solution, check it out HERE.
