How does your AWS environment stand up to the MITRE ATT&CK framework?

In today’s digital age, adopting public cloud platforms like Amazon Web Services (AWS) security means reinforcing them. AWS is a complex and versatile platform. When problems or security incidents arise, it’s important to have a systematic approach to investigation and analysis or it can quickly become noisy with lots of false positives. This is where the adversarial tactics, techniques, and common knowledge (MITRE ATT&CK) framework can help.

The MITRE ATT&CK framework plays a crucial role in security incident response, providing a structured and comprehensive framework for understanding, detecting and responding to cybersecurity threats and attacks. It benefits security incident response in the following ways:

• Provides a common language for describing a threat actor’s tactics, techniques and procedures (TTPs) so a security team can gain a deeper understanding of adversaries’ tactics, motives, capabilities and strategies.
• Identifies the relationship between observed behaviors and indicators of compromise (IOCs) to specific techniques and tactics within the framework for more precise detection of malicious activities and knowing which stages of an attack are in progress.
• Supports proactive threat hunting by allowing security analysts to explore their environment to identify anomalies and trace them to specific tactics or techniques.
• Helps security teams prioritize alerts and incidents based on the tactics and techniques involved to focus resources and efforts on the most critical and relevant threats.
• Informs security teams on bolstering their defenses based on weaknesses and gaps in their security posture and implementing appropriate mitigations.
• Assists in developing response playbooks, helping organizations prepare for different phases of an attack.

In developing your incident response and security defenses for your AWS environment, the MITRE ATT&CK framework is even more useful when incorporated into a so-called mind map for AWS investigations. A mind map is a graphical tool that can help you outline and follow a structured investigation process. When applied to AWS investigations, it is a visual representation or diagram that helps organize and structure the process of investigating issues, incidents or anomalies related to AWS cloud infrastructure and services.

How to incorporate the MITRE ATT&CK framework for AWS investigations

Start by identifying the relevant MITRE ATT&CK techniques associated with the AWS services and resources under investigation. MITRE ATT&CK provides a comprehensive list of tactics and techniques used by threat actors. Focus on those techniques that may apply to AWS environments.

1. Create main branches in your mind map to represent each of the MITRE ATT&CK tactics. Some of the common tactics include “Initial Access,”
   “Execution,” “Persistence,” “Privilege Escalation,” “Defense Evasion” and others. These can serve as high-level categories in your mind map.
2. Under each MITRE ATT&CK tactic, create sub-branches for the specific techniques that apply to your AWS investigation. For example, under
   “Execution,” you might include techniques like “User Execution” or “Scripting.”
3. For each technique, consider how it might show up in an AWS environment. Provide specific examples or indicators related to AWS services and resources. This could include instances of IAM (Identity and Access Management) abuse, EC2 instance compromise, or S3 bucket misconfigurations.
4. Map AWS resources and data sources to the relevant MITRE ATT&CK techniques. For instance, indicate which AWS services are relevant for each technique, such as CloudTrail logs, VPC flow logs, or CloudWatch alarms.
5. Include detection and mitigation strategies for each technique in your mind map. Explain how you can monitor and detect suspicious activities, as well as potential steps to mitigate or remediate issues. These strategies should be specific to AWS, such as configuring AWS CloudWatch
   alarms or applying AWS security best practices.

As your investigation progresses and you gain more insights, you can update the mind map to reflect the current status of your investigation. This
ensures you have an up-to-date reference for tracking your findings and actions. Incorporating the MITRE ATT&CK framework into your mind map
for AWS investigations allows you to align your investigation process with industry-standard best practices for threat detection and response. This approach helps you systematically address potential threats and vulnerabilities specific to AWS environments while keeping your investigation organized and comprehensive.

How to alert for MITRE ATT&CK in your AWS environment with Sumo Logic Cloud SIEM

While mapping aids investigations, it’s important to be proactive, automatically identifying significant movements within the AWS CloudTrail logs. Mere event-type correlations might produce countless alerts, given the routine nature of many actions.

This is where Sumo Logic’s Cloud SIEM comes into play. Let’s say you want to set an alert that gets triggered when user actions span at least three MITRE ATT&CK stages. This involves orchestrating distinct streams for discovery, collection, persistence, privilege escalation, initial access, and credential access, with an alert for any combination.

Here are the steps for how to do this:

1. In Cloud SIEM: Navigate to the Content section within the Cloud SIEM interface.
2. Rule creation: Select Rules and then choose Create.
   
3. Aggregation rule: Click on the Aggregation Rule and proceed to Create.
4. Filter events: Start by narrowing down only to CloudTrail events.
5. Correlation entity: Use user_username as the entity to ensure all events are correlated according to
   user actions.
6. Rule metadata: Assign a descriptive name and provide relevant details.
7. Timeframe: Designate a 24-hour window, ensuring alerts are pertinent to recent actions.
   
8. Aggregation parameters: Create an aggregation for each MITRE ATT&CK stage. Remember that using a
   count distinct on the user_username value aids in determining the final match logic’s output.
   
9. Detection: The final goal is to spot users with events spanning three or more MITRE ATT&CK stages.
   

Adopting this systematic approach can diminish background noise, focusing on
high-quality signals when users navigate the MITRE ATT&CK pathways
in your AWS domain. Though some adjustments might be requisite,
especially for roles like AWS admins, this framework is critical for
identifying potentially malicious activities.

Dive deeper into Sumo Logic’s Cloud SIEM solution to fortify the digital defense of your AWS environments.