Detection Use Cases

Sift Security CloudHunter provides support for common detection use cases as well as the ability to customize those detections and create entirely new ones. The out-of-the-box use cases are supported through our graph analytics, our custom rules engine, and our anomaly detection engine. This section provides an overview of our library of detection use cases. Here we highlight the key detection categories, listed under each stage of the Cloud Attack Chain: Exposure, Access, Lateral Movement, and Actions (see The Cloud Attack Chain). A full list of all 100+ detections, organized by stage and category, is available upon request.

Exposure

Open Permissions: Cloud Storage Bucket Open to Internet

A storage bucket policy has been modified to expose a storage bucket to unauthenticated users. Open permissions on a bucket could result in exfiltration of sensitive data.

Requires: CloudTrail

Open Permissions: Overly Permissive Network ACL

A network ACL allows traffic on all ports from the internet. Open network ACLs can expose sensitive data, allow adversaries to perform recon on your cloud infrastructure, and give attackers a route to gain access to resources in the subnet to which the ACL is associated.

Requires: CloudTrail, API Access

Open Permissions: Overly Permissive Network Security Group

A security group allows traffic on all ports from the internet. Open security groups can expose sensitive data, allow adversaries to perform recon, and give attackers a route to gain access to the resources to which they are applied.

Requires: CloudTrail, API Access

Open Permissions: Unusual Port Range Used in Security Group

A security group exposes a port range that is unusual for the account the instance is located in. This may indicate a misconfiguration that is exposing a service to the internet that should be private, or an instance being used for something inappropriate for the underlying account. Open security groups can expose sensitive data, allow adversaries to perform recon, and give attackers a route to gain access to the resources to which they are applied.

Requires: CloudTrail, API Access

Access

Location Anomaly: SSH activity from unusual geolocation

A spike in SSH network traffic to or from an IP address in an unusual geolocation indicates a successful SSH logon from that location. This alert is raised when the IP address is in a geolocation that is unusual for this account, indicating that an attacker may have gained access to an instance.

Requires: VPC Flow

Location Anomaly: Multiple simultaneous geolocations

A user credential taking action from multiple simultaneous geolocations indicates that the credential is either being shared or has been compromised or stolen.

Requires: CloudTrail

Credential Loss: User account compromise with attempt to hide changes

Unusual access was followed by API calls that are commonly used by attackers to cover their tracks when taking action using lost or stolen credentials. The API calls involved disable or delete common logging mechanisms.

Requires: CloudTrail

Lateral Movement

Privilege Escalation: Unusual unauthorized actions volume

A user, role, or instance is exhibiting an unusual volume of unauthorized actions. Such a spike is common in credential loss or insider threats, when an attacker is doing recon in the environment or trying to get access to specific resources.

Requires: CloudTrail

Credential Loss: User account compromise with IAM persistence

User credentials are being used from an unusual location to make IAM changes. This is common behavior for lost or stolen credentials, where an attacker tries to establish persistence or access other resources. These actions should be scrutinized to ensure they are legitimate.

Requires: CloudTrail

Action

Information Loss: S3 exposure and Exfiltration

An anonymous user has downloaded data from an S3 bucket that has recently been opened to the internet. If this bucket exposure was unintentional, data may have already been leaked to someone outside your organization.

Requires: CloudTrail
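As a worked illustration of how the Exposure use case (bucket opened to the internet) and the Exfiltration use case above can be correlated, here is an added example that is not CloudHunter's own rule logic. It runs over constructed, simplified CloudTrail-style records; the record shape and the marker used to recognise an anonymous requester are assumptions and should be adapted to the real log source.

```python
from datetime import datetime, timedelta

# Constructed, simplified CloudTrail-style records (not real log data). Real
# PutBucketPolicy events carry the policy as a JSON string; it is a dict here.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "corp-reports", "bucketPolicy": {
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::corp-reports/*"}]}}},
    {"eventTime": "2024-05-01T10:07:30Z", "eventName": "GetObject",
     "userIdentity": {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"},
     "requestParameters": {"bucketName": "corp-reports", "key": "q1-financials.pdf"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "corp-reports", "key": "readme.txt"}},
]
READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject"}

def policy_opens_bucket(policy):
    """True if an unconditional Allow statement grants object reads to everyone."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (for example a source-VPC restriction) means it is not truly open.
        if (st.get("Effect") == "Allow" and public and not st.get("Condition")
                and READ_ACTIONS.intersection(actions)):
            return True
    return False

def is_anonymous(identity):
    """Assumed marker for unauthenticated S3 requests: empty principal, 'anonymous' account."""
    return identity.get("accountId") == "anonymous" or identity.get("principalId") == ""

def detect_exposure_and_exfiltration(events, window=timedelta(hours=24)):
    """Correlate a bucket being opened to the internet with anonymous downloads after it."""
    opened, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        params = ev.get("requestParameters", {})
        bucket = params.get("bucketName")
        if ev["eventName"] == "PutBucketPolicy" and policy_opens_bucket(params.get("bucketPolicy", {})):
            opened[bucket] = when
            alerts.append(("Exposure", bucket, "bucket policy allows Principal *"))
        elif ev["eventName"] == "GetObject" and is_anonymous(ev["userIdentity"]):
            if bucket in opened and when - opened[bucket] <= window:
                alerts.append(("Exfiltration", bucket, params.get("key")))
    return alerts
```

Authenticated downloads (bob's GetObject) are deliberately not flagged, and a public statement that carries a Condition is not treated as an exposure; both choices are where a real rule would be tuned.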

Suspicious Access: Suspicious instance and instance behavior

A recently created instance stands out from the rest of the instances in this account because it uses unusual keys, has an unusual type, is in an unusual region, etc. Additionally, there is suspicious API activity coming from the instance (IAM changes, S3 bucket access, etc.). Such instances should be reviewed to ensure they are being used for legitimate purposes.

Requires: CloudTrail

Credential Loss: User account compromise with abuse (instance creation)

User credentials are being used from an unusual location to create new EC2 instances. This is common behavior for lost or stolen credentials.

Requires: CloudTrail