How to discover advanced persistent threats in AWS
For many organizations, it’s a matter of when, not if, a cybersecurity threat will occur. According to IBM, the average cost of a data breach in 2022 was a staggering $9.44 million in the U.S., with nearly half of breaches happening in the cloud. The longer a threat lingers, the costlier it gets. Advanced persistent threats (APTs), or threat actors that infiltrate cloud infrastructure like Amazon Web Services (AWS) and linger undetected, are on the rise. On average, threats in 2022 took nine months, or 277 days, to contain.
The good news is that if you’re able to continuously monitor your network and infrastructure, you can detect these APTs faster. The same IBM report cited above states that organizations who contain their threats within 200 days or less can save an average of $1.12 million. Let’s dive deeper into the definition of an APT and how you can use AWS services and threat hunting techniques with your cloud log data for SecOps.
What is an advanced persistent threat?
With the rise of cloud computing platforms like AWS, the security perimeter has changed. A network firewall won’t do for modern cloud environments. APTs use advanced techniques like social engineering and phishing attacks, DNS tunneling, rogue WiFi and more to infiltrate cloud infrastructure. From there, they behave like anyone else on your network to remain undetected and steal as much data as possible.
APTs have many different motives. Some threat actors are a part of a nation-state threat network, or cybercriminals that act on behalf of nations to expose intellectual property or national security information. Others are out for financial gain or just outright disruption — from economic and supply chain disruption to social disruption to make a political point. The bottom line is, these attackers are typically well-funded and extensively knowledgeable on how to exploit a network, acting undetected for months (sometimes years).
Once an APT establishes a foothold, they’ll often deploy malware to create tunnels or backdoors into a network. They may encrypt traffic or rewrite code to remain undetected. From there, they may look to escalate privileges within a system, using administrative privileges to gain access to secure parts of the network. Once they can move without detection, they can identify and exfiltrate critical data and assets.
Now that we know more about APTs, let’s explore techniques to detect them within AWS.
AWS services that monitor malicious activity
AWS GuardDuty continuously monitors for malicious activity to protect your cloud workloads and accounts. You can monitor container workloads, accounts, instances, databases, storage, and users for potential threats. The solution uses anomaly detection, machine learning (ML), behavioral modeling, and threat intelligence for threat detection. From there, you set up automated response and remediation steps to stop threat actors in their tracks.
Unlike GuardDuty, AWS Security Hub is meant to serve as a centralized hub for security alerting and cloud security posture management. Using Security Hub, you can detect deviations from security best practices, and set up alerts to aggregate security findings into a standard format. Similar to GuardDuty, Security Hub also offers automated response and remediation actions to improve mean time to response (MTTR).
However, even if you have these protections in place, it’s important to understand how log data analysis and threat hunting play into the effective detection and response strategy for APTs.
Leveraging log data for threat detection
Threat hunting is a critical part of achieving a proactive security posture. There are many threat hunting frameworks and methodologies that provide a well-defined, research-based structure to the approach. Threat hunters operate on the assumption that the cloud environment has already been compromised and the threat already exists.
Effective threat hunting requires access to massive datasets, often involving long-term historical log data. The greater the quantity and quality of IT telemetry data, the more effective the hunts can be. And, the longer that logs are retained, the more historical context can be incorporated into each hunt.
Security log data can come from a variety of sources (including but not limited to):
- DNS queries
- NetFlow records (network traffic)
- SSL/TLS and other certificate repositories
- Access logs from cloud services
- System event logs from endpoints
- Windows Event logs
- Windows Registry keys
- Endpoint detection and response (EDR) tools
- Application server logs
- Email transaction logs
- System audit records
Security teams can also take advantage of the logs from network performance monitoring solutions and other tools that are already being used for IT operations. While host-level data is most useful for detecting early-stage attacks, network data can reveal the lateral movement that’s typical of APTs.
Activating a security data lake in AWS
Because of the vast number of data sources and tools that aggregate log data in various places, it’s important to have a single source of the truth for more comprehensive visibility into an APT’s potential attack surface. However, many Security Information and Event Management systems (SIEMs) and traditional log management solutions are not optimized for scale. They’re great for real-time network observability, but the deeper threat hunting required for APTs requires a different approach.
In many cases, augmenting a SIEM like Splunk with a security data lake can provide deeper coverage, while reducing the cost of SIEMs for long-term log data retention. Teams can aggregate all of their log data into low-cost cloud object storage like Amazon S3, relying on it as a single system of record for security threat hunting, root cause analysis, and compliance reporting.
From there, a security data lake solution like ChaosSearch can seamlessly ingest log data, automatically detecting and dynamically mapping schema and handling nested JSON structures. From there, security teams can conduct log analysis across all of their log data at scale, including:
- Monitoring all IPs, ports, and endpoints that access your organization's systems
- Analyzing flow logs (e.g. VPC Flow Logs)
- Monitoring inbound traffic sources and patterns
Achieving a proactive security posture starts with having the right tools in place for detection and response. With a combination of AWS services, a SIEM and a security data lake solution, threat hunters can more accurately pinpoint the actions of APTs, shortening the duration of attacks and potentially saving millions of dollars.