# Responding to Cloud Incidents: Tales from the Front Lines

## The Current Cloud Security Landscape

- 90% of enterprises run across multiple clouds as well as their own data centers, which creates a complex attack surface
- 110% increase in cloud-conscious attacks over the past year
- 75% of attacks on cloud resources are cloud-agnostic
- 80% of attacks have an identity component, with attackers obtaining valid credentials to gain initial access
## Adversary Tactics and Techniques

- **Initial Access:**
  - Obtaining valid credentials from the dark web or compromising on-premises systems
  - Abusing public-facing applications through brute-forcing, password spraying, or exploiting misconfigurations
- **Discovery:**
  - Enumerating resources and permissions using API calls such as `get-caller-identity`, `list-objects`, and `describe-instances`
- **Credential Access:**
  - Attempting to access additional credentials, such as through the Secrets Manager API
- **Privilege Escalation:**
  - Attaching additional policies or roles to the compromised identity to gain more permissions
- **Persistence:**
  - Creating new users or access keys to maintain access to the environment
- **Exfiltration:**
  - Leveraging S3 `get-object` calls to exfiltrate data from the environment
## Preparing for Incident Response

- **People, Technology, and Process:**
  - Ensure clear communication and coordination between teams (security, IT, legal, etc.) during an incident
  - Maintain visibility into the environment through proper logging and security controls
  - Establish a well-tested incident response process to quickly contain and remediate incidents
- **Monitoring and Detection:**
  - Implement effective detection mechanisms, such as custom alerts or services like GuardDuty
  - Ensure alerts are properly forwarded and triaged by the security team
- **Reducing Attack Surface:**
  - Minimize the use of privileged permanent credentials
  - Monitor your attack surface and stay informed about your environment
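The adversary lifecycle above (discovery, then credential access, privilege escalation, persistence and exfiltration, all from one compromised identity) maps directly onto CloudTrail event names, which is what a "custom alert" of the kind mentioned under Monitoring and Detection would key on. The following is an added example written for this summary, not code from the talk or from CrowdStrike: it groups CloudTrail-shaped events by calling identity and raises a finding when discovery calls are followed, within a time window, by later-stage actions. The event samples are constructed (placeholder account id, ARNs and IPs), and the `TACTIC_OF_CALL` ruleset is a deliberately small illustration of the stage mapping, not a complete one.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) -> tactic stage named in the talk's summary.
# Illustrative subset only; a production ruleset covers many more calls per stage.
TACTIC_OF_CALL = {
    ("sts.amazonaws.com", "GetCallerIdentity"): "discovery",
    ("s3.amazonaws.com", "ListObjects"): "discovery",
    ("ec2.amazonaws.com", "DescribeInstances"): "discovery",
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "credential_access",
    ("iam.amazonaws.com", "AttachUserPolicy"): "privilege_escalation",
    ("iam.amazonaws.com", "AttachRolePolicy"): "privilege_escalation",
    ("iam.amazonaws.com", "CreateUser"): "persistence",
    ("iam.amazonaws.com", "CreateAccessKey"): "persistence",
    ("s3.amazonaws.com", "GetObject"): "exfiltration",
}

# Stages that, when they follow discovery from the same identity, turn noisy
# enumeration into a likely credential compromise.
POST_DISCOVERY_STAGES = {"credential_access", "privilege_escalation", "persistence", "exfiltration"}


def parse_time(stamp):
    """CloudTrail eventTime is UTC in the form 2024-03-01T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return the tactic stage for one event, or None if the call is not in the ruleset."""
    return TACTIC_OF_CALL.get((event["eventSource"], event["eventName"]))


def analyze(events, window=timedelta(hours=1)):
    """Group classified events per identity and return one finding per identity
    that performed discovery.  Severity rises with the number of distinct
    later-stage tactics seen within `window` of the first discovery call."""
    by_identity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        stage = classify(ev)
        if stage is None:
            continue  # not a call we track; a real detector would still keep it for context
        arn = ev["userIdentity"]["arn"]
        by_identity[arn].append((parse_time(ev["eventTime"]), stage, ev["eventName"], ev.get("sourceIPAddress")))

    findings = {}
    for arn, seq in by_identity.items():
        discovery_times = [t for t, stage, _, _ in seq if stage == "discovery"]
        if not discovery_times:
            continue  # later-stage calls without enumeration need a different rule (e.g. baselining)
        start = discovery_times[0]
        later = [(stage, name) for t, stage, name, _ in seq
                 if stage in POST_DISCOVERY_STAGES and start <= t <= start + window]
        stages = sorted({stage for stage, _ in later})
        severity = "high" if len(stages) >= 2 else ("medium" if stages else "low")
        findings[arn] = {
            "severity": severity,
            "stages": stages,
            "calls": [name for _, name in later],          # in time order
            "source_ips": sorted({ip for _, _, _, ip in seq if ip}),
        }
    return findings


# Constructed CloudTrail-shaped events, trimmed to the fields used above.  Not real
# logs: the account id 111122223333, the ARNs and the IP addresses are placeholders.
SAMPLE_EVENTS = [json.loads(line) for line in [
    '{"eventTime":"2024-03-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:05:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:08:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:15:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-03-01T10:00:30Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:iam::111122223333:role/inventory-scan"},"sourceIPAddress":"10.0.1.5"}',
    '{"eventTime":"2024-03-01T10:00:45Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/inventory-scan"},"sourceIPAddress":"10.0.1.5"}',
    '{"eventTime":"2024-03-01T10:03:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/backup-scheduler"},"sourceIPAddress":"10.0.1.6"}',
]]

if __name__ == "__main__":
    for arn, f in analyze(SAMPLE_EVENTS).items():
        print(f"{f['severity']:6} {arn}  stages={f['stages']}  calls={f['calls']}  ips={f['source_ips']}")
```

On the sample data the `ci-deploy` user is rated high (four later-stage tactics within the hour after its first enumeration call), the `inventory-scan` role is rated low (discovery only, which is normal for an inventory job), and `backup-scheduler` produces no finding because it never enumerated. That last case is the main caveat: an attacker who already knows what to fetch skips discovery, so a sequence rule like this complements, rather than replaces, per-identity baselining of which calls and source IPs are normal. In practice this logic would run over events delivered from CloudTrail through a service such as EventBridge or a SIEM rather than over an inline list.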
## CrowdStrike's Approach to Cloud Security

- **Falcon Platform:**
  - Integrates endpoint detection and response (EDR), identity threat detection and response (ITDR), and cloud security
  - Provides visibility across runtime environments, identity infrastructure, and cloud services
- **Threat Hunting and Intelligence:**
  - CrowdStrike's OverWatch team hunts for new indicators of attack and updates the product accordingly
  - CrowdStrike tracks over 250 adversary groups to anticipate their tactics and behaviors
- **Automated Deployment and Protection:**
  - Leverages AWS services and processes, such as AWS Built-in, SSM Distributor, and Kubernetes DaemonSets, to automate sensor deployment and container protection
  - Integrates with various AWS services (CloudTrail, EventBridge, Security Lake, etc.) to provide comprehensive cloud security
- **Next Steps:**
  - Learn more about CrowdStrike's cloud security offerings
  - Try the cloud security health check to assess your cloud security posture
  - Explore the CrowdStrike Charlotte AI demos for security investigations