Responding to cloud incidents: Tales from the front lines (SEC313)



The Current Cloud Security Landscape

  • 90% of enterprises are multi-cloud rather than confined to the data center, which produces a complex attack surface
  • 110% increase in cloud-conscious attacks over the past year
  • 75% of attacks on cloud resources are cloud-agnostic
  • 80% of attacks have an identity component, with attackers obtaining valid credentials to gain initial access

Adversary Tactics and Techniques

  1. Initial Access:

    • Obtaining valid credentials from the dark web or compromising on-premises systems
    • Abusing public-facing applications through brute-forcing, password spraying, or exploiting misconfigurations
  2. Discovery:

    • Enumerating resources and permissions using various API commands (e.g., get-caller-identity, list-objects, describe-instances)
  3. Credential Access:

    • Attempting to access additional credentials, such as through the Secrets Manager API
  4. Privilege Escalation:

    • Attaching additional policies or roles to the compromised identity to gain more permissions
  5. Persistence:

    • Creating new users or access keys to maintain access to the environment
  6. Exfiltration:

    • Leveraging S3 get-object commands to exfiltrate data from the environment

Preparing for Incident Response

  1. People, Technology, and Process:

    • Ensure clear communication and coordination between teams (security, IT, legal, etc.) during an incident
    • Maintain visibility into the environment through proper logging and security controls
    • Establish a well-tested incident response process to quickly contain and remediate incidents
  2. Monitoring and Detection:

    • Implement effective detection mechanisms, such as custom alerts or using services like GuardDuty
    • Ensure alerts are properly forwarded and triaged by the security team
  3. Reducing Attack Surface:

    • Minimize the use of privileged permanent credentials
    • Monitor your attack surface and stay informed about your environment
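The adversary chain above (discovery, credential access, privilege escalation, persistence, exfiltration) shows up in CloudTrail as a sequence of API calls made with one stolen access key, and the "custom alerts" the detection section calls for can key on exactly that. The following is an added example, not code from the talk or from CrowdStrike: it correlates CloudTrail-style records per access key and flags any principal whose activity spans several stages. The event names come from the API calls the talk lists; the stage labels, the threshold and the sample records are this example's own constructions.

```python
import json
from collections import defaultdict

# eventName -> stage, following the API calls the talk lists per stage;
# the stage labels themselves are this example's own.
STAGES = {
    "GetCallerIdentity": "discovery", "ListBuckets": "discovery",
    "ListObjects": "discovery", "DescribeInstances": "discovery",
    "GetSecretValue": "credential_access",
    "AttachUserPolicy": "privilege_escalation", "AttachRolePolicy": "privilege_escalation",
    "CreateUser": "persistence", "CreateAccessKey": "persistence",
    "GetObject": "exfiltration",
}
ORDER = ["discovery", "credential_access", "privilege_escalation", "persistence", "exfiltration"]

def load_records(text):
    """Parse a CloudTrail log file body of the form {"Records": [...]}."""
    return json.loads(text)["Records"]

def principal_of(event):
    """Key on the access key id so every call made with one stolen key lands together."""
    ident = event.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn", "unknown")

def correlate(events):
    """Return {principal: stages observed, in kill-chain order}."""
    seen = defaultdict(set)
    for ev in events:
        # Calls that failed with AccessDenied still count: failed enumeration
        # is itself a discovery signal, so errorCode is deliberately ignored.
        stage = STAGES.get(ev.get("eventName"))
        if stage:
            seen[principal_of(ev)].add(stage)
    return {p: [s for s in ORDER if s in st] for p, st in seen.items()}

def alert(events, min_stages=3):
    """Flag principals spanning >= min_stages stages: one Describe call is routine,
    discovery followed by secret reads and new access keys is not."""
    return {p: st for p, st in correlate(events).items() if len(st) >= min_stages}

# Constructed CloudTrail-style records (trimmed fields, placeholder key ids), not real logs.
def _rec(key, name, err=None):
    return {"userIdentity": {"accessKeyId": key}, "eventName": name, **({"errorCode": err} if err else {})}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("AKIACONSTRUCTED0001", "GetCallerIdentity"),
    _rec("AKIACONSTRUCTED0001", "ListBuckets", "AccessDenied"),
    _rec("AKIACONSTRUCTED0001", "GetSecretValue"),
    _rec("AKIACONSTRUCTED0001", "AttachUserPolicy"),
    _rec("AKIACONSTRUCTED0001", "CreateAccessKey"),
    _rec("AKIACONSTRUCTED0001", "GetObject"),
    _rec("AKIACONSTRUCTED0002", "DescribeInstances"),  # routine, stays below threshold
]})
```

In practice the records would come from the CloudTrail bucket or an EventBridge rule rather than the inline sample, and the threshold should be tuned against the baseline of your own admin tooling.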

CrowdStrike's Approach to Cloud Security

  1. Falcon Platform:

    • Integrates endpoint detection and response (EDR), identity threat detection and response (ITDR), and cloud security
    • Provides visibility across runtime environments, identity infrastructure, and cloud services
  2. Threat Hunting and Intelligence:

    • CrowdStrike's OverWatch team hunts for new indicators of attack and updates the product accordingly
    • CrowdStrike tracks over 250 adversary groups to anticipate their tactics and behaviors
  3. Automated Deployment and Protection:

    • Leverages AWS services and processes, such as AWS Built-in, SSM Distributor, and Kubernetes DaemonSets, to automate sensor deployment and container protection
    • Integrates with various AWS services (CloudTrail, EventBridge, Security Lake, etc.) to provide comprehensive cloud security
  4. Next Steps:

    • Learn more about CrowdStrike's cloud security offerings
    • Try the cloud security health check to assess your cloud security posture
    • Explore the CrowdStrike Charlotte AI demos for security investigations
