Responding to cloud incidents: Tales from the front lines (SEC313)

Here is a detailed summary of the video transcription in markdown format:

Responding to Cloud Incidents: Tales from the Front Lines

The Current Cloud Security Landscape

• 90% of enterprises are multi-cloud, not just in the data center, leading to a complex attack surface
• 110% increase in cloud-conscious attacks over the past year
• 75% of attacks on cloud resources are cloud-agnostic
• 80% of attacks have an identity component, with attackers obtaining valid credentials to gain initial access

Adversary Tactics and Techniques

1. Initial Access:

   • Obtaining valid credentials from the dark web or compromising on-premises systems
   • Abusing public-facing applications through brute-forcing, password spraying, or exploiting misconfigurations

2. Discovery:

   • Enumerating resources and permissions using various API commands (e.g., get-caller-identity, list-objects, describe-instances)

3. Credential Access:

   • Attempting to access additional credentials, such as through the Secrets Manager API

4. Privilege Escalation:

   • Attaching additional policies or roles to the compromised identity to gain more permissions

5. Persistence:

   • Creating new users or access keys to maintain access to the environment

6. Exfiltration:

   • Leveraging S3 get-object commands to exfiltrate data from the environment

Preparing for Incident Response

1. People, Technology, and Process:

   • Ensure clear communication and coordination between teams (security, IT, legal, etc.) during an incident
   • Maintain visibility into the environment through proper logging and security controls
   • Establish a well-tested incident response process to quickly contain and remediate incidents

2. Monitoring and Detection:

   • Implement effective detection mechanisms, such as custom alerts or using services like GuardDuty
   • Ensure alerts are properly forwarded and triaged by the security team

3. Reducing Attack Surface:

   • Minimize the use of privileged permanent credentials
   • Monitor your attack surface and stay informed about your environment

CrowdStrike's Approach to Cloud Security

1. Falcon Platform:

   • Integrates endpoint detection and response (EDR), identity threat detection and response (ITDR), and cloud security
   • Provides visibility across runtime environments, identity infrastructure, and cloud services

2. Threat Hunting and Intelligence:

   • CrowdStrike's Overwatch team hunts for new indicators of attack and updates the product accordingly
   • CrowdStrike tracks over 250 adversary groups to anticipate their tactics and behaviors

3. Automated Deployment and Protection:

   • Leverages AWS services and processes, such as AWS Built-in, SSM Distributor, and Kubernetes DaemonSets, to automate sensor deployment and container protection
   • Integrates with various AWS services (CloudTrail, EventBridge, Security Lake, etc.) to provide comprehensive cloud security

4. Next Steps:

   • Learn more about CrowdStrike's cloud security offerings
   • Try the cloud security health check to assess your cloud security posture
   • Explore the CrowdStrike Charlotte AI demos for security investigations