Quick recap

The meeting began with a presentation by Itay Haral on cloud detection engineering, focusing on role unchaining in AWS and the challenges of tracing activities back to the original actor. The discussion then shifted to operationalizing cloud monitoring, log analysis, and the importance of parsers in building a comprehensive investigation graph, with participants sharing insights on different cloud service providers and vulnerability management strategies. The conversation ended with discussions about proactive threat detection tools, the challenges educational institutions face in maintaining cybersecurity, and personal anecdotes shared by team members.

Cloud Detection Engineering Presentation

Shawn opened the meeting, welcoming participants and encouraging them to connect on LinkedIn. He introduced a special guest, Itay Haral from the threat research team, who would be presenting on cloud detection engineering. Shawn also mentioned that the meeting would be recorded, for the benefit of those who wished to follow along without participating on the recording. Itay began his presentation by describing his path into detection engineering and his experiences at Gem and Wiz. He highlighted the challenges and opportunities he encountered in building detection content for detection engineers and SOC teams. The meeting was open for questions and discussion.

Role Unchaining for Incident Investigation

Itay discussed the importance of role unchaining in AWS for SOC teams, highlighting its role in tracing activities back to the original actor. He explained that role chaining, where a principal assumes one role and then uses that role to assume another, obscures the identity of the original actor and makes incidents difficult to investigate. Itay emphasized that unchaining is crucial for understanding what happened, investigating, and responding if necessary. He also described two types of attackers: drive-by attackers, who are noisy and easy to detect, and more sophisticated attackers, who use role chaining to obfuscate their identity. The segment ended with Itay outlining a process for role unchaining: starting from a suspicious event, search for the AssumeRole event that created the session the event was performed under, and repeat until the original principal is reached.

Challenges in Unchaining AWS Access Keys

Itay discussed the challenges his team faced while trying to unchain access keys in AWS. Initially, they found the temporary access keys issued by AssumeRole to be a useful breadcrumb for unchaining, but this method proved insufficient because of the console port quirk, in which console sessions are logged under temporary access keys that look almost random and never appear in an AssumeRole response. Itay also mentioned the console conceal quirk, which lets attackers use the AWS console for reconnaissance without their activities being logged under the relevant access key. However, he noted that attackers typically use the console for reconnaissance rather than to obfuscate their identity. Consequently, the team had to find alternative breadcrumbs for the role assumption chain. They settled on the identity tuple, consisting of the session name, the role name, and the session creation date, which has proven effective for unchaining across multiple accounts within an organization. Itay also clarified that external identity providers (IdPs) such as Okta simplify unchaining, since they restrict certain actions that attackers might otherwise exploit.

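The unchaining procedure described in the two sections above, as an added example that is not part of the original presentation or any tool from Itay's team: it walks constructed CloudTrail-style records backwards from a suspicious event to the original principal, using the identity tuple (role name, session name, session creation date) to find the AssumeRole event that minted each session. For comparison it also implements the weaker breadcrumb, the temporary access key, and reproduces the console quirk: a console event logged under a key that appears in no AssumeRole response cannot be resolved by key, but the identity tuple still resolves it. All events, account ids, ARNs and access key ids are placeholders constructed for the example.

```python
# Added example (not the speaker's or his employer's tooling): role unchaining over
# CloudTrail records using the identity tuple as the breadcrumb. All events, ARNs,
# account ids and access key ids below are constructed placeholders.
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder account id


def assumed_role(role, session, created, key):
    """userIdentity block CloudTrail writes for a temporary role session."""
    return {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}",
        "accessKeyId": key,
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "userName": role,
                              "arn": f"arn:aws:iam::{ACCOUNT}:role/{role}"},
            "attributes": {"creationDate": created, "mfaAuthenticated": "false"},
        },
    }


def assume_role_event(time, identity, role, session, new_key):
    """Constructed sts:AssumeRole record: caller identity, requested role, issued key."""
    return {
        "eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": identity,
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/{role}",
                              "roleSessionName": session},
        "responseElements": {"credentials": {"accessKeyId": new_key}},
    }


ALICE = {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000001",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
ROLE_A = assumed_role("RoleA", "alice-session", "2025-01-03T10:00:00Z", "ASIAEXAMPLE00000000A")
ROLE_B = assumed_role("RoleB", "pipeline", "2025-01-03T10:05:00Z", "ASIAEXAMPLE00000000B")

EVENTS = [
    # hop 1: IAM user alice assumes RoleA; hop 2: the RoleA session chains into RoleB
    assume_role_event("2025-01-03T10:00:00Z", ALICE, "RoleA", "alice-session", "ASIAEXAMPLE00000000A"),
    assume_role_event("2025-01-03T10:05:00Z", ROLE_A, "RoleB", "pipeline", "ASIAEXAMPLE00000000B"),
    # suspicious CLI call made with the RoleB credentials from the AssumeRole response
    {"eventTime": "2025-01-03T10:07:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "userIdentity": ROLE_B},
    # console quirk: the same RoleB session used from the console is logged under a
    # console-minted temporary key that appears in no AssumeRole response
    {"eventTime": "2025-01-03T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles",
     "userIdentity": assumed_role("RoleB", "pipeline", "2025-01-03T10:05:00Z", "ASIAEXAMPLE0CONSOLE1")},
]

_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # CloudTrail timestamp


def identity_tuple(identity):
    """(role name, session name, creation date) for an AssumedRole identity."""
    role, session = identity["arn"].rsplit("/", 2)[-2:]
    return role, session, identity["sessionContext"]["attributes"]["creationDate"]


def find_by_tuple(events, tup, tolerance=timedelta(seconds=5)):
    """AssumeRole event that minted this session: same role and session name, and an
    eventTime within `tolerance` of the session's creationDate (disambiguates reuse)."""
    role, session, created = tup
    for ev in events:
        if ev["eventName"] != "AssumeRole":
            continue
        rp = ev["requestParameters"]
        if (rp["roleArn"].rsplit("/", 1)[-1] == role and rp["roleSessionName"] == session
                and abs(_ts(ev["eventTime"]) - _ts(created)) <= tolerance):
            return ev
    return None


def find_by_key(events, key):
    """The weaker breadcrumb: the AssumeRole event whose response issued this key."""
    for ev in events:
        if ev["eventName"] == "AssumeRole" and ev["responseElements"]["credentials"]["accessKeyId"] == key:
            return ev
    return None


def unchain(events, suspicious, strategy="tuple"):
    """Walk AssumeRole hops backwards. Returns the ARNs from the suspicious session to
    the original principal, ending in '<unresolved>' if a hop cannot be found."""
    identity = suspicious["userIdentity"]
    chain = [identity["arn"]]
    visited = set()
    while identity["type"] == "AssumedRole":
        if strategy == "tuple":
            hop = find_by_tuple(events, identity_tuple(identity))
        else:
            hop = find_by_key(events, identity["accessKeyId"])
        if hop is None or hop["eventTime"] in visited:  # missing hop, or a loop
            chain.append("<unresolved>")
            break
        visited.add(hop["eventTime"])
        identity = hop["userIdentity"]
        chain.append(identity["arn"])
    return chain


if __name__ == "__main__":
    for ev in EVENTS[2:]:
        print(ev["eventName"], "by key:  ", " <- ".join(unchain(EVENTS, ev, "key")))
        print(ev["eventName"], "by tuple:", " <- ".join(unchain(EVENTS, ev)))
```

Run stand-alone, the script resolves the CLI call to `RoleB <- RoleA <- user/alice` with either breadcrumb, while the console event resolves only by identity tuple and ends in `<unresolved>` by key. The same lookup can run at ingestion time, so that every stored event carries its origin principal as an enrichment field rather than being resolved during an investigation; for cross-account chains it needs the AssumeRole records of every account in the organization in one searchable store, and the `tolerance` window is an assumption that should be tuned to the clock skew observed in the environment.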
Cloud Monitoring and Log Analysis

In the meeting, Shawn and Itay discussed how cloud monitoring is operationalized and the importance of log analysis. They highlighted the need for a policy on how to react to events and the roles of different teams in monitoring alerts. Itay emphasized the importance of role unchaining for both investigation and detection, particularly at large scale. He also discussed the benefits of unchaining at ingestion time, such as producing investigation breakdowns and building a detection engine on top of the enriched events. The team also touched on the cost implications of log collection and analysis, with Shawn noting that smaller operations might find GuardDuty useful but that it becomes expensive and less useful in larger environments.

Parser Challenges in Cloud Investigations

In the meeting, Itay discussed the importance of parsers in building a comprehensive investigation graph for understanding attack timelines. He highlighted the challenges faced with AWS and Azure, noting that AWS requires more complex parsing because of its event structure. Itay also shared a method of cross-referencing logs against inventory to build better timelines. Matt Alvarez asked how difficult it is to track actors across different cloud service providers, to which Itay responded that GCP is the easiest, followed by AWS, and then Azure. Jay agreed with Itay's assessment, noting that even Microsoft struggles with Azure.

Gratitude, Future Sessions, and Tech Impact

Shawn expressed gratitude for Itay's presentation and invited him to return for future sessions. Shawn then left the meeting to undergo a PET scan. The team wished Shawn good luck and expressed their appreciation for Itay's contribution. The team also discussed the upcoming changes in the administration and the potential impact on their work. Jay and Matt Alvarez discussed the interesting talks they had attended at the CCC conference, highlighting the political undertones and the impact of technology on society. They also discussed the recent appeals court decision striking down net neutrality rules, expressing concern about the potential consequences. Neil mentioned that NVD had enriched about 1% of all new CVEs in the last two weeks of December and that Cisco seemed to be backing away from them.

Vulnerability Management and Scoring Challenges

This segment discusses ongoing challenges and perspectives regarding vulnerability management and scoring systems like the NVD and CVSS. Neil expresses concerns about the fragmentation of vulnerability scoring approaches as NVD's role becomes uncertain, potentially leading to inconsistent prioritization. Jay suggests focusing more on preventative controls rather than chasing alerts. They acknowledge communication issues from NVD but debate whether a centralized vulnerability scoring system is truly necessary. The discussion highlights the difficulties smaller organizations face in keeping up with vulnerability remediation amidst an overwhelming number of alerts.

GreyNoise, Paid Intelligence, and Vulnerabilities

In the meeting, Matt Alvarez discussed the potential of GreyNoise as a proactive tool for detecting exploitation activity, suggesting it could provide valuable context on exploitability. Neil expressed concerns about the increasing reliance on paid intelligence services, fearing it could widen the gap between those who can afford protection and those who cannot. Jay emphasized the importance of having a good backup strategy and being able to respond quickly to vulnerabilities, suggesting that early detection may not always be the most crucial factor. The team also discussed the challenge of balancing the need for intelligence against the need to protect the ecosystem as a whole.

School District Network Security Challenges

In the meeting, Matt Alvarez shared his experiences working in school district networks and the challenges school districts face in maintaining security. He mentioned his father's experience with a ransomware attack that resulted in the loss of data. Jay shared his experience with a university's network team, highlighting the issue of alert fatigue. Matt also shared his experience working at a hotel during its construction, where he encountered alert fatigue from frequent fire alarm tests. The team discussed the importance of regular drills and procedures to prepare for emergencies. Neil shared his experience participating in the Polar Bear Plunge at Coney Island on New Year's Day. The team ended the conversation with well wishes for the upcoming weekend.

AI-generated content may be inaccurate or misleading. Always check for accuracy.