Posts

Aren't AWS Cloud Investigations the same as On-Prem? - Part 1 (AWS EC2)

Introduction

If this is your first time visiting my page, welcome! If you're returning, welcome back—I'm excited to start a new mini-series. It may not be a great debate, but there are a lot of people who believe cloud investigations (we’ll be talking AWS in this series) are no different from investigating on-premises workstations or servers. To those people, I say: you are both correct and completely wrong 🤣. Jokes aside, I think this is a widely misunderstood concept that leads to so much pain and wasted time—so it’s worth addressing. Let’s talk about it.

In this mini-series, we’ll talk about some of the most commonly used AWS services, starting with EC2. I’ll share my perspective as a Security Incident Responder/Cloud Investigator and draw parallels, but also point out the significant differences between these cloud services, their on-premises equivalents, and your investigation. DISCLAIMER: We will certainly talk about EC2, but it would be i...

My Methodology to AWS Detection Engineering (Part 3 - Variable Scoring)

Introduction

Welcome back to the series! In Parts One and Two we discussed RBA object selection tailored to AWS identities and how to assign numerical risk values to those objects using SPL. We also looked at basic examples of how those base scores could stack up for various objects to cross a defined threshold. All of that was necessary to get us here: "variable scoring". We will explore some ideas to get you on your way with variable scoring in the skies of AWS. I want to stress again that this approach is derived from work I've done in my own time using Splunk, but it applies to other SIEM offerings and can be built using common programming languages like Python (which is a future project of mine). Anyway, let's get right into it.

Variable Scoring

Before we get too far, it may be helpful to define "variable scoring." Think of variable scoring like the thermostat in your home. The base score is the default temperature setting, providing a nice basel...

My Methodology to AWS Detection Engineering (Part 2: Risk Assignment)

Introduction

Welcome back to the second installment of the blog series discussing my methodology for threat detection engineering in AWS. I am humbled by the response to Part One, so thank you to everyone who reached out. I'm very happy that some of you found it helpful. In case you missed it, we covered RBA object selection for AWS and an example of how that could be of use. I recommend reading Part One before continuing here. But since you're back, I assume you are here for Part Two, so let's get into it. We will look at an example application of risk score assignment using the concepts discussed in Part One and the lessons I've learned using the available RBA features in Splunk ES. This will be a shorter post, as I want to focus on the key components that make up the risk assignment rule. Let's start by jumping right into the logic needed in this methodology.

Core Components: Initial Filter 1 in...

My Methodology to AWS Detection Engineering (Part 1: Object Selection)

Introduction

Welcome to the first installment of my new blog series discussing my methodology for threat detection engineering in AWS. This blog assumes you are familiar with Splunk Enterprise Security, its terminology, and/or similar SIEM functionality related to "Risk-Based Alerting" concepts. If not, you can read some reference docs here and here, or if you prefer videos you can go here and here. Also, if you need a refresher on AWS CloudTrail userIdentity fields, see the official documentation here. To be clear, this is just what I have been doing, and it doesn't mean that it is prescriptive. While this approach may use Splunk at its core, the concepts apply to any SIEM that allows you to perform risk scoring or has the components to do so, such as creating indices, performing lookups, and using eval commands. That said, ...