Detect and reply to compromised identities in minutes with Sysdig

Sysdig continues to reinforce our real-time cloud detection and response (CDR) capabilities with the introduction of Cloud Identification Insights, empowering clients to research id assault patterns and get forward of menace actors. On this publish, we’ll discover how Sysdig makes use of Cloud Identification Insights to correlate suspicious occasions with doubtlessly compromised consumer accounts. Outfitted with this context, defenders can swiftly reply, utilizing knowledge from the incident to optimize entry insurance policies for compromised customers — all inside minutes.

Listed below are just some of the important thing new capabilities Cloud Identification Insights affords to complement your CDR workflows:

• Detect potential compromise in seconds with Superior Cloud Behavioral Analytics
• Comprise compromised identities with guided remediation
• Stop future assaults with least permissive coverage optimization

See Cloud Identification Insights in motion

Sysdig’s Cloud Identification Insights brings id context to CDR workflows, shortly figuring out when a consumer has been compromised. This new function enriches safety telemetry and allows customers to answer incidents quicker, containing the influence of a safety breach. 

The modus operandi

To indicate what this seems like in follow, we simulated the SCARLETEEL assault, the place we compromised a susceptible utility (Spring4Shell) to raise AWS privilege, disable CloudTrail logging, modify S3 bucket coverage, and steal confidential knowledge. 

After assuming the compromised IAM function, we ran a discovery script that sequentially referred to as a number of AWS APIs inside a brief length.

Superior Cloud Behavioral Analytics

We start our detection and response workflow with a take a look at the Excessive severity occasions on our Cloud Occasions dashboard. 

Superior Cloud Behavioral Analytics are an early sign that the consumer might have been compromised, and determine suspicious patterns with excessive confidence by taking a look at consumer actions over a broader timeframe. For instance, the presence of malicious software program like Pacu operating code to find your cloud accounts can be thought of suspicious, until there’s a deliberate pink workforce train. 

Set off occasions in Sysdig Safe

To show this, we used our compromised consumer account Admin6 to name a number of AWS SES (Easy E mail Service) APIs (Software Programming Interfaces) inside a brief timeframe.

class SuspiciousSesRequests:

    def run(self, user_name, aws_region, aws_access_key_id, secret_access_key):
        log.data("Generating Suspicious Ses stateful-event for user: " + user_name)
        strive:
            session = boto3.Session(
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=secret_access_key,
                region_name=aws_region,)
            
            ses = session.shopper("ses")
            ses.get_send_quota()
            ses.list_identities()
            ses.get_send_statistics()
            ses.list_verified_email_addresses()
            ses.get_account_sending_enabled()
            ses_v2 = session.shopper("sesv2")
            ses_v2.get_account()
            secretsmanager = session.shopper("secretsmanager")
            secretsmanager.list_secrets()
        besides Exception:
            log.error("Error running AWS calls", exc_info=True)

if __name__ == "__main__":
    config = Config()
    requests = SuspiciousSesRequests()
    requests.run(
        user_name = config.aws_user_name, 
        aws_region= config.aws_region,
        aws_access_key_id = config.aws_access_key_id,
        secret_access_key = config.secret_access_key)Code language: Perl (perl)

Sysdig logged a timeline of Superior Cloud Behavioral Analytics detections (see Suspicious SES Exercise Detected).

These detections point out that the adversary scanned the cloud to uncover blind spots and abuse providers like AWS SES. From the feed alone, we are able to see this consumer has been doubtlessly compromised. We are able to additionally see any subsequent actions this consumer took. Pay shut consideration to the occasion timestamps — they had been logged in fast succession from the identical cloud account. 

Not like Falco detections, Superior Cloud Behavioral Analytics observes occasion habits and triggers occasions when a sequence of steps are taken by the menace actor to realize their objectives. In our instance, the suspicious SES exercise signifies that the adversary made a number of API calls to realize their targets, together with leaked secrets and techniques, electronic mail tackle parsing, and crafting phishing emails.

Safety groups are concurrently notified of the above occasions and the related consumer accounts. As soon as a doubtlessly compromised consumer has been recognized, real-time id correlation helps examine the account in minutes and reply important questions like:

• What assets had been accessed by the adversary?
• Whose consumer credentials had been compromised?
• Which strategies did the adversary use to breach the perimeter?
• The place else has the adversary exercise been reported from? 

Examine with real-time id correlation

Now that we now have ample data that signifies adversarial presence, let’s dive in and examine. We’ll transfer into the Identification investigation view, the place Sysdig robotically associates the Recon occasions to an EC2 IAM function and plots them on a world map.

Inside this view, Sysdig robotically correlates cloud occasions and location-aware identities, giving safety groups a transparent view of the adversary’s actions and different particulars associated to the possibly compromised consumer. We are able to immediately uncover key particulars, such because the cloud account during which the occasion was first detected.

We are able to additionally see that the Admin6 consumer account was chargeable for triggering the Suspicious SES occasion.

At crunch time, you want all accessible knowledge at your fingertips, and Sysdig gives all the data you could possibly presumably want, making it simple to determine the compromised consumer as Admin6. The consumer account is robotically flagged as a Essential Danger and labeled as Doubtlessly Compromised based mostly on the suspicious exercise. 

Sysdig additionally robotically correlates knowledge from different sources, together with workloads, cases, and IAM roles, to visualise the total assault path as a graph. This computerized cross-cloud context and correlation allows safety groups to analyze the possibly compromised consumer in minutes after which reply instantly. Primarily based on this context, it’s clear that this consumer has been compromised. 

Deploy response methods

Subsequent, we manually flag Admin6 as compromised, tagging this account throughout the platform as a threat that must be addressed instantly.

As quickly because the consumer Admin6 account is flagged as Doubtlessly Compromised, Sysdig recommends Remediation Methods to include and cease the attacker in its tracks. The checklist of methods ranges from a easy password reset to deleting the compromised consumer, and contains:

• Add Restrictive Coverage — Deny all AWS actions exterior a specified IP vary
• Deactivate Person — Disable the consumer’s entry with out shedding configuration and historical past
• Delete Person — Take away the consumer’s account and all related entry to AWS assets
• Pressure Password Reset — Make sure the consumer updates their password
• Delete and Create New Entry Keys — Cut back the chance of unauthorized entry

As soon as the compromised consumer has been addressed, we are able to take additional actions to forestall cybercriminals from additional leveraging consumer credentials. Cloud Identification Insights robotically generates a beneficial IAM coverage, optimized to scale back permissions. Sysdig retains monitor of all of the permissions utilized by the consumer solely after it was flagged as doubtlessly compromised, and excludes them by default from our beneficial coverage, stopping menace actors from tainting coverage optimizations. This prevents the identical form of assault from occurring once more. 

Assess compromised and dangerous consumer roles

Cloud Identification Insights will also be accessed by means of Sysdig’s Posture views. From this Identification and Entry Administration view, safety groups can shortly filter the compromised identities to see which of them have been doubtlessly compromised and entry the workflows proven above for fast investigation and response.

These insights are additionally accessible underneath Dangers, the place all of the findings throughout CNAPP (cloud native utility safety platform) focal areas are consolidated, together with runtime occasions, vulnerabilities, posture, and id, plus assault path evaluation and prioritization. Together with permitting you to see compromised and doubtlessly compromised customers, the Dangers view additionally reveals dangerous customers and roles that have to be prioritized to reinforce safety posture. 

Safety groups can personal the high-priority dangers and use these insights to make well-informed and strategic safety choices throughout the ever-changing panorama of the cloud atmosphere.

Sysdig’s Cloud Identification Insights gives a crystal-clear image of assaults throughout identities, cloud, and workloads. It fosters collaboration to preempt assaults and scale back the id assault floor, which units you as much as obtain the 555 benchmark for cloud safety quicker than with any conventional detection and response instruments.

Be a part of our upcoming deminar, Cloud Identification Insights: Cease Compromised Identities in Minutes, a technical demonstration of how Sysdig leverages Cloud Identification Insights to detect, examine, and reply to assaults in minutes.