5 pro tips for detecting in AWS


Detection and response in a cloud infrastructure is, in one word: confusing. And untangling the web of Amazon Web Services (AWS) can be daunting, even for the most experienced among us.

So where do you start?

Sometimes better security practices begin with basic, but critical, changes. In this post, we’ll walk you through five pro tips for threat detection in AWS so you can free yourself from a bunch of alerts and get the space back to focus on the alerts that matter most.

Prioritize security as part of your culture… like, yesterday

News flash: your security team shouldn’t be the only people concerned about security — just ask your colleague that fell for yet another phishing scam. If you want a security program that works, it needs to be ingrained into all parts of your business and culture. That means educating all of your users so they understand security best practices, and keeping these best practices fresh in their minds with consistent, office-wide trainings.

When security is baked into your culture, frameworks, and solutions, it becomes a day-to-day priority.

Set goals along the way to see what does and doesn’t work for your org. Changing the way employees think and feel about security might be an incremental process, and that’s okay!

At the end of the day, every employee should at least understand the importance of security, and your Chief Information Security Officer (CISO) should always have a seat at the table. Giving your CISO insight into business decisions upfront helps keep security a top line priority for your whole org from the beginning, so that you’re not playing catch-up down the line.

Forget what you know about “normal”

What’s “normal” anyway — right?

Every AWS environment is unique, which means what’s usual in one environment can be suspicious in another. Before you can automate or write detections, you need to know what’s exposed to the outside world in your cloud environment, take a serious look at container security, and understand what normal looks like in your environment.

If you spot unusual user or role behavior, dig deeper. Look at it through a wider lens over the past 24 hours. Does anything look interesting, like multiple failed API calls? Understanding what’s the norm in your environment helps you efficiently tune alerts (and helps tune out that security engineer who’s constantly running penetration tests).

Automate, automate, automate

Automating elements of your security program helps with consistency, but do it strategically. Start by asking, “What problem are we trying to solve?” and work from there to free up resources and speed up time-to-detect.

All AWS services are available as APIs, so you can automate just about anything.

Know which servers are mission critical and use automation to adjust those alerts for impact so your team doesn’t miss anything. Not to mention, it might help your security team sleep through the night without waking up in a cold-sweat because an alert slipped through the cracks.

Lean on logging for better context clues

It’s hard to tell a story and determine what happened if there’s no [cloud]trail to follow. Your detections are only as good as your logging. Make sure CloudTrail is logging all of your accounts, not just certain regions, and that no one is tampering with your logging (like turning it off entirely — yikes).

Then, use CloudTrail as an events source to find anomalous or aggressive API usage. We recommend linking MITRE ATT&CK tactics with AWS APIs to filter for the most interesting activity. By the way, here’s a mind map for AWS investigations that lays out some preliminary tactic mapping to make this part easier.

Take your time laying the breadcrumbs (re: make sure your logging is up to par). It helps your detections and ultimately speeds up triage and investigation after your team sees an alert.

Get back to the basics

We get it — for an industry vet, it can be easy to overlook the basics.

But when misconfigurations are a leading vector behind attacks in the cloud, it’s important to make sure you’re brushing up on best security practices in your AWS environment.

It sounds simple, but the best way to understand AWS to write detections — and the key to red team research — is learning the basics of Identity and Access Management (IAM).

Similarly, when thinking about container security, make sure you’re securing every point an attacker can infiltrate. Covering the basics, from IAM to parts of a container, helps you protect your environment and improve your detection writing. See? Simple.

Still have questions? We’d love to chat!