Discover and read the best of Twitter Threads about #CloudTrail

Most recents (2)

When I think about threat hunting:

- Pro-active search for active / historical threats
- Pro-active search for insights
- Insights lead to better understanding of org
- Insights are springboard to action
- Actions improve security / risk / reduce attack surface
With these guiding principles in hand, here's a thread of hunting ideas that will lead to insights about your environment - and those insights should be a springboard to action.
Here are my DCs

Do you see evidence of active / historical credential theft?

Can you tell me the last time we reset the krbtgt account?

Recommendations to harden my org against credential theft?

How many do we already have enabled?

Where can we improve?
Read 8 tweets
Highlights from chasing an attacker in #AWS this week:

Initial lead: custom alert using #CloudTrail
- SSH keygen from weird source
IP enrichment helped
Historical context for IAM user, "this isn't normal"
#GuardDuty was not initial lead
- Did have LOW sev high vol alerts
Attacker tradecraft:
- Made ingress rules on sec groups that allowed any access to anything in VPC
- Interesting API calls: > 300 AuthorizeSecurityGroupIngress calls
- Spun up new ec2 instance likely to persist
- Mostly recon - "What policy permissions does this IAM user have?"
Investigations:
Orchestration was super helpful. We bring our own.

For any AWS alert we auto acquire:
- Interesting API calls (anything that isn't Get*, List*, Describe*)
- List of assumed roles (+ failures)
- AWS services touched user user/role
- Gave us answers, fast
Read 4 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!