Catch Me If You Can: Hunting Cloud Exfiltration Using Anomaly Detection

Presented at CactusCon 12 (2024), Feb. 16, 2024, 2 p.m. (60 minutes).

Cloud exfiltration, and credentialed access incidents in cloud environments in general, tends to resist detection and often goes unnoticed until something else triggers an incident response. There are at least four large cases in the public record where large-scale cloud exfil went undetected for some time until it was uncovered as part of a retrospective incident response. The best explanation of why comes from the most recent public incident retrospective writings: "it is difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity [in the cloud]." This talk summarizes several years' work in cloud exfil hunting and detection using a combination of anomaly detection and conventional hunting queries implemented in a Jupyter notebook.

Outline:

1. Introduction
2. Brief history - the 2016, 2019, 2020 and 2021 cloud exfiltration cases (the majors)
3. Brief summary of the numerous smaller cases
4. CloudTrail event types - S3 events vs. other data layers - and enrichments (geo, ASN info)
5. Hunting credentialed access using anomaly detection
6. Hunting anomalous snapshot activity
7. Hunting anomalous database layer activity
8. Identifying anomalous volumetric S3 data movement using anomaly detection
9. Non-volumetric S3 data movement
10. Moving “left of boom” for earlier warning - hunting potential precursor events that may precede bulk data exfil in S3
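As an added illustration of the volumetric S3 hunting idea in the outline (example code written for this page, not the talk's notebook or any project code), the following Python sums bytesTransferredOut from CloudTrail S3 GetObject data events per principal and UTC hour, then flags hours far above that principal's own robust baseline (median plus k times the median absolute deviation) while ignoring hours below an absolute byte floor. The sample events, account id, role, bucket and IP are constructed placeholders, and the k and floor values are assumptions to be tuned per environment.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail S3 data events (GetObject), trimmed to the fields used
# below. Account id, role name, bucket and IP are placeholders, not real values.
def make_event(arn, when, nbytes):
    return json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                       "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "userIdentity": {"arn": arn}, "sourceIPAddress": "198.51.100.7",
                       "requestParameters": {"bucketName": "example-data-bucket"},
                       "additionalEventData": {"bytesTransferredOut": nbytes}})

SAMPLE_START = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE_ARN = "arn:aws:iam::111122223333:role/app-reader"
# 47 quiet hours of 1-2 MB each, then one hour in which 4 GB leaves the bucket.
SAMPLE_LOG = [make_event(SAMPLE_ARN, SAMPLE_START + timedelta(hours=h, minutes=m), 500_000)
              for h in range(47) for m in range(2 + h % 3)]
SAMPLE_LOG += [make_event(SAMPLE_ARN, SAMPLE_START + timedelta(hours=47, minutes=m), 400_000_000) for m in range(10)]

def hourly_egress(log_lines):
    """Sum bytesTransferredOut per (principal ARN, UTC hour) over S3 GetObject events."""
    totals = defaultdict(int)
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
            continue
        hour = ev["eventTime"][:13]  # "YYYY-MM-DDTHH" bucket
        out = ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        totals[(ev["userIdentity"]["arn"], hour)] += int(out)
    return totals

def flag_volumetric_anomalies(totals, k=10.0, floor_bytes=50_000_000):
    """Per principal, flag hours whose egress exceeds median + k*MAD and an absolute floor."""
    by_arn = defaultdict(dict)
    for (arn, hour), nbytes in totals.items():
        by_arn[arn][hour] = nbytes
    flagged = []
    for arn, hours in by_arn.items():
        values = list(hours.values())
        if len(values) < 6:  # too little history to form a baseline
            continue
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) or 1.0  # guard a zero MAD
        for hour, nbytes in sorted(hours.items()):
            if nbytes >= floor_bytes and (nbytes - med) / mad > k:
                flagged.append({"arn": arn, "hour": hour, "bytes": nbytes,
                                "robust_z": round((nbytes - med) / mad, 1)})
    return flagged
```

On the constructed sample only the 4 GB hour is flagged; the quiet hours never pass the floor, and a single principal with fewer than six hours of history is skipped rather than scored against a meaningless baseline.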

Presenters:

  • randomuserid - Head of Detection Science
    Craig has seen things you people wouldn't believe - attack ships on fire off the shoulder of Orion, C-beams glittering in the dark near the Tannhäuser Gate. He was a principal at three successful security product startups. In between startups, he served as a special consultant for security at apex level finance and defense sector firms. He previously served as a principal researcher and area lead at Elastic where he developed the first ML jobs for cloud native threat hunting and detection among other features. He is currently the Director of Algorithmic Threat Detection at Uptycs where he continues work on ML applications to threat hunting and detection. He is a member of the review board at CAMLIS, a policy attaché at DEFCON and a mentor at BSides Las Vegas. He has presented at numerous conferences including the SANS Threat Hunting Summit, SOURCE Boston, Cloud Security World and AWS Community Days in Boston and New York, and six BSides conferences.
