Build your cyber evidence board with Amazon Security Lake and MITRE ATT&CK Framework

raji krishnamoorthy, published in DataDrivenInvestor, Oct 4, 2023


“In solving a problem of this sort, the grand thing is to be able to reason backward,”
Sherlock Holmes proclaims in ‘The Adventure of the Copper Beeches.’

If Sir Arthur Conan Doyle’s renowned detective were to discourse on the currency of data, one can imagine he would reckon that data left unused is data rendered worthless.


Imagine the iconic image of Sherlock Holmes at 221B Baker Street, engrossed in a complex case. His room is transformed into a veritable war room of clues and observations, meticulously organized on an evidence board. Holmes doesn’t merely collect data; he interrogates it. Each piece of evidence, each data point, is not just a passive element but a dynamic clue that can lead to multiple pathways in his deductive reasoning.

Just as Holmes sifts through diverse forms of evidence — be it a tobacco ash specimen, a footprint, handwriting or even a dog, so too must we sift through multitudes of data in the cyber realm.

The Evidence Board

When I envision Sherlock Holmes poring over his evidence board, I do not see a physical board, but rather a modern Security Information and Event Management (SIEM) system.

In this mental tableau, each data point is meticulously scrutinized, correlated, and analyzed to produce actionable intelligence, much like Holmes would do with his clues.

In both instances, the mere collection of data or evidence is not the end goal; it’s the starting point of a journey towards a reasoned conclusion. The data must be acted upon, just as Holmes acts upon his clues, extracting their latent value to solve the case at hand.

Amazon Security Lake | The vault of cyber clues

If your SIEM is the canvas on which you build your evidence board, Amazon Security Lake is the vault that centralizes all your essential cyber data.

This includes everything from CloudTrail logs, VPC Flow Logs, S3 data events, Route 53 logs and Security Hub findings, as well as sources from other cloud platforms, on-premises systems and custom sources. Although individual data points might seem insignificant in isolation, when collated and analyzed through the SIEM, patterns begin to surface and potential threats become more discernible.

If you’re aiming to elevate your cybersecurity posture, then the next logical step is integrating Amazon Security Lake with your SIEM system.

MITRE ATT&CK | The Watson to your Cyber Sherlock avatar

Moving on from Sherlock Holmes, let’s explore a modern tool that applies similar logic to Holmes’ methods but in the context of cybersecurity: the MITRE ATT&CK framework.

While not a ‘Watson’ in the traditional sense — given Watson’s role as a companion and emotional counterbalance — it serves as a systematic guide that complements your SIEM system.

By aligning each rule in your SIEM with specific tactics and techniques outlined in the MITRE ATT&CK framework, you achieve dual objectives.

Firstly, you gain an exhaustive snapshot of your extant detection capabilities. Secondly, and perhaps more pivotally, you cultivate a layered comprehension of the rationale behind those specific rules. This empowers you to not only defend your prevailing security protocols effectively but also to evolve them in an informed manner.

Translating Clues with OCSF Data

Lastly, it’s worth noting that before any piece of data — or clue — can be ‘pinned’ to your digital evidence board (the SIEM), it must be translated into a standardized language. This is the juncture at which OCSF (Open Cybersecurity Standards Framework) becomes pivotal.

The OCSF schema provides a structured and standardized way to represent cybersecurity data. This universal language allows various cybersecurity tools to interact seamlessly, making it easier for organizations to integrate solutions from different vendors.

Amazon Security Lake automatically converts the data format of native AWS services to OCSF. It can ingest data from ISV partner tools that emit their logs in OCSF format; for tools that are not OCSF compatible, you need to perform the OCSF conversion yourself.

Anatomy of Amazon Security Lake

Before you begin, you first need to set up Amazon Security Lake in your AWS environment. AWS offers a great user guide that you could follow to start using the lake. Below is the architecture of Security Lake.

Fig: SIEM with Amazon Security Lake

One can integrate AWS native logs, logs from other cloud platforms, on-premises systems and third-party security tools.

Fig: Sources in Security Lake

Each of these sources keeps its data in a distinct S3 bucket, as shown below.

Fig: Folders in the Amazon Security Lake bucket

Now you can use native AWS services such as Amazon Athena and Amazon QuickSight for analytics and visualization respectively, or bring your own analytics and visualization tools.

Since the data is stored in S3 buckets, you have the flexibility to integrate easily with any SIEM tool. In this blog, let’s stick to native AWS capabilities.

Fig: AWS Glue tables created by Security Lake

Once the appropriate IAM roles and permissions are set up as explained in the user guide, you will find a database of security tables created in AWS Glue. These tables cover a wide range of attributes, such as metadata, time, cloud region, API details, actor information, and much more.

Let’s begin our investigation

I am picking the “Drive-By Compromise” technique under the Initial Access tactic, as defined in the MITRE ATT&CK framework.

The “Drive-By Compromise” technique refers to the automatic download and execution of malicious code when a user visits a compromised website. The website might exploit browser vulnerabilities or execute malicious scripts to compromise the system.

Relevant Amazon Security Lake tables for the Drive-By Compromise technique

  • VPC Flow (amazon_security_lake_table_us_east_1_vpc_flow): To identify suspicious network traffic patterns.
  • Route53 DNS (amazon_security_lake_table_us_east_1_route53): To monitor DNS queries to potentially harmful domains.
  • CloudTrail (amazon_security_lake_table_us_east_1_cloud_trail_mgmt): To look for unexpected API calls that may result from a successful compromise.

We can detect a number of Indicators of Attack using correlation queries; a few examples follow.

Unusual Web Traffic

One of the first signs of a drive-by compromise is unusual outbound web traffic. Using the VPC Flow table, monitor for unusual IP addresses or port numbers that are not part of regular browsing activity.

-- Outbound flows to destinations outside your allow-list (placeholders below)
SELECT src_endpoint.ip,
       dst_endpoint.ip,
       connection_info.protocol_num
FROM amazon_security_lake_table_us_east_1_vpc_flow
WHERE dst_endpoint.ip NOT IN ('known_safe_ip1', 'known_safe_ip2');

Unexpected API Calls

After a system has been compromised, you may notice unexpected API calls that are not part of your regular AWS usage. Look for API calls that are made at unusual times or from unexpected locations.

-- API calls against a service you do not normally use, inside a chosen time window
SELECT api.operation,
       api.service.name,
       time
FROM amazon_security_lake_table_us_east_1_cloud_trail_mgmt
WHERE api.service.name = 'unusual_service'
  AND time BETWEEN 'unusual_time1' AND 'unusual_time2';
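The placeholder query above leaves "unusual" undefined. The following is an added example (not from the original post) that makes it concrete: a 30-day baseline of which principals call which services, against which a single day is compared, plus an off-hours filter. It assumes the Athena (Trino) SQL dialect, the CloudTrail management table named above, `time` stored as epoch milliseconds, `eventday` as the yyyyMMdd partition column, and working hours of 08:00 to 18:00 UTC; the dates are placeholders.

```sql
-- Added example: flag (principal, service) pairs never seen in a 30-day
-- baseline, or calls made outside assumed working hours.
WITH baseline AS (
  -- Every principal/service combination observed in the preceding 30 days
  SELECT DISTINCT
         actor.user.uid    AS principal,
         api.service.name  AS service
  FROM amazon_security_lake_table_us_east_1_cloud_trail_mgmt
  WHERE eventday BETWEEN '20230904' AND '20231003'   -- placeholder range
),
today AS (
  SELECT actor.user.uid                         AS principal,
         api.service.name                       AS service,
         api.operation                          AS operation,
         src_endpoint.ip                        AS caller_ip,
         from_unixtime(time / 1000)             AS event_time,   -- time assumed in ms
         hour(from_unixtime(time / 1000))       AS event_hour
  FROM amazon_security_lake_table_us_east_1_cloud_trail_mgmt
  WHERE eventday = '20231004'                           -- placeholder day
)
SELECT t.principal,
       t.service,
       t.operation,
       t.caller_ip,
       t.event_time,
       CASE WHEN b.principal IS NULL THEN 'new_service_for_principal'
            ELSE 'off_hours' END                AS reason
FROM today t
LEFT JOIN baseline b
  ON  b.principal = t.principal
  AND b.service   = t.service
WHERE b.principal IS NULL                      -- pair absent from the baseline
   OR t.event_hour NOT BETWEEN 8 AND 18        -- outside assumed working hours (UTC)
ORDER BY t.event_time;
```

Treat the output as a triage list, not a verdict: a new service for a principal is common after a legitimate deployment, so tune the baseline window and hours to your environment.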

Suspicious network activities and API calls from VPC Flow Logs and CloudTrail

-- Join flows to non-allow-listed destinations with API calls from the same source IP
SELECT flow.src_endpoint.ip             AS src_ip,
       flow.dst_endpoint.ip             AS dest_ip,
       flow.connection_info.protocol_num AS protocol,
       cloudtrail.api.operation         AS api_operation,
       cloudtrail.api.service.name      AS api_service
FROM amazon_security_lake_table_us_east_1_vpc_flow AS flow
JOIN amazon_security_lake_table_us_east_1_cloud_trail_mgmt AS cloudtrail
  ON flow.src_endpoint.ip = cloudtrail.src_endpoint.ip
WHERE flow.dst_endpoint.ip NOT IN ('known_safe_ip1', 'known_safe_ip2')
  AND cloudtrail.api.service.name = 'unusual_service';
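The Route 53 table listed earlier is the natural place to start a drive-by investigation, since the victim host must resolve the malicious site before it connects. The following is an added example (not from the original post) that correlates a DNS query for a domain outside a local allow-list with an outbound web flow from the same host to an address that query resolved to, within ten minutes. It assumes Athena (Trino) SQL, the Security Lake table names used in this post, `time` as epoch milliseconds, `eventday` as the yyyyMMdd partition column, `answers[].rdata` holding the resolved address, and placeholder allow-list domains.

```sql
-- Added example: DNS resolution followed by an outbound web flow to the
-- resolved IP from the same host within 10 minutes.
WITH dns AS (
  SELECT src_endpoint.ip   AS host_ip,
         query.hostname    AS queried_domain,
         ans.rdata         AS resolved_ip,      -- one row per answer record
         time              AS dns_time
  FROM amazon_security_lake_table_us_east_1_route53
  CROSS JOIN UNNEST(answers) AS t (ans)
  WHERE eventday = '20231004'                          -- placeholder day
    AND query.hostname NOT LIKE '%.amazonaws.com%'     -- allow-list (placeholder)
    AND query.hostname NOT LIKE '%.example-corp.internal%'
),
web AS (
  SELECT src_endpoint.ip   AS host_ip,
         dst_endpoint.ip   AS dest_ip,
         dst_endpoint.port AS dest_port,
         traffic.bytes     AS bytes,
         time              AS flow_time
  FROM amazon_security_lake_table_us_east_1_vpc_flow
  WHERE eventday = '20231004'
    AND dst_endpoint.port IN (80, 443)                 -- web traffic only
)
SELECT d.host_ip,
       d.queried_domain,
       w.dest_ip,
       w.dest_port,
       COUNT(*)                                AS flows,
       SUM(w.bytes)                            AS total_bytes,
       MIN(w.flow_time - d.dns_time) / 1000    AS seconds_to_first_flow
FROM dns d
JOIN web w
  ON  w.host_ip = d.host_ip
  AND w.dest_ip = d.resolved_ip
  AND w.flow_time BETWEEN d.dns_time AND d.dns_time + 10 * 60 * 1000
GROUP BY d.host_ip, d.queried_domain, w.dest_ip, w.dest_port
ORDER BY flows DESC, total_bytes DESC
LIMIT 100;
```

Restricting both CTEs to the same `eventday` partition keeps the Athena scan small; widen the window or the partition range if the DNS query and the flow may fall on different days.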

Monitor uploads and new S3 bucket creation from Lambda functions

-- Lambda executions whose source IP also appears as the caller of S3 write operations.
-- Note: PutObject is an S3 data event and is recorded in the S3 data events source,
-- not in the CloudTrail management-events table queried here.
SELECT lambda.activity_name         AS lambda_activity,
       lambda.src_endpoint.ip       AS lambda_src_ip,
       cloudtrail.api.operation     AS api_operation,
       cloudtrail.api.service.name  AS api_service
FROM amazon_security_lake_table_us_east_1_lambda_execution AS lambda
JOIN amazon_security_lake_table_us_east_1_cloud_trail_mgmt AS cloudtrail
  ON lambda.src_endpoint.ip = cloudtrail.src_endpoint.ip
WHERE cloudtrail.api.operation IN ('PutObject', 'CreateBucket');

These are just a few of the many possibilities with Amazon Security Lake.

The real value comes when you expand your cyber data spectrum beyond the boundary of the AWS cloud into external systems, which Security Lake makes seamless through OCSF standardization.

As cyber threats evolve, so should your defense strategies. So, arm yourself with the modern-day equivalents of Holmes’ magnifying glass and Watson’s reasoning and unravel the mysteries that lie within your cyber data.


Information Technology Enthusiast, love writing on science and technology; believes in the union of art and science.