Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections

Authors: David Wolf, Joshua Smith


Summary

The presentation discusses the analysis of over 2,000 live cloud-based detections across hundreds of IaaS customers to identify common themes and defensive patterns that also revealed gaps in the typical enterprise control set. The MITRE ATT&CK Cloud framework was applied as a machine learning corpus to illustrate the attacker stories and detections required to detect, interrupt, and respond to cloud impact. The presentation aims to provide actionable insights for strengthening the multi-cloud SOC.
The presenter discussed alert management in the SOC, a pain point that analysts themselves cite as a major issue. High-performing SOCs generate many alerts, and handling hundreds or thousands of them at once is a qualitatively different problem: at that scale, alert management itself becomes the bottleneck. The presentation aims to offer solutions to this problem.

Abstract

We analyzed more than 2,000 live cloud-based detections across hundreds of IaaS customers to identify common themes and defensive patterns that also revealed gaps in the typical enterprise control set. Our analysis set out to answer the question: where are enterprises investing in cloud controls, and where are the control weak points? Next, we applied the MITRE ATT&CK Cloud framework as a machine learning corpus to illustrate the attacker stories and detections required to detect, interrupt, and respond to cloud impact. By applying a novel approach to the verb and noun relationships of cloud infrastructure and workspaces, we were able to map attacker motives to actionable control stories in an approach that can be applied with any SIEM or big data solution powering the modern security operations center (SOC). Join us for a practical journey in learning how to strengthen the multi-cloud SOC, with lessons learned and actionable insights from a cloud detections engineering team.
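The abstract describes decomposing cloud API activity into verb and noun relationships and mapping those to attacker motives in ATT&CK terms. The following is an added illustration of that idea, written for this page and not the authors' own tooling: the sample CloudTrail-style records, the verb groups and the rule table are constructed assumptions (the technique IDs are real ATT&CK entries, but the mapping choices are ours, not the talk's), and the output is the ordered "story" of tactics the sequence of calls implies.

```python
import re
from collections import Counter

# Constructed CloudTrail-style records for illustration; not data from the talk.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"},
]

# Cloud API names are CamelCase "<Verb><Noun>" (StopLogging, CreateUser):
# the verb carries the motive, the noun the targeted resource.
DISCOVERY_VERBS = {"Describe", "List", "Get"}
DESTRUCTIVE_VERBS = {"Delete", "Stop", "Disable", "Terminate"}

# (verbs, nouns, (tactic, technique)); first match wins. This rule set is our
# own assumption; the IDs are real ATT&CK entries, the talk's mapping is not shown here.
RULES = [
    (DESTRUCTIVE_VERBS, {"Logging", "Trail", "Alarm"}, ("Defense Evasion", "T1562.008")),
    ({"Create"}, {"User"}, ("Persistence", "T1136.003")),
    ({"Create"}, {"AccessKey", "LoginProfile"}, ("Persistence", "T1098.001")),
    ({"Get"}, {"Object"}, ("Collection", "T1530")),
    (DESTRUCTIVE_VERBS, {"Bucket", "Object", "Snapshot", "Volume"}, ("Impact", "T1485")),
    (DISCOVERY_VERBS, None, ("Discovery", "T1580")),
]

def split_event_name(name):
    """'StopLogging' -> ('Stop', 'Logging'); 'CreateAccessKey' -> ('Create', 'AccessKey')."""
    parts = re.findall(r"[A-Z][a-z0-9]*", name)
    return parts[0], "".join(parts[1:])

def classify(event):
    """Tag one audit record with the tactic/technique its verb-noun pair implies."""
    verb, noun = split_event_name(event["eventName"])
    for verbs, nouns, (tactic, technique) in RULES:
        if verb in verbs and (nouns is None or noun in nouns):
            return {"verb": verb, "noun": noun, "tactic": tactic, "technique": technique}
    return {"verb": verb, "noun": noun, "tactic": None, "technique": None}

def attacker_story(events):
    """Ordered sequence of tactics seen (the 'story') and how often each fired."""
    sequence, counts = [], Counter()
    for event in events:
        tactic = classify(event)["tactic"]
        if tactic is None:
            continue  # benign or unmapped verb-noun pair; not part of the story
        counts[tactic] += 1
        if tactic not in sequence:
            sequence.append(tactic)
    return sequence, counts
```

Running `attacker_story(SAMPLE_EVENTS)` on the constructed records yields the sequence Discovery, Defense Evasion, Persistence, Collection, Impact, which is the kind of control story a SIEM correlation rule can be written against regardless of vendor.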
