Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities

Conference: BlackHat USA 2018



This talk covers the challenges of detecting malicious behavior in a cloud environment and the importance of understanding the shared responsibility model and the API layer.
  • Cloud environments have a highly dynamic inventory and a heavy focus on automation, which can amplify human error.
  • Traditional approaches to detecting malicious behavior don't work in a cloud native environment.
  • The shared responsibility model includes a missing layer at the API level.
  • Understanding the API layer is crucial for detecting threats and understanding the responsibility boundary.
  • Cloud providers release services quickly, so it's important to keep up with their offerings.
  • Key takeaways include the importance of taking advantage of cloud provider APIs and exploring learning resources.
The speaker notes that with the explosion of cloud services, the perimeter dissolves and there are new attack surfaces waiting to be exploited. They also mention that the intersection of people who understand infrastructure, DevOps, and security is a big gap. The speaker emphasizes the importance of understanding the shared responsibility model and the API layer, as well as taking advantage of cloud provider APIs to make solutions work more efficiently. They also recommend exploring learning resources such as the Cloud Goat and the AWS Flaws mini CTF challenge.


Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is that this barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities that monitor their cloud accounts for compromise.

Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage.

But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization?

Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.
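Two of the detection categories the abstract names, suspicious cloud credential usage and cloud-specific data exfiltration, can be illustrated with a rule pass over the API audit log that the provider already exposes. The following is an added example written for this page; it is not code from the talk, and not a provider's own detection logic. It assumes CloudTrail-style records (eventName, sourceIPAddress, awsRegion, userIdentity, requestParameters) in a simplified shape, a hypothetical per-key network baseline, a hypothetical list of trusted account IDs, and constructed sample events using documentation IP ranges and placeholder identifiers. It generalizes slightly beyond the abstract by running a list of rules rather than a single check.

```python
"""Added example: a small detection pass over CloudTrail-style management events.

Illustrative code only, not the talk's or any provider's. Events are constructed
(RFC 5737 documentation IPs, placeholder key and account IDs) and the record shape
is simplified from what CloudTrail actually writes.
"""
import ipaddress

# Hypothetical baseline: networks from which each long-lived access key has been
# observed during a learning window. A real baseline would be built from history.
KNOWN_NETWORKS = {
    "AKIAEXAMPLEKEY000001": [ipaddress.ip_network("203.0.113.0/24")],
}

# Hypothetical allow-list of account IDs permitted to receive shared EBS snapshots.
TRUSTED_ACCOUNTS = {"111111111111"}


def identity_field(event, field):
    return (event.get("userIdentity") or {}).get(field)


def key_from_unknown_network(event, known=KNOWN_NETWORKS):
    """Flag use of a baselined access key from a source IP outside its baseline."""
    key = identity_field(event, "accessKeyId")
    if key not in known:
        return None  # no baseline for this key: nothing to compare against
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return None  # service principals log a DNS name such as ec2.amazonaws.com
    if any(ip in net for net in known[key]):
        return None
    return (f"access key {key} ({identity_field(event, 'userName')}) used from "
            f"unbaselined source {ip}: {event['eventName']} in {event['awsRegion']}")


def snapshot_shared_externally(event, trusted=TRUSTED_ACCOUNTS):
    """Flag an EBS snapshot being shared to an untrusted account or made public."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    params = event.get("requestParameters") or {}
    items = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
    external = sorted(i["userId"] for i in items if i.get("userId") and i["userId"] not in trusted)
    public = any(i.get("group") == "all" for i in items)
    if not external and not public:
        return None
    target = "the public" if public else ", ".join(external)
    return f"snapshot {params.get('snapshotId')} shared with {target} by {identity_field(event, 'userName')}"


RULES = [("unknown_source", key_from_unknown_network),
         ("snapshot_shared", snapshot_shared_externally)]


def scan(events):
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for event in events:
        for rule_name, rule in RULES:
            message = rule(event)
            if message:
                alerts.append({"rule": rule_name, "eventTime": event.get("eventTime"), "message": message})
    return alerts


def make_event(time, name, region, ip, key, user, params=None):
    """Build a constructed, simplified CloudTrail-style record."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userAgent": "aws-cli/1.15.0",
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params or {}}


SHARE_EXTERNAL = {"snapshotId": "snap-0123456789abcdef0", "attributeType": "CREATE_VOLUME_PERMISSION",
                  "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}
SHARE_TRUSTED = {"snapshotId": "snap-0123456789abcdef1", "attributeType": "CREATE_VOLUME_PERMISSION",
                 "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}

# Constructed sample log: one normal call, a key used from a new network, a snapshot
# share that fires both rules, a legitimate share, and a key with no baseline.
SAMPLE_EVENTS = [
    make_event("2018-08-01T10:00:00Z", "DescribeInstances", "us-east-1", "203.0.113.10",
               "AKIAEXAMPLEKEY000001", "deploy"),
    make_event("2018-08-01T10:05:00Z", "ListBuckets", "eu-west-1", "198.51.100.77",
               "AKIAEXAMPLEKEY000001", "deploy"),
    make_event("2018-08-01T10:06:00Z", "ModifySnapshotAttribute", "eu-west-1", "198.51.100.77",
               "AKIAEXAMPLEKEY000001", "deploy", SHARE_EXTERNAL),
    make_event("2018-08-01T11:00:00Z", "ModifySnapshotAttribute", "us-east-1", "203.0.113.12",
               "AKIAEXAMPLEKEY000001", "deploy", SHARE_TRUSTED),
    make_event("2018-08-01T11:30:00Z", "GetCallerIdentity", "us-east-1", "192.0.2.5",
               "ASIAEXAMPLETEMP00001", "ci-role"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["eventTime"], alert["rule"], alert["message"])
```

The point of the two rules is the responsibility boundary the talk describes: neither the credential misuse nor the snapshot share is visible from inside a VM, but both are visible at the API layer, which is where the native detection services also operate. The baseline and trusted-account list are the configuration a team has to supply; without them, the rules have nothing to compare against.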