Cloud Attack Emulation and Detection Engineering are revolutionizing how we tackle cyber threats in cloud infrastructure. This synergy is imperative for modern security teams and can be comparable to the art of swordsmithing. The balanced combination of heat, tampering, and appropriate materials produces a masterpiece sword, a formidable weapon wielded by skilled warriors to conquer adversaries.
This article provides an overview of cloud attack emulation and how it can be adopted to enhance detection engineering capabilities. The critical role of detection engineering is demonstrated with practical examples: detection gaps due to AWS API changes and the addition of new MITRE ATT&CK techniques are identified. Furthermore, steps to integrating attack emulation into the Detection Engineering lifecycle are provided, with references to mature security organizations using these approaches: GitLab, Snowflake, and Palantir.
Cloud Attack Emulation - A Primer
The cloud's dynamic nature presents unique challenges, and static, traditional defenses continuously struggle to address these challenges. Attack emulation (also referred to as adversary emulation) addresses these challenges by allowing proactive, continuous testing opportunities aligned with the MITRE ATT&CK framework.
Cloud attack emulation is the process of mimicking Tactics, Techniques, and Procedures (TTPs) of real-world attacks in controlled cloud infrastructure to allow organizations to evaluate their actual cloud security posture empirically.
Cloud attack emulation can minimize errors and alert fatigue by safely emulating cyber attacks that typify real attacker behavior. The emulated attacker behavior, usually captured as security events, provides opportunities to uncover security blindspots that would otherwise go unnoticed until it's too late. Security teams can leverage cloud attack emulation to adopt a Threat-Informed Defense strategy.
Unlike traditional environments, the cloud attack surface is large and challenging to defend. Attackers know this difficulty and continuously evolve creative techniques to breach defenses successfully. Periodic security assessment approaches such as penetration testing and traditional red/purple teaming operations conducted once or twice a year are insufficient as they leave huge attack opportunites. Converserly, defenders must assume breach and evolve security approaches with a more frequent, safe, and efficient assessment cadence. Cloud attack emulation has these properties and democratizes several security functions so average security engineers can perform several job functions.
Detection Engineering - Digital Swordsmithing
Detection Engineering is an aspect of cybersecurity that focuses on developing, fine-tuning, and maintaining systems designed to identify and alert organizations to potential security threats, breaches, and malicious/suspicious activities. Due to the dynamic threat landscape, organizations must continually tune security tools to stay ahead of attacks. Detection engineering is a relatively new field that appeared in the last 2 - 3 years as organizations increasingly realized the need to create detection logic that identifies adversarial patterns and activities rapidly.
Detection engineers are the architects behind the scenes, crafting the rules and systems that sniff out malicious activities. But without a proper test-driven approach, even the most well-designed detection strategies can be bypassed by attackers. That's where attack emulation steps in, providing real-world security testing capabilities that align with the evolving threat landscape. Detection engineering teams provide several capabilities, including the following:
Rule and Algorithm Development
Detection engineers develop and refine security rules and algorithms that power the detection capabilities of security monitoring systems, including Cloud Detection and Response (CDR) and Extended Detection and Response (XDR). Tuning these security systems requires a deep understanding of the evolving nature of cyber threats and adapting the detection mechanisms accordingly.
Detection engineers should be able to jump into situations where security monitoring systems lack critical detection rules or capabilities. In such scenarios, detection engineers can implement the required detection rules rather than dangerously waiting for the vendors' fixes. For example, in November last year, AWS started supporting batch retrieval of secrets. This update allows multiple (1 to n) secrets stored by the AWS Secret Manager to be grabbed with a single call.
Without a doubt, this makes life easy for developers and others as the iterative calls to grab secrets are no longer needed. However, given the creative nature of adversaries, this feature could be abused for malicious reasons. Detection engineers can facilitate effective countermeasures by updating the appropriate detection rules to detect abusive events by adding BatchGetSecretValue. This update is straightforward for open detection rule engines, e.g., Sigma rules and Elastic Security Rules. Essentially, the query for the Elastic security rules can be extended to include event.action:BatchGetSecretValue.
Threat Identification
Threat Identification is the process of understanding the threats an organization might face. Detection engineers analyze patterns and behaviors of past cyber attacks and security events to identify Indicators of Compromise (IoCs) and develop methods to detect similar threats in the future. These timely detection updates might be a lifesaver that detects and prevents a potentially successful cyber attack.
Security Monitoring
Detection engineering involves setting up and maintaining security systems (e.g. XDRs, CDRs) that continuously monitor network traffic, system logs, and other data sources for signs of suspicious/malicious activity. This monitoring is often done in real-time to ensure prompt detection of potential threats.
Alerting Systems
Part of detection engineering is creating alert systems that notify security teams of potential threats. Security teams must tune these alerting systems to minimize false positives (benign activities mistakenly flagged as threats) and false negatives (actual undetected threats). Detection engineers are often involved in the tuning effort.
Data Analysis
Detection engineers use various tools and techniques to analyze data collected from monitoring systems. This analysis is crucial for distinguishing between normal and potentially malicious activities.
Enhancing Incident Response
Detection engineering efforts integrate closely with an organization's incident response strategies. Hence, detection engineers work together with other members of the Security Operations Center (SOC) to ensure efficient response to incidents while reducing the impact on business operations.
Integrating Attack Emulation Into The Detection Development Lifecycle
The detection development lifecycle is a well-defined process for designing, producing, and maintaining threat detections. Security teams can leverage the detection development lifecycle to have a process for evaluating and continuously detecting threats. Attack emulation plays an essential role in detection engineering; this role can be understood by looking through Snowflake’s detection development lifecycle.
Snowflake’s detection development lifecycle is divided into six phases: Requirements Gathering, Design, Development, Testing and Deployment, Monitoring, and Continuous Testing.
Requirements Gathering
This phase is the entry point of most detections that would be developed. It is, therefore, essential to collect information from several sources, including SOC teams, product and corporate security, threat intelligence, incident response, read teams, and the internal detection engineering team. Due to the growing adoption of attack emulation as a more proactive approach to offensive security and security validation, several teams would collect information from attack emulation exercises.
Design
The design phase is critical; well-designed detections would be less costly and potentially become more valuable. The Snowflake security teams leverage the Palantir Alerting and Detection Strategy (ADS) framework to streamline the detection design process. The framework results from several efforts to produce efficient detections that address false positives and negatives. At the center of the ADS framework is the Validation process, which aims to represent a true positive event that triggers the alert. An attack emulation system does the validation process to produce a realistic event.
Development
The detection design is implemented during the development phase using several standardized approaches. One popular approach is the use of Sigma rules as foundational templates. Sigma rules provide a standard format that can be built and translated into several internal formats with cyber security products, e.g., Elastic security rules.
Testing and Deployment
Similar to traditional software engineering, testing is essential in detection engineering. It takes out the perils of assumptions by allowing ascertainment of expected detection outcomes. The detection rules can be tested for efficiency and accuracy, including conformity to MITRE ATT&CK techniques and defined acceptance criteria.
Detection rules are tested against historical or real-time log events. While historical events are often easier to test since they can be acquired from existing log sources, real-time log events often require attack emulation systems. However, real-time log events provide higher guarantees for accuracy, especially for cloud infrastructure, due to the fast rate of change of APIs, cloud services, etc. Detection engineers and ret team operators can use the Mitigant Cloud Attack Emulation platform to generate appropriate event logs for testing detections quickly.
Monitoring
The deployed detection logic requires monitoring to detect bugs, gaps, etc., which detection engineers must update. The update tasks are imperative, and smooth supporting processes are necessary e.g., using a code repository (Detection-as-Code). Any security team member may reactively identify these issues. However, adopting an attack emulation process allows a proactive and guaranteed approach to identify deviations from the expected detections.
Let us see a practical example that illustrates the importance of monitoring. MITRE ATT&CK version 14 was released in October 2023, including four new techniques for the IaaS Cloud Matrix: Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access, Credentials from Password Stores: Cloud Secrets Management, and Log Enumeration. Adding these new techniques to a detection system is imperative to detecting adversaries using these techniques. The highly impressive reaction to my LinkedIn and Twitter (X) posts about these new techniques is a testament to the importance of implementing these updates.
Continuous Testing
Most detection engineering teams work directly or indirectly with other teams of security organizations to continuously test the effectiveness of the deployed detections. Red team operations are often conducted to provide feedback on the preventive, detective, and recovery controls. These activities provide learning opportunities to understand the performance of detections and continually improve several metrics, including coverage, accuracy, quality, etc. In these teams, attack emulation is becoming a preferred approach to quickly running attack scenarios that validate the actual security posture of an organization. For example, the GitLab security team runs attack emulations as a part of red/purple team operations to stay ahead of adversaries.
Supercharging Detection Engineering with Mitigant Cloud Attack Emulation Platform
Cloud attack emulation empowers organizations to adopt a Threat-Informed Defense strategy. However, due to the rapid advancement in attacker tradecraft and the challenging uniqueness of cloud infrastructure, detection engineering has emerged to allow faster identification and elimination of adversaries. Integrating cloud attack emulation into the detection development lifecycle can immensely enhance detection engineering capabilities. The Mitigant Cloud Attack Emulation Platform provides an easy-to-use, agentless approach that allows teams of any size to supercharge their detection engineering capabilities. Sign up for a free trial today - https://www.mitigant.io/sign-up
Kennedy Torkura
Co-Founder & CTO, Mitigant. | Contributing Author - O'Reilly Security Chaos Engineering Book. | AWS Community Builder
