back caretBlog

How to Apply CIS Controls & MITRE ATT&CK in the Cloud

The top 3 challenges you'll face, and how to solve them

So, you're moving heavy enterprise workloads to the cloud! It's going to be awesome. You'll be so agile and dynamic. Need to scale out a service to handle massive customer demand? Boom, done.

And all of the work you've done to align your security detection and investigation strategy with the MITRE ATT&CK Framework and CIS Top 20 Controls is going to work exactly the same way in the cloud as it has on-premises, and your hybrid security will be a snap to manage.

Wait ... will it?

Many of the same blind spots that plague security operations teams in their on-premises environments are as bad or worse when workloads are migrated to the cloud. Furthermore, when enterprises migrate to the cloud, security practices and toolsets that require management and instrumentation often threaten to negate the flexibility and dynamism that makes the cloud so appealing in the first place.

You don't want to install agents and manage logs in the cloud and on-premises, and you definitely don't want to ship data back and forth to get unified visibility in your hybrid environment. Security practices need to evolve as the cloud takes over.

This post will explore three areas where businesses migrating to the cloud can accidentally sabotage their own security efforts, or lose visibility into areas where they once had coverage. We'll focus on negative impacts to security controls, particularly the CIS Top 20 Controls and MITRE ATT&CK detection coverage.

Asset Inventory (CIS Controls 1 and 2, MITRE ATT&CK T1133

CIS Control 1 notes that "it is impossible to protect devices you don't know about." MITRE ATT&CK for Enterprise lists Hardware Additions as a common tactic for attackers to gain initial access to a target network. To protect your assets, you have to know what they are, and that's harder to track in real time when you've got assets both in the cloud and on-premises.

Security teams already face a difficult challenge in maintaining an up-to-date inventory of hardware and software assets that exist in their on-premises environment, and it's equally important to do so in the cloud. One of the challenges for security teams is keeping track of assets across their on-premises and cloud environments in a way that is seamless and does not require too much context-switching.

How can you take advantage of the cloud while still retaining the asset inventory capabilities you need?

The Solution - Passive Monitoring of Application Traffic

Passive monitoring on the network is a good answer for this problem. This is specifically recommended in CIS Control 1 as a mechanism for maintaining an up-to-date inventory of assets. By using a product that can passively listen to communications in the cloud and on-premises and identify new instances by IP address and by protocol and application traffic, SecOps teams can retain visibility and coverage of CIS Control 1 and several MITRE ATT&CK TTPs across their entire hybrid environment.

The recent announcement of Amazon VPC Traffic Mirroring makes this approach much easier, as AWS now provides direct access to the streaming communications within the VPC for monitoring purposes.

Gotchas - Watch Out For "Cloud Native" Vendors That Require You To Rack Gear

When you're looking at passive monitoring products for the cloud, make sure they don't have a sneaky clause about needing to install hardware in your datacenter in order to function. Several "cloud native" vendors in the passive monitoring space will require some data to be shipped back and forth between cloud and on-premises. This can introduce management overhead and operational friction. Architecture matters, so make sure to dig into it before buying.

Internal Visibility & Lateral Movement Detection (MITRE ATT&CK TA0008)

Moving to the cloud takes a lot of datacenter management tasks off your hands, but it also reduces the amount of control you have. You can't exactly hang a packet broker off your core switch to track what's happening in your Virtual Private Cloud, and you wouldn't want to. Part of the point of the cloud is that someone else manages the gear.

However, this means that the way you access the stuff in your cloud is via a public API that anybody else on the internet can also try to access. This means that once an attacker compromises credentials with access to your cloud environment, they have more options for conducting reconnaissance and late-stage attack activities such as lateral movement, privilege escalation, data staging, and data exfiltration.

Cloud service providers (CSPs) provide monitoring and logging capabilities, but under the shared responsibility model, that is not their primary role. The CSP takes responsibility for the security of the cloud. You've got to secure whatever you keep inside it.

How do you maintain your ability to detect and investigate lateral movement in a hybrid cloud environment?

The Solution: Behavioral Analysis of Traffic in the Cloud

By passively monitoring application traffic in the cloud and conducting behavioral analysis against it, you can detect and investigate lateral movement within your virtual private cloud. Until recently, monitoring this traffic required installing packet-forwarding agents on the cloud instances you wanted to monitor.

Now, with Amazon VPC Traffic Mirroring, it is possible to monitor and analyze this traffic without the operational friction of installing agents or forwarders. By conducting behavioral analysis on this traffic you can detect when instances, accounts, applications, and even peer groups start behaving strangely, and can investigate instantly.

You can get even more value from a passive monitoring tool that is able to integrate with built-in monitoring capabilities offered by your CSP, such as CloudWatch, CloudTrail, and VPC Flow Logs in the case of AWS.

Resource Hijacking (MITRE ATT&CK T1496)

It is increasingly common for attackers (or avaricious employees) to install cryptomining software on company resources to generate a little income on the side. These attacks can get completely out of control when the cloud is involved. According to MITRE, "servers and cloud-based solutions are common targets" for resource hijacking "because of the high potential for available resources."

Imagine an employee or attacker spinning up twenty extra large instances and mining bitcoin. That's a computationally expensive process. How would you detect it? This behavior might not surface until the monthly CSP bill arrives!

Resource hijacking occurs in on-premises environments as well, but the cloud creates the potential for attackers to rapidly scale while evading detection more easily. The ability to detect and stop it in real time is correspondingly more important in cloud and hybrid environments.

The Solution: Application Traffic Monitoring in Cloud Workloads

Are you sensing a theme here?

This is another case where passively monitoring application traffic is the best approach for both cloud and on-premises environments. If you can detect both when new instances spin up, and when they start using cryptomining protocols such as Stratum, in real time, you're much better set up to avoid the big cloud bill and keep your cloud resources in check and secure.

Why Won't My Current Tools Cover These Scenarios?

Most legacy security tools were not built with the cloud in mind. The architecture and implementation details are often incompatible with the cloud's core principles of flexibility and dynamism.

  • Many legacy on-premises solutions are solely appliance based and cannot deploy in cloud environments, so teams end up with multiple tools requiring excessive context switching.
  • Even looking at the current network detection and response vendor landscape, many solutions require customers to install hardware in the datacenter in order to make their cloud solution work. This is counterproductive for cloud-first security initiatives.
  • Logging is available in the cloud, but has some of the same pitfalls as on-premises logging. New instances may be spun up with default configurations that do not include logging, and even if they are logged, the data can quickly become overwhelming for analysts to sift through when investigating incidents. In addition, sophisticated attackers will know to turn off or modify logging to evade detection.

Conclusion

I'm not saying we can see the future, but that's only because it isn't the future any more. Right now, the easiest way to get complete visibility and real-time detection in hybrid cloud environments is to use passive traffic monitoring and behavioral analysis.

That is why we introduced Reveal(x) Cloud, the first SaaS network detection and response (NDR) product for AWS virtual private clouds to provide hybrid security for the cloud-first enterprise. To learn more about how Reveal(x) and Reveal(x) Cloud can provide complete visibility, real-time detection, and guided investigation on-premises and in the cloud in a single product, go here.

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed