Discover and read the best of Twitter Threads about #GuardDuty

Most recent (3)

Exciting technologies announced by @aselipsky at #reinvent2022
Entire catalog of #AWS #Analytics and #MachineLearning services available on #ServerLess

It is a paradigm shifter!
'A Zero ETL Future' - Federated queries across data sources
bridging OLTP and OLAP; those who know will get what folks like me have been struggling with.
Read 18 tweets
Many target AWS from afar, but this #redteam played the long game:

1. Physical access to a laptop via a retail store
2. Persisted via a @Raspberry_Pi under a table
3. Lat. movement via SSH through OSX
4. Recon via Bash history
5. Used stolen .boto to access AWS

👇Thread 👇
1. Lock your laptops! Lower the password timeout window so your users don't have to think about it. With this access the red team was able to gain not only their initial access, but credentials they could use to SSH to several machines across the org.
2. Strong case for asset inventory, especially if a non-standard device such as a Raspberry Pi joins the network. Identifying and alerting on such devices would have caught this much earlier (especially if on a retail/guest wifi).
Read 6 tweets
Highlights from chasing an attacker in #AWS this week:

Initial lead: custom alert using #CloudTrail
- SSH keygen from weird source
IP enrichment helped
Historical context for IAM user, "this isn't normal"
#GuardDuty was not initial lead
- Did have LOW sev high vol alerts
Attacker tradecraft:
- Made ingress rules on sec groups that allowed any access to anything in VPC
- Interesting API calls: > 300 AuthorizeSecurityGroupIngress calls
- Spun up new ec2 instance likely to persist
- Mostly recon - "What policy permissions does this IAM user have?"
Investigations:
Orchestration was super helpful. We bring our own.

For any AWS alert we auto acquire:
- Interesting API calls (anything that isn't Get*, List*, Describe*)
- List of assumed roles (+ failures)
- AWS services touched by user/role
- Gave us answers, fast
Read 4 tweets
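The auto-acquire list in the thread above, as an added example that is not code from the thread's author or their orchestration tooling: it applies the "interesting API calls" (anything not Get*/List*/Describe*), assumed-role (with failures) and services-touched checks to a handful of constructed CloudTrail-style records, and flags a burst of AuthorizeSecurityGroupIngress calls above a threshold. Field names follow the CloudTrail record format; the sample records, user name and account id are constructed.

```python
from collections import Counter

READ_ONLY_PREFIXES = ("Get", "List", "Describe")

# Constructed CloudTrail-style records (not real data); only the fields the
# triage below reads are included.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin"},
     "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]


def is_interesting(event_name):
    """Anything that is not a Get*/List*/Describe* read is worth a look."""
    return not event_name.startswith(READ_ONLY_PREFIXES)


def triage(events, ingress_threshold=300):
    """Summarise what a principal did, mirroring the thread's auto-acquire list."""
    interesting = Counter()
    assumed_roles = []  # (roleArn, succeeded); a CloudTrail errorCode means failure
    services = set()
    for ev in events:
        name = ev.get("eventName", "")
        services.add(ev.get("eventSource", "unknown"))
        if is_interesting(name):
            interesting[name] += 1
        if name == "AssumeRole":
            role = ev.get("requestParameters", {}).get("roleArn", "?")
            assumed_roles.append((role, "errorCode" not in ev))
    ingress = interesting["AuthorizeSecurityGroupIngress"]
    return {
        "interesting": dict(interesting),
        "assumed_roles": assumed_roles,
        "services": sorted(services),
        "ingress_calls": ingress,
        # The thread's attacker made >300 of these; flag a burst above the threshold.
        "ingress_burst": ingress > ingress_threshold,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, ingress_threshold=1), indent=2))
```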