Threat Hunting with AWS CloudTrail: Detecting Anomalies for a Secure Cloud Environment
In the ever-evolving landscape of cloud security, AWS CloudTrail has emerged as an essential tool for monitoring and understanding activity across your AWS environment. By logging user actions and resource behavior, CloudTrail provides invaluable insights for strengthening security, ensuring compliance, and creating a robust audit trail.
However, while CloudTrail captures a wealth of event data, the real challenge lies in identifying anomalies that could indicate potential threats. This blog explores how CloudTrail can be leveraged for threat hunting and anomaly detection, offering practical guidance and alert strategies to detect suspicious activities early.
What is AWS CloudTrail?
AWS CloudTrail records detailed logs of actions across AWS services, including:
- Who performed an action
- When it occurred
- Where it originated
These logs form a comprehensive audit trail, aiding:
- Security analysis by identifying unauthorized activities
- Compliance auditing to meet regulatory requirements
- Resource tracking to monitor and troubleshoot changes
Despite its comprehensive coverage, organizations often face challenges in identifying meaningful patterns amid the data, especially during an active attack where the attacker’s sequence of actions must be pieced together.
The Threat Landscape: Why Anomaly Detection is Crucial
Threat actors often begin with reconnaissance to find vulnerabilities, subsequently escalating privileges and exploiting resources. Detecting this early activity can significantly reduce potential damage. Yet, AWS doesn’t provide a built-in guide on which CloudTrail events to monitor or how to prioritize them.
To address this gap, Coralogix has developed a threat-hunting framework using CloudTrail, focusing on over 150 critical events. The framework includes a correlation alert, built from foundational building-block alerts, that links together multiple anomalous events typically seen during reconnaissance, and an anomaly dashboard for identifying suspicious activity effectively.
Building Blocks for Anomaly Detection
1. Multiple Events Detected (By User)
Alert Trigger:
This alert fires when more than 15 unique CloudTrail events, drawn from the 150 critical events mentioned above, are detected from a single user within a 20-minute interval.
Rationale: External threat actors usually use automated tools to perform reconnaissance. When such tools run, a high number of CloudTrail events is logged within a short interval, many of them for “Get”, “List” and “Describe” actions.
Challenges & Fine-Tuning Recommendations:
- False Positives: High activity by legitimate users can trigger this alert.
- Fine-Tuning Recommendations:
  - Adjust threshold values based on usage patterns.
  - Whitelist specific users as needed.
This alert provides a high-fidelity signal for detecting unusual access patterns when fine-tuned to your organization’s needs.
2. Unique Error Types
Alert Trigger:
This alert fires when more than one unique error code is detected within a 20-minute interval for CloudTrail events from a single user.
Rationale:
Threat actors operating in unfamiliar environments often cause multiple unique errors due to insufficient knowledge of permissions and privileges.
Fine-Tuning Recommendations:
- Understand the reasons behind these errors (e.g., misconfigurations or malicious attempts).
- Whitelist legitimate users or error codes where appropriate.
3. More than Usual Errors
Alert Trigger:
This alert fires when an unusually high number of errors is detected in CloudTrail events for a single user within a 20-minute window.
Rationale:
Similar to the previous alert, attackers’ lack of familiarity often leads to failed actions, making this metric a strong indicator of suspicious activity.
Correlation Alert: Correlating Anomalies for Better Detection
To enhance detection fidelity, a correlation alert combines the above building blocks. This alert triggers when either of the following combinations occurs within 20 minutes:
- Combination 1:
  - Multiple Events Detected (By User)
  - Unique Error Types
- Combination 2:
  - Multiple Events Detected (By User)
  - More than Usual Errors
Purpose of the Correlation Alert
This alert flags multiple anomalous activities by a user in a short time frame, especially those resulting in errors or unusual patterns. Such behavior is rarely legitimate and warrants further investigation. If the activity is benign, adjust the relevant building block alerts by:
- Modifying thresholds
- Whitelisting specific users or error codes
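The three building blocks and the correlation alert described above, as an added worked example in Python (not Coralogix's own implementation): it evaluates the per-user, 20-minute-window checks over a handful of constructed CloudTrail records. The short critical-event list, the error baseline of 5, and the fixed (tumbling) window bucketing are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 20 * 60   # 20-minute interval shared by the three building blocks
MAX_UNIQUE_EVENTS = 15     # block 1 fires above this many unique critical events per user
MAX_UNIQUE_ERRORS = 1      # block 2 fires above this many unique error codes per user
ERROR_BASELINE = 5         # block 3: assumed baseline; tune to your own "usual" error volume

# Assumption: this short list stands in for the ~150 critical events the post refers to.
CRITICAL_EVENTS = {
    "ListBuckets", "ListUsers", "ListRoles", "ListPolicies", "ListAccessKeys",
    "GetCallerIdentity", "GetAccountAuthorizationDetails", "DescribeInstances",
    "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets", "ListSecrets",
    "ListFunctions", "DescribeDBInstances", "ListQueues", "ListTopics", "ListKeys",
}

def window_key(record):
    """Bucket a record into a fixed 20-minute window (tumbling windows, a simplification)."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // WINDOW_SECONDS

def evaluate(records):
    """Return the three building-block signals and the correlation verdict per (user, window)."""
    stats = defaultdict(lambda: {"events": set(), "codes": set(), "errors": 0})
    for r in records:
        s = stats[(r["userIdentity"]["arn"], window_key(r))]
        if r["eventName"] in CRITICAL_EVENTS:
            s["events"].add(r["eventName"])
        if "errorCode" in r:                       # only failed calls carry errorCode
            s["codes"].add(r["errorCode"])
            s["errors"] += 1
    results = {}
    for key, s in stats.items():
        bb1 = len(s["events"]) > MAX_UNIQUE_EVENTS
        bb2 = len(s["codes"]) > MAX_UNIQUE_ERRORS
        bb3 = s["errors"] > ERROR_BASELINE
        results[key] = {"multiple_events": bb1, "unique_error_types": bb2,
                        "more_than_usual_errors": bb3, "correlation": bb1 and (bb2 or bb3)}
    return results

def make_record(arn, name, minute, error=None):
    """Constructed minimal CloudTrail record (only the fields the detection reads)."""
    rec = {"eventTime": f"2024-01-01T10:{minute:02d}:00Z", "eventName": name, "userIdentity": {"arn": arn}}
    return {**rec, "errorCode": error} if error else rec

RECON_USER = "arn:aws:iam::123456789012:user/recon-bot"   # constructed
ADMIN_USER = "arn:aws:iam::123456789012:user/ops-admin"   # constructed
SAMPLE_RECORDS = [make_record(RECON_USER, n, i) for i, n in enumerate(sorted(CRITICAL_EVENTS))]
SAMPLE_RECORDS += [make_record(RECON_USER, "ListBuckets", 18, "AccessDenied"),
                   make_record(RECON_USER, "GetSecretValue", 19, "AccessDenied"),
                   make_record(RECON_USER, "DescribeInstances", 19, "UnauthorizedOperation"),
                   make_record(ADMIN_USER, "DescribeInstances", 5), make_record(ADMIN_USER, "RunInstances", 6)]
```

Calling `evaluate(SAMPLE_RECORDS)` flags the recon user through Combination 1 (17 unique critical events plus two distinct error codes) while the admin's two routine calls trigger nothing; whitelisting a user is simply filtering their ARN out before `evaluate`.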
Dashboards: Visualizing the Anomalies
In addition to the alerts, Coralogix has also created a dashboard that provides:
- A clear view of event trends and anomalies
- Insights into top users triggering errors or anomalies
- Breakdown of error codes by user, helping to pinpoint the root cause
By combining alerts with actionable insights, organizations can quickly identify and respond to potential threats.
Conclusion
AWS CloudTrail is a powerful tool for cloud monitoring, but its true value lies in its ability to enable proactive threat hunting. By implementing the above strategies, organizations can:
- Detect and investigate suspicious activities early
- Minimize false positives with tailored fine-tuning
- Strengthen overall security posture
With the right tools, dashboards, and alert configurations, CloudTrail becomes a cornerstone of any robust cloud security strategy. Start your anomaly detection journey today to stay ahead of potential threats and protect your AWS environment.