Source file: Asia-24-Bohannon-CloudConsoleCartographer.pdf (108-page slide deck), shared for online reading.
ASIA 2024

Cloud Console Cartographer
Tapping Into Mapping, Slogging Thru Logging

Agenda:
- Introduction
- Cloud Logs for Defenders
- PROBLEM: Noisy Console Logs
- SOLUTION: Mapping for Clarity
- Tool Demo + Release

Speakers:
- Andi Ahmeti, Associate Threat Researcher (handles: SecEagleAnd1, andi-ahmeti), Kosovo; project: Permiso-io-tools/CloudGrappler
- Daniel Bohannon, Principal Threat Researcher (handle: danielhbohannon), USA; projects: danielbohannon/Invoke-Obfuscation, danielbohannon/Invoke-CradleCrafter, danielbohannon/Invoke-DOSfuscation, danielbohannon/Revoke-Obfuscation
  (5 yrs) (2 yrs)

Role of Logs in Threat Hunting & IR
- Logs = visibility
- Enable them (if not on by default)
- Forward them to a secondary location
- Process further: aggregate, correlate, search for malicious activity

On-Prem vs Cloud Logs (data source, not storage location)

On-prem:
- Host & network logs
- Native logging vs aftermarket products
- Extremely granular, e.g. process arguments, image loads, process memory, registry modifications, DNS lookups, network connections, logon types, file writes, file content
- Numerous "fingerprints" in user/attacker activity

Cloud:
- Determined by the cloud provider
- Control-plane management
- Data-plane usage
- Delay in log generation
- Retention limits (if not forwarded)
- Far less granular / more abstracted
- Fewer "fingerprints" in user/attacker activity

Cloud Log Examples: Creating a User
CloudTrail record as shown on the slide (fields elided on the slide are marked "...", the record is cut off at the end):
eventTime: 2024-04-01T13:33:37.0000000Z
userIdentity: ...
eventSource: (blank on the slide)
eventName: CreateUser
awsRegion: us-east-1
userAgent: AWS Internal
requestParameters: { userName: krileva }
responseElements: { user: { arn: arn:aws:iam::200802171337:user/krileva, userName: krileva, path: /, userId: AIDA12345678ABCDEFGHI, createDate: Apr 1, 2024 1:33:37 PM } }
readOnly: false
eventTy
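The CreateUser record above is the kind of event a defender has to pick out of a noisy CloudTrail stream. As an added example, not code from the talk or from the Cloud Console Cartographer tool, the Python below loads CloudTrail records (either a log file body with a "Records" array or newline-delimited JSON), keeps the IAM write events (readOnly false, eventSource iam.amazonaws.com, eventName in a chosen set) and reports the actor, the affected principal and whether the userAgent looks console-originated. The sample records are constructed: the first is modelled on the slide's event, the other two are invented, and the account id, user id, actor ARN and CLI user-agent string are placeholders. Treating "AWS Internal" and "console.amazonaws.com" as console markers, and the list of event names considered sensitive, are assumptions of this example rather than statements from the talk.

```python
"""Triage CloudTrail records for sensitive IAM write events.

Added example for this page; not code from the Cloud Console Cartographer
talk or tool. Sample records are constructed (see comments below).
"""
import json

# Real CloudTrail eventName values for IAM write calls; which ones count as
# "sensitive" is a choice made for this example, not something the talk states.
SENSITIVE_IAM_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
}

# The slide shows userAgent "AWS Internal" on a console-created user; treating
# it (and "console.amazonaws.com") as a console marker is an assumption here.
CONSOLE_USER_AGENTS = {"AWS Internal", "console.amazonaws.com"}

ACTOR = "arn:aws:iam::200802171337:user/admin-console"  # constructed actor ARN

# Constructed sample records with abridged CloudTrail fields.
SAMPLE_RECORDS = [
    {   # modelled on the slide: CreateUser performed from the console
        "eventTime": "2024-04-01T13:33:37Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "userAgent": "AWS Internal",
        "userIdentity": {"type": "IAMUser", "arn": ACTOR},
        "requestParameters": {"userName": "krileva"},
        "responseElements": {"user": {
            "arn": "arn:aws:iam::200802171337:user/krileva",
            "userName": "krileva", "path": "/", "userId": "AIDA12345678ABCDEFGHI"}},
        "readOnly": False,
    },
    {   # invented: an access key minted for the new user from the CLI
        "eventTime": "2024-04-01T13:35:02Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
        "userAgent": "aws-cli/2.15.0 md/awscrt#0.19.19 ua/2.0 os/linux",
        "userIdentity": {"type": "IAMUser", "arn": ACTOR},
        "requestParameters": {"userName": "krileva"},
        "responseElements": {"accessKey": {"userName": "krileva", "status": "Active"}},
        "readOnly": False,
    },
    {   # invented: read-only console noise that must not be flagged
        "eventTime": "2024-04-01T13:35:10Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers", "awsRegion": "us-east-1",
        "userAgent": "AWS Internal",
        "userIdentity": {"type": "IAMUser", "arn": ACTOR},
        "requestParameters": None, "responseElements": None, "readOnly": True,
    },
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def load_records(text):
    """Accept a CloudTrail log file body ({"Records": [...]}) or JSON lines."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:  # more than one JSON value: treat as JSON lines
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "Records" in doc:
        return doc["Records"]
    return doc if isinstance(doc, list) else [doc]


def actor_of(rec):
    """Best available name for the caller: ARN, then userName, then identity type."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def target_of(rec):
    """IAM write calls name the affected principal in requestParameters.userName;
    fall back to the ARN in responseElements (present in the slide's event)."""
    params = rec.get("requestParameters") or {}
    if params.get("userName"):
        return params["userName"]
    user = (rec.get("responseElements") or {}).get("user") or {}
    return user.get("arn", "?")


def flag_sensitive(records):
    """Return one summary dict per sensitive IAM write event, in input order."""
    flagged = []
    for rec in records:
        if rec.get("readOnly", False):      # List*/Get*/Describe* calls
            continue
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in SENSITIVE_IAM_EVENTS:
            continue
        flagged.append({
            "time": rec.get("eventTime"),
            "actor": actor_of(rec),
            "event": rec["eventName"],
            "target": target_of(rec),
            "region": rec.get("awsRegion"),
            "via_console": rec.get("userAgent") in CONSOLE_USER_AGENTS,
        })
    return flagged


def summarize_by_actor(flagged):
    """Group flagged event names by actor so one caller's chain is visible."""
    summary = {}
    for f in flagged:
        summary.setdefault(f["actor"], []).append(f["event"])
    return summary


if __name__ == "__main__":
    for f in flag_sensitive(load_records(SAMPLE_JSONL)):
        origin = "console" if f["via_console"] else "api"
        print(f"{f['time']} {f['actor']} {f['event']} -> {f['target']} [{origin}]")
```

Run as a script it prints one line per flagged event for the constructed sample; on real data call load_records() on the body of a CloudTrail export and pass the result to flag_sensitive(). The readOnly check is what drops the bulk of console noise, since most of what a console page emits is List/Get/Describe calls.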