Any organization with cloud resources must develop investigation capabilities for cloud-related security incidents.


When investigating security incidents and threat hunting signals in the AWS control plane, questions like “what happened in this AWS session?” and “what exactly did the user do?” are critical for determining whether the suspected activity is benign, or if it seems malicious and requires deeper investigation.


Understanding which services the actor used in the session, which resources they interacted with, and what they did with those resources gives crucial context to the analyst or forensic investigator. However, these questions turn out to be much harder to answer than one would think.


Eliav Livneh offers an investigation methodology for control-plane security incidents and demonstrates it on a GuardDuty alert while diving deep into technical aspects of CloudTrail logging related to user sessions, identity-pivoting actions, web console activity, and event-specific actions. During the demonstration, it will be shown how these technical details can be used to answer the questions mentioned above, and enable and speed up investigations.
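As an added illustration of the session-reconstruction part of that methodology (this is example code, not the talk's or Hunters' tooling), the script below groups constructed CloudTrail records by the access key that signed them, summarises the services, actions and resources per session, and links a session to the child sessions it minted through STS identity-pivoting calls, whose responseElements carry the new access key id. The record layout and field names are standard CloudTrail; the sample events, account id and ARNs are constructed.

```python
from collections import defaultdict

# STS calls whose response carries a new access key, i.e. an identity pivot.
PIVOT_CALLS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
               "GetSessionToken", "GetFederationToken"}

# Constructed sample CloudTrail records (not from the talk), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLEKEY"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMP"}}},
    {"eventTime": "2023-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLETEMP"}},
    {"eventTime": "2023-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLETEMP"},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/secret.txt"}]},
]


def reconstruct_sessions(events):
    """Group events by signing access key and return (sessions, pivots).

    sessions: accessKeyId -> identities seen, services, ordered actions, resources.
    pivots:   parent accessKeyId -> set of child accessKeyIds it obtained via STS.
    """
    sessions = defaultdict(lambda: {"identities": set(), "services": set(),
                                    "actions": [], "resources": set()})
    pivots = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "<no-key>")
        s = sessions[key]
        # More than one identity ARN under one key is worth a closer look.
        s["identities"].add(ident.get("arn"))
        s["services"].add(ev["eventSource"])
        s["actions"].append(ev["eventName"])
        s["resources"].update(r["ARN"] for r in ev.get("resources", []) if "ARN" in r)
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] in PIVOT_CALLS:
            creds = (ev.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):
                pivots[key].add(creds["accessKeyId"])
    return sessions, pivots
```

Starting from the access key in a GuardDuty finding, the pivots map tells you which further sessions belong to the same actor, and the per-session summary answers what each of them did.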


The presentation will be accompanied by two findings discovered while conducting research at Hunters, which on one hand emphasize the complexity of CloudTrail logs and on the other hand show how intimate knowledge of the logs helps investigation and threat hunting in AWS: a new attack technique, and a previously undocumented behavior of AWS API keys being recycled between different identities.


Presented by:
Eliav Livneh, Senior Cloud Researcher, Hunters.


You can also listen to the podcast about the AWS attack technique here.
Or read the blog post about the attack technique here.

