The Red Report 2024: The Top 10 Most Prevalent MITRE ATT&CK Techniques
Huseyin Can YUCEEL | October 06, 2023
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
In the rapidly evolving technology landscape, cloud services have become indispensable to businesses. Organizations worldwide use cloud services such as Amazon Web Services (AWS) to run daily operations and deliver products to customers. Since cloud services offer more scalability and flexibility than traditional IT systems, organizations are increasingly migrating their operations to the cloud. Like any other part of IT infrastructure, organizations need to secure their cloud infrastructure and follow security best practices. Since cloud security is a vast topic, we decided to write a blog series on cloud security best practices.
This is the first blog of the series where we explained the best practices for cyber asset management in AWS Cloud.
Amazon Web Services (AWS) is a leading cloud computing platform many businesses and individuals use to build, deploy, and manage their IT resources and applications. At its core, AWS offers a vast array of cloud-based services for networking, storage, databases, machine learning, security and more. These services are hosted in AWS's global network of data centers strategically located in multiple geographic regions. This global infrastructure enables organizations to deploy their applications and data close to their users, ensuring low-latency access and high availability.
Figure 1: Shared Responsibility Model in AWS
For security and compliance, AWS uses the Shared Responsibility Model, which is a framework that defines the responsibilities of AWS and its users for security in the cloud. In general, AWS is responsible for the security of the cloud infrastructure, and its users are responsible for the security of their data and applications in the cloud. Organizations should focus on data protection, access management, network security, system and application security, threat monitoring, incident response, and compliance. Maintaining a secure cloud environment can be challenging for organizations, considering the scope of the security responsibilities. According to Gartner, 99% of cloud security failures will be the customer's fault through 2025. Therefore, organizations need to understand their security responsibilities better and adopt cloud security best practices to defend themselves against security breaches proactively. These best practices can be categorized under three main categories.
Cloud Asset Management
Identity and Access Management
Logging and Monitoring
In this blog, we focused on the first category, cloud asset management.
Securing any environment starts with knowing which assets are to be secured. Cloud asset management in AWS refers to the practice of effectively identifying, organizing, and overseeing the resources deployed within a cloud environment. These resources include virtual servers, databases, storage, networking components, software configurations, and more. Some of the common AWS resources are as follows:
Amazon S3: Amazon Simple Storage Service (S3) is a scalable and durable object storage service that is designed to store and retrieve data, such as files, documents, images, videos, backups, and data archives, in the cloud. For a wide range of cloud-based applications, Amazon S3 serves as a fundamental storage solution. It can also be used for content distribution, data archiving, and data analytics.
Amazon RDS: Amazon Relational Database Service (RDS) is a fully managed database service that simplifies the process of setting up, operating, and scaling a relational database in the cloud. With Amazon RDS, users can deploy and manage popular relational database engines without the need to handle administrative tasks like hardware provisioning, database setup, and software patching. It is suitable for a wide range of use cases, including web applications, e-commerce platforms, content management systems, and data warehousing.
Amazon VPC: Amazon Virtual Private Cloud (VPC) is a networking service that allows users to create isolated, private, and secure virtual networks within the AWS cloud. With Amazon VPC, users can define and control their own virtual network environment, including IP address ranges, subnets, route tables, and network gateways. It enables users to launch AWS resources, such as Amazon EC2 instances and RDS databases, into a virtual network of their choice.
After all AWS resources are identified, each resource should be tagged with appropriate metadata labels. These tags are user-defined key-value pairs that provide additional information and context about each resource. Tags make managing, organizing, searching, and tracking AWS resources easier, ultimately enhancing visibility, cost management, and resource control.
Since users or services with the right credentials can add or remove resources instantly in a cloud environment, keeping an up-to-date inventory of resources is crucial for security. Otherwise, managing these resources can get out of hand very quickly. Therefore, organizations should apply the following practices for cloud asset management.
The first step of cloud asset management is to identify all the assets in the cloud. Organizations should list all the servers, applications, databases, and storage containers and understand the extent of their attack surface. Security teams cannot identify assets that need to be protected without a well-maintained asset inventory.
Not all assets require the same level of attention from security teams. Cyber threat actors are more likely to target valuable and critical assets. Also, they may cause more damage to organizations when compromised. Each asset in the inventory should be tagged with appropriate risk and security classification. Therefore, security teams should prioritize their efforts based on the risk associated with each of their assets.
As organizations expand their operations in the cloud, their attack surface is likely to expand. Unlike traditional IT environments, cloud assets can be deployed instantly with the right credentials. The growing number of assets creates a challenge for security teams to manage their attack surface. Especially internet-exposed assets in the cloud can be abused as an initial access vector. Therefore, organizations need to implement policy on resource deployment, network segmentation, access control, and patch management that upholds security as a priority.
AWS allows organizations to run their own applications and virtual machines in the cloud. The lack of physical devices, such as servers or network equipment, may lead to a false sense of security. However, assets in the cloud may still have vulnerabilities that adversaries can exploit. Organizations should have a vulnerability management policy that defines how to address vulnerable assets in the cloud. Security teams should be quick to identify and patch vulnerabilities before adversaries can abuse them.
As organizations continue to migrate their workloads to the cloud, the need for automated cloud security posture management becomes more prominent. Picus Cloud Security Validation enables you to address cloud security issues before a breach happens. It allows security teams to audit their essential AWS services, identify misconfigured IAM policies, and validate their gaps with simulated attacks. Picus also provides actionable insights to help you address misconfigurations in your AWS environment. Reports and dashboards provided by Picus Cloud Security Validation enable you to track improvements to your cloud security posture and share results.
Amazon Web Services (AWS) continues to grow as a major cloud service provider, and many organizations increasingly use cloud services to run their operations. However, being in the cloud does not eliminate cyber security risks, and organizations are still responsible for ensuring the security of their business. Due to cloud environments' dynamic nature, organizations are advised to track their assets and related vulnerabilities and address identified security gaps continuously.