Seeking an expert in AWS threat hunting
The customers were a CISO (Chief Information Security Officer) and a Deputy CISO. They needed a partner with proven strength in cloud threat hunting and deep knowledge of the AWS environment, including the opportunities a threat actor may exploit there, to root out any damaging exfiltration activity that might still be under way.
Mitiga leverages IR2 to conduct the hunts
Mitiga’s investigation centered on identifying both old and new tactics, techniques, and procedures (TTPs) that a threat actor could have used to gain persistence, developing attack scenario variants based on the attacker’s previous TTPs, and performing a series of attacks specifically geared towards the enterprise’s AWS environment. The IR2 platform’s Managed Threat Hunting was used for the task. Specifically, Mitiga’s research team leveraged IR2’s Cloud Attack Scenario Library (CASL), which reflects Mitiga’s growing body of cloud threat intelligence, and further enriched CASL and informed the hunt by querying industry intelligence sources, dark web forums, and underground markets. We term this approach to hunting “forensics as code.”
Providing the Quick Insights that Create Peace of Mind
Within one week of being engaged, Mitiga’s AWS threat hunt concluded that no additional leaks or indicators of compromise had occurred before, during, or after the given timespan, helping the customer feel confident that they could move forward from the earlier incidents. We used our proprietary threat-likelihood rating system to determine that it was “Highly Unlikely” that the attacker had regained persistence. Coming back with answers so quickly exceeded the customers’ expectations and allowed them to regain focus on their primary business objectives.