
Three Cyberthreats AWS Log Data Doesn't Show You

There are many cyber threats not detected by examining configuration vulnerabilities. Read about the three cyber threats that AWS log data and tools don't show you.

There's nothing more satisfying to a security-conscious Amazon Web Services client than the gift of configuration controls.

With AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, Amazon Web Services (AWS) automatically indexes network metadata. AWS Config then creates and enforces configurations. Finally, in comes Amazon Inspector to audit virtual server configurations and identify weak spots in applications. A report is generated that provides recommendations for where security can be improved, and voila – you're now guarded against:

  1. Known deviations from preset configurations

  2. Inadequate enforcement of security standards

  3. Non-compliance

However, there are many cyber threats not detected by examining configuration vulnerabilities. Here are three cyber threats that AWS log data and tools don't show you. You're not guarded against:

1. Persistent threats

Network breaches occur in stages. A would-be attacker must establish a foothold by exploiting some vulnerability, move laterally to a valuable target, and then exfiltrate data or implant malware.

Raw flow logs will tell you about individual connections and attempts, but they won’t show you behavior changes and patterns. The logs might show you there’s a single break-in attempt from a foreign machine, but no single log line will tell you that this has happened every day for the last three days.

Endpoint modeling is good at identifying “new” things – the discovery phase of the attack – and “persistent” things – the probing-for-a-foothold phase of the attack. When a new interaction becomes persistent, you will get an alert so you can react before things proceed further.

So although VPC Flow Logs and the AWS resource description APIs are excellent data sources, in isolation they aren’t able to spot threats that unfold over time.

2. Compromised accounts

Identity and access management (IAM) tools are useful until a hacker obtains login credentials for applications living in your AWS network. Thanks to VPC Flow Logs and Amazon CloudWatch, every connection via every endpoint is logged.


Again, a logged connection on its own means nothing as long as no configured rule is broken. We realize that the beauty of your cloud-based applications is that they're accessible on the go, allowing for uninhibited productivity and collaboration. It's hardly unusual for a new device to make a connection, especially for mid-market and larger organizations with a spread-out workforce and client base. AWS Config and Amazon Inspector know this, too. What they don't know is how to differentiate between a legitimate user session and a hacker who has stolen account credentials and intends to exfiltrate sensitive data.

Fortunately, because every endpoint connection is logged and time-stamped – and because all subsequent activities are also logged – the metadata is a map through the mayhem. Analyze this metadata on an ongoing basis, determine a model for standard behavior, detect when there's a deviation from this behavior, and only then can you respond to threats swiftly.
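The "new" and "persistent" detections described in sections 1 and 2 can be illustrated on raw flow-log lines. The following is an added example, not code from the original post or from Observable; it parses constructed VPC Flow Log records in the default version-2 format, builds a baseline from an earlier day, and flags interactions that are new relative to that baseline and then recur on consecutive days (the day-number 17107 baseline cutoff and the sample addresses are constructed).

```python
from collections import defaultdict
# Constructed VPC Flow Log records in the default version-2 format: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.5 40000 5432 6 20 4000 1478044800 1478044900 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51515 22 6 3 180 1478131200 1478131230 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.5 40001 5432 6 20 4000 1478131300 1478131400 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51516 22 6 3 180 1478217600 1478217630 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.5 40002 5432 6 20 4000 1478217700 1478217800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51517 22 6 3 180 1478304000 1478304030 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 40003 443 6 50 9000 1478304300 1478304400 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1478304500 1478304600 - NODATA
"""

def parse_flow_log(text):
    """Parse default-format lines into dicts; skip NODATA/SKIPDATA and malformed records."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        # 'start' is epoch seconds; integer-divide by 86400 to get a UTC day number
        records.append({"src": f[3], "dst": f[4], "dport": int(f[6]),
                        "action": f[12], "day": int(f[10]) // 86400})
    return records

def days_seen(records):
    """Map each (src, dst, dport) interaction to the set of UTC day numbers it appeared on."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], r["dst"], r["dport"])].add(r["day"])
    return seen

def longest_daily_run(days):
    """Longest run of consecutive day numbers (3 means 'every day for the last three days')."""
    best, run, prev = 0, 0, -2
    for d in sorted(days):
        run = run + 1 if d == prev + 1 else 1
        best, prev = max(best, run), d
    return best

def new_interactions(records, baseline_end_day):
    """Interactions never observed up to and including baseline_end_day: the 'new' things."""
    return {k: d for k, d in days_seen(records).items() if min(d) > baseline_end_day}

def new_and_persistent(records, baseline_end_day, min_days=3):
    """New interactions that then recur on min_days consecutive days: the alert condition."""
    return {k: longest_daily_run(d) for k, d in new_interactions(records, baseline_end_day).items()
            if longest_daily_run(d) >= min_days}

if __name__ == "__main__":
    for (src, dst, port), run in new_and_persistent(parse_flow_log(SAMPLE_FLOW_LOGS), 17107).items():
        print(f"ALERT: new interaction {src} -> {dst}:{port} seen on {run} consecutive days")
```

Note that the recurring database connection is persistent but not new, and the outbound 443 connection is new but not yet persistent; only the repeated rejected SSH attempts from the outside address meet both conditions.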

3. Internet-of-Things Overrides

In late October, the Internet of Things (IoT) came to life, and bombarded a DNS company, Dyn, with requests. Because of what was cited as one of the most colossal distributed denial-of-service attacks of its kind, Dyn was unable to route legitimate web requests, causing downtime for some of the biggest names in industry, including Netflix, Twitter, Spotify and Amazon.

The attack was possible because of a type of malware called Mirai, which commandeered IoT devices that still had default passwords, and forced them to issue connection requests toward Dyn.

Here's the terrifying part of this incident: IoT devices connected through an AWS network may make millions of online connections every day. Again, this is the type of activity that AWS Config can govern, within reason. But the moment a hacker tells those devices to do something they've never done before, be it to join a botnet army bent on breaking almost half of the internet, or something much worse, you're basically on your own.

Unless, of course, you have a system in place that can automatically flag this behavior as anomalous. Our newly named Observable Cloud solution’s learning algorithms use network metadata to glean a more holistic understanding of an endpoint's role, so the moment it goes off course, you'll know about it. When all's said and done, your configurations can only tell you how endpoints should be behaving. To know what they're actually doing, and further, to diagnose threatening activity, requires endpoint modeling.


Experience Dynamic Endpoint Modeling on your own network

Protecting your AWS infrastructure by identifying insider and external threats faster couldn't be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.