Digital forensic analysis is critical for investigating and mitigating security incidents in today's dynamic cloud environments. However, conducting post-breach investigations requires precise skills typically honed through on-the-job experiences, a luxury not always available due to the unpredictable nature of breaches.
A more proactive approach is to simulate realistic attack scenarios using adversary emulation. By orchestrating emulated attacks, security teams can practice forensic analysis, gain hands-on experience, and uncover blind spots in their cloud defenses without waiting for an actual incident.
This blog, co-authored by Cado Security and Mitigant, demonstrates how adversary emulation and forensic analysis can be used to understand and investigate cloud-based attacks. Specifically, we simulate an AWS EC2 compromise, explore how attackers move laterally, exfiltrate data from S3 buckets, and showcase practical forensic techniques for investigating these activities.
We also walk through the details of investigating these attacks with modern cloud forensic analysis techniques. These practical lessons matter for SOC teams and other cloud security professionals who defend cloud infrastructure against intruders.
High-Level Illustration of Attack Scenario
Organizations should conduct incident response exercises periodically to understand their attack detection, response, and forensic analysis processes and capabilities. Doing this in practice gives a realistic evaluation of these critical capabilities instead of relying on assumptions that may not hold. A threat scenario involving an AWS EC2 compromise has been formulated to demonstrate this.
The threat model involves ACME, a fictitious fintech that hosts its banking system on AWS. ACME’s CISO, John Doe, wants to evaluate the security team's cloud forensic analysis capabilities. Consequently, he organizes an incident response exercise targeting several AWS services, including EC2 instances, security groups, IAM, and S3.
John uses the following cloud security approaches to achieve his objectives:
Adversary Emulation: Mitigant Cloud Attack Emulation, the most comprehensive cloud-native adversary emulation platform, provides over 100 attacks that align with MITRE ATT&CK and MITRE ATLAS. Security teams leverage Mitigant’s automated adversary platform, which requires straightforward setup and cleans up the target cloud environment after the attacks.
Cloud Forensics Analysis: Cado Security is the provider of the first investigation and response automation platform focused on revolutionizing incident response for the hybrid world. Cado significantly reduces response times by automating data capture, processing, and analysis in cloud, container, serverless, SaaS, and on-premises environments.
Coverage of MITRE ATT&CK and MITRE ATLAS Shown in The Mitigant Cloud Attack Emulation
Adversary Emulation allows security teams to mimic attacker behavior realistically. The Mitigant Cloud Attack Emulation is leveraged as an adversary emulation platform to implement several attacks targeting an AWS account. The attacks are based on several MITRE ATT&CK Techniques, thus providing tangible learning opportunities.
The “Compromised Instance” attack scenario is orchestrated from Mitigant Cloud Attack Emulation. It has two attack actions: Malicious EC2 Enumeration and Server-side Request Forgery (SSRF). These actions demonstrate how attackers can access an EC2 instance, perform discovery operations, move laterally into the AWS account, and exfiltrate sensitive resources from S3 buckets.
Steps for Emulating SSRF and Malicious EC2 Enumeration Attacks
In this attack, the attacker gains unauthorized access and then uses AWS Systems Manager (SSM) Run Command to push shell commands to the SSM agent on the EC2 instance, which executes them with the agent's privileges (root by default on Linux), in order to learn more about the cloud environment. The attack implements the following MITRE ATT&CK techniques: Cloud Administration Command (T1651), Command and Scripting Interpreter: Cloud API (T1059.009), and Cloud Infrastructure Discovery (T1580). Because the AWS CLI invoked by those commands picks up the instance profile's credentials from the instance metadata service, the attacker operates with whatever permissions the instance role holds. The attacker uses this channel to run AWS CLI commands that discover EC2 instances, security groups, VPCs, IAM users, and S3 buckets.
This attack implements Server-Side Request Forgery (SSRF), which gained wide attention after the 2019 Capital One data breach. Unlike the Malicious EC2 Enumeration attack, here the attacker abuses an SSRF flaw in an application on the instance to query the Instance Metadata Service (IMDS) at 169.254.169.254 and retrieves the temporary credentials of the instance's IAM role.
The retrieved credentials carry the permissions attached to the EC2 instance via its instance profile. With these credentials, the attacker first enumerates IAM users and S3 buckets, then finds a bucket containing sensitive data, copies it to the EC2 instance, and finally exfiltrates it out of the AWS account.
This attack implements the following MITRE ATT&CK techniques: Unsecured Credentials: Cloud Instance Metadata API (T1552.005), Cloud Infrastructure Discovery (T1580), and Transfer Data to Cloud Account (T1537).
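The SSRF step above works because the application will fetch any URL a client hands it, including the link-local IMDS address. The following is an added example, not code from the post, from Mitigant or from Cado: a minimal vulnerable fetch next to a hardened one that refuses link-local, private, loopback and reserved targets (covering 169.254.169.254, its decimal form, IPv4-mapped IPv6 forms and DNS names that resolve to it) and refuses redirects, since a 302 from an allowed host to the metadata address would otherwise be followed after the check passed. The hostnames and addresses in `_FAKE_DNS` and the `fake_resolver` are constructed so the check runs offline; the resolver argument is an assumption of this example, not a library feature.

```python
"""SSRF guard for a URL-fetching endpoint (added example, not from the post)."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse


def fetch_vulnerable(url: str) -> bytes:
    # Vulnerable pattern: the client controls the whole URL, so it can point
    # at http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
    # and read the instance role's temporary credentials through the app.
    return urllib.request.urlopen(url, timeout=5).read()


def _is_blocked(addr: str) -> bool:
    """True for any address that should never be reachable from user input."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop an IPv6 scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                           # ::ffff:169.254.169.254
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_target(url: str, resolver=socket.getaddrinfo) -> bool:
    """True only if the scheme is http(s) and every resolved address is public.

    Caveat: resolve-then-connect is a TOCTOU window (DNS rebinding); pin the
    resolved address when connecting, or proxy outbound fetches, for full cover.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        infos = resolver(parsed.hostname, parsed.port)   # same shape as getaddrinfo
    except OSError:
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and not any(_is_blocked(a) for a in addrs)


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    # Without this, an allowed host can 302 the fetcher to the IMDS address.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_hardened(url: str, resolver=socket.getaddrinfo) -> bytes:
    if not is_safe_target(url, resolver):
        raise ValueError("refusing to fetch non-public target: %s" % url)
    opener = urllib.request.build_opener(_RefuseRedirects)
    return opener.open(url, timeout=5).read()


# Constructed offline stand-in for DNS (assumption of this example).
_FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],             # public address: allowed
    "metadata-alias.example": ["169.254.169.254"],  # name pointing at IMDS
    "2852039166": ["169.254.169.254"],              # decimal form of the IMDS IP
    "internal.acme.example": ["10.20.0.5"],         # private VPC address
    "v6.example": ["::ffff:169.254.169.254"],       # IPv4-mapped IPv6 form
}


def fake_resolver(host, port):
    """Mimics getaddrinfo: literal IPs pass through, names come from _FAKE_DNS."""
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        if host not in _FAKE_DNS:
            raise socket.gaierror("name not known")
        addrs = _FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port or 80)) for a in addrs]


if __name__ == "__main__":
    for u in ("http://api.partner.example/report",
              "http://metadata-alias.example/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/"):
        print(u, "->", "allowed" if is_safe_target(u, fake_resolver) else "blocked")
```

The guard is defence in depth at the application layer. On the instance itself, requiring IMDSv2 (a PUT for a session token before any metadata read) and keeping the hop limit at 1 stops the single-request variant shown here, because a forwarded GET through a web application cannot complete the token exchange.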
Detailed Steps for Emulating the Malicious EC2 Enumeration Attack
Detailed Steps for Emulating the Server-Side Request Forgery Attack
Cloud Forensic Analysis
We imported the compromised system into the Cado Platform as an EBS snapshot. This triggers several analysis pipelines - to extract and index all files, run detection content, and perform various analysis steps:
The Insights tab gives a quick overview of some potentially suspicious activities:
Jumping over to the more detailed search pane, we can see the logs and other forensic artifacts that have been processed. In particular, there is a large amount of activity from the SSM agent (AWS Systems Manager):
Extracting the commands that were executed over SSM, we can see some suspicious activity:
Moving across the timeline, we can review all of the events, which show the attacker listing IAM users and access keys, retrieving security credentials from the local instance metadata service, and creating a directory to stage data for exfiltration.
The raw shell scripts that SSM executes are also persisted on disk, and we can see in the event below a colleague has made some notes on this event:
Let’s click the filename and view the actual file contents:
Here, we can analyze the contents of any files across the system. Browsing to the “/tmp” folder, we also see activity related to what we’ve seen earlier from the SSM logs:
This is a quick overview of how to review SSM activity using static disk analysis in particular. Cado can also import additional data relating to SSM activity and other cloud access from sources such as CloudWatch and CloudTrail.
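The same review can be scripted when the Cado platform is not at hand. Below is an added example, not Cado's or Mitigant's code and not from the post, that triages the Run Command scripts the SSM agent persists on disk (the artifacts used in both the Malicious EC2 Enumeration step and the disk review above) and tags each suspicious command with the ATT&CK technique the post assigns to it. It assumes the disk image is mounted read-only under a root directory and that the agent kept each invocation at `var/lib/amazon/ssm/<instance-id>/document/orchestration/<command-id>/awsrunShellScript/<step>/_script.sh`; adjust `SSM_SCRIPT_GLOB` if your agent version lays the tree out differently. The three scripts in `SAMPLE_COMMANDS` are constructed, not captured from the exercise.

```python
"""Triage SSM Run Command scripts from a mounted disk image (added example)."""
import re
import tempfile
from pathlib import Path

# Path layout is an assumption of this example; widen the glob if it differs.
SSM_SCRIPT_GLOB = "var/lib/amazon/ssm/*/document/orchestration/*/awsrunShellScript/*/_script.sh"

# (label, ATT&CK id as used in the post or None, pattern). The post folds IAM
# listing into T1580; a staging directory on its own gets no technique id here.
RULES = [
    ("imds-credential-read", "T1552.005",
     re.compile(r"169\.254\.169\.254/latest/meta-data/iam/security-credentials")),
    ("iam-enumeration", "T1580",
     re.compile(r"\baws\s+iam\s+(list-users|list-access-keys|list-roles|get-user)\b")),
    ("cloud-discovery", "T1580",
     re.compile(r"\baws\s+(ec2\s+describe-(instances|security-groups|vpcs)"
                r"|s3\s+ls|s3api\s+list-buckets)\b")),
    ("s3-copy-to-instance", "T1537",
     re.compile(r"\baws\s+s3\s+(cp|sync)\s+s3://\S+\s+/\S+")),
    ("staging-directory", None,
     re.compile(r"\bmkdir\b.*\s/tmp/\S+")),
]


def triage_script(text: str):
    """Return one finding per (line, rule) match, skipping blanks and comments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        for label, technique, rx in RULES:
            if rx.search(cmd):
                findings.append({"line": lineno, "label": label,
                                 "technique": technique, "cmd": cmd})
    return findings


def triage_image(image_root):
    """Walk the SSM orchestration tree and attribute findings to instance/command."""
    root = Path(image_root)
    results = []
    for script in sorted(root.glob(SSM_SCRIPT_GLOB)):
        parts = script.relative_to(root).parts      # var lib amazon ssm <inst> ...
        instance_id, command_id = parts[4], parts[7]
        for f in triage_script(script.read_text(errors="replace")):
            f.update(instance=instance_id, command=command_id, path=str(script))
            results.append(f)
    return results


# Constructed sample Run Command scripts (not real captures).
SAMPLE_COMMANDS = {
    "11111111-aaaa-4bbb-8ccc-000000000001":
        "#!/bin/bash\n"
        "aws ec2 describe-instances --region us-east-1\n"
        "aws ec2 describe-security-groups --region us-east-1\n"
        "aws iam list-users\n",
    "11111111-aaaa-4bbb-8ccc-000000000002":
        "#!/bin/bash\n"
        "aws iam list-access-keys\n"
        "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/\n"
        "mkdir -p /tmp/loot\n"
        "aws s3 cp s3://acme-customer-records /tmp/loot --recursive\n",
    "11111111-aaaa-4bbb-8ccc-000000000003":
        "#!/bin/bash\nsudo yum update -y\n",   # benign admin use, should not fire
}


def build_sample_image(image_root, instance_id="i-0123456789abcdef0"):
    """Write the constructed scripts into the assumed on-disk layout."""
    base = Path(image_root) / "var/lib/amazon/ssm" / instance_id / "document/orchestration"
    for cmd_id, body in SAMPLE_COMMANDS.items():
        step_dir = base / cmd_id / "awsrunShellScript" / "0.awsrunShellScript"
        step_dir.mkdir(parents=True, exist_ok=True)
        (step_dir / "_script.sh").write_text(body)
    return image_root


def run_demo():
    """Build the sample tree in a temp dir and triage it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return triage_image(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['command'][-4:]}  line {f['line']:<2} {f['label']:<22} "
              f"{f['technique'] or '-':<10} {f['cmd']}")
```

Run it against a real mount by calling `triage_image("/mnt/evidence")` instead of `run_demo()`. The rules are deliberately narrow so that routine patching (the third sample script) produces no noise; extend `RULES` with whatever your own CloudTrail or CloudWatch review shows the attacker doing, and pair each finding's `command` id with the matching `ssm:SendCommand` event in CloudTrail to recover who issued it and from where.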
There are several lessons to be learned from the attack emulation and forensics analysis:
Ensure the incident readiness of your security team today by leveraging state-of-the-art cloud forensic services and frequently conducting incident response exercises. Contact Cado Security here and sign up for a FREE Mitigant Cloud Security Platform trial here.