Threat Hunting Primer - Section 2: AWS Primer - Threat Hunting Products
AWS Cloud Threat Hunting
AWS provides a rich set of security and observability services across identity, compute, networking, and serverless layers. Threat hunters can ingest telemetry from these services into Elastic AI or other SIEM/SOAR platforms, and build custom Lambda-based detectors for real-time analytics.
Key Security and Observability Tools
| Service | Description | Threat Hunting Use Cases |
|---|---|---|
| CloudTrail | Captures all API calls and events within AWS | Detect privilege escalation, IAM changes, new service usage |
| VPC Flow Logs | Logs IP traffic going to/from network interfaces | Track lateral movement, detect beaconing, data exfiltration |
| GuardDuty | ML-based threat detection engine | Monitor for compromised instances, unusual login locations |
| AWS Lambda | Serverless function service with event-driven triggers | Execute detection logic on the fly with minimal infrastructure |
| AWS Config | Tracks resource configuration history and drift | Detect insecure configurations, noncompliant IAM policies |
| Security Hub | Central dashboard for findings from AWS services | Correlate findings across CloudTrail, GuardDuty, Inspector |
| Detective | Graph-based threat analysis of logs and behaviors | Investigate incidents like credential misuse, role assumptions |
Example: Lambda Function to Detect Public EC2 AMIs
```python
import logging

def raise_alert(message):
    logging.getLogger().warning(message)  # wire to SNS/Security Hub/SIEM in production

def lambda_handler(event, context):
    detail = event.get("detail", {})
    if detail.get("eventName") != "ModifyImageAttribute":
        return
    params = detail.get("requestParameters") or {}
    # CloudTrail nests the public grant under launchPermission.add.items
    items = params.get("launchPermission", {}).get("add", {}).get("items", [])
    if {"group": "all"} in items:
        raise_alert(f"EC2 AMI {params.get('imageId')} made public")
```
MITRE ATT&CK Mapping (AWS)
| Tactic | Technique | AWS Source | Detection Strategy |
|---|---|---|---|
| Initial Access | T1078 - Valid Accounts | CloudTrail | Login events from unknown IPs or geographies |
| Persistence | T1098 - Account Manipulation | IAM API Events | Unauthorized user additions to privileged groups |
| Defense Evasion | T1070 - Indicator Removal | CloudTrail, S3 | Disabling or deleting logging configurations |
| Exfiltration | T1041 - Exfiltration Over C2 Channel | VPC Flow Logs | Outbound traffic to rare foreign IPs |
Elastic AI Integration (AWS)
You can use Filebeat or Elastic Agent to stream logs from CloudTrail, GuardDuty, and VPC Flow Logs into Elastic. Here’s a sample detection query that selects high-severity GuardDuty findings (severity 7 and above) from the AWS module:
```json
{
  "query": {
    "bool": {
      "must": [
        { "match": { "event.module": "aws" } },
        { "match": { "aws.service.name": "guardduty" } },
        { "range": { "aws.guardduty.severity": { "gte": 7 } } }
      ]
    }
  }
}
```
Suggested AWS Threat Hunting Queries
You can use these indicators across your security stack:
| Behavior | Service | Sample Indicator |
|---|---|---|
| Suspicious EC2 launch from Tor exit node | CloudTrail | sourceIPAddress in known_tor_ips |
| IAM user adding new Admin policy | CloudTrail | PutUserPolicy + AdministratorAccess |
| Outbound DNS to rare domain | VPC Flow Logs + Route53 | *.xyz or *.top domains with no previous history |
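The two tables above (the ATT&CK mapping and the suggested queries) describe detection strategies in words. The following is an added example, not code from the primer, showing what those strategies look like as detection logic run over sample telemetry: a rule set that maps CloudTrail records to the T1078, T1098 and T1070 rows and to the Tor-launch indicator, plus a VPC Flow Log parser that implements the "outbound traffic to rare foreign IPs" strategy for T1041 as "accepted, high-volume traffic from the VPC to an external address not in a baseline". All records, flow lines, IPs and the allow-lists (`KNOWN_ADMIN_IPS`, `TOR_EXIT_IPS`, `PRIVILEGED_GROUPS`, `VPC_CIDRS`) are constructed placeholders; in a real deployment they would come from your own inventory and a threat-intel feed. The "PutUserPolicy + AdministratorAccess" indicator is widened slightly: `AdministratorAccess` is a managed policy attached with `AttachUserPolicy`, while `PutUserPolicy` writes an inline document, so both forms are checked.

```python
import ipaddress
import json
from collections import Counter
from urllib.parse import unquote

# Reference data. All IPs are documentation ranges and all records are constructed for this example.
TOR_EXIT_IPS = {"198.51.100.7"}             # stand-in for a Tor exit-node feed
KNOWN_ADMIN_IPS = {"203.0.113.10"}          # stand-in for the corporate egress allow-list
PRIVILEGED_GROUPS = {"Administrators"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutBucketLogging", "DeleteBucket"}
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]

FULL_ADMIN_DOC = json.dumps({"Version": "2012-10-17",
                             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})

CLOUDTRAIL_RECORDS = [  # constructed, trimmed to the fields the rules read
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"}},
    {"eventName": "AddUserToGroup", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupName": "Administrators", "userName": "bob"}},
    {"eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY_ARN}},
    {"eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "bob", "policyName": "inline", "policyDocument": FULL_ADMIN_DOC}},
    {"eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "main-trail"}},
    {"eventName": "RunInstances", "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]

def grants_full_admin(policy_document):
    """True if an (optionally URL-encoded) IAM policy document allows Action '*' on Resource '*'."""
    try:
        doc = json.loads(unquote(policy_document))
    except (TypeError, ValueError):
        return False
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False

def classify(record):
    """Map one CloudTrail record to the behaviours in the tables above. Returns [(label, reason), ...]."""
    name, src = record.get("eventName"), record.get("sourceIPAddress", "")
    params = record.get("requestParameters") or {}
    user = params.get("userName", record.get("userIdentity", {}).get("userName"))
    hits = []
    if name == "ConsoleLogin" and src not in KNOWN_ADMIN_IPS:
        hits.append(("T1078", f"console login by {user} from unknown IP {src}"))
    if name == "AddUserToGroup" and params.get("groupName") in PRIVILEGED_GROUPS:
        hits.append(("T1098", f"{user} added to privileged group {params['groupName']}"))
    if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
        hits.append(("T1098", f"AdministratorAccess attached to {user}"))
    if name == "PutUserPolicy" and grants_full_admin(params.get("policyDocument")):
        hits.append(("T1098", f"inline full-admin policy put on {user}"))
    if name in LOGGING_TAMPER_EVENTS:
        hits.append(("T1070", f"{name} on {params.get('name') or params.get('bucketName')}"))
    if name == "RunInstances" and src in TOR_EXIT_IPS:
        hits.append(("tor-ec2-launch", f"RunInstances from Tor exit node {src}"))
    return hits

def hunt(records):
    """Run classify() over a batch of records; returns [(label, eventName, reason), ...]."""
    return [(label, rec["eventName"], reason) for rec in records for label, reason in classify(rec)]

# VPC Flow Log lines in the default v2 format (constructed): two large transfers to an unseen external host.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 192.0.2.200 51000 443 6 3000 52428800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 192.0.2.200 51002 443 6 2900 50000000 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 192.0.2.10 51004 443 6 400 6000000 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 198.51.100.99 51003 443 6 5 600 1700000120 1700000180 REJECT OK
"""

def parse_flow_log(text):
    """Yield one dict per well-formed default-format line; skips headers and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FLOW_FIELDS) and parts[0] == "2":
            rec = dict(zip(FLOW_FIELDS, parts))
            rec["bytes"] = int(rec["bytes"])
            yield rec

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in VPC_CIDRS)

def rare_outbound_destinations(text, baseline_dsts, min_bytes=10_000_000):
    """Accepted bytes from VPC hosts to external IPs, keeping destinations absent from the baseline."""
    totals = Counter()
    for rec in parse_flow_log(text):
        if rec["action"] == "ACCEPT" and is_internal(rec["srcaddr"]) and not is_internal(rec["dstaddr"]):
            totals[rec["dstaddr"]] += rec["bytes"]
    return {dst: b for dst, b in totals.items() if dst not in baseline_dsts and b >= min_bytes}
```

Calling `hunt(CLOUDTRAIL_RECORDS)` yields one finding per matching record (the benign `DescribeInstances` produces none), and `rare_outbound_destinations(FLOW_LOGS, {"192.0.2.10"})` flags only the unseen destination that crossed the byte threshold; the rejected flow and the baselined destination are dropped. Internal versus external is decided against explicit VPC CIDRs rather than `ipaddress.is_private`, both because documentation ranges are classified as non-global by the standard library and because a hunt should reason about the account's own address plan.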