SOAR Use Case: Threat Hunting – Detecting Exposed AWS Keys
As the need for rapid deployment, scalability and operational flexibility with modern information technology grows, organizations are increasingly turning to cloud-based infrastructure-as-a-service (IaaS) to meet their technology needs more cost effectively and efficiently. But the way many cloud-based IaaS environments are architected creates shared vulnerabilities that allow malicious access to a resource or service to easily escalate to account level access. This allows an attacker extensive access within an account that can easily go unnoticed. For example, temporary keys extracted from a compromised host could be used to gain API access to other services for that account. Once access is granted, an attacker would have extensive access to the complete environment that few organizations are looking for actively.
Devo SOAR playbooks can automatically detect and respond to this type of activity and help expedite response in multiple ways. When Amazon detects exposed AWS API keys, they send an email notifying the appropriate resources. Devo SOAR can continuously watch for those emails and when one is received, can automatically pull the API key from the email and disable it to prevent it from being used in an attack. Devo SOAR can also automatically hunt for exposed keys on repositories like Github or Pastebin and then notify the appropriate personnel while disabling the exposed key. And Devo SOAR can also use machine learning to baseline normal activity tied to the use of AWS API keys to automatically detect and respond to malicious activity.
Related Use Cases