'CloudTrail Logging Internals: A Methodology For Investigating AWS Security Incidents' - Eliav Levy

Eliav Levy is a lead security researcher at Hunters, where he has been researching different attack surfaces - and mainly AWS. Prior to working at Hunters, he was in the Israeli Military Intelligence unit 8200 for five years.

Abstract: Any organization with cloud resources must develop investigation capabilities for cloud-related security incidents. When investigating security incidents and threat hunting signals in the AWS control plane, questions like “what happened in this AWS session?” and “what exactly did the user do?” are critical for determining whether the suspected activity is benign, or if it seems malicious and requires deeper investigation.

Understanding which services the actor used in the session, which resources they interacted with, and what they did with those resources gives crucial context to the analyst or forensic investigator. However, these questions turn out to be much harder to answer than one would expect.

The talk presents an investigation methodology for control plane security incidents and demonstrates it on a GuardDuty alert, while diving into the technical aspects of CloudTrail logging that concern user sessions, identity-pivoting actions, web console activity and event-specific actions. The demonstration shows how these technical details can be used to answer the questions above, and how they enable and speed up investigations.
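The core of the methodology described above is reconstructing a session from raw CloudTrail records: grouping events by the credential that issued them, following `AssumeRole` pivots into the new temporary credentials they mint, flagging web console activity, and summarising which services and resources were touched. The following Python script is an added example written for this page, not code from the talk or from Hunters. The field names (`userIdentity.accessKeyId`, `responseElements.credentials.accessKeyId`, `eventSource`, `readOnly`, `resources[].ARN`) follow the documented CloudTrail record format; the sample events are constructed, and the console-detection rule based on `signin.amazonaws.com` and the `console.amazonaws.com` user agent is a heuristic assumption, not a guarantee.

```python
"""Reconstruct "what happened in this AWS session?" from CloudTrail records.

Added example, not the talk's own code. Sample events below are constructed.
"""
import json

# Assumption: user agents that indicate API calls driven by the web console.
CONSOLE_AGENTS = ("console.amazonaws.com", "AWS Internal")

# Constructed sample: a console login, a read-only call from the console session,
# an AssumeRole pivot, then write activity under the new temporary credentials.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0", "responseElements": {"ConsoleLogin": "Success"},
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                      "arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": ""}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "ASIAEXAMPLECONSOLE1"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "readOnly": True, "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin",
                           "roleSessionName": "alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEPIVOT002"},
                          "assumedRoleUser": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "ASIAEXAMPLECONSOLE1"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.13.0", "requestParameters": {"bucketName": "corp-data"},
     "resources": [{"ARN": "arn:aws:s3:::corp-data"}],
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLEPIVOT002"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.13.0", "requestParameters": {"userName": "backup-svc"},
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLEPIVOT002"}},
]


def session_key(event):
    """Credential that issued the call; ConsoleLogin carries no access key, so fall back to the principal."""
    ident = event.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("principalId", "unknown")


def is_console_activity(event):
    """Heuristic: sign-in events and console-originated API calls (assumption, see CONSOLE_AGENTS)."""
    if event.get("eventSource") == "signin.amazonaws.com":
        return True
    return event.get("userAgent", "").startswith(CONSOLE_AGENTS)


def _new_session(key, identity):
    return {"key": key, "identity": identity, "events": [], "parent": None, "children": [], "console": False}


def build_sessions(events):
    """Group events per credential and link AssumeRole pivots to the credentials they create."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = session_key(ev)
        s = sessions.setdefault(key, _new_session(key, ev["userIdentity"].get("arn")))
        s["identity"] = s["identity"] or ev["userIdentity"].get("arn")
        s["events"].append(ev)
        s["console"] = s["console"] or is_console_activity(ev)
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole":
            resp = ev.get("responseElements") or {}
            child_key = (resp.get("credentials") or {}).get("accessKeyId")
            if child_key:  # the minted key is the identity-pivot link
                child = sessions.setdefault(
                    child_key, _new_session(child_key, (resp.get("assumedRoleUser") or {}).get("arn")))
                child["parent"] = key
                s["children"].append(child_key)
    return sessions


def pivot_chain(sessions, key):
    """Walk parents back to the root credential, e.g. [console key, assumed-role key]."""
    chain = [key]
    while sessions[chain[-1]]["parent"]:
        chain.append(sessions[chain[-1]]["parent"])
    return list(reversed(chain))


def summarize(session):
    """Answer 'which services, which resources, what was changed' for one session."""
    evs = session["events"]
    resources = {r["ARN"] for e in evs for r in (e.get("resources") or []) if r.get("ARN")}
    return {
        "key": session["key"], "identity": session["identity"], "console": session["console"],
        "parent": session["parent"], "children": session["children"],
        "services": sorted({e["eventSource"].split(".")[0] for e in evs}),
        "resources": sorted(resources),
        "write_calls": [e["eventName"] for e in evs if e.get("readOnly") is False],
        "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
    }


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_EVENTS)
    for key in sessions:
        print(" -> ".join(pivot_chain(sessions, key)))
        print(json.dumps(summarize(sessions[key]), indent=2))
```

Run against a real export by loading the `Records` array of each CloudTrail file into `build_sessions`; the write-call list and source-IP set of a pivoted session are usually the first things to compare against the GuardDuty finding that started the investigation.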
