Title
AWS re:Invent 2023 - The AWS data-driven perspective on threat landscape trends (SEC236)
Summary
- Ryan Holland from the Amazon GuardDuty team and Paul from the Shield Threat Research Team presented on threat trends and AWS's approach to threat research.
- AWS aims to make itself an unattractive target for bad actors by analyzing inbound traffic for anomalies and using the findings to enhance security features.
- The team has observed a roughly constant number of DDoS events year over year, but the mix has shifted: application-layer (Layer 7) attacks are now the majority rather than network-layer floods.
- AWS tracks the sources of DDoS attacks and feeds them into a managed IP reputation list used for mitigation; the same list is offered to customers, for example as the Amazon IP reputation list managed rule group in AWS WAF.
- MadPot, AWS's globally distributed honeypot system for collecting threat intelligence, is integral to AWS's security strategy.
- AWS collaborates with other internet entities to take down malicious infrastructure, driving up the cost for bad actors.
- GuardDuty is a threat detection service that monitors for compromised instances and identities, combining threat intelligence feeds, machine learning on account and network activity, and malware scanning.
- The most common post-compromise activities observed are crypto mining, pivoting from compromised instances to attack further targets, and launching denial-of-service attacks.
- Adversaries are increasingly using DNS evasion techniques to avoid DNS-based detection (for example, pointing a compromised instance at a resolver other than the VPC's own, or using DNS over HTTPS or TLS), prompting AWS to add new GuardDuty findings for unusual DNS behavior.
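The last two points above are the ones a detection engineer can act on directly. The following is an added example, not code from the session or from AWS: it runs two simple checks over constructed log data. The first matches Route 53 Resolver query-log records against a hypothetical mining-pool domain list (stand-in for a threat-intel feed). The second looks in VPC Flow Logs for DNS that bypasses the VPC resolver: plain DNS to any other address, or DNS over TLS on port 853. That second check matters because GuardDuty's DNS-based findings are built on queries that pass through the Route 53 Resolver, so traffic to an outside resolver never appears in the data GuardDuty is looking at. The log lines, the VPC CIDR `10.0.0.0/16`, the ENI and instance IDs and the domain list are all constructed for the example.

```python
"""Added example: two DNS-centred checks over constructed AWS log data.

1. Resolver query log  -> query names matching a (hypothetical) mining-pool list.
2. VPC Flow Log        -> DNS sent anywhere but the VPC resolver, or DNS over TLS.
"""
import ipaddress
import json

# Constructed, hypothetical domain list standing in for a threat-intel feed.
MINING_POOL_DOMAINS = {"pool.example-miner.net", "xmr.example-pool.org"}

# Route 53 Resolver is also reachable on this link-local address inside every VPC.
AMAZON_DNS_LINK_LOCAL = "169.254.169.253"

# Constructed VPC Flow Log lines in the default (version 2) format.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 41234 53 17 1 76 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 8.8.8.8 41235 53 17 3 228 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 9.9.9.9 41236 853 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.2.20 169.254.169.253 41237 53 17 1 76 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.2.20 10.0.1.10 41238 443 6 10 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e9f8a7b - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed Route 53 Resolver query-log records (a subset of the real fields).
QUERY_LOG = """\
{"query_timestamp":"2023-11-28T10:00:00Z","query_name":"repo.example.com.","query_type":"A","srcaddr":"10.0.1.10","srcids":{"instance":"i-0123456789abcdef0"}}
{"query_timestamp":"2023-11-28T10:00:05Z","query_name":"xmr.example-pool.org.","query_type":"A","srcaddr":"10.0.2.20","srcids":{"instance":"i-0fedcba9876543210"}}
{"query_timestamp":"2023-11-28T10:00:07Z","query_name":"eu1.pool.example-miner.net.","query_type":"A","srcaddr":"10.0.2.20","srcids":{"instance":"i-0fedcba9876543210"}}
"""

FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Return the OK-status records of a default-format flow log as dicts."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA/SKIPDATA rows carry '-' placeholders
            records.append(rec)
    return records


def vpc_resolver_ip(vpc_cidr):
    """Route 53 Resolver's address in a VPC is the base of the VPC CIDR plus two."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


def find_dns_evasion(flow_records, vpc_cidr):
    """Flag DNS that bypasses the VPC resolver: plain DNS elsewhere, or DNS over TLS.

    DNS over HTTPS looks like any other HTTPS flow here, so it needs a
    destination-reputation list or TLS inspection instead and is not covered.
    """
    allowed = {vpc_resolver_ip(vpc_cidr), AMAZON_DNS_LINK_LOCAL}
    seen, findings = set(), []
    for r in flow_records:
        proto, dport = r["protocol"], r["dstport"]        # 6 = TCP, 17 = UDP
        if dport == "53" and proto in ("6", "17") and r["dstaddr"] not in allowed:
            kind = "UnusualDNSResolver"
        elif dport == "853" and proto == "6":
            kind = "DNSoverTLS"
        else:
            continue
        key = (kind, r["interface_id"], r["dstaddr"])    # one finding per ENI/destination
        if key in seen:
            continue
        seen.add(key)
        findings.append({"type": kind, "eni": r["interface_id"],
                         "src": r["srcaddr"], "dst": r["dstaddr"]})
    return findings


def find_threat_intel_hits(query_log_text, threat_domains=MINING_POOL_DOMAINS):
    """Match resolver query names against a domain list, subdomains included."""
    hits = []
    for line in query_log_text.strip().splitlines():
        rec = json.loads(line)
        qname = rec["query_name"].rstrip(".").lower()
        for domain in threat_domains:
            if qname == domain or qname.endswith("." + domain):
                hits.append({"instance": rec["srcids"].get("instance"),
                             "query_name": qname, "matched": domain})
                break
    return hits


if __name__ == "__main__":
    for f in find_dns_evasion(parse_flow_log(FLOW_LOG), "10.0.0.0/16"):
        print("evasion:", f)
    for h in find_threat_intel_hits(QUERY_LOG):
        print("threat-intel:", h)
```

On the sample data the flow-log check reports the instance behind `eni-0a1b2c3d` for plain DNS to `8.8.8.8` and DNS over TLS to `9.9.9.9`, while its query to `10.0.0.2` and the other instance's query to `169.254.169.253` are treated as normal. The query-log check reports both pool lookups from `i-0fedcba9876543210`. Note what each data source cannot see: the resolver query log never contains the bypassed queries, and the flow log cannot separate DNS over HTTPS from ordinary HTTPS, which is why reputation data on the destination still matters.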
Insights
- AWS's security strategy involves proactive threat research, leveraging data from its vast network to identify and mitigate threats.
- The shift from network-layer to application-layer DDoS attacks shows adversaries adapting: Layer 7 floods need far less bandwidth than volumetric attacks to exhaust a target, so AWS has to defend with request-level analysis rather than packet volume alone.
- The use of honeypots (MadPot) gives AWS a global view of threat trends, which it uses both to protect its own network and to warn customers of potential threats.
- AWS's collaborative efforts with other internet players for takedown requests highlight the importance of industry cooperation in combating cyber threats.
- GuardDuty's expansion to include more AWS services and its use of machine learning and threat intelligence reflects AWS's commitment to comprehensive threat detection.
- The real-world test with a misconfigured EKS cluster shows how quickly adversaries find and exploit exposed misconfigurations, which argues for continuous monitoring rather than periodic review.
- The trend of adversaries using DNS evasion techniques to slip past DNS-based detections in services like GuardDuty underscores that detection coverage must keep pace with changes in attacker tradecraft.