Slide 1

How Effective (Not How Hopeful) Is Your Cloud Detection & Response Capability? Hope is NOT a strategy! @run2obtain

Slide 2

Effective Cloud Detection & Response (CDR) capabilities play a vital role in promptly identifying and responding to security incidents.

Slide 3

The ROI of early attack detection & swift response is HUGE!
• Cost savings: post-breach investigations, fines from regulatory institutions, ...
• Quick & reliable incident response
• Safeguard enterprise reputation
• Confidence in your capabilities
• Happy customers
• ...

Slide 4

CDR mechanisms are challenged by the rapid evolution of cloud infrastructure and the fast-paced threat landscape. The absence of alerts does not imply all is well ... neither does an abundance of alerts imply effectiveness (alert fatigue is REAL).

Slide 5

Since HOPE is NOT a strategy, assumptions about CDR effectiveness should be practically and continuously evaluated. Security chaos engineering (SCE) enables continuous verification of CDR!
Reference: Security Chaos Engineering 101: The Mind Map & Feedback Loop (mitigant.io)

Slide 6

How does Security Chaos Engineering enhance CDR effectiveness? A quick, simple example: how do you know if AWS CloudTrail has been disabled by a malicious attacker? We run this basic experiment in the Mitigant Security Chaos Engineering platform.

Slide 7

Luckily, we have our CDR set up quite well (Datadog Cloud SIEM): we can see the CloudTrail stopped event. This is a trigger for an appropriate response. One lesson though! The MTTD was roughly 6 minutes ... that can be improved! What if the CDR setup was broken? How would you know? This happens all the time: a misconfigured S3 bucket, a broken Lambda forwarder ...

Slide 8

We run a couple more SCE experiments. This time, the dreaded bucket replication attack, which abuses the S3 replication service. Our CDR captures some interesting events. Some teams might miss this; notice the MITRE ATT&CK tactics & techniques: exfiltration, persistence and account manipulation. Does it ring a bell? Crafting a detection rule for this pattern of events would make sense.
Reference: Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service by Kat Traxler (vectra.ai)
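The two experiments on slides 6 to 8 (CloudTrail being stopped, and a replication rule pointing a bucket at a destination the organisation does not own) come down to recognising specific CloudTrail management events. The block below is an added example written for this page, not code from the Mitigant platform or a Datadog Cloud SIEM rule: it applies those two detections to CloudTrail-style records and computes the time-to-detect for each alert, which is what an MTTD figure like the roughly 6 minutes on slide 7 is built from. The sample records, the actor ARNs, the account id and the replication allow-list are constructed for the example; the field names follow the CloudTrail record format, and the allow-list of approved destinations is an assumption a real rule would source from inventory.

```python
"""Added example: minimal CDR detection checks over CloudTrail-style records.

Rule 1: CloudTrail tampering (StopLogging and friends).
Rule 2: S3 replication configured to a destination outside an allow-list.
Both are plain functions so the logic can be exercised offline against
the constructed SAMPLE_RECORDS at the bottom of the file.
"""
from datetime import datetime, timezone

# API calls that weaken or silence CloudTrail itself (defence evasion).
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Replication destinations the organisation actually operates (assumed allow-list).
APPROVED_REPLICATION_DESTINATIONS = {"arn:aws:s3:::corp-dr-replica"}


def parse_event_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def replication_destinations(record: dict) -> list:
    """Destination bucket ARNs from a PutBucketReplication record.

    CloudTrail renders a single rule as a dict and several rules as a list,
    so both shapes are normalised to a list here.
    """
    params = record.get("requestParameters") or {}
    rules = (params.get("ReplicationConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):
        rules = [rules]
    return [r["Destination"].get("Bucket") for r in rules if r.get("Destination")]


def evaluate(record: dict):
    """Return an alert dict for a suspicious record, or None when it is benign."""
    source = record.get("eventSource")
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")
    base = {"eventTime": record.get("eventTime"), "actor": actor, "eventName": name}

    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        return {**base, "rule": "cloudtrail-tampering", "severity": "high",
                "trail": params.get("name")}

    if source == "s3.amazonaws.com" and name == "PutBucketReplication":
        unapproved = [d for d in replication_destinations(record)
                      if d not in APPROVED_REPLICATION_DESTINATIONS]
        if unapproved:
            return {**base, "rule": "s3-replication-unapproved-destination",
                    "severity": "high", "bucket": params.get("bucketName"),
                    "destinations": unapproved}
    return None


def run_detections(records: list) -> list:
    """Apply the rules to every record and return the alerts in event order."""
    alerts = []
    for record in sorted(records, key=lambda r: r["eventTime"]):
        alert = evaluate(record)
        if alert:
            alerts.append(alert)
    return alerts


def time_to_detect_seconds(alert: dict, detected_at: str) -> float:
    """Seconds between the API call and the alert firing: the per-alert input to MTTD."""
    return (parse_event_time(detected_at) - parse_event_time(alert["eventTime"])).total_seconds()


# Constructed sample records, shaped like what an SCE experiment leaves in CloudTrail.
SAMPLE_RECORDS = [
    {   # benign: a routine bucket listing, must not alert
        "eventTime": "2024-01-15T09:59:30Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "requestParameters": None,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {   # experiment 1: the trail is stopped
        "eventTime": "2024-01-15T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/sce-experiment"},
        "requestParameters": {"name": "arn:aws:cloudtrail:eu-central-1:111122223333:trail/management-events"},
    },
    {   # experiment 2: replication of a sensitive bucket to an unknown destination
        "eventTime": "2024-01-15T10:02:15Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/sce-experiment"},
        "requestParameters": {"bucketName": "finance-reports", "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111122223333:role/replication",
            "Rule": {"Status": "Enabled", "Destination": {"Bucket": "arn:aws:s3:::unknown-external-bucket"}}}},
    },
    {   # benign: replication to the approved DR bucket, must not alert
        "eventTime": "2024-01-15T10:03:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-automation"},
        "requestParameters": {"bucketName": "finance-reports", "ReplicationConfiguration": {
            "Rule": [{"Status": "Enabled", "Destination": {"Bucket": "arn:aws:s3:::corp-dr-replica"}}]}},
    },
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_RECORDS):
        # detection timestamp constructed to mirror the ~6 minute MTTD on slide 7
        ttd = time_to_detect_seconds(alert, "2024-01-15T10:06:10Z")
        print(f"{alert['rule']}: {alert['eventName']} by {alert['actor']} (ttd {ttd:.0f}s)")
```

Running the file yields one alert per experiment and none for the two benign records; the second benign record exercises the list-shaped Rule. The time-to-detect is computed from the record's eventTime and the moment the SIEM produced the alert, so the same function can be pointed at real alert timestamps to track whether the MTTD actually improves after each change to the pipeline.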

Slide 9

So, verify the effectiveness of your CDR rather than hoping for effectiveness! How do you start?
• Defend from the inside out & assume breach!
• Identify your high-value targets (HVTs)
• Enhance CDR specifically for your HVTs using SCE
• Move backwards: apply the same to non-HVTs
• Rinse & repeat
• Become cyber-resilient
• ...
Reference: Demystifying Security Chaos Engineering - Part II (mitigant.io)

Slide 10

Don't hope: root for the effectiveness of your CDR. Cloud Immunity | Mitigant https://mitigant.io Leverage the Mitigant Security Chaos Engineering Platform.