Detect and respond to compromised identities in minutes with Sysdig

Sysdig continues to enhance our real-time cloud detection and response (CDR) capabilities with the introduction of Cloud Identity Insights, empowering customers to analyze identity attack patterns and get ahead of threat actors. In this post, we’ll explore how Sysdig uses Cloud Identity Insights to correlate suspicious events with potentially compromised user accounts. Equipped with this context, defenders can swiftly respond, using data from the incident to optimize access policies for compromised users — all within minutes.

Here are just a few of the key new capabilities Cloud Identity Insights offers to enrich your CDR workflows:

Detect potential compromise in seconds with Advanced Cloud Behavioral Analytics
Contain compromised identities with guided remediation
Prevent future attacks with least permissive policy optimization

See Cloud Identity Insights in action

Sysdig’s Cloud Identity Insights brings identity context to CDR workflows, quickly identifying when a user has been compromised. This new feature enriches security telemetry and enables users to respond to incidents faster, containing the impact of a security breach.

The modus operandi

To show what this looks like in practice, we simulated the SCARLETEEL attack, where we compromised a vulnerable application (Spring4Shell) to elevate AWS privilege, disable CloudTrail logging, modify S3 bucket policy, and steal confidential data.

After assuming the compromised IAM role, we ran a discovery script that sequentially called several AWS APIs within a short duration.

Advanced Cloud Behavioral Analytics

We begin our detection and response workflow with a look at the High severity events on our Cloud Events dashboard.

Cloud Identity Insights — Figure: Cloud Events dashboard

Advanced Cloud Behavioral Analytics are an early signal that the user may have been compromised, and identify suspicious patterns with high confidence by looking at user activities over a broader timeframe. For example, the presence of malicious software like Pacu running code to discover your cloud accounts would be considered suspicious, unless there’s a planned red team exercise.

Trigger events in Sysdig Secure

To demonstrate this, we used our compromised user account Admin6 to call several AWS SES (Simple Email Service) APIs (Application Programming Interfaces) within a short timeframe.

class SuspiciousSesRequests:

    def run(self, user_name, aws_region, aws_access_key_id, secret_access_key):
        log.info("Generating Suspicious Ses stateful-event for user: " + user_name)
        try:
            session = boto3.Session(
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=secret_access_key,
                region_name=aws_region,)
            
            ses = session.client("ses")
            ses.get_send_quota()
            ses.list_identities()
            ses.get_send_statistics()
            ses.list_verified_email_addresses()
            ses.get_account_sending_enabled()
            ses_v2 = session.client("sesv2")
            ses_v2.get_account()
            secretsmanager = session.client("secretsmanager")
            secretsmanager.list_secrets()
        except Exception:
            log.error("Error running AWS calls", exc_info=True)

if __name__ == "__main__":
    config = Config()
    requests = SuspiciousSesRequests()
    requests.run(
        user_name = config.aws_user_name, 
        aws_region= config.aws_region,
        aws_access_key_id = config.aws_access_key_id,
        secret_access_key = config.secret_access_key)Code language: Perl (perl)

Sysdig logged a timeline of Advanced Cloud Behavioral Analytics detections (see Suspicious SES Activity Detected).

These detections indicate that the adversary scanned the cloud to uncover blind spots and abuse services like AWS SES. From the feed alone, we can see this user has been potentially compromised. We can also see any subsequent actions this user took. Pay close attention to the event timestamps — they were logged in quick succession from the same cloud account.

Unlike Falco detections, Advanced Cloud Behavioral Analytics observes event behavior and triggers events when a sequence of steps are taken by the threat actor to achieve their goals. In our example, the suspicious SES activity indicates that the adversary made several API calls to achieve their objectives, including leaked secrets, email address parsing, and crafting phishing emails.

Security teams are simultaneously notified of the above events and the associated user accounts. Once a potentially compromised user has been identified, real-time identity correlation helps investigate the account in minutes and answer critical questions like:

What resources were accessed by the adversary?
Whose user credentials were compromised?
Which methods did the adversary use to breach the perimeter?
Where else has the adversary activity been reported from?

Investigate with real-time identity correlation

Now that we have sufficient information that indicates adversarial presence, let’s dive in and investigate. We’ll move into the Identity investigation view, where Sysdig automatically associates the Recon events to an EC2 IAM role and plots them on a world map.

Figure: Correlated detections for IAM user `Admin6`

Within this view, Sysdig automatically correlates cloud events and location-aware identities, giving security teams a clear view of the adversary’s actions and other details related to the potentially compromised user. We can instantly discover key details, such as the cloud account in which the event was first detected.

We can also see that the Admin6 user account was responsible for triggering the Suspicious SES event.

At crunch time, you need all available data at your fingertips, and Sysdig provides all the information you could possibly need, making it easy to identify the compromised user as Admin6. The user account is automatically flagged as a Critical Risk and labeled as Potentially Compromised based on the suspicious activity.

Sysdig also automatically correlates data from other sources, including workloads, instances, and IAM roles, to visualize the entire attack path as a graph. This automatic cross-cloud context and correlation enables security teams to investigate the potentially compromised user in minutes and then respond immediately. Based on this context, it is clear that this user has been compromised.

Deploy response strategies

Next, we manually flag Admin6 as compromised, tagging this account across the platform as a risk that needs to be addressed immediately.

Figure: `Admin6` account flagged as Compromised

As soon as the user Admin6 account is flagged as Potentially Compromised, Sysdig recommends Remediation Strategies to contain and stop the attacker in its tracks. The list of strategies ranges from a simple password reset to deleting the compromised user, and includes:

Add Restrictive Policy — Deny all AWS actions outside a specified IP range
Deactivate User — Disable the user’s access without losing configuration and history
Delete User — Remove the user’s account and all associated access to AWS resources
Force Password Reset — Ensure the user updates their password
Delete and Create New Access Keys — Reduce the risk of unauthorized access

Figure: Remediation Strategies to contain compromise

Once the compromised user has been addressed, we can take further actions to prevent cybercriminals from further leveraging user credentials. Cloud Identity Insights automatically generates a recommended IAM policy, optimized to reduce permissions. Sysdig keeps track of all the permissions used by the user only after it was flagged as potentially compromised, and excludes them by default from our recommended policy, stopping threat actors from tainting policy optimizations. This prevents the same kind of attack from happening again.

Figure: Least permissive policy optimization

Assess compromised and risky user roles

Cloud Identity Insights can also be accessed through Sysdig’s Posture views. From this Identity and Access Management view, security teams can quickly filter the compromised identities to see which ones have been potentially compromised and access the workflows shown above for rapid investigation and response.

Figure: Potentially compromised user accounts

Figure: `Admin6` user account flagged as critical risk

These insights are also available under Risks, where all the findings across CNAPP (cloud native application protection platform) focal areas are consolidated, including runtime events, vulnerabilities, posture, and identity, plus attack path analysis and prioritization. Along with allowing you to see compromised and potentially compromised users, the Risks view also shows risky users and roles that need to be prioritized to enhance security posture.

Security teams can own the high-priority risks and use these insights to make well-informed and strategic security decisions within the ever-changing landscape of the cloud environment.

Figure: `Admin6` shows up as a Critical Risk in Sysdig Secure

Figure: The AWS user roles flagged as High Risk

Figure: Risk ownership status with resource details

Figure: Findings that consolidate data across CNAPP

Sysdig’s Cloud Identity Insights provides a crystal-clear picture of attacks across identities, cloud, and workloads. It fosters collaboration to preempt attacks and reduce the identity attack surface, which sets you up to achieve the 555 benchmark for cloud security faster than with any traditional detection and response tools.

Join our upcoming deminar, Cloud Identity Insights: Stop Compromised Identities in Minutes, a technical demonstration of how Sysdig leverages Cloud Identity Insights to detect, investigate, and respond to attacks in minutes.