Introducing TrailDiscover: Simplifying Access to Security Insights about CloudTrail Events

Adan
4 min read · Mar 3, 2024


I’m excited to announce the launch of TrailDiscover, a new initiative to gather CloudTrail events linked to security incidents or to actions that could impact security. With this project, I would like to help AWS users gain a better understanding of how attackers misuse AWS services, identify which events might make sense to monitor, and determine what an attacker might achieve through the actions behind these events. You can explore the project on GitHub and see all the events and information on the website.

Why Did I Create TrailDiscover?

My curiosity about whether certain actions had been used in attacks, which actions make more sense to monitor, and how attackers might misuse certain actions led me through many articles. I realized that, although there’s a ton of great information available, making sense of it, accessing it quickly, and using it to strengthen security required (at least for me) a more organized approach. Therefore, I initiated TrailDiscover to simplify the process for anyone working with AWS to access this information. It aspires to highlight the most misused actions, provide information about incidents related to these actions, and structure this information in a way that can be easily consumed, even automatically if necessary.

I hope that TrailDiscover can assist in several key areas:

  • Security Teams: By identifying which events attackers have previously exploited, it might help teams decide what to monitor closely.
  • Quick Help During Attacks: In the event of a security issue, you can consult TrailDiscover to see if events are linked to known attack methods, helping you better understand what the attacker might be attempting. This is especially helpful for those who may not specialize in cloud security.
  • Encouraging New Discoveries: There’s a bunch of research and articles linked in TrailDiscover. I hope that having them organized can spark new ideas in cloud security.

Current Data Overview

At the time of launching TrailDiscover, it has:

  • Information about 256 Events.
  • Events from 36 AWS services.
  • Links to 50 articles related to incidents.
  • Links to 82 articles with information related to the events.

I think no one who follows cloud security incidents will be surprised about which events have the most linked incidents. These typically include events related to creating users for persistence, running instances for resource hijacking, and retrieving objects from S3 to steal data.

Figure 1. Top 10 events by linked incidents.

While I believe that enumeration actions probably appear in more incidents, they are harder to detail in incident reports, so we don't see them that often.

When we examine the distribution of events per MITRE ATT&CK® tactic, discovery emerges as the most common category. This is likely because almost all events starting with Get*, List*, and Describe* are potential candidates for this category. However, TrailDiscover only includes those that are explicitly mentioned in incidents or security articles.

Figure 2. MITRE ATT&CK® Tactic Distribution by Event Usage

Lastly, from the list of events, more than half are directly linked to incidents. The remainder are associated with actions known to be potentially misused. While it’s true that in reality, any action can be misused, the ones included in TrailDiscover are specifically chosen because there is at least one piece of research or an alert linked to them.
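The three observations above (the events that show up most in incidents, the Get*/List*/Describe* naming pattern behind the discovery tactic, and the split between events seen in the wild and events that are only known to be potentially misused) can be turned into a small triage pass over raw CloudTrail logs. The following Python script is an added example written for this post; it is not TrailDiscover's own code and does not assume TrailDiscover's data format. The watchlist, its tactic labels and "in the wild" flags, and the sample CloudTrail records are all constructed for illustration.

```python
"""Added example (not TrailDiscover's code): triage CloudTrail records against a
constructed watchlist and tag Get*/List*/Describe* calls as discovery candidates."""
import json
import re
from collections import Counter

# Constructed watchlist: eventName -> (ATT&CK tactic, seen in a reported incident?).
# Labels follow the grouping described in the post; they are illustrative, not
# TrailDiscover's actual dataset.
WATCHLIST = {
    "CreateUser": ("Persistence", True),
    "CreateAccessKey": ("Persistence", True),
    "RunInstances": ("Impact", True),          # resource hijacking
    "GetObject": ("Exfiltration", True),       # S3 data event: only logged if the
                                               # trail has S3 data events enabled
    "PutBucketPolicy": ("Defense Evasion", False),
}

# Read-only API families the post names as discovery candidates.
DISCOVERY_RE = re.compile(r"^(Get|List|Describe)[A-Z]")

# Constructed sample log in CloudTrail's {"Records": [...]} layout (trimmed fields).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}},
    {"eventTime": "2024-03-01T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}},
    {"eventTime": "2024-03-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/web"}},
    {"eventTime": "2024-03-01T10:03:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}},
    {"eventTime": "2024-03-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}},
]})


def actor(record):
    """Best-effort principal label from the userIdentity block."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def classify(record):
    """Return a finding for a record worth a second look, or None."""
    name = record.get("eventName", "")
    if name in WATCHLIST:
        tactic, in_wild = WATCHLIST[name]
    elif DISCOVERY_RE.match(name):
        tactic, in_wild = "Discovery (candidate)", False
    else:
        return None
    return {"time": record.get("eventTime"), "event": name,
            "source": record.get("eventSource"), "actor": actor(record),
            "ip": record.get("sourceIPAddress"), "tactic": tactic,
            "in_the_wild": in_wild}


def triage(log_text):
    """Parse a CloudTrail log file and return findings ordered by time."""
    records = json.loads(log_text).get("Records", [])
    findings = [f for f in map(classify, records) if f]
    findings.sort(key=lambda f: f["time"])
    return findings


def tactic_counts(findings):
    """Distribution of findings per tactic, like Figure 2 but for one log."""
    return Counter(f["tactic"] for f in findings)


def actors_with_wild_events(findings):
    """Principals that triggered at least one event seen in reported incidents."""
    return sorted({f["actor"] for f in findings if f["in_the_wild"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        flag = "in the wild" if f["in_the_wild"] else "potential"
        print(f"{f['time']} {f['actor']:<14} {f['event']:<18} {f['tactic']:<22} [{flag}]")
    print(dict(tactic_counts(found)))
    print("actors with in-the-wild events:", actors_with_wild_events(found))
```

Two points the sample makes visible: the discovery bucket fills up fastest (two of five findings here) exactly as the post's Figure 2 shows, and `GetObject` is an S3 data event, so a trail that records only management events will never contain it no matter how good the watchlist is. Checking which event types your trails actually record is worth doing before deciding which of these events to monitor.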

Figure 3. Percentage of events used in the wild out of the total number of events.

Reflections on the Data

As I reflect on the data compiled for TrailDiscover, a few thoughts stand out:

  • Just the Tip of the Iceberg: The information I’ve gathered represents only a fraction of the total picture. Many incidents go unreported or lack detailed reports of the attackers’ actions. Also, there are many more articles that I haven’t been able to analyze and extract data from yet.
  • Focus on Popular Services: While the current dataset encompasses events from 36 AWS services, it’s important to note that AWS offers over 200 services. The concentration on a subset of services hints at attackers’ preferences for targeting the most widely used ones. While this is totally normal, it also highlights the vast unknown territory that remains in understanding the security dynamics of less-used services.
  • Repetitive Techniques, Delayed Detection: The data reveals a pattern of attackers employing similar techniques across different incidents. Despite the apparent repetitiveness of these strategies, many attacks are identified late. This observation raises questions about the effectiveness of current detection and response mechanisms and underscores the need for continuous improvement in our security practices.

Contribute to TrailDiscover

With TrailDiscover now live, I invite you to look into the GitHub repository and the website to discover how it can help you and your team. I’m really keen to hear your thoughts, get your feedback, and see how you might want to contribute to making TrailDiscover even better.


Adan

Cyber Security Engineer interested in Pentesting | Cloud Security | Adversary Emulation | Threat Hunting | Purple Teaming | SecDevOps - https://adan.cloud/