Rodrigo Montoro

Rodrigo Montoro has more than 24 years of experience in Information Technology and Computer Security. Most of his career worked with open source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently, he is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several opensource and security conferences (Defcon Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), fwdcloudsec (USA), Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e SP)).


Session

06-17
13:30
20min
Hunting AWS Threat Actors with Access Analyzer Policy Suggestions
Rodrigo Montoro

Researching AWS threats requires you to cover over 400 services, 16,000 actions, and innumerable attack paths across access levels and specific threats. The main goal of cloud threat detection is to differentiate between regular and non-compliant usage while accounting for daily administrative actions.

In our past talk, "Tales of an AWS Detection Engineering”, we discussed the challenge of baselining behavior for detection engineering. In this talk, we build on that research by demonstrating the use of AWS Access Analyzer to create such a baseline and provide some ideas (and Jupyter notebooks) for hunting.

AWS Access Analyzer can programmatically generate a policy based on a principal's activity in the last 90 days. We then distill this data into behavioral baselines per principal, enriched with additional details like risk level per action, risk scoring for toxic action combinations, and risk assigned for historically unused services.

To demonstrate, we will use Tactics, Techniques, and Procedures (TTPs) to emulate common threat actors and discuss the resulting hunting detections. At the end of this talk, we will provide a method for creating principal behavior-hunting detection for AWS that is SIEM-agnostic, and that you can apply to your environment.

Declare Cyber Sovereignty
Breakout 2