An identity-centric approach to cloud investigation

Blog
Fri Jun 21 2024

Kayzad Vanskuiwalla
Co-founder & CPO, AiStrike
Identity is the new security perimeter. This is especially true for cloud-native environments, where most critical resources are just one hop away.

When you analyze the top 10 latest cloud breaches, the most common denominator is the compromise of identity accounts. In half of the breaches, an identity compromise is the source of the breach. In the other half, the source is a vulnerability or misconfiguration that eventually leads to an account compromise. The compromised account is then used to move laterally in the cloud environment, ultimately achieving the goal of data compromise or service disruption.

In this post, we’ll explore how AiStrike approaches cloud threat investigation and response through an identity-centric approach.

Defining Cloud Identity

Before we delve further into cloud identity risks, let's first define what a cloud identity is. In simple terms, any entity that can be assigned permission to initiate an activity is an identity. In the cloud ecosystem, this can be a user, a local account (e.g., root), a service account, a machine account, an API, or an instance profile attached to a host or container.

Cloud Identity Risks

One of the biggest security challenges we see in the cloud is overprivileged roles. Per the Microsoft 2023 State of Cloud Permissions Risks Report:

  • There are 40,000+ permissions across key cloud infrastructure platforms
  • >50% of these permissions are high-risk, capable of causing catastrophic damage if used improperly
  • Only 1% of permissions granted to identities are actually used

If you add all this up, we have:

  1. Complex cloud identity structures across users, machine accounts, roles, and policies.
  2. Overprivileged identities with access permissions that are rarely used.
  3. Weaknesses in monitoring and governance processes as organizations grapple with rapid cloud deployments.

Moving From Asset to Identity Mindset

The 2023 Gartner Cloud Security Governance Survey showed that 71% of organizations are most concerned about cybersecurity incidents related to unauthorized data access. Investigation and response capabilities built for on-premises environments are not optimized for the complexity of the shared responsibilities and supply chain relationships in cloud deployments. To be efficient in the cloud, investigation and response require an identity-centric approach that follows the steps an attacker could take through the environment.

The AiStrike Approach

AiStrike's identity-centric approach to cloud investigation and response includes:

  1. Discover cloud identities: This includes users, accounts, roles, and permissions, so we know the universe and blast radius of an organization's exposure.
  2. Enrich with context: Enrich identities with context to better understand their behavior patterns.
    • For users, we bring in identity context to know the department, role, and title of the user.
    • For machine accounts, we use tags to identify the type of resource.
    • For each identity, based on its permissions, we add context on whether the identity is privileged or not.
  3. Build a behavior fingerprint: Leverage historic activity and alert data to build a behavior fingerprint for each identity.
  4. Identify anomalous patterns: Monitor alerts against the historic behavior fingerprint to baseline normal and identify outliers, such as logins from abnormal IP addresses, multiple privilege escalations, abnormal API calls, and more.
  5. Detect toxic combinations using the MITRE ATT&CK framework: Correlate the abnormal activity with other alerts, vulnerabilities, and misconfigurations to evaluate whether the abnormal activity is a one-off, a hygiene issue, or a real threat that needs immediate attention.
  6. Track lateral movement: Analyze activity patterns across cloud entities to identify lateral movement using compromised identities.
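To make steps 2 through 6 concrete, here is a small worked example that runs the same logic over constructed CloudTrail-style events (it also illustrates the "cloud identity compromise" and "API security analytics" use cases below). It is added for this article and is not AiStrike's code; the event records, the identities, the IP addresses and the hand-picked PRIVILEGED_ACTIONS set are all assumptions made for the example. It builds a per-identity fingerprint (source IPs, API actions, privileged-action rate) from a baseline period, scores new events for outliers (new IP, never-seen action, privileged action from a non-privileged baseline, a burst of privileged calls inside a time window), and follows sts:AssumeRole hops within a time window to reconstruct the chain of identities an analyst would review for lateral movement.

```python
"""Toy identity-centric anomaly detection over CloudTrail-style events.

Constructed example: per-identity behavior fingerprint from historical
events, outlier scoring of new events, and AssumeRole chain following.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a hand-picked set of high-risk API actions used to mark an
# identity as privileged. A real deployment would derive this from policy analysis.
PRIVILEGED_ACTIONS = {
    "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "sts:AssumeRole", "ec2:ModifyInstanceAttribute",
}

# Constructed baseline events: normal activity used to build fingerprints.
BASELINE_EVENTS = [
    {"ts": "2024-06-10T09:00:00", "identity": "alice", "ip": "203.0.113.10", "action": "s3:GetObject"},
    {"ts": "2024-06-10T09:05:00", "identity": "alice", "ip": "203.0.113.10", "action": "s3:ListBucket"},
    {"ts": "2024-06-11T10:00:00", "identity": "alice", "ip": "203.0.113.11", "action": "s3:GetObject"},
    {"ts": "2024-06-10T02:00:00", "identity": "ci-deployer", "ip": "198.51.100.5", "action": "sts:AssumeRole", "target": "deploy-role"},
    {"ts": "2024-06-10T02:01:00", "identity": "deploy-role", "ip": "198.51.100.5", "action": "ecs:UpdateService"},
]

# Constructed new events to score: a routine CI run, plus a user acting from an
# unfamiliar address, taking privileged actions and hopping through roles.
NEW_EVENTS = [
    {"ts": "2024-06-20T02:00:00", "identity": "ci-deployer", "ip": "198.51.100.5", "action": "sts:AssumeRole", "target": "deploy-role"},
    {"ts": "2024-06-20T03:00:00", "identity": "alice", "ip": "192.0.2.77", "action": "s3:GetObject"},
    {"ts": "2024-06-20T03:01:00", "identity": "alice", "ip": "192.0.2.77", "action": "iam:CreateAccessKey"},
    {"ts": "2024-06-20T03:02:00", "identity": "alice", "ip": "192.0.2.77", "action": "iam:AttachUserPolicy"},
    {"ts": "2024-06-20T03:03:00", "identity": "alice", "ip": "192.0.2.77", "action": "sts:AssumeRole", "target": "deploy-role"},
    {"ts": "2024-06-20T03:04:00", "identity": "deploy-role", "ip": "192.0.2.77", "action": "sts:AssumeRole", "target": "db-admin-role"},
    {"ts": "2024-06-20T03:05:00", "identity": "db-admin-role", "ip": "192.0.2.77", "action": "rds:CreateDBSnapshot"},
]


def build_fingerprint(events):
    """Steps 2-3: per-identity baseline of source IPs, actions and privilege use."""
    fp = defaultdict(lambda: {"ips": set(), "actions": set(), "count": 0, "priv": 0})
    for e in events:
        f = fp[e["identity"]]
        f["ips"].add(e["ip"])
        f["actions"].add(e["action"])
        f["count"] += 1
        if e["action"] in PRIVILEGED_ACTIONS:
            f["priv"] += 1
    for f in fp.values():
        f["privileged"] = f["priv"] > 0  # context: has this identity used high-risk actions before?
    return dict(fp)


def score_events(fingerprint, events, window=timedelta(minutes=10), burst=2):
    """Step 4: flag outliers against the baseline; returns {identity: sorted flag names}."""
    flags = defaultdict(set)
    priv_times = defaultdict(list)  # recent privileged-call timestamps per identity
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ident = e["identity"]
        f = fingerprint.get(ident)
        if f is None:
            flags[ident].add("unknown_identity")  # never seen during the baseline period
        else:
            if e["ip"] not in f["ips"]:
                flags[ident].add("new_source_ip")
            if e["action"] not in f["actions"]:
                flags[ident].add("new_api_action")
        if e["action"] in PRIVILEGED_ACTIONS:
            if f is not None and not f["privileged"]:
                flags[ident].add("privilege_escalation")  # high-risk action from a non-privileged baseline
            t = datetime.fromisoformat(e["ts"])
            priv_times[ident] = [u for u in priv_times[ident] if t - u <= window] + [t]
            if len(priv_times[ident]) >= burst:
                flags[ident].add("privilege_burst")  # several high-risk calls inside the window
    return {k: sorted(v) for k, v in flags.items()}


def follow_chain(events, start, window=timedelta(hours=1)):
    """Step 6: follow sts:AssumeRole hops from `start`, each within `window` of the previous hop."""
    hops = sorted((e for e in events if e["action"] == "sts:AssumeRole"), key=lambda e: e["ts"])
    chain, current, last_ts = [start], start, None
    for e in hops:
        t = datetime.fromisoformat(e["ts"])
        if e["identity"] == current and (last_ts is None or t - last_ts <= window):
            chain.append(e["target"])
            current, last_ts = e["target"], t
    return chain


if __name__ == "__main__":
    fp = build_fingerprint(BASELINE_EVENTS)
    for ident, fl in score_events(fp, NEW_EVENTS).items():
        print(f"{ident}: {', '.join(fl)}")
    print("chain from alice:", " -> ".join(follow_chain(NEW_EVENTS, "alice")))
```

The routine ci-deployer run produces no flags because its IP and AssumeRole usage are part of its fingerprint, while the same action from alice is flagged as a privilege escalation. The chain follower uses a time window so that the CI run's earlier hop into deploy-role is not stitched onto alice's later hops; correlating these flags with the vulnerability and misconfiguration data described in step 5 is what turns a list of outliers into a prioritized incident.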

Sample Use Cases

AiStrike discovers all forms of cloud identities, human and machine, enriches them with context, and builds a behavior fingerprint to baseline normal and prioritize risk from unauthorized activities.

Some of our key use cases for cloud identity analytics include:

  • Cloud identity compromise: Analyze identity behavior patterns to detect anomalous or suspicious activities.
  • API security analytics: Analyze API calls for anomalies and breaches such as suspicious data access patterns or unauthorized configuration changes.
  • Human risk investigation: Profile users based on their role in the organization and detect activities that indicate high-risk behavior, which could result from bad hygiene or intentional misuse.
  • Supply chain analytics: Monitor patterns of updates to the cloud from the CI/CD pipeline to detect anomalous code or configuration changes that can introduce risk into the cloud environment.

What’s Next?

So, you have monitored for identity anomalies and found something unauthorized—what next? This is only 50% of the work; the rest involves understanding the impact, tracking down the origin of the issue, and initiating remediation to fix the issue strategically at the root cause. How can this be done at scale? What is the role of AI in simplifying and streamlining threat investigation and response focused on identities?

We will cover this in part two of the blog series, so please stay tuned for more.
