Cloud Attack Emulation: Democratizing Security Operations in the Cloud

Security operations are the nerve of organizational cybersecurity efforts. An organization’s security policy typically aims to keep it safe by implementing preventive, detective, and recovery measures. Security operations ensure this ambition by synergizing these disparate security efforts into a centrally coordinated, cohesive capability. Despite the indisputable relevance of this capability for adequate security, several organizations do not have security operations capability due to the high costs involved.

This article strongly advocates for the urgent need to democratize security operations. This is not just a suggestion but a call to action, as it is crucial in addressing the challenges organizations face in the current security landscape. Cloud attack emulation provides a means to democratizing security operations by empowering security teams to cheaply and efficiently own security operations capability, including running cloud penetration tests, red/purple teaming exercises, operating security assurance functions, and validating incident response readiness.

‍

Democratization: Making Technologies Cheaply Accessible 

‍

Security operations are currently the preserve of large organizations that have the resources to build the necessary capability. This unfortunate situation implies most organizations would remain insecure, and the number of successful attacks would continually increase. The ability of an organization to effectively remain secure in the face of the current threat landscape hugely depends on owning a security operations capability. Security operations constitute several functions, including threat detection, incident response, cyber threat intelligence, threat hunting, red/purple/blue teaming, etc.

These disparate functions are harmonized in a Security Operations Center (SOC) to synergize preventive, detection, and recovery measures. This synergy of security efforts enables a powerful capability, including effective coordination in the event of an ongoing cyber attack. It is essential to note the changing definition of a SOC, from a brick-and-mortar room with giant screens to a virtualized environment where security teams collaborate regardless of their physical location. The latter definition of a SOC is an opportunity to boost productivity, which is the SOC we focus on in this article. Hence, the term ‘security operations,’ i.e., without the ‘center,’ is mainly used in this article.

The requirements for security operations capability come at a cost; the bar is so high that most organizations cannot afford it. The immediate implication is an increase in the chances of successful attacks. Several organizations alleviate these implications by adopting alternative approaches, majorly outsourcing security operations to consultancies. However, the outsourcing model does not holistically address the challenges faced in the current cloud threat landscape. The rapid adoption of cloud computing and its attendant proliferation has drastically increased the attack surface and, consequently, the number of successful attacks. Similarly, there is a proportionally growing demand for security operations capability; the demand massively outweighs the supply.

‍

Democratization of Expertise

Solving the issue of insufficient security operation is imperative, but we can step back and observe how other computing domains have evolved and addressed similar challenges.  Expertise is the core of this challenge; building expertise in any human endeavor takes time, especially specialized skills like red teaming, threat hunting, and detection engineering. 

Over time, the democratization of expertise has rapidly accelerated access to different aspects of human endeavor, including technology. Gartner asserts that “democratization is focused on providing people with access to technical expertise or business domain expertise via a radically simplified experience and without requiring extensive and costly training.”  One clear example of the importance of technology democratization is the impact of GitHub on software development. Before the emergence of GitHub, getting into software engineering was tough. There was no social construct around technical skills, and people had to spend years learning to write code, sharing the code, getting reviews from others, and also getting access to code developed by others.

Imagine replicating this feat in security operations; the number of successful attacks would drastically reduce, and organizations would be significantly safer. The potential impact of democratizing security operations is immense.

‍

‍

Democratizing Cloud Security Operations

Cloud security operations are challenging. First, you need to gain expertise in either cloud security or security operations and then switch to gain expertise on the other side before arriving at a point of comfortable expertise. Typically, this would take time, effort, and experience. However, leveraging modern security services offered by Cloud Service Providers (CSP) and innovative vendors affords a faster and cheaper approach. With this approach, an average cloud security engineer can operate several security functions that are not traditionally feasible. This reference architecture of a cloud SOC enables this capability. Arguably, the reference architecture might not fit the requirement for “mature” organizations, but we are more concerned with the organizations that might not be in that maturity category. One area that this kind of security operation might struggle with is alert fatigue and finetuning of the cloud SOC.

‍

Leveling the Playing Field With Cloud Attack Emulation

Addressing the limitations of cloud security operations requires using a denominator, an approach that applies to all facets of security, including preventive, detective, and recovery. Cloud attack emulation is not just a solution, but a beacon of hope as its value proportion aptly fits this requirement.  Cloud attack emulation involves the controlled emulation of cyber-attacks to assess the security posture of cloud infrastructure. This practice allows organizations to apply adversary emulation concepts to validate all dimensions of security measures in cloud infrastructure. In simpler terms, it's like stress-testing your security measures against potential real-world threats.Security operations teams leverage cloud attack emulation to democratize security operations in several ways. Let us look at the four most relevant ways: cloud penetration testing, red/purple teaming, incident response, and security assurance.

‍

Cloud Penetration Testing

Many organizations conduct penetration testing to validate their defenses or to fulfill compliance requirements. However, these tests have become ceremonial security activities due to the high cost of hiring external consultants or maintaining internal teams. Most organizations perform penetration testing once or a few times a year. Ironically, this cadence of penetration testing does not suffice for modern organizations using cloud infrastructure. Unlike traditional infrastructure, the changes pushed to cloud environments are more frequent, potentially introducing vulnerabilities that obsolete a previous penetration test to certain degrees. Furthermore, most cloud penetration tests are superficial, majorly targeting the external aspects of the cloud attack surface without touching the cloud control and data planes. 

‍

Cloud attack emulation offers an approach that does not require deep expertise to conduct cloud penetration testing. Furthermore, due to the deep integration with the cloud fabric, i.e., cloud-nativeness, all abstraction layers are tested at the click of a button. Many organizations conduct penetration testing to validate their defenses. Considering the considerable attack surface and continuous risks introduced following deployments/changes, cloud security ought to be a continuous activity. Security testing for cloud infrastructure should that be concluded with static tests e.g. tests for Infrastructure-as-Code, instead dynamic tests should also be conducted to identity security weaknesses that cannot be detected in static states.

‍

Red/Purple Teaming 

Like penetration testing, most organizations cannot afford to keep a standing red/purple team. Organizations with these teams can save time if an automated system handles researching and orchestrating repeatable attacks. With cloud attack emulation, averagely skilled cloud security engineers can conduct these offensive operations and reap the benefits.  Red/Purple teaming engagements are valuable activities used to further test the organization's security posture. These engagements might emulate specific threat actor behavior relevant to the organization’s industry vertical and conduct scenarios identified during threat modeling or tabletop exercises. Organizations gain a lot of security visibility by conducting red/purple team engagements as these augment the superficial security testing done by penetration testing engagements. Furthermore, detection engineers also leverage red teaming approaches to validate the efficiency of the detection rules during the development phase or even after deployment to ensure efficiency and precision. Keeping up with the changes like new cloud APIs, MITRE ATT&CK techniques is often an overhead for security operations. We demostrated in previous blog posts (Part I and Part II ) how Mitigant makes these tasks easy for detection engineers.

Security Assurance

The notion of security is abstract and often hard to quantify; consequently, organizations constantly fall into the trap of being overly optimistic about the accurate measure of an implemented security architecture. Security assurance aims to address this challenge by allowing organizations to validate security measures using evidence-based approaches. The NIST defines security assurance as a “measure of confidence that the security features, practices procedures and architecture of an information system accurately mediate and enforce the security policy.” 

‍

The need for security assurance cannot be downplayed in the current threat landscape, primarily because attackers often target and compromise security systems. Cloud security mechanisms, including CSPMs, CNAPPs, CIEMs, XDRs, etc., must ultimately be validated, or there is the danger of adopting a false sense of security. The best tools for security assurance in the cloud are security systems that can test the tool using cloud-specific attack patterns such as cloud attack emulation. This capability is even more imperative for organizations farther on the maturity ladder; we have seen these organizations suffering from security breaches owing to basic hygiene that would have been identified with proper security assurance implementations. 

‍

Incident Response Readiness

Incident response in the cloud requires a much more agile reaction compared to on-premises systems. The cloud's architecture is heavily API-based, and every resource in a cloud infrastructure is essentially connected. Consequently, the chances of attackers rapidly moving laterally from initial access to target exploitation are relatively high. Therefore, incident response readiness is more dire, and organizations must build in-house capabilities by heavily using automation rather than relying on third parties for incident response. 

Incident response consists of several phases: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. The preparation phase is critical as it prevents the need to be involved in the other phases. However, given there is no 100% security, organizations might find themselves at any phase of the incident response process. Security operations teams can leverage cloud attack emulation to validate incident response readiness across these phases. AWS recommends using emulations for incident response exercises; these are important to testing readiness in different facets, such as the people, processes, and technology aspects of incident response.

Democratize Cloud Security Operations With Mitigant 

‍

Cloud attack emulation is vital to the democratization of security operations and is essential for improving cybersecurity. The current threat landscape continuously challenges conventional approaches, and the need for security operations capability has never been this urgent. Security operations allow organizations to centrally synergize security efforts toward keeping the organization safe. However, most organizations cannot afford a security operations capability, and the alternative approach, which hinges on outsourcing, cannot meet the required demand. 

Cloud attack emulation addresses these challenges by empowering security teams to cheaply and efficiently own security operations capability, including running cloud penetration tests, red/purple teaming, operating security assurance functions, and validating incident response readiness. The Mitigant Cloud Attack Emulation embodies these features, including automated reporting, integration of Cyber Threat Intelligence, security validation of Generative AI workloads, and Attack Path Analysis. Give us a trial today, or sign up for FREE - https://www.mitigant.io/en/sign-up 

‍