As cyber threats continue to evolve, organizations require proactive strategies to detect and mitigate security risks. Threat hunting, a proactive approach to identifying security incidents before they cause damage, has become essential for modern security operations. AWS enhances threat-hunting capabilities through its Open Cybersecurity Schema Framework (OCSF) and AWS Security Lake, providing a unified approach to security data analysis.
What is AWS OCSF?
The Open Cybersecurity Schema Framework (OCSF) is an open-source project designed to standardize security event data across multiple tools and platforms. It allows organizations to:
- Normalize and correlate security data from various sources.
- Improve interoperability between different security tools.
- Streamline security investigations by providing a common schema.
AWS Security Lake: A Centralized Security Data Repository
AWS Security Lake is a managed service that centralizes security data from AWS, on-premises, and third-party sources into a purpose-built data lake. Key benefits include:
- Automated Data Aggregation: Collects and normalizes logs from AWS services, security tools, and custom sources.
- OCSF Compatibility: Uses the OCSF format to standardize security data.
- Scalability and Cost Efficiency: Stores security data in a cost-effective and scalable manner.
- Query and Analytics Support: Enables threat-hunting using AWS services like Amazon Athena, OpenSearch, and AWS Lake Formation.
Threat Hunting with AWS OCSF and Security Lake
By leveraging OCSF and Security Lake, security teams can conduct efficient threat-hunting operations. Here’s how:
1. Data Ingestion and Normalization
- Enable AWS Security Lake to collect logs from services like AWS CloudTrail, Amazon GuardDuty, VPC Flow Logs, and third-party security tools.
- Convert security logs into the OCSF schema, ensuring uniformity across different data sources.
2. Threat Intelligence Integration
- Ingest threat intelligence feeds into Security Lake for correlation with security event data.
- Use Amazon Detective to analyze and visualize suspicious activity.
3. Querying Security Data
- Utilize Amazon Athena to run SQL queries against Security Lake data.
- Example: Identifying failed login attempts across AWS accounts:
  SELECT eventTime, eventSource, eventName, userIdentity, awsRegion
  FROM security_lake
  WHERE eventName = 'ConsoleLogin'
    AND errorMessage IS NOT NULL;
4. Automated Threat Detection
- Configure Amazon GuardDuty and AWS Security Hub to analyze Security Lake data for anomalies.
- Use AWS Lambda to automate responses to detected threats.
5. Investigating and Mitigating Threats
- Correlate OCSF-formatted logs with known threat indicators.
- Leverage OpenSearch to visualize security trends and uncover hidden threats.
- Implement incident response workflows using AWS Systems Manager and SOAR tools.
Use Case: Detecting Unauthorized API Access
Scenario
An attacker attempts unauthorized API requests across multiple AWS regions. Using AWS Security Lake and OCSF, the security team detects and responds to this threat.
Steps to Investigate:
- Query Security Lake for API calls originating from unfamiliar IP addresses.
- Correlate findings with GuardDuty alerts for unusual API activity.
- Trigger automated response using AWS Lambda to block the suspicious IP in AWS WAF.
- Generate reports and alerts in AWS Security Hub for further analysis.
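The first two investigation steps above, worked as an added example that is not part of the original post: a small hunt over OCSF-normalized records that groups API Activity events by source IP, drops addresses on a known-egress allowlist, and reports any remaining IP that called the API in more than one region. The OCSF field names (class_uid, cloud.region, api.operation, actor.user.name, src_endpoint.ip, status_id) are real; the events, the allowlist and the function names ocsf_event and hunt_unfamiliar_ips are constructed for this example.

```python
import json
from collections import defaultdict


def ocsf_event(class_uid, region, operation, user, ip, status_id, ts):
    """Build one simplified OCSF record laid out the way Security Lake normalizes
    CloudTrail (API Activity is class_uid 3005, Authentication is 3002). Made-up values."""
    return json.dumps({"class_uid": class_uid, "time": ts, "status_id": status_id,
                       "cloud": {"region": region}, "api": {"operation": operation},
                       "actor": {"user": {"name": user}}, "src_endpoint": {"ip": ip}})


# Constructed sample: one allowlisted caller, one IP issuing calls across three
# regions (two of them denied), one unfamiliar IP in a single region, one login.
SAMPLE_EVENTS = [
    ocsf_event(3005, "us-east-1", "ListBuckets", "ci-deployer", "10.0.1.5", 1, 1700000000000),
    ocsf_event(3005, "us-east-1", "DescribeInstances", "ops-admin", "198.51.100.23", 2, 1700000060000),
    ocsf_event(3005, "eu-west-1", "ListUsers", "ops-admin", "198.51.100.23", 2, 1700000120000),
    ocsf_event(3005, "ap-southeast-1", "GetCallerIdentity", "ops-admin", "198.51.100.23", 1, 1700000180000),
    ocsf_event(3005, "us-west-2", "DescribeInstances", "alice", "203.0.113.9", 1, 1700000240000),
    ocsf_event(3002, "us-east-1", "ConsoleLogin", "ops-admin", "198.51.100.23", 2, 1700000300000),
]

# Constructed allowlist of the organization's known egress addresses.
KNOWN_IPS = {"10.0.1.5", "10.0.1.6"}


def hunt_unfamiliar_ips(raw_events, known_ips, min_regions=2):
    """Group API Activity events by source IP, drop allowlisted IPs, and return
    those that called the API in at least min_regions regions."""
    by_ip = defaultdict(lambda: {"regions": set(), "users": set(), "calls": 0, "denied": 0})
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("class_uid") != 3005:       # skip logins and other event classes
            continue
        ip = ev.get("src_endpoint", {}).get("ip")
        if not ip or ip in known_ips:
            continue
        entry = by_ip[ip]
        entry["regions"].add(ev["cloud"]["region"])
        entry["users"].add(ev["actor"]["user"]["name"])
        entry["calls"] += 1
        entry["denied"] += 1 if ev.get("status_id") == 2 else 0
    # Plain sorted lists keep the report deterministic for alerting and tests.
    return {ip: {"regions": sorted(e["regions"]), "users": sorted(e["users"]),
                 "calls": e["calls"], "denied": e["denied"]}
            for ip, e in by_ip.items() if len(e["regions"]) >= min_regions}
```

The same grouping can be expressed as an Athena GROUP BY over the Security Lake CloudTrail table; the denied-call count is what makes a multi-region IP worth correlating with GuardDuty findings.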
Conclusion
AWS Security Lake and the OCSF framework empower organizations to perform advanced threat-hunting by centralizing and normalizing security data. By leveraging AWS services like Athena, GuardDuty, and OpenSearch, security teams can efficiently detect, investigate, and mitigate threats before they escalate.
Adopting this approach enhances an organization’s security posture, ensuring a proactive defense against emerging cyber threats.