“Efficient Detection and Emulation of Scattered Spider-like Attacks”

Mitigant Cloud Attack Emulation and Sekoia SOC demonstrate how to emulate and detect Scattered Spider-like attacks in an AWS environment, illustrating a Threat-Informed Defense approach that blends security measures, threat intelligence, and testing. The article shows how cloud-native emulation and CTI-enabled detection can improve cloud security posture with reduced alert fatigue. hashtags: #ScatteredSpider #AWS #Mitigant #Sekoia #ThreatInformedDefense #CloudAttackEmulation

Keypoints

  • The scenario uses Mitigant Cloud Attack Emulation and Sekoia SOC to mirror Scattered Spider-like attacks in AWS and test detection capabilities.
  • Threat-Informed Defense Triad combines security measures, Cyber Threat Intelligence (CTI), and evaluation/testing to boost cloud resilience.
  • The threat actor is the Scattered Spider group, known to target financial and technology sectors, with a focus on AWS infrastructure in this scenario.
  • Attacks are categorized along MITRE ATT&CK phases: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, and Collection.
  • Sekoia Defend and Sekoia Intelligence work together to detect emulated attacks and provide context for threat hunting and triage.
  • Mitigant’s emulation tool documents aims, provides no-code execution, and can reverse attacks to minimize cloud maintenance burden.
  • The article highlights lessons learned, including the value of CTI, tailored detection rules, correlation, and environment-specific context to reduce false positives.

MITRE Techniques

  • [T1078] Initial Access – The attacker gains access to Acme’s corporate AWS account using stolen credentials obtained through phishing. ‘The attacker gains access to Acme’s corporate AWS account using stolen credentials obtained through phishing.’
  • [T1203] Execution – The attacker enables serial console access to EC2 instances to bypass network security controls. ‘Enabled serial console access to EC2 instances to bypass network security controls.’
  • [T1136] Persistence – The attacker creates backdoor IAM users, raising the “CreateAccessKey” and “CreateUser” events to secure future access to the tenant. ‘the attacker creates backdoor IAM users, raising the “CreateAccessKey” and “CreateUser” events to secure future access to the tenant.’
  • [T1078.003] Privilege Escalation – The attacker weakens IAM password policies to facilitate further attacks. ‘weakened IAM password policies to facilitate further attacks.’
  • [T1565] Defense Evasion – The attacker deletes VPC subnets and disables domain transfer locks to hide activities. ‘Deletes VPC subnets and disables domain transfer locks to hide activities.’
  • [T1552] Credential Access – The attacker compromises Lambda credentials and retrieves secrets from AWS Secrets Manager. ‘Compromised Lambda credentials and retrieved secrets from AWS Secrets Manager.’
  • [T1537] Collection – The attacker replicates S3 buckets and exfiltrates sensitive data. ‘replicates S3 buckets and exfiltrates sensitive data.’
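The detection side of the scenario above, as an added example that is not code from the Sekoia/Mitigant article: a small rule set keyed on CloudTrail eventName values, followed by the per-actor correlation and environment-specific allowlisting the article's lessons call for. Only CreateUser and CreateAccessKey appear on the page; the other eventName values (EnableSerialConsoleAccess, UpdateAccountPasswordPolicy, DeleteSubnet, DisableDomainTransferLock, GetSecretValue, PutBucketReplication) are the AWS API names matching the described actions, and the mapping of each to a technique/phase follows the page's listing but is this example's own assumption. All records, ARNs and IPs are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName -> (technique id as listed on the page, ATT&CK phase, severity).
# The eventName-to-phase mapping is this example's own assumption, not the article's rules.
RULES = {
    "EnableSerialConsoleAccess": ("T1203", "Execution", "high"),
    "CreateUser": ("T1136", "Persistence", "medium"),
    "CreateAccessKey": ("T1136", "Persistence", "medium"),
    "UpdateAccountPasswordPolicy": ("T1078.003", "Privilege Escalation", "high"),
    "DeleteSubnet": ("T1565", "Defense Evasion", "high"),
    "DisableDomainTransferLock": ("T1565", "Defense Evasion", "high"),
    "GetSecretValue": ("T1552", "Credential Access", "medium"),
    "PutBucketReplication": ("T1537", "Collection", "high"),
}

ALICE = "arn:aws:iam::111122223333:user/alice"   # compromised user (constructed)
BOB = "arn:aws:iam::111122223333:user/bob"       # ordinary admin (constructed)
CI = "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/ci"  # constructed
ATTACKER_IP = "203.0.113.10"                     # documentation range, placeholder

# Environment-specific context (constructed): principals that legitimately create
# users or rotate keys, e.g. a CI pipeline role. Their alerts are suppressed.
KNOWN_AUTOMATION = frozenset({CI})


def _ev(time, name, arn, ip, **extra):
    """Build a trimmed CloudTrail-style record (constructed sample, not real telemetry)."""
    rec = {"eventTime": time, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "ConsoleLogin", ALICE, ATTACKER_IP),          # not in RULES
    _ev("2024-05-01T10:05:00Z", "EnableSerialConsoleAccess", ALICE, ATTACKER_IP),
    _ev("2024-05-01T10:10:00Z", "CreateUser", ALICE, ATTACKER_IP),
    _ev("2024-05-01T10:11:00Z", "CreateAccessKey", ALICE, ATTACKER_IP),
    _ev("2024-05-01T10:20:00Z", "UpdateAccountPasswordPolicy", ALICE, ATTACKER_IP),
    _ev("2024-05-01T10:30:00Z", "GetSecretValue", ALICE, ATTACKER_IP),
    _ev("2024-05-01T10:40:00Z", "PutBucketReplication", ALICE, ATTACKER_IP),
    _ev("2024-05-01T11:00:00Z", "CreateAccessKey", CI, "10.0.0.5"),           # allowlisted
    _ev("2024-05-01T11:30:00Z", "GetSecretValue", BOB, "10.0.0.9", errorCode="AccessDenied"),
    _ev("2024-05-01T12:00:00Z", "CreateUser", BOB, "10.0.0.9"),               # isolated, benign
]


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def match_events(events, allowlisted_arns=frozenset()):
    """Per-event rules: one alert per successful, non-allowlisted event found in RULES."""
    alerts = []
    for e in events:
        rule = RULES.get(e.get("eventName"))
        actor = e.get("userIdentity", {}).get("arn", "")
        if rule is None or e.get("errorCode") or actor in allowlisted_arns:
            continue
        technique, phase, severity = rule
        alerts.append({"time": _parse_time(e["eventTime"]), "actor": actor,
                       "eventName": e["eventName"], "sourceIP": e.get("sourceIPAddress"),
                       "technique": technique, "phase": phase, "severity": severity})
    return alerts


def correlate(alerts, window_hours=24, min_phases=3):
    """Correlation: one finding per actor that touches >= min_phases distinct ATT&CK
    phases inside a sliding window. A lone CreateUser stays a low-priority alert;
    a chain spanning several phases is what warrants triage."""
    by_actor = defaultdict(list)
    for a in alerts:
        by_actor[a["actor"]].append(a)
    findings = []
    for actor, acts in by_actor.items():
        acts.sort(key=lambda a: a["time"])
        for i, start in enumerate(acts):
            deadline = start["time"] + timedelta(hours=window_hours)
            window = [a for a in acts[i:] if a["time"] <= deadline]
            phases = {a["phase"] for a in window}
            if len(phases) >= min_phases:
                findings.append({"actor": actor, "first_seen": start["time"],
                                 "phases": sorted(phases),
                                 "techniques": sorted({a["technique"] for a in window}),
                                 "source_ips": sorted({a["sourceIP"] for a in window}),
                                 "events": len(window)})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(match_events(SAMPLE_EVENTS, KNOWN_AUTOMATION)):
        print(f"{f['actor']}: {f['events']} events across {f['phases']} from {f['source_ips']}")
```

On the constructed sample, the per-event rules raise seven alerts (the denied GetSecretValue and the allowlisted pipeline key are dropped), but only one finding survives correlation: the compromised user chaining five phases inside an hour. The single CreateUser by the ordinary admin stays a medium-severity alert rather than an incident, which is the false-positive reduction the article attributes to correlation plus environment context.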

Indicators of Compromise

  • [IP] Initial Access – 149.248.8.85 – The malicious email link is hosted on this IP, associated with Scattered Spider activity.

Read more: https://blog.sekoia.io/emulating-and-detecting-scattered-spider-like-attacks/