Cloud Security Perspectives and Insights

Monitoring the Security Detection Framework

David B. Cross
SVP SaaS Security

For this posting, I would like to introduce my joint guest author Yibin Liao, who is a software developer in the SaaS Cloud Security (SCS) organization.

Our first posting “Oracle SaaS Cloud Security Goes Way Way Beyond the Bare Minimum”, raised a question: how do you ensure that an attacker cannot disable or corrupt your security detection framework?

Very simply, it is all about comprehensive monitoring and validation! In cybersecurity infrastructure, you must have a validation framework and lifecycle that develops and executes tests based on collected evidence.

Security Detection and Validation Lifecycle

A security monitoring and validation framework and lifecycle must have adequate detection infrastructure that can alert on detections correctly, and only on unexpected configuration changes. 

In Oracle SaaS, we have a strict control environment in place that monitors all known inputs and outputs. Every signature, rule, or threat detection has an explicit test to validate the existence and validity of the rule. A holistic security test framework automatically ensures all tests are executed continuously and test evidence is generated and collected.  In this specific framework, SCS uses an open source framework and test model.

The evidence is tracked and monitored by the Automated SaaS Cloud Security Services (ASCSS) infrastructure at Oracle to ensure that each atomic test is properly detected and tracked as a system-based false positive.  If a specific atomic test failure is detected by ASCSS within a planned timeframe, a separate alert is generated and evaluated automatically to determine if a rule is inactive, corrupted, or disabled. ASCSS validates all results against the defined framework automatically and only sends alerts when a deviation is detected. 

Testing Framework Foundations
The Atomic Red Team is an open-source tool from Red Canary that simulates adversarial behaviors. It is a collection of small, highly portable detection tests mapped to the MITRE ATT&CK framework. It allows security teams to test their controls by executing atomic tests that exercise the same techniques that are used by adversaries. Atomic tests are focused, have few dependencies, and are defined in a structured format that automation frameworks can use. This gives security teams a highly actionable way to start testing their defenses against a broad spectrum of attacks. 

For example, one atomic test tries to delete files:

Each atomic test has a specific Mitre label, which is mapped to a MITRE ATT&CK technique (for example, T1107 is mapped to file deletion). The technique defines the commands to be run during the test. For example, the rm command deletes files in Linux and macOS. As shown above, commands in Test 1 delete a single file, commands in Test 2 delete an entire folder.  SCS has a holistic atomic test for every detection rule in our security detection framework.

Advanced Persistent Threats
In addition to atomic tests, we also build detection techniques for Advanced Persistent Threat (APT) Groups. APT Groups are sets of related intrusion activities that are tracked by a common name in the security community. APT Groups normally use tools or software which combine multiple techniques to perform attacking tasks.

For example, admin@338 is a cyber-threat group that is based in China. This group primarily steals information from financial, economic, and trade policy organizations. They typically use publicly available remote access tools such as Poisonlvy, as well as backdoors such as LOWBALL, to deliver malware.   

This chart is a compilation of publicly reported techniques used by this group.

SCS collects all use cases from the MITRE ATT&CK techniques and public reports (for example, FireEye APT reports) about these groups. SCS conducts Red Team activities and APT simulations as additional means to test our detection framework to ensure we can detect APTs rapidly.     

Monitoring and Validation Framework
When operating a security test framework, teams must test everything from specific technical controls to outcomes. Security teams must have confidence in their detection frameworks and security infrastructure.  It is critical to understand the security controls that are in place and to know the methods or approaches that are required to detect attack vectors or behaviors rapidly.

As highlighted in the Atomic Red Team project goals, all tests in a security test framework should be executed and validated in less than five minutes.  In SCS, we build and execute all tests to be completely atomic, lightweight, and validated in real time with our ASCSS detection system.

SCS executes each test and attack script that is defined in the Atomic Red Team framework in shielded VM images, which are hardened by a set of security controls. The attack behaviors are captured by our logging frameworks (such as auditd and osquery), and then transported to our SIEM platform for automatic alerting, monitoring, and subsequent analysis. We implement a comprehensive test environment for all detection controls and rules in ASCSS. 

Below are a few testing examples of the MITRE ATT&CK techniques in use in the Oracle SaaS environment:

As cyber security professionals, we need to keep learning how adversaries are operating. That is why SCS continually expands detection test frameworks based on research and threat intelligence. We do use industry baseline standards, but as a best practice, we never rely ONLY on such baselines.  We continuously review potential risks, threats, and techniques that must be rapidly detected in a SaaS cloud environment and compliment the baselines accordingly.   

Security Framework Criticality
As highlighted above, SCS ensures that we have a detection rule and atomic test for every entry in the MITRE ATT&CK framework.  We also constantly evaluate and use real-time threat intelligence to advance our detection capabilities and atomic tests as part of the ASCSS infrastructure.

Over the next year, we will share more of our capabilities and demonstrate our advancements in the SaaS cloud security arena. 

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.