The first time I ever took a briefing on cloud security was in 2011 from a senior national security official in the Pentagon. He believed that the U.S. Department of Defense could become exponentially more secure if we migrated away from the 90,000 networks we had at the time and towards a smaller network attack surface that could be more easily defended. Transitioning legacy networks to the cloud is hard work — every large enterprise needs to plan and plan, and plan some more, to do so — but the good news is that new research makes it easier to secure the cloud and measure cloud security effectiveness.
In a major innovation in cybersecurity since that conversation 11 years ago, cloud service providers now contain security controls within their commercial solutions, which some call “native security controls.” These cloud security capabilities in some cases mirror the capabilities provided by third-party vendors, i.e., endpoint detection, next-generation firewalls, and segmentation capabilities. But because they reside in the cloud itself, that presents an opportunity for streamlining cybersecurity operations and infrastructure. Infrastructure and security teams can now work through one solution, driving down complexity and making the chief information security officer’s job a lot easier.
Here comes the blue pill, as Morpheus would say. Security teams still need to know:
- Which security controls actually exist within the cloud provider;
- Whether and how well those security controls are working.
And this is why we are so excited to have partnered with MITRE Engenuity’s Center for Threat-Informed Defense to develop new research that maps the security controls within Amazon AWS and Microsoft Azure to the MITRE ATT&CK® framework. This week, the Center for Threat-Informed Defense published the second installment in its cloud security mappings project, this time mapping AWS security controls to ATT&CK.
Why is this important? These mappings are based on human analysis that aligns ATT&CK to the security controls in the cloud, and this analysis paves the way for automated security control validation. By testing known adversary tactics, techniques, and common knowledge (the words behind the acronym ATT&CK) against the cloud security controls in AWS and Azure, you can determine your cloud security readiness and effectiveness. This helps organizations adopt a threat-informed defense throughout their cloud implementation, from initial planning to operations to maintenance.
What does a threat-informed defense mean in practice for the cloud? If your organization is worried about the cybercrime group FIN6, for example, did you know that there are specific AWS security controls that block, detect, and mitigate FIN6’s dangerous behaviors? When you were deploying your new cloud provider, did your security architects design those specific security controls into your cloud operations, did your engineers turn them on, and did anyone validate that they were configured correctly? This research empowers you to answer those questions.
But that’s not all. It also adds a scoring rubric that tells you how well those controls can block, detect, or mitigate known threat actors. This helps organizations ensure that every aspect of their cloud security program is focused on the threats that matter most.
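To make the two preceding paragraphs concrete, here is an added example, written for this page rather than taken from the post or from the Center for Threat-Informed Defense's published mappings or tooling. It assumes a simplified, constructed mapping format (control name to technique, category, and score) and a constructed scoring rubric of Minimal/Partial/Significant across Protect/Detect/Respond. The control names are placeholders, and the technique watch list is made up for illustration (the IDs are real ATT&CK technique IDs, but the list is not FIN6's actual profile). Given which controls the engineers actually turned on, it reports which watched techniques have at least one enabled control reaching a minimum score, and which are gaps.

```python
"""Coverage check of native cloud controls against an ATT&CK technique watch list.

Constructed example: the mapping, scores and control names below are placeholders
invented for this illustration. They are NOT the Center for Threat-Informed
Defense's published AWS or Azure mappings.
"""
from collections import defaultdict

# Assumed scoring rubric for this example, weakest to strongest.
SCORE_RANK = {"Minimal": 1, "Partial": 2, "Significant": 3}
CATEGORIES = ("Protect", "Detect", "Respond")

# Constructed mapping: control -> list of (technique_id, category, score).
MAPPING = {
    "example-identity-guard": [
        ("T1078", "Detect", "Significant"),   # Valid Accounts
        ("T1110", "Detect", "Partial"),       # Brute Force
    ],
    "example-network-filter": [
        ("T1190", "Protect", "Partial"),      # Exploit Public-Facing Application
        ("T1046", "Protect", "Significant"),  # Network Service Discovery
    ],
    "example-log-analytics": [
        ("T1078", "Detect", "Partial"),
        ("T1552", "Detect", "Minimal"),       # Unsecured Credentials
    ],
}

# Constructed watch list standing in for "the techniques the group we worry about uses".
WATCH_LIST = ["T1078", "T1110", "T1190", "T1552", "T1566"]  # T1566 = Phishing


def best_coverage(mapping, enabled_controls):
    """Return {technique: {category: (score, control)}} using only enabled controls,
    keeping the strongest score per technique and category."""
    best = defaultdict(dict)
    for control, entries in mapping.items():
        if control not in enabled_controls:
            continue  # designed in but never turned on: contributes nothing
        for tech, cat, score in entries:
            assert cat in CATEGORIES and score in SCORE_RANK
            current = best[tech].get(cat)
            if current is None or SCORE_RANK[score] > SCORE_RANK[current[0]]:
                best[tech][cat] = (score, control)
    return best


def coverage_report(mapping, enabled_controls, watch_list, minimum="Partial"):
    """Split the watch list into techniques with at least one enabled control
    scoring >= `minimum` in some category, and techniques that are gaps."""
    best = best_coverage(mapping, enabled_controls)
    covered, gaps = {}, []
    for tech in watch_list:
        strong = {
            cat: val
            for cat, val in best.get(tech, {}).items()
            if SCORE_RANK[val[0]] >= SCORE_RANK[minimum]
        }
        if strong:
            covered[tech] = strong
        else:
            gaps.append(tech)
    return covered, gaps


if __name__ == "__main__":
    # Scenario: the network filter was designed in but never enabled.
    enabled = {"example-identity-guard", "example-log-analytics"}
    covered, gaps = coverage_report(MAPPING, enabled, WATCH_LIST)
    for tech, cats in covered.items():
        for cat, (score, control) in cats.items():
            print(f"{tech}: {cat} {score} via {control}")
    print("gaps (no enabled control at Partial or better):", gaps)
```

The report is only as good as the `enabled_controls` set you feed it, which is the point of the post's third question: the mapping tells you which controls could cover a technique, and an automated test is what confirms the control is actually on and configured correctly. A gap that appears because a mapped control is disabled (T1190 above) is a configuration finding; a gap with no mapped control at all (T1566 above) is a real coverage hole to fill with something else.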
At AttackIQ, we are building scenarios and assessments to emulate adversary TTPs against cloud security controls to validate cloud security effectiveness. And we have a brand-new CISO’s Guide to Cloud Security Using ATT&CK that outlines the research and offers practical recommendations to improve your security readiness through automated testing. You can download it for free here.
When you’ve been doing cybersecurity for as long as I have, by default you gain a historical perspective. A decade after that first cloud security conversation in the Pentagon, this is an exciting evolution in our cybersecurity story and a hopeful sign of progress. The mapping of MITRE ATT&CK to native cloud security controls will make it easier for security teams to manage cybersecurity risks of all kinds.