Learn to hunt AWS threat actors effectively in this conference talk, which explores advanced threat detection techniques using Access Analyzer Policy Suggestions. Discover how to navigate the complexities of AWS security across 400+ services, 16,000 actions, and numerous attack paths while differentiating between legitimate and non-compliant usage. Explore practical methods for creating behavioral baselines from AWS Access Analyzer's 90-day activity data, enhanced with risk-level assessments for actions, toxic combinations, and unused services. Follow along with hands-on demonstrations in Jupyter notebooks to understand how to emulate threat actor TTPs and implement SIEM-agnostic hunting detections. Building on previous research in AWS Detection Engineering, gain insights into creating principal behavior-hunting detection systems applicable to any AWS environment. The presentation covers an introduction and motivation, user database hunting, differential database analysis, detection database implementation, dummy data creation, Prowler testing, cloud log analysis, and concluding insights.
Overview
Syllabus
Introduction
Motivation
User DB
Hunting User DB
Hunting Diff DB
Hunting Detection DB
Creating Dummy Data
Testing Prowler
Cloud Logs
Conclusions
Taught by
fwd:cloudsec