Full Report
Leonid Belkind, CTO of Torq, and Itay Arbel, PM at Wiz, explain how organizations can build a coherent Cyber Security Incident Response Plan using Wiz CDR to analyze cloud events and threat alerts in their context together with Torq's next-generation orchestration and automation capabilities.
Analysis Summary
# Tool/Technique: Torq Security Automation Platform
## Overview
Torq is a next-generation, no-code security orchestration, automation, and response (SOAR) platform designed to manage, analyze, and automate responses to security events at scale, often integrated with cloud detection tools like Amazon GuardDuty and threat context providers like Wiz.
## Technical Details
- Type: Tool (Security Automation/Orchestration Platform)
- Platform: Implied Cloud/Enterprise Security Environments (integrates with AWS services)
- Capabilities: No-code workflow building, security process template utilization, automated data enrichment, analysis orchestration, and real-time threat mitigation.
- First Seen: Not explicitly mentioned in the text.
## MITRE ATT&CK Mapping
ATT&CK catalogues adversary behaviour, so a response platform does not itself map to tactics or techniques. The useful mappings are the technique its workflow responds to in the scenario described, and the ATT&CK mitigations those workflows implement:
- **Technique responded to:** T1110.001 - Brute Force: Password Guessing (the SSH brute-force finding that starts the workflow)
- **M1037 - Filter Network Traffic** (blocking the attacking source address and revoking world-open SSH ingress during containment)
- **M1032 - Multi-factor Authentication** and **M1027 - Password Policies** (credential hardening orchestrated on the affected assets)
*Note: Collection (TA0009), Exfiltration (TA0010), Command and Control (TA0011), Indicator Removal (T1070) and Remote Services (T1021) describe what an attacker does; a response tool does not perform them and should not be mapped to them.*
## Functionality
### Core Capabilities
- **Orchestration and Automation:** Automatically executes defined security workflows (playbooks) triggered by security alerts (e.g., from Amazon GuardDuty).
- **No-Code Workflow Building:** Allows security teams to create complex investigative and remediation processes without writing extensive code.
- **Alert Triage & Enrichment:** Retrieves contextual data from sources like the Wiz Security Graph to enrich initial alerts.
- **Incident Response Execution:** Implements containment, eradication, and recovery steps programmatically.
### Advanced Features
- **Seamless Integration:** Works directly with Wiz Cloud Security Graph to pull asset context, exposure data, and threat information.
- **Real-Time Response Tailoring:** Adjusts workflows based on the context of the attack (e.g., whether the targeted instance is reachable from the internet, whether it accepts password logins, and what it can reach internally).
- **MTTR Reduction:** Shortens Mean Time To Respond (MTTR) by automating analysis and routing remediation actions directly to DevOps or security teams.
## Indicators of Compromise
This section is not applicable as Torq is an enterprise security defense tool, not malware or an attack tool associated with network/file IoCs.
## Associated Threat Actors
This section is not applicable as Torq is a commercial security product used by defender organizations.
## Detection Methods
This section is not applicable as Torq is an enterprise security defense tool.
## Mitigation Strategies
As a tool designed for mitigation, its use *is* a mitigation strategy:
- **Automated Containment:** Adding a network ACL deny entry for the attacking source and revoking over-broad security group ingress. Security groups hold allow rules only, so an IP block cannot be expressed on one; it goes on the subnet's network ACL, or the allow rule that exposed the port is removed.
- **Configuration Hardening:** Orchestrating changes to cloud asset configurations to improve security posture (e.g., enforcing MFA or strong passwords).
- **Rapid Remediation:** Shortening the window between detection and recovery using automated workflows.
## Related Tools/Techniques
- **Amazon GuardDuty:** The primary threat detection service providing the initial findings/alerts that trigger Torq workflows.
- **Amazon CloudWatch Events / Amazon EventBridge:** Services used to monitor and route GuardDuty findings to the automation platform.
- **Wiz Cloud Detection & Response (CDR) / Wiz Security Graph:** Provides essential asset context, topology mapping, and correlation needed for accurate analysis and prioritized response.
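The workflow described above (trigger on a GuardDuty finding routed through EventBridge, enrich with Wiz context, decide a response tier, then contain) as an added example in Python. This is not Torq, Wiz or AWS code. It assumes the finding arrives in the EventBridge envelope AWS uses for GuardDuty, uses a hypothetical `AssetContext` dataclass in place of a real Wiz Security Graph query (its field names are not the Wiz API), and makes no AWS calls: it returns the parameters a workflow would hand to `ec2:CreateNetworkAclEntry` and `ec2:RevokeSecurityGroupIngress`. The finding itself is constructed.

```python
"""Added example, not Torq, Wiz or AWS code: the triage-and-contain
decision a SOAR workflow makes for a GuardDuty SSH brute-force finding.

Assumptions (constructed for illustration):
  * the finding arrives in the EventBridge envelope AWS uses for GuardDuty
    ("source": "aws.guardduty", "detail-type": "GuardDuty Finding");
  * AssetContext is a hypothetical stand-in for what a Wiz Security Graph
    query would return; its field names are not the Wiz API;
  * no AWS call is made; the block returns the parameters a workflow would
    pass to ec2:CreateNetworkAclEntry and ec2:RevokeSecurityGroupIngress.
"""
from dataclasses import dataclass

# EventBridge rule pattern (real pattern syntax) that routes only SSH
# brute-force findings to the automation platform.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "UnauthorizedAccess:EC2/SSHBruteForce"}]},
}

# Constructed finding, trimmed to the fields the workflow reads.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {"networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge matcher: lists of exact values, {"prefix": ...}
    matchers, and nested objects. Enough to test the rule offline."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches_pattern(have, want):
                return False
            continue
        matched = False
        for alt in want:
            if isinstance(alt, dict) and "prefix" in alt:
                matched = isinstance(have, str) and have.startswith(alt["prefix"])
            else:
                matched = have == alt
            if matched:
                break
        if not matched:
            return False
    return True


@dataclass
class AssetContext:
    """Hypothetical Wiz-style context for the attacked instance."""
    publicly_exposed: bool        # SSH reachable from the internet
    password_auth_enabled: bool   # sshd accepts passwords, so guessing can work
    reaches_sensitive_data: bool  # graph shows a path to crown-jewel data


def triage(event, ctx):
    """Turn a raw finding plus asset context into a response tier."""
    d = event["detail"]
    remote = d["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]
    decision = {
        "instance_id": d["resource"]["instanceDetails"]["instanceId"],
        "source_ip": remote["ipAddressV4"],
        "tier": "notify",           # exposed-but-keys-only hosts: log and watch
    }
    if ctx.publicly_exposed and ctx.password_auth_enabled:
        decision["tier"] = "contain"
        if ctx.reaches_sensitive_data:
            decision["tier"] = "contain+escalate"   # page on-call, not just DevOps
    return decision


def containment_actions(decision, nacl_id, sg_id, rule_number=50):
    """Parameters for the two EC2 calls a containment step would make.

    Security groups hold allow rules only, so "block this IP" cannot be
    written on one. The deny goes on the subnet's network ACL, numbered
    below the existing allow (NACLs evaluate lowest rule number first),
    and the security-group change removes the world-open SSH allow.
    """
    if not decision["tier"].startswith("contain"):
        return []
    return [
        {"api": "ec2:CreateNetworkAclEntry", "NetworkAclId": nacl_id,
         "RuleNumber": rule_number, "Protocol": "6", "RuleAction": "deny",
         "Egress": False, "CidrBlock": decision["source_ip"] + "/32",
         "PortRange": {"From": 22, "To": 22}},
        {"api": "ec2:RevokeSecurityGroupIngress", "GroupId": sg_id,
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]


if __name__ == "__main__":
    ctx = AssetContext(True, True, True)
    for call in containment_actions(triage(SAMPLE_EVENT, ctx), "acl-0abc", "sg-0def"):
        print(call["api"], call)
```

The response tier is decided from the three context bits the talk calls out (exposure, password authentication, path to sensitive data), so a host that is exposed but key-only never reaches containment, which is the false-positive case an orchestrated block would otherwise create.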
***
# Tool/Technique: Wiz Cloud Security Graph
## Overview
The Wiz Security Graph is a core component used by security teams to understand the topology, asset context, and connectivity within their cloud environment. It enriches security alerts from detection tools by providing timely context, which is crucial for prioritizing incident response efforts.
## Technical Details
- Type: Tool (Cloud Security Posture/Context Provider)
- Platform: Cloud Environments (AWS, likely multi-cloud compatible)
- Capabilities: Discovers and correlates cloud asset signals, maintains up-to-date connection states, maps cloud topology, identifies assets with access to sensitive data, and provides context for security tooling alerts.
- First Seen: Not explicitly mentioned in the text.
## MITRE ATT&CK Mapping
This tool supports defensive operations, primarily aiding in the **Analysis and Preparation** phases.
- **T1110.001 - Brute Force: Password Guessing** (the attack the graph puts into context: the SSH guessing finding is rated by what the target is and what it can reach)
- **T1133 - External Remote Services** (the exposure the graph identifies: an SSH service reachable from the internet is the precondition for the guessing to be attempted at all)
- **Mitigations informed by the graph:** M1032 - Multi-factor Authentication and M1027 - Password Policies for hosts still relying on password-based SSH, and M1030 - Network Segmentation for hosts with paths to sensitive data
## Functionality
### Core Capabilities
- **Asset Contextualization:** Provides data on asset external exposure and internal connection states.
- **Threat Prioritization:** Alerts security teams specifically when risky activities (like SSH brute force) occur on publicly exposed assets with high environmental permissions.
- **Signal Correlation:** Correlates alerts from services like GuardDuty with environmental context.
### Advanced Features
- **Crown Jewel Mapping:** Used during analysis to understand possible attack paths between a compromised asset and sensitive organizational data ("crown jewels").
## Indicators of Compromise
Not applicable as Wiz is an enterprise security defense tool.
## Associated Threat Actors
Not applicable as Wiz is a commercial security product used by defender organizations.
## Detection Methods
Not applicable as Wiz is an enterprise security defense tool.
## Mitigation Strategies
The context provided by the Security Graph enhances mitigation effectiveness:
- **Prioritized Containment:** Ensures containment actions are targeted at the most critical assets first, maximizing impact.
- **Proactive Assessment:** Aids post-incident review to identify weak points in the cloud architecture that need hardening before they are exploited again.
## Related Tools/Techniques
- **Amazon GuardDuty:** Provides the raw threat finding which Wiz contextualizes.
- **Torq:** Consumes enriched alert data from Wiz to trigger automated remediation workflows.
***
# Tool/Technique: Amazon GuardDuty
## Overview
Amazon GuardDuty is a managed threat detection service from AWS that continuously analyses VPC Flow Logs, DNS logs and CloudTrail events across AWS accounts and workloads, combining anomaly detection with threat-intelligence feeds to flag malicious or unauthorized activity.
## Technical Details
- Type: Tool (Cloud Native Detection Service)
- Platform: Amazon Web Services (AWS)
- Capabilities: Continuous analysis of network flow, DNS and API (CloudTrail) activity for suspicious patterns, including brute-force attacks against instances and anomalous use of IAM credentials.
- First Seen: Not stated in the text; the service predates the talk and the usage described is current.
## MITRE ATT&CK Mapping
As a detection source, GuardDuty maps to the adversary techniques its findings describe (in this scenario, brute force):
- **T1110 - Brute Force**
- T1110.001 - Brute Force: Password Guessing (the finding type `UnauthorizedAccess:EC2/SSHBruteForce` covers SSH guessing against an instance; note that T1110.003 is Password Spraying, a different sub-technique)
- **T1078.004 - Valid Accounts: Cloud Accounts** (anomalous use of IAM credentials, which GuardDuty also reports)
## Functionality
### Core Capabilities
- Monitoring network and endpoint activity within AWS environments.
- Generating findings related to detected threats (e.g., brute force attacks).
- Integrating findings with event monitoring services like Amazon EventBridge.
### Advanced Features
- Utilizes high-fidelity threat intelligence feeds to identify malicious actors.
## Indicators of Compromise
Not explicitly listed. GuardDuty findings are themselves derived from observed indicators: port scans against the environment, connections to or from IP addresses on threat-intelligence lists, and unusual API call patterns.
## Associated Threat Actors
Not named in the text. Brute-force findings of this kind are most often produced by opportunistic, automated scanning of internet-exposed hosts rather than by a specific named actor.
## Detection Methods
GuardDuty itself is the detection mechanism. Findings appear in the GuardDuty console and are routed to automation by:
- **Cloud Service Integration:** an Amazon EventBridge (formerly CloudWatch Events) rule matching on `source: aws.guardduty` and the finding type, which forwards the finding to the automation platform.
## Mitigation Strategies
The service enables immediate mitigation planning:
- **Event Triggering:** Findings trigger orchestration platforms like Torq for automated response.
- **Focusing Response:** Alerts guide responders to the initial point of compromise.
## Related Tools/Techniques
- **Torq:** Consumes GuardDuty findings to automate response.
- **Amazon EventBridge/CloudWatch Events:** Used as the routing mechanism for findings into automation platforms.
***
# Technique: Cloud Brute Force Attack (Hypothetical Example)
## Overview
This refers to the attack scenario used as the primary example within the text: an attempted brute force attack against a cloud asset, most likely over SSH, which the security stack (GuardDuty, Wiz, Torq) is designed to detect, put into context and contain.
## Technical Details
- Type: Technique (Attack Scenario)
- Platform: Cloud Assets (e.g., EC2 instances configured for password authentication)
- Capabilities: Repeated attempts to guess credentials (passwords) to gain unauthorized access to a remote computing resource.
- First Seen: Ongoing threat, not a specific date.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1110 - Brute Force
- T1110.001 - Brute Force: Password Guessing (repeated guesses against one host; T1110.003 is Password Spraying, which rotates one password across many accounts)
## Functionality
### Core Capabilities
- Attempting unauthorized login against exposed remote services.
- Exploiting weak or default credentials.
### Advanced Features
- Often relies on large scale credential lists or automated scanning/testing.
## Indicators of Compromise
- **Behavioral Indicators:** High volume of failed login attempts targeting a single asset or account over a short period.
## Associated Threat Actors
Any threat actor or automated scanner targeting publicly exposed cloud infrastructure.
## Detection Methods
- **Behavioral detection:** Amazon GuardDuty identifies the high volume of failed login events indicative of brute force.
- **Contextual Identification:** Wiz identifies the target asset as publicly exposed and configured to allow password authentication.
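The behavioural detection described above, as an added Python example that is not GuardDuty or Wiz code: a sliding-window count of failed logins per source over sshd auth log lines, with a second alert when a flagged source later logs in successfully, which is the case that turns containment into incident response. The log lines are constructed, and the threshold (5 failures from one source within 2 minutes) is an assumption, not a GuardDuty setting.

```python
"""Added example, not GuardDuty or Wiz code: host-side behavioural
detection of SSH password guessing over sshd auth log lines.
The log lines are constructed; the threshold and window are assumptions.
Lines are assumed to arrive in time order, as they do from a log file.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd entries: a password-guessing run from 203.0.113.9 that
# eventually succeeds, one benign key login, and a single stray failure.
SAMPLE_LOG = [
    "Mar  3 10:15:01 web-1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar  3 10:15:03 web-1 sshd[2233]: Failed password for root from 203.0.113.9 port 51023 ssh2",
    "Mar  3 10:15:05 web-1 sshd[2235]: Failed password for invalid user test from 203.0.113.9 port 51024 ssh2",
    "Mar  3 10:15:07 web-1 sshd[2237]: Failed password for ubuntu from 203.0.113.9 port 51025 ssh2",
    "Mar  3 10:15:09 web-1 sshd[2239]: Failed password for ubuntu from 203.0.113.9 port 51026 ssh2",
    "Mar  3 10:15:10 web-1 sshd[2241]: Accepted publickey for deploy from 10.0.0.5 port 40210 ssh2",
    "Mar  3 10:15:11 web-1 sshd[2243]: Failed password for ubuntu from 203.0.113.9 port 51027 ssh2",
    "Mar  3 10:15:14 web-1 sshd[2245]: Accepted password for ubuntu from 203.0.113.9 port 51028 ssh2",
    "Mar  3 10:20:00 web-1 sshd[2260]: Failed password for invalid user pi from 198.51.100.7 port 60001 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines we ignore.
    syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse "Mar  3" to "Mar 3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag a source once it reaches `threshold` failures inside `window`;
    flag it again if it then authenticates successfully."""
    failures = defaultdict(deque)   # ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = failures[ip]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "failures": len(q), "at": ts})
        elif ip in flagged:               # Accepted from an already-flagged source
            alerts.append({"kind": "brute_force_success", "ip": ip,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the first alert fires at the fifth failure and the second when the same source logs in as `ubuntu`; the unrelated single failure and the key-based login produce nothing. A workflow consuming the second alert should treat the instance as compromised, not merely attacked.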
## Mitigation Strategies
The integration of the three tools focuses on swift mitigation:
1. **Blocking:** Immediately adding a network ACL deny entry for the attacker's source IP and revoking any security group rule that opens SSH to 0.0.0.0/0 (Containment via Torq). Security groups carry allow rules only, so the per-IP deny has to go on the subnet's network ACL, numbered below the existing allow rules.
2. **Credential Enforcement:** Orchestrating enforcement of MFA and strong passwords on target assets, or, where possible, disabling password authentication for SSH altogether so that guessing cannot succeed.
## Related Tools/Techniques
- The successful mitigation relies on the integration of **Amazon GuardDuty (Detection)**, **Wiz (Context)**, and **Torq (Containment)**.