Wiz assists Incident Response (IR) and SOC teams with containment through automated assessment of security incidents by identifying possible root causes and calculating the potential blast radius of compromised resources.
# Incident Report: Simulated Cloud Compromise Investigation Using Advanced Forensics
## Executive Summary
This report summarizes typical cloud-native security incidents, focusing on the methodology enabled by advanced tools like the Wiz Security Graph for rapid investigation. The core objective in these scenarios is to quickly determine the root cause of a compromise (e.g., vulnerability exploitation or stolen credentials), map the blast radius across related subscriptions and resources, and contain the threat by leveraging automated forensics and runtime monitoring.
## Incident Details
- Discovery Date: Not specified (Implied real-time detection via monitoring)
- Incident Date: Not specified (Implied ongoing threat detection on live assets)
- Affected Organization: Various organizations using public cloud infrastructure (Illustrative Context)
- Sector: Implicitly Technology/Cloud Services (Focus on cloud security tooling)
- Geography: Not specified
## Timeline of Events
### Initial Access
- Date/Time: Not specified
- Vector: Exploitation of a vulnerability (e.g., vulnerable software component), or use of stolen credentials (e.g., exposed SSH key, unauthenticated access to a Jupyter notebook).
- Details: A VM or container became compromised, potentially via an unauthenticated Jupyter notebook instance or the exploitation of critical vulnerabilities present on the machine.
### Lateral Movement
- Date/Time: Post-initial compromise
- Vector: Privilege escalation paths, abusing cleartext secrets, lateral movement via cross-subscription identity paths.
- Details: Analysis revealed potential paths to privilege escalation through a cleartext private key and lateral movement paths leading to roles and KMS keys in *other* subscriptions.
### Data Exfiltration/Impact
- Data/Impact: Potential access to sensitive data or highly privileged cloud roles in other subscriptions. The severity is defined by the "blast radius."
- Details: The immediate risk centers on the access granted by the compromised resource's service account, especially connections to sensitive data or privileged roles in other accounts.
### Detection & Response
- Detection Method: Alert generated on suspicious runtime events occurring on a specific VM/container, analyzed via Wiz Security Graph and runtime sensor.
- Response Actions: Automated Root Cause Analysis performed. Response involved copying VM volumes, downloading a forensics package, analyzing audit logs (e.g., Jupyter Notebook logs), rotating compromised credentials (e.g., private key), and reviewing linked cloud events across subscriptions.
## Attack Methodology
- Initial Access: Vulnerability exploitation or authentication via stolen credentials (e.g., cleartext secrets, weak configuration like unauthenticated Jupyter instance).
- Persistence: Not explicitly detailed, but implied through maintained access via service accounts or roles.
- Privilege Escalation: Abuse of cleartext secrets (e.g., private key) to escalate privileges or gain access to higher-level cloud roles.
- Defense Evasion: Not explicitly detailed; runtime monitoring, which exposes malicious process activity, is the means by which evasion techniques are identified.
- Credential Access: Discovery and analysis of cleartext private keys stored on the compromised resource.
- Discovery: Automated analysis by the Security Graph mapping system dependencies and potential paths.
- Lateral Movement: Tracing cross-subscription identity paths (service account context) to roles in other subscriptions.
- Collection: Review of audit logs (e.g., Jupyter Notebook audit logs) and artifacts within the forensics package.
- Exfiltration: Investigating abusive activity associated with high-privilege roles identified in the blast radius assessment.
- Impact: Unauthorized access to organizational resources and secrets across multiple cloud subscriptions.
## Impact Assessment
- Financial: Not specified (Cost savings implied through rapid response efficiency).
- Data Breach: Potential exposure of secrets (private keys) and access to sensitive data associated with highly privileged roles.
- Operational: Potential operational disruption if containment steps (such as credential rotation) are urgent, but the overall goal is to minimize disruption through fast analysis.
- Reputational: Not specified.
## Indicators of Compromise
- Network indicators: Suspicious cloud provider events related to the compromised resource's service account activity.
- File indicators: Cleartext private key found on the VM volume.
- Behavioral indicators: Suspicious process execution observed via the runtime sensor on the compromised VM/container.
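As an added example (not code from this page or from Wiz's own tooling), the following Python scanner walks a copied VM volume and reports the file indicator above: PEM private keys on disk, distinguishing cleartext keys from passphrase-protected ones and flagging those that are world-readable. The sample volume, its paths and the key bodies are constructed for the demonstration.

```python
"""Scan a copied VM volume for cleartext private keys (file indicator)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# PEM armor headers. An ENCRYPTED header or a "Proc-Type: 4,ENCRYPTED" line
# marks a passphrase-protected key, which is not a cleartext finding.
PEM_HEADER = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")

def classify_key_file(path):
    """Return a finding dict if the file holds a PEM private key, else None."""
    try:
        text = path.read_bytes().decode("utf-8", errors="ignore")
    except OSError:
        return None
    if not (m := PEM_HEADER.search(text)):
        return None
    encrypted = m.group("kind").startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in text
    return {
        "path": str(path),
        "kind": m.group("kind"),
        "cleartext": not encrypted,
        "world_readable": bool(path.stat().st_mode & stat.S_IROTH),
    }

def scan_volume(root):
    """Walk a mounted volume copy (not the live VM) and collect key findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink():  # do not follow links off the copied volume
                continue
            if finding := classify_key_file(p):
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_volume():
    """Constructed sample volume copy: one cleartext key and one encrypted key."""
    root = Path(tempfile.mkdtemp(prefix="vol_copy_"))
    ssh = root / "home" / "jupyter" / ".ssh"  # hypothetical notebook user
    ssh.mkdir(parents=True)
    (ssh / "id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(ssh / "id_rsa", 0o644)  # world-readable on top of being cleartext
    (ssh / "deploy.pem").write_text("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return root

if __name__ == "__main__":
    for finding in scan_volume(build_sample_volume()):
        print(finding)
```

Every cleartext finding is a credential to rotate immediately; the encrypted ones are still worth noting in the forensics package because the passphrase may sit elsewhere on the same volume.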
## Response Actions
- Containment measures: Immediately rotating the compromised cleartext private key; pausing/reviewing all associated cloud events linked to the abused role.
- Eradication steps: Not explicitly detailed; assumed to follow containment by patching vulnerabilities and remediating the misconfigurations identified as root causes.
- Recovery actions: Verifying that access paths identified in the blast radius analysis are no longer viable by reviewing associated role usage.
## Lessons Learned
- Automated Root Cause and Blast Radius analysis specific to cloud environments is essential for effective IR.
- Misconfigurations (like unauthenticated Jupyter instances) and vulnerable software components remain significant initial access vectors.
- Secrets stored in plain text on the filesystem present critical lateral movement and privilege escalation risks.
## Recommendations
- Implement comprehensive runtime monitoring integrated with infrastructure-as-code analysis (Security Graph) to immediately map dependencies when an alert fires.
- Enforce secrets management policies to prevent cleartext storage of highly sensitive credentials (e.g., private keys) on compute instances.
- Regularly review and restrict cross-subscription access entitlements, especially those granted to service accounts that map to critical roles or keys.