Threat Stack SOC Analysis: Investigating Incidents Involving Automation Tools

F5 Miniatura
Updated March 09, 2022

Threat Stack is now F5 Distributed Cloud App Infrastructure Protection (AIP). Start using Distributed Cloud AIP with your team today.

As part of their 24/7 work supporting customers through the Cloud SecOps Program℠, the security analysts in the Threat Stack Security Operations Center (SOC) regularly investigate suspicious activity on behalf of our customers. Over the past several months, our security analysts have noticed a steady increase in the use of automation tools that include web-based SSH features.

The use of these tools is a concrete sign that many organizations are maturing their cloud environment and are becoming more sophisticated in their cloud orchestration and day-to-day management. By using web-based SSH and other features that can run custom scripts on remote servers, operations teams can drastically reduce overhead and streamline the lifecycle of their servers and the configuration of services at scale.

However, as we have seen in the past, automating complex operations can lead to mistakes or overlooked risks. First, ensuring that your IAM policies are up to date and specific down to the individual features of given services becomes even more critical. In addition to the focus on IAM, many automation tools, including ones with web-based SSH features, introduce unique challenges for security teams as they investigate suspicious activity in their cloud environment.

In Linux systems, web-based SSH tools don’t manifest as traditional SSH sessions in the underlying logs. This difference can lead to system events in logs that aren’t associated with any logged-in users. Normally, this looks like regular, trusted automation activity — but not if a user can issue arbitrary commands behind it. The implications here are pretty obvious: If a malicious actor, whether an insider or someone leveraging compromised credentials from the outside, is able to gain access to a web-based SSH tool, obfuscation becomes trivial.

The full stack security observability and behavioral analysis capabilities of tools like the Threat Stack Cloud Security Platform® are able to identify this suspicious activity, but this is where the automated nature of web-based SSH tools throws a curveball at security analysts. It requires a different investigative technique to recognize and pivot off nuances in automation events to uncover the underlying intent of a user.

That’s where the Threat Stack SOC analysts come in. By working directly with some of the industry’s most progresssive cloud environments, they are intimately familiar with how to investigate these types of incidents. If you want an inside look at how the Threat Stack Cloud SecOps Program analysts investigate the downstream actions of automation tools when conducting forensics that require user attribution, download our latest Threat Intelligence Report or register for our live demonstration — “Automated Activity or Insider Threat: Can You Tell the Difference?” — being held on March 19. 


Threat Stack is now F5 Distributed Cloud App Infrastructure Protection (AIP). Start using Distributed Cloud AIP with your team today.