mary (Staff)
Article Id 365700
Description

An upcoming blog will introduce "EC2 Grouper", a cloud attacker group known for using native AWS tooling to exploit compromised credentials. EC2 Grouper follows consistent patterns, such as AWS PowerShell for automation and a distinctive security group naming convention ("ec2group12345"), to execute its attacks (similar to my luggage combo).

While actor-specific indicators such as user agents and group names help attribute activity to this group, they are unreliable as the basis for comprehensive threat detection because the attacker can change them at any time. The blog outlines the TTPs associated with EC2 Grouper and demonstrates how Lacework FortiCNAPP detects the activity without relying on these ever-changing indicators.
Scope

Cloud identity compromises, like those carried out by EC2 Grouper, are among the most challenging to detect and mitigate. Attackers often exploit compromised credentials, frequently obtained from code repositories, to launch sophisticated, automated attacks. EC2 Grouper's tactics include calling AWS APIs for reconnaissance, creating security groups, and provisioning resources, while avoiding more overt follow-on actions such as configuring inbound access on those groups.

These patterns highlight the broader challenge of detecting identity compromises that blend into legitimate activity; it requires detection mechanisms capable of correlating multiple weak signals rather than matching any single indicator.
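The following is an added illustration of that correlation idea, written for this article and not code from Lacework or FortiCNAPP. It scores each AWS access key on behavioural signals drawn from the TTPs above (a reconnaissance burst, security group creation with no inbound rule ever added, instance provisioning, and an overall call rate that suggests scripting) while deliberately never reading the user agent or the group name. The CloudTrail-style records, the access keys, the signal weights and the alert threshold are all constructed assumptions; the event names are real EC2 API names chosen to stand in for the behaviour the article describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Weak behavioural signals; weights and threshold are illustrative assumptions.
SIGNAL_WEIGHTS = {
    "recon_burst": 1,    # several Describe*/List*/Get* calls in one short window
    "sg_created": 1,     # CreateSecurityGroup observed
    "sg_no_ingress": 2,  # a created group never receives inbound rules
    "provisioned": 1,    # RunInstances observed
    "scripted_rate": 1,  # overall call rate suggests automation (no user-agent check)
}
ALERT_THRESHOLD = 4
RECON_PREFIXES = ("Describe", "List", "Get")
WINDOW = timedelta(minutes=10)


def _t(event):
    return datetime.fromisoformat(event["eventTime"])


def score_identity(events):
    """Score one access key's events; userAgent and groupName are never read."""
    events = sorted(events, key=_t)
    names = [e["eventName"] for e in events]
    signals = []
    recon = [e for e in events if e["eventName"].startswith(RECON_PREFIXES)]
    if len(recon) >= 5 and _t(recon[-1]) - _t(recon[0]) <= WINDOW:
        signals.append("recon_burst")
    if "CreateSecurityGroup" in names:
        signals.append("sg_created")
        created = {e["groupId"] for e in events if e["eventName"] == "CreateSecurityGroup"}
        opened = {e["groupId"] for e in events if e["eventName"] == "AuthorizeSecurityGroupIngress"}
        if created - opened:  # at least one new group was left without inbound rules
            signals.append("sg_no_ingress")
    if "RunInstances" in names:
        signals.append("provisioned")
    if len(events) >= 8 and _t(events[-1]) - _t(events[0]) <= WINDOW:
        signals.append("scripted_rate")
    return sum(SIGNAL_WEIGHTS[s] for s in signals), signals


def evaluate(events):
    """Group events by access key; return {key: (score, signals, alert)}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["accessKeyId"]].append(e)
    result = {}
    for key, evs in by_key.items():
        score, signals = score_identity(evs)
        result[key] = (score, signals, score >= ALERT_THRESHOLD)
    return result


def ev(key, when, name, agent, group_id=None, group_name=None):
    """Build a simplified CloudTrail-style record (constructed sample data)."""
    e = {"accessKeyId": key, "eventTime": when, "eventName": name, "userAgent": agent}
    if group_id:
        e["groupId"], e["groupName"] = group_id, group_name
    return e


SUSPECT, ADMIN = "AKIA-CONSTRUCTED-SUSPECT", "AKIA-CONSTRUCTED-ADMIN"
PS, CLI = "AWSPowerShell (constructed)", "aws-cli (constructed)"
SAMPLE_EVENTS = [  # constructed: a scripted session versus a human admin's morning
    ev(SUSPECT, "2025-01-01T12:00:00", "DescribeRegions", PS),
    ev(SUSPECT, "2025-01-01T12:00:05", "DescribeInstances", PS),
    ev(SUSPECT, "2025-01-01T12:00:10", "DescribeVpcs", PS),
    ev(SUSPECT, "2025-01-01T12:00:15", "DescribeSubnets", PS),
    ev(SUSPECT, "2025-01-01T12:00:20", "DescribeSecurityGroups", PS),
    ev(SUSPECT, "2025-01-01T12:00:25", "DescribeInstanceTypes", PS),
    ev(SUSPECT, "2025-01-01T12:00:40", "CreateSecurityGroup", PS, "sg-constructed1", "ec2group12345"),
    ev(SUSPECT, "2025-01-01T12:01:00", "RunInstances", PS),
    ev(ADMIN, "2025-01-01T09:00:00", "DescribeInstances", CLI),
    ev(ADMIN, "2025-01-01T09:05:00", "DescribeSecurityGroups", CLI),
    ev(ADMIN, "2025-01-01T09:12:00", "CreateSecurityGroup", CLI, "sg-constructed2", "web-tier"),
    ev(ADMIN, "2025-01-01T09:13:00", "AuthorizeSecurityGroupIngress", CLI, "sg-constructed2", "web-tier"),
    ev(ADMIN, "2025-01-01T09:40:00", "RunInstances", CLI),
]


def rotate_indicators(events):
    """Simulate the actor changing its user agent and naming scheme."""
    rotated = []
    for e in events:
        e = dict(e, userAgent="curl (constructed)")
        if "groupName" in e:
            e["groupName"] = "prod-default"
        rotated.append(e)
    return rotated


if __name__ == "__main__":
    for key, (score, signals, alert) in evaluate(SAMPLE_EVENTS).items():
        print(key, score, signals, "ALERT" if alert else "ok")
    print("after rotation:", evaluate(rotate_indicators(SAMPLE_EVENTS))[SUSPECT][0])
```

Running it flags the scripted key with a score of 6 and leaves the admin at 2, and the suspect's score is unchanged after `rotate_indicators` swaps out the user agent and the "ec2group" name, which is the point: the behaviour, not the string, carries the detection.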
Solution

Lacework FortiCNAPP is designed to detect identity compromises like those orchestrated by EC2 Grouper. Through Composite Alerts, FortiCNAPP evaluates multiple signals, including API usage anomalies, secret scanning, and unusual activity patterns, and combines them to identify malicious behavior with high accuracy.

By mapping observed activity to frameworks like MITRE ATT&CK and integrating capabilities like CIEM, FortiCNAPP delivers stronger cloud security without relying on ephemeral, actor-specific indicators.

Read the full blog (pending) to learn more about the patterns, tactics, and advanced detection strategies used to identify EC2 Grouper.
