Over the past two years, the Threat Stack Security Team has observed strong evidence of malicious actors leveraging the unique characteristics of public cloud environments to launch or hide their breaches. The following page shows an example of a common attack pattern observed by the Threat Stack Cloud Security Platform®.
In attacks of this nature, the first step many bad actors take is to leverage stolen API keys. Stolen keys are preferred because their use appears legitimate and often goes undetected. Attackers obtain these keys in a variety of ways, including stealing them from employee laptops with malware or harvesting them from open-source code sites like GitHub, where employees accidentally upload their API keys. Once the actor confirms that the API keys work, they want to ensure that they can regain access even if someone in Security or Ops terminates the stolen access key. To do so, they may create new keys or IAM roles, or use another method of establishing persistence.
Once the actor has entered the environment via the infrastructure APIs, they check whether they have direct access to the resources they need, such as an RDS database or S3 bucket. In addition to trying to access S3 data, an attacker will try to start an EC2 instance so that they can persist on the network itself.
When they find that they cannot access the RDS database or S3 buckets directly, they turn to their EC2 access. In this case, the actor launches EC2 instances inside the environment. Because of poor Security Group configuration in the environment, these hosts are as trusted as any legitimate host on the network. Many organizations trust all traffic within their network boundary, which gives the attacker the opportunity to consider lateral movement.
After they have identified or launched an EC2 instance with an insecure IAM role policy, they log in. The actor has now established a beachhead in the environment's network, from which they can perform reconnaissance and scan the network they have breached.
The actor proceeds to move laterally from this initial rogue EC2 instance, scanning and exploiting as they compromise other hosts in the network. EC2 instances are granted IAM permissions when they launch, which in some cases can give them legitimate access to AWS managed services like S3 or RDS.
Once the actor has landed on a host with the necessary IAM permissions, or with database credentials stored on the host, they can perform the necessary RDS API calls (or SQL commands) to access the database holding the target data. From there, they can exfiltrate it either directly from the terminal or through their chain of compromised hosts to evade Data Loss Prevention tools.
The attacker traverses back and forth from the infrastructure control plane to the host level in order to obtain valuable data.
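The control-plane half of this pattern (a key used from an unfamiliar address, followed by a persistence call such as CreateAccessKey, followed by RunInstances) is visible in CloudTrail. The following detection rule is an added example, not Threat Stack's own code; the CloudTrail-shaped records, the access key IDs and the known-IP allowlist are all constructed sample data.

```python
import json
from collections import defaultdict

# IAM API calls that give an intruder a second way back in (persistence).
PERSISTENCE_CALLS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                     "CreateRole", "AttachUserPolicy", "PutUserPolicy"}
LAUNCH_CALLS = {"RunInstances"}

def _event(time, name, key, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}

# Constructed sample log: one key behaves normally from the office egress IP;
# the other is used from an unknown address, mints a new key, then launches EC2.
SAMPLE_EVENTS = [
    _event("2021-03-01T09:00:00Z", "DescribeInstances", "AKIAEXAMPLEOFFICE", "198.51.100.10"),
    _event("2021-03-01T09:05:00Z", "GetCallerIdentity", "AKIAEXAMPLESTOLEN", "203.0.113.7"),
    _event("2021-03-01T09:06:00Z", "ListBuckets", "AKIAEXAMPLESTOLEN", "203.0.113.7"),
    _event("2021-03-01T09:07:00Z", "CreateAccessKey", "AKIAEXAMPLESTOLEN", "203.0.113.7"),
    _event("2021-03-01T09:20:00Z", "RunInstances", "AKIAEXAMPLESTOLEN", "203.0.113.7"),
    _event("2021-03-01T09:30:00Z", "RunInstances", "AKIAEXAMPLEOFFICE", "198.51.100.10"),
]

def detect_stolen_key_chain(events, known_ips):
    """Return one finding per access key that (1) is used from an IP outside
    known_ips, (2) then creates a persistence mechanism, and (3) afterwards
    launches EC2. Events are CloudTrail-style dicts, ordered by eventTime."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)
    findings = []
    for key, evs in by_key.items():
        unknown_ips = sorted({e["sourceIPAddress"] for e in evs
                              if e["sourceIPAddress"] not in known_ips})
        if not unknown_ips:
            continue  # only ever seen from allowlisted addresses
        first_persist = next((i for i, e in enumerate(evs)
                              if e["eventName"] in PERSISTENCE_CALLS), None)
        if first_persist is None:
            continue
        launched = any(e["eventName"] in LAUNCH_CALLS for e in evs[first_persist + 1:])
        if launched:
            findings.append({"accessKeyId": key, "unknown_ips": unknown_ips,
                             "persistence": [e["eventName"] for e in evs
                                             if e["eventName"] in PERSISTENCE_CALLS],
                             "launched_ec2": True})
    return findings

if __name__ == "__main__":
    print(json.dumps(detect_stolen_key_chain(SAMPLE_EVENTS, {"198.51.100.10"}), indent=2))
```

In practice the allowlist would come from your egress IP inventory, and the same grouping can be keyed on the IAM principal ARN when the actor rotates to the key they created.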