3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)


Let Me Tell You Why Your SIEM Is Lying to You
(Keywords: SIEM blind spots, living off the land detection, CI/CD IAM misconfiguration, enterprise cloud detection rules, least privilege checklist)
You built a fortress, but the attackers are using your own tools to stroll through the front door. Welcome to the reality of production.
Author: Charlie K., Principal DevSecOps Consultant (@DevSecOutlaws), 12 years in IR/SecOps, OSCP/CISSP, worked with Fortune 50s & global healthcare orgs. View creds & references: LinkedIn | GitHub.
Anecdotes sanitized; no PHI or sensitive client info disclosed.
You’re Getting Owned by ‘Normal’ Activity
Sanitized details: July 2023, multi-account AWS org (~200 EC2, 3400 users, 120+ roles). Healthcare sector.
An attacker compromised a pipeline service account (MITRE ATT&CK T1078: Valid Accounts, T1552: Credentials in CI/CD). They then deployed cryptomining nodes via Ansible playbooks, abusing the overly permissive IAM role attached to the org's CodeBuild pipeline. Exfiltration? S3 sync jobs piggybacked on the standard data flows (T1020: Automated Exfiltration). CloudTrail caught nothing: every action was legitimate API activity from the org's own tools. Containment was a hellish IAM role lockdown, a CodeBuild/CloudTrail deep-dive, and full S3 log analysis.
MITRE ATT&CK Living-off-the-land reference, AWS S3 Investigation Guide.
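As an added defender-side example (not code from the original post), here is a Python baseline-deviation rule over constructed CloudTrail records: it assumes a hypothetical pipeline role name `codebuild-app-role` with a known allow-list of API calls and buckets, and flags sessions of that role that launch EC2 instances or write to buckets outside the pipeline's normal data flow, which is exactly the "legitimate" tool activity that slipped past the SIEM in the case above.

```python
# Expected behaviour per pipeline role: API calls it should make and buckets it
# should touch. In production this comes from a learned baseline; here it is a
# constructed allow-list for a hypothetical role name.
BASELINE = {
    "codebuild-app-role": {
        "calls": {("codebuild.amazonaws.com", "BatchGetBuilds"),
                  ("s3.amazonaws.com", "GetObject"),
                  ("s3.amazonaws.com", "PutObject"),
                  ("logs.amazonaws.com", "PutLogEvents")},
        "buckets": {"app-artifacts-prod", "app-build-cache"},
    }
}

def role_from_arn(arn):
    """'arn:aws:sts::111122223333:assumed-role/NAME/session' -> 'NAME', else None."""
    parts = arn.split(":assumed-role/", 1)
    return parts[1].split("/", 1)[0] if len(parts) == 2 else None

def evaluate(events, baseline=BASELINE):
    """Return (role, finding_type, detail) for pipeline sessions outside their baseline."""
    findings = []
    for ev in events:
        role = role_from_arn(ev.get("userIdentity", {}).get("arn", ""))
        if role not in baseline:
            continue  # human users and unprofiled roles are out of scope for this rule
        expected = baseline[role]
        if (ev["eventSource"], ev["eventName"]) not in expected["calls"]:
            findings.append((role, "unexpected_api_call", ev["eventName"]))
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket and bucket not in expected["buckets"]:
            findings.append((role, "unexpected_bucket", bucket))
    return findings

# Constructed sample records, trimmed to the fields the rule reads (not from the post).
SESSION = "arn:aws:sts::111122223333:assumed-role/codebuild-app-role/AWSCodeBuild-"
SAMPLE_EVENTS = [
    {"userIdentity": {"arn": SESSION + "1"}, "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "requestParameters": {"bucketName": "app-artifacts-prod"}},
    {"userIdentity": {"arn": SESSION + "2"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "requestParameters": {"instanceType": "c5.9xlarge"}},
    {"userIdentity": {"arn": SESSION + "3"}, "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "requestParameters": {"bucketName": "external-drop-bucket"}},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The first record is normal pipeline traffic and produces no finding; the EC2 launch and the write to an unknown bucket are the two deviations a SIEM keyed only on "known-bad binaries" would never surface.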
1. Your Monitoring Tools Are Blind to Themselves
SIEM Blind Spots: Where You’re Flying Blind
Most SIEM deployments (Splunk, Elastic) catch “evil.exe,” but choke on attackers using your own scripts