Coordinated Attack Detection: Maximal Clique Enumeration with Caching

By Asante Babers / May 2, 2025 / Detection Engineering / 5 min read


When defending cloud environments, one of the most critical challenges is detecting coordinated attacks—where multiple attackers attempt to compromise the same resource or endpoint. These attacks can be subtle, with attackers using different IPs to target a common resource. Traditional detection methods, such as signature-based or brute-force detection, often fail to spot these more sophisticated attacks.

But here's the exciting part: By leveraging Maximal Clique Enumeration and caching in Panther, we can detect coordinated activities where multiple IP addresses target the same resource in a short time window—without needing complex machine learning models or expensive SIEM pipelines.

In this blog, I’ll show you how to implement a coordinated attack detection rule using caching to track IP address activity within a 15-minute window.

🧠 The Concept: Coordinated Attack Detection

Attackers often use multiple IP addresses to target a common resource. By monitoring activity and detecting when multiple IPs access the same resource in a short time period, we can infer potential coordinated attacks.

We can take advantage of caching to store the IPs accessing each resource and, using a TTL (time-to-live) mechanism, ensure that only recent activity (within a 15-minute window) is considered.

🧑‍💻 The Strategy

  • Track which IP addresses are accessing which resources in a short time window (15 minutes).

  • Use Panther’s caching helpers to track access patterns.

  • Trigger an alert if multiple IPs (e.g., more than 2) access the same resource within the time window.

🔧 Detection Rule: Coordinated Attack Detection with Caching

Here’s a full breakdown of the detection logic:

1. Imports and Setup

We import the necessary modules and define the Time-to-Live (TTL) for cached entries:


  • add_to_string_set and get_string_set are Panther helper functions to interact with the cache.

  • TTL is set to 15 minutes, meaning we'll only consider access patterns that happened within the last 15 minutes.

2. Processing the Incoming Event

The rule starts by extracting the resource key and IP address from the incoming event:


  • resource_key: a cache key unique to each resource.

  • ip_addr: the IP address making the current access attempt.

  • current_time: timestamp when the event is processed.

3. Retrieve and Filter Cached Data

We retrieve any existing cached data and filter it to keep only entries that are still within the TTL window:


  • Cached data is stored as IP|timestamp pairs.

  • We rebuild an ip_timestamp_map containing only fresh (recent) entries.

  • Any IPs whose timestamp is older than 15 minutes are ignored.

4. Update the Cache with the Current Event

The new IP and timestamp from the current event are added to the map:

ip_timestamp_map[ip_addr] = current_time

Then, the cache is refreshed to include all valid (non-expired) entries:


  • This ensures that the cache stays clean and only contains recent data at all times.

5. Detection Logic

Finally, we check how many unique IP addresses have accessed the same resource recently:


  • If more than 2 unique IP addresses accessed the resource within the last 15 minutes, the rule returns True — indicating a potential coordinated attack.

  • Otherwise, it returns False and no alert is triggered.
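The five steps above as one runnable rule, added here as an example rather than the post's own code. The event field names (resource, src_ip), the in-memory get_string_set/put_string_set/reset_string_set stand-ins for Panther's cache helpers, and the extra now parameter (epoch seconds, for deterministic testing) are assumptions.

```python
import time

TTL_SECONDS = 15 * 60  # only access in the last 15 minutes counts
IP_THRESHOLD = 2       # alert when MORE than this many unique IPs hit one resource

# Constructed in-memory stand-in for Panther's string-set cache helpers.
# In a real rule, import get_string_set / put_string_set from panther_oss_helpers.
CACHE = {}


def get_string_set(key):
    return set(CACHE.get(key, set()))


def put_string_set(key, values):
    CACHE[key] = set(values)


def reset_string_set(key):
    CACHE.pop(key, None)


def rule(event, now=None):
    """Return True when more than IP_THRESHOLD distinct IPs hit the same resource within TTL."""
    now = int(now if now is not None else time.time())
    resource_key = f"coordinated-access:{event['resource']}"  # cache key per resource
    ip_addr = event["src_ip"]

    # Step 3: rebuild the map from "IP|timestamp" entries, dropping expired ones
    ip_timestamp_map = {}
    for entry in get_string_set(resource_key):
        ip, ts = entry.split("|", 1)
        seen_at = int(ts)
        if now - seen_at <= TTL_SECONDS:
            ip_timestamp_map[ip] = seen_at

    # Step 4: record the current access, then write back only fresh entries
    ip_timestamp_map[ip_addr] = now
    put_string_set(resource_key, {f"{ip}|{ts}" for ip, ts in ip_timestamp_map.items()})

    # Step 5: unique IPs are the map's keys; repeat hits from one IP do not inflate the count
    return len(ip_timestamp_map) > IP_THRESHOLD


def title(event):
    return f"Possible coordinated access to {event['resource']} from multiple IPs"
```

A repeat request from an IP already in the window refreshes its timestamp rather than adding a second entry, so only genuinely distinct sources move the count toward the threshold.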

✅ Full Detection Code (Panther-Ready)

You can find the full detection code here.

📝 Why This Works

  • Real-time Detection: Focuses only on access attempts made within the last 15 minutes.

  • Efficient Resource Use: The cache remains small by evicting stale data automatically based on TTL.

  • Flexible Thresholds: Easy to adjust how many IP addresses need to be present to trigger detection.

  • No External Dependencies: Native Panther Python helpers—no complex infrastructure needed.

🚀 Conclusion

By using Maximal Clique Enumeration and leveraging Panther's caching helpers, you can efficiently detect coordinated attacks in your cloud environment.
This method is lightweight, scalable, and easy to tune—a perfect fit for real-time detection pipelines without heavyweight machine learning models.

Let’s stay ahead of the attackers by looking for patterns that might be hiding in plain sight!

—Asante Babers

©2023 Asante Babers
