AWS CloudTrail is an AWS service that helps in governance, compliance and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
One can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help analyze and respond to activity in an AWS account.
More can be learnt about AWS CloudTrail here
As AWS adoption increases, the workload handled by AWS services globally has grown exponentially, and so has the variety of attacks that threat actors execute.
To effectively identify unexpected, malicious and anomalous access behaviour, and to maintain security monitoring within an account, we have used CloudTrail events to create log-based Application Rules and Event Stream Analytics (ESA) Rules.
Application Rules:
- AWS - Critical changes to logging
Helps in detecting unexpected changes done to VPC Flow Logs, CloudWatch & CloudTrail Logging Sources within an AWS Account. Impairing defenses to evade detection can be a tactic employed by threat actors.
Generated Meta Keys: boc = aws - critical changes to logging
- EC2 - Multiple instances created
This rule triggers when 5 or more EC2 instances are launched within a single request by a single user entity in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
Generated Meta Keys: boc = ec2 - multiple instances created
- EC2 - Multiple instances terminated
This rule triggers when 5 or more EC2 instances are terminated within a single request by a single user entity in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
Generated Meta Keys: boc = ec2 - multiple instances terminated
- EC2 - Multiple large instances created
This rule triggers when 3 or more EC2 instances of type xlarge or greater are launched within a single request by a single user entity in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
Generated Meta Keys: boc = ec2 - multiple large instances created
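The Application Rules above each evaluate a single CloudTrail event. The following is an added illustration (not NetWitness rule syntax or code from the original article) of that per-event logic in Python: it counts instances in the instancesSet of a RunInstances or TerminateInstances event and checks the instance type suffix, and it treats an assumed list of CloudTrail eventNames as logging changes. The sample events are constructed.

```python
# Instance size suffixes counted as "xlarge or greater" (assumed ordering; "metal" included).
def is_large(instance_type):
    size = instance_type.split(".")[-1]          # "c5.4xlarge" -> "4xlarge"
    return size.endswith("xlarge") or size == "metal"

# CloudTrail eventNames treated as critical changes to logging sources (assumed list,
# covering CloudTrail, CloudWatch Logs and VPC Flow Logs).
LOGGING_CHANGE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteLogGroup", "DeleteLogStream", "DeleteFlowLogs",
}

def evaluate(event):
    """Return the boc values a single CloudTrail event would generate, in rule order."""
    hits = []
    name = event.get("eventName", "")
    if name in LOGGING_CHANGE_EVENTS:
        hits.append("aws - critical changes to logging")
    # RunInstances / TerminateInstances list the affected instances in responseElements.instancesSet
    items = ((event.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
    if name == "RunInstances":
        if len(items) >= 5:
            hits.append("ec2 - multiple instances created")
        if sum(is_large(i.get("instanceType", "")) for i in items) >= 3:
            hits.append("ec2 - multiple large instances created")
    elif name == "TerminateInstances" and len(items) >= 5:
        hits.append("ec2 - multiple instances terminated")
    return hits

# Constructed sample events (not real CloudTrail output): one RunInstances launching five
# c5.4xlarge instances, and one StopLogging call against a trail.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "userIdentity": {"userName": "alice"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": f"i-0123456789abcdef{k}", "instanceType": "c5.4xlarge"} for k in range(5)]}}},
    {"eventName": "StopLogging", "userIdentity": {"userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", evaluate(ev))
```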
[Figure: Log App Rules]
Event Stream Analytics (ESA) Rules:
- IAM - Multiple failed API calls from a single user (Unauthorized Access)
The rule will trigger when there is a high number of failed IAM API calls (Error Code = AccessDenied, NotAuthorized, UnauthorizedOperation) from a single user entity within a specified amount of time, in an AWS Account. As the name suggests, it will be effective in detecting unauthorized access events.
- IAM - Multiple users created within a short period of time
The rule will trigger when a specified number of IAM users are created within a specified amount of time, in an AWS Account. It will help to detect unexpected and potentially malicious IAM activity.
- IAM - Multiple users deleted within a short period of time
The rule will trigger when a specified number of IAM users are deleted within a specified amount of time, in an AWS Account. It will help to detect unexpected and potentially malicious IAM activity.
- IAM - Multiple worldwide successful console logins were observed
The rule will trigger when there are multiple successful console login events for the same user entity from different locations within a specified amount of time, in an AWS Account. Successful console login events from more than one location in a relatively shorter time frame would be indicative of potential account compromise.
- EC2 - Multiple instances created within a short period of time
The rule will trigger when a high number of EC2 instances are launched by a single user entity in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
- EC2 - Multiple large instances created within a short period of time
The rule will trigger when a high number of EC2 instances of type xlarge or greater are launched by a single user entity in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
- EC2 - Multiple instances created in multiple regions within a short period of time
The rule will trigger when multiple EC2 instances are launched in different regions by a single user entity within a specified amount of time, in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
- EC2 - Multiple instances terminated within a short period of time
The rule will trigger when a high number of EC2 instances are terminated by a single user entity in an AWS Account. It can be indicative of potential abuse of computing resources by an adversary.
- S3 - Mass copy objects*
The rule will trigger when a high number of S3 objects are copied by a single user entity within a specified amount of time, in an AWS Account. It can be indicative of potential abuse of storage resources and exfiltration by an adversary.
- S3 - Mass delete objects*
The rule will trigger when a high number of S3 objects are deleted by a single user entity within a specified amount of time, in an AWS Account. It can be indicative of potential abuse of storage resources and exfiltration by an adversary.
- S3 - Buckets enumerated
The rule will trigger when a high number of S3 buckets are listed by a single user entity within a specified amount of time, in an AWS Account. It can be indicative of reconnaissance activity and potential compromise.
*Please note that Data Events for S3 need to be enabled within the Trail Configuration for these detections to work. More on this here
*The Application & ESA Rules listed above may generate false positives. As each environment is unique, the filtering/whitelisting should be done on an individual basis.
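Unlike the Application Rules, the ESA rules correlate several events per user entity over a time window. As an added illustration (not ESA rule code or code from the original article), the Python below replays a constructed CloudTrail event stream through a per-user sliding window and fires two of the rules above: the failed-API-call rule on the listed error codes, and the worldwide-console-login rule, where "different locations" is approximated by distinct source IP addresses because no geolocation lookup is assumed. The window length and threshold are assumed parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error codes the rule description lists as unauthorized access.
UNAUTHORIZED = {"AccessDenied", "NotAuthorized", "UnauthorizedOperation"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

class WindowCounter:
    """Per-actor sliding window of (timestamp, value) pairs; feed events in time order."""
    def __init__(self, window_seconds):
        self.window = timedelta(seconds=window_seconds)
        self.seen = defaultdict(deque)

    def add(self, actor, ts, value):
        q = self.seen[actor]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:   # expire entries older than the window
            q.popleft()
        return q

def run_esa(events, window_seconds=300, failed_threshold=5):
    """Replay CloudTrail events; return (rule, actor) alerts for the two IAM rules shown."""
    failed, logins, alerts = WindowCounter(window_seconds), WindowCounter(window_seconds), []
    for ev in sorted(events, key=_ts):
        actor, ts = ev.get("userIdentity", {}).get("userName", "unknown"), _ts(ev)
        if ev.get("errorCode") in UNAUTHORIZED:
            # fire once, when the actor's in-window count first reaches the threshold
            if len(failed.add(actor, ts, ev["errorCode"])) == failed_threshold:
                alerts.append(("iam - multiple failed api calls from a single user", actor))
        login_ok = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        if ev.get("eventName") == "ConsoleLogin" and login_ok:
            # "different locations" approximated by distinct source IPs (no geo lookup offline)
            window = logins.add(actor, ts, ev.get("sourceIPAddress"))
            if len({ip for _, ip in window}) >= 2:
                alerts.append(("iam - multiple worldwide successful console logins", actor))
    return alerts

def _mk(name, user, mm_ss, **extra):
    ev = {"eventName": name, "eventTime": f"2024-01-01T10:{mm_ss}Z", "userIdentity": {"userName": user}}
    return {**ev, **extra}

# Constructed sample stream: alice is denied five times in 40 s, bob logs in from two IPs a minute apart.
SAMPLE = [_mk("ListUsers", "alice", f"00:{s:02d}", errorCode="AccessDenied") for s in range(0, 50, 10)]
SAMPLE += [_mk("ConsoleLogin", "bob", "01:00", sourceIPAddress="198.51.100.7",
               responseElements={"ConsoleLogin": "Success"}),
           _mk("ConsoleLogin", "bob", "02:00", sourceIPAddress="203.0.113.9",
               responseElements={"ConsoleLogin": "Success"})]
```

Shrinking the window to 30 seconds makes both alerts disappear for the same stream, which is the tuning knob the note above refers to when it says thresholds need to be set per environment.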
[Figure: ESA Rules]
Dependencies:
- Log Device/Parser: AWS CloudTrail
The AWS CloudTrail Log Device/Parser needs to be deployed from NW Live to handle and process the incoming CloudTrail events from your account.
We have used custom meta keys in our detection queries. Thus, the following lines have to be added to the table-map-custom.xml file on the Log Decoder:
<mapping envisionName="cs.accesskeyid" nwName="cs.accesskeyid" flags="None" format="Text"/>
<mapping envisionName="cs.instancetype" nwName="cs.instancetype" flags="None" format="Text"/>
<mapping envisionName="cs.imageid" nwName="cs.imageid" flags="None" format="Text"/>
More about Table Map Files here
More about Log Parser Customization here
- Log Collector: AWS S3 Universal
The S3 Universal Connector Plugin needs to be deployed from NW Live and configured properly in order to receive the CloudTrail Events in JSON format.
More on this here
Conclusion:
Visibility into account activity is a key aspect of establishing security control in AWS, and it can be easily harnessed by using the power of NetWitness and CloudTrail together.
References: