Unauthorized AWS Security Group Creation Notification
It is important to continuously monitor AWS accounts for malicious activity, such as the creation of an unauthorized security group.
Category: Data Enrichment and Threat Intelligence, Network Security
Cyware Products Used:
Orchestrate
Cyware Fusion and Threat Response (CFTR)
Third-Party Integrations Used:
AWS EC2: The EC2 API, used to delete a newly created security group when the request is rejected.
AbuseIPDB: To enrich the source IP address present in the AWS alert.
Problem Statement
An AWS security group is a stateful virtual firewall attached to the network interface of an EC2 instance; its inbound and outbound rules decide which traffic reaches the instance. (AWS WAF is a separate service: its web access control lists filter HTTP(S) requests at CloudFront, an Application Load Balancer or API Gateway, not instance-level network traffic.) A threat actor who has obtained credentials for an account can create a new security group with permissive rules and use it to change what the instance-level firewall allows. Every security group creation therefore needs to be seen as soon as the alert fires, and the request either approved or rejected after someone has judged whether it is legitimate.
Solution
The solution is to monitor the AWS account continuously for this activity and to involve the incident response team with the right amount of human intervention: an analyst evaluates the legitimacy of each new security group and approves or rejects it. This document describes how such activity is onboarded automatically into Cyware Fusion and Threat Response (CFTR) so that security analysts can approve or reject newly created AWS security groups from there.
How do we solve this problem?
Create Incident in CFTR: The playbook starts by retrieving alerts for newly created security groups from AWS (in CloudTrail these are ec2.amazonaws.com CreateSecurityGroup events, which carry the new group ID, the caller's identity and the source IP address) and onboarding them into CFTR as incidents.
Send for Approval: The playbook then notifies the security team members responsible for the AWS account with a "New security group created on the AWS console" message via email and the Cyware Enterprise Mobile app. The analyst replies Yes or No.
Responded with Yes: The playbook treats the request as approved, sets the CFTR incident to Closed and adds the closure notes to the incident.
Responded with No: The playbook treats the request as rejected and deletes the newly created security group through AWS EC2. Note that EC2 refuses to delete a security group that is still associated with an instance or network interface and returns a DependencyViolation error; such a group has to be detached before deletion succeeds, so the playbook should surface that failure to the analyst rather than report the group as removed.
Enrichment: The source IP address recorded in the alert is sent to AbuseIPDB for enrichment (abuse confidence score and report history). Only public addresses are worth querying; CloudTrail records "AWS Internal" or a service name as the source for calls AWS makes on the caller's behalf.
Ready for Investigation: The enrichment results are added to the CFTR incident so the analyst can investigate further, for example by checking whether the same source IP has performed other actions in the account. In practice the enrichment is most useful if it reaches the approver before the Yes/No decision is made.
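The following is an added example, not Cyware's playbook code or CFTR's API. It models the steps above in plain Python: parse a CloudTrail CreateSecurityGroup record into an alert, map the analyst's Yes/No reply to an action, decide whether the source IP is worth enriching, and, for the live path only, call AbuseIPDB and delete the group with boto3. The CloudTrail record is constructed (field names follow CloudTrail's record layout, values are made up); boto3, AWS credentials and an AbuseIPDB API key are assumed to exist only when `run_playbook` is called with `live=True`.

```python
"""Added example: detection and decision logic for the security-group workflow."""
import ipaddress
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed CloudTrail record for a successful ec2:CreateSecurityGroup call.
# Field names follow CloudTrail's record layout; every value is made up.
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::123456789012:user/contractor-7"},
    "eventTime": "2024-05-02T10:14:33Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateSecurityGroup",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.2.3.4",          # placeholder public address
    "requestParameters": {"groupName": "tmp-allow-all",
                          "groupDescription": "temp", "vpcId": "vpc-0abc1234"},
    "responseElements": {"_return": True, "groupId": "sg-0f1e2d3c4b5a69788"},
}


@dataclass
class SecurityGroupAlert:
    group_id: str
    group_name: str
    vpc_id: str
    actor_arn: str
    source_ip: str
    region: str
    event_time: str


def parse_create_security_group(record: dict) -> Optional[SecurityGroupAlert]:
    """Return an alert for a successful CreateSecurityGroup call, else None.
    Other API calls and failed calls (errorCode set, no groupId) are ignored."""
    if record.get("eventSource") != "ec2.amazonaws.com":
        return None
    if record.get("eventName") != "CreateSecurityGroup" or "errorCode" in record:
        return None
    group_id = (record.get("responseElements") or {}).get("groupId")
    if not group_id:
        return None
    params = record.get("requestParameters") or {}
    return SecurityGroupAlert(
        group_id=group_id,
        group_name=params.get("groupName", ""),
        vpc_id=params.get("vpcId", ""),
        actor_arn=(record.get("userIdentity") or {}).get("arn", ""),
        source_ip=record.get("sourceIPAddress", ""),
        region=record.get("awsRegion", ""),
        event_time=record.get("eventTime", ""),
    )


def needs_ip_enrichment(source_ip: str) -> bool:
    """AbuseIPDB only knows public addresses. CloudTrail may record
    'AWS Internal' or a service name instead of an IP; skip those too."""
    try:
        return ipaddress.ip_address(source_ip).is_global
    except ValueError:
        return False


def decide(analyst_response: str) -> str:
    """Map the Yes/No reply to the playbook action: 'close' the incident
    (group approved) or 'delete' the group (request rejected)."""
    answer = analyst_response.strip().lower()
    if answer in ("yes", "y", "approve"):
        return "close"
    if answer in ("no", "n", "reject"):
        return "delete"
    raise ValueError(f"unrecognised analyst response: {analyst_response!r}")


def enrich_with_abuseipdb(ip: str, api_key: str, max_age_days: int = 90) -> dict:
    """Query AbuseIPDB's /api/v2/check endpoint (network call, live path only)."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    req = urllib.request.Request(
        f"https://api.abuseipdb.com/api/v2/check?{query}",
        headers={"Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.load(resp)["data"]
    return {k: data.get(k) for k in
            ("abuseConfidenceScore", "totalReports", "isp", "countryCode")}


def delete_security_group(alert: SecurityGroupAlert) -> str:
    """Delete the group with boto3 (assumed installed and credentialled).
    EC2 rejects deletion of a group still attached to an ENI/instance with
    DependencyViolation; that case is reported back instead of swallowed."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=alert.region)
    try:
        ec2.delete_security_group(GroupId=alert.group_id)
        return "deleted"
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "DependencyViolation":
            return "in-use: detach from instances before deleting"
        raise


def run_playbook(record: dict, analyst_response: str, live: bool = False,
                 abuseipdb_key: str = "") -> dict:
    """One pass of the workflow; live=False skips the AWS and AbuseIPDB calls."""
    alert = parse_create_security_group(record)
    if alert is None:
        return {"status": "ignored"}
    result = {"status": "incident", "group_id": alert.group_id,
              "actor": alert.actor_arn, "action": decide(analyst_response),
              "enrich_ip": needs_ip_enrichment(alert.source_ip)}
    if live and result["action"] == "delete":
        result["delete_result"] = delete_security_group(alert)
    if live and result["enrich_ip"] and abuseipdb_key:
        result["enrichment"] = enrich_with_abuseipdb(alert.source_ip, abuseipdb_key)
    return result
```

Run offline with `run_playbook(SAMPLE_RECORD, "No")` to see the parsed alert and the chosen action; failed CreateSecurityGroup calls (an `errorCode` such as an unauthorized operation, with no `groupId` in the response) are deliberately ignored because no group was created, though they are still worth their own detection.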
Benefits
Proactive Response
Security teams can act on an unauthorized security group as soon as its creation is detected, and use the AbuseIPDB enrichment of the source IP to proactively look for other activity performed by the same address within the account.
Reduced Analyst Workload
While security analysts are already burdened with processing a large volume of threat alerts, the use of security automation helps reduce the workload by accelerating the analysis of unstructured threat information.
Respond Quickly and Accurately
The solution automatically collates all the relevant information in one place for easier and faster access and helps users prioritize the incidents, thereby assisting security teams in assessing and responding faster to similar incidents.