Skip to content
Threat Feed
high advisory

AWS S3 Exfiltration Behavior Identified via Risk Correlation

This correlation identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques, triggered when multiple analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object, indicating a potential data exfiltration attempt.

This analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques within an AWS environment. The detection logic focuses on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object, which is indicative of a coordinated data exfiltration attempt. The correlation leverages risk events generated from AWS sources and ingested into Splunk Enterprise Security. This behavior is significant as it can indicate active unauthorized access and theft of sensitive information, severely compromising an organization's data integrity and confidentiality. Successful exfiltration can lead to regulatory fines, reputational damage, and loss of competitive advantage.

Attack Chain

  1. An attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting misconfigured IAM roles.
  2. The attacker enumerates S3 buckets within the account to identify potential targets for data exfiltration.
  3. The attacker attempts to modify bucket policies or ACLs to grant unauthorized access to the targeted S3 buckets.
  4. The attacker performs data collection activities, such as copying data from S3 buckets to a staging location within AWS. This might involve using tools like aws s3 cp or aws s3 sync.
  5. The attacker initiates data exfiltration from the staging location to an external destination. This could involve transferring data to a compromised EC2 instance, a third-party storage service, or directly to the attacker's infrastructure.
  6. The attacker may attempt to obfuscate their activities by deleting CloudTrail logs or disabling security monitoring.
  7. Risk events are generated in Splunk Enterprise Security due to the activities related to collection and exfiltration.
  8. The correlation search identifies the AWS S3 exfiltration behavior based on the multiple risk events and distinct MITRE ATT&CK IDs triggered for a specific risk object.

Impact

A successful AWS S3 exfiltration attack can lead to the unauthorized disclosure of sensitive data, including customer information, financial records, and proprietary intellectual property. The number of affected users and financial losses can vary greatly depending on the scope of the breach, but data breaches involving S3 buckets have resulted in millions of dollars in damages and reputational harm to affected organizations. Industries with stringent data protection regulations, such as healthcare and finance, are particularly vulnerable.

Recommendation

  • Enable all detection searches within the Data Exfiltration Analytic story in Splunk Enterprise Security to ensure that risk events are generated (How_to_implement).
  • Deploy the provided correlation search to identify AWS S3 exfiltration behavior based on multiple risk events and distinct MITRE ATT&CK IDs (search).
  • Investigate any alerts generated by this correlation search to determine the scope and impact of the potential data exfiltration attempt. Use the drilldown searches to investigate (drilldown_searches).
  • Implement stricter IAM policies to limit access to S3 buckets and enforce multi-factor authentication for all AWS accounts. Refer to AWS documentation for guidance.

Detection coverage 2

AWS S3 Multiple Collection and Exfiltration Risk Events

high

Detects potential AWS S3 exfiltration by identifying multiple risk events associated with collection and exfiltration tactics for a single risk object.

sigma tactics: exfiltration techniques: T1537 sources: risk, splunk

AWS S3 Exfiltration via Unauthorized Copy

medium

Detects potential S3 exfiltration by monitoring for unauthorized copy operations, which creates risk events.

sigma tactics: exfiltration techniques: T1530 sources: risk, splunk

Detection queries are available on the platform. Get full rules →