AWS S3 Exfiltration Behavior Identified
This analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques, leveraging AWS sources and focusing on instances where multiple unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object.
This analytic, developed by Splunk, aims to detect AWS S3 exfiltration attempts by identifying correlated risk events. The detection logic focuses on instances where multiple unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This correlation is a strong indicator of potential data exfiltration, where an attacker is attempting to gather and remove sensitive data from an AWS S3 environment. The correlation search leverages the Splunk Risk data model and checks for collection and exfiltration tactics against AWS sources.
Attack Chain
- An attacker gains initial access to an AWS account through compromised credentials or an exposed access key.
- The attacker enumerates S3 buckets and objects to identify sensitive data (T1537).
- The attacker attempts to copy S3 objects to an external or unauthorized AWS account.
- The attacker may attempt to share EBS snapshots publicly to make data accessible outside the organization.
- The attacker attempts to exfiltrate data to an attacker-controlled EC2 instance.
- The attacker modifies bucket policies to allow unauthorized access.
- The attacker uses AWS CLI or API calls to download or transfer the targeted data.
- The final objective is successful data exfiltration from the AWS S3 environment, leading to data theft and potential compromise of sensitive information.
Impact
A successful AWS S3 exfiltration can lead to significant data breaches, potentially affecting millions of users. Stolen data may include personal information, financial records, intellectual property, and other sensitive data. The compromise of this data can lead to financial losses, reputational damage, legal repercussions, and loss of customer trust. The identification of exfiltration behavior early can prevent significant breaches.
Recommendation
- Enable all detection searches related to data exfiltration to populate the Risk data model in Splunk Enterprise Security.
- Deploy the provided Splunk search query to identify correlated risk events indicative of AWS S3 exfiltration attempts.
- Investigate any alerts generated by this analytic, focusing on the risk object and associated MITRE ATT&CK techniques to determine the scope and impact of the potential exfiltration.
- Tune the provided aws_s3_exfiltration_behavior_identified_filter macro to reduce false positives based on your environment's specific activities and known legitimate use cases.
- Review the referenced articles to understand common techniques used to exfiltrate data from AWS environments and ensure appropriate security controls are in place.
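The correlation logic described above (several distinct contributing analytics and several distinct MITRE ATT&CK technique IDs firing for one risk object, restricted to collection/exfiltration tactics from AWS sources), reproduced here as an added Python example over constructed risk events. This is not the Splunk search or the Risk data model itself; the analytic names in the sample data, the per-risk-object grouping, the thresholds of two sources and two technique IDs, and the `allowlist` standing in for the tuning filter macro are all assumptions of this example.

```python
from collections import defaultdict

# Constructed sample risk events, shaped like the fields the Risk data model
# exposes: risk_object, the contributing analytic as "source", MITRE annotations.
# The analytic names are hypothetical, not real Splunk detection names.
RISK_EVENTS = [
    {"risk_object": "svc-backup", "risk_object_type": "user", "source": "AWS Example Bucket Policy Opened",
     "mitre_tactic": "exfiltration", "mitre_technique_id": "T1537", "risk_score": 25},
    {"risk_object": "svc-backup", "risk_object_type": "user", "source": "AWS Example Object Copy to Foreign Account",
     "mitre_tactic": "exfiltration", "mitre_technique_id": "T1537", "risk_score": 40},
    {"risk_object": "svc-backup", "risk_object_type": "user", "source": "AWS Example Bulk S3 GetObject",
     "mitre_tactic": "collection", "mitre_technique_id": "T1530", "risk_score": 30},
    # One analytic firing twice: a single source and a single technique, so no correlation.
    {"risk_object": "analyst", "risk_object_type": "user", "source": "AWS Example Bucket Policy Opened",
     "mitre_tactic": "exfiltration", "mitre_technique_id": "T1537", "risk_score": 25},
    {"risk_object": "analyst", "risk_object_type": "user", "source": "AWS Example Bucket Policy Opened",
     "mitre_tactic": "exfiltration", "mitre_technique_id": "T1537", "risk_score": 25},
    # Non-AWS source with a tactic outside collection/exfiltration is ignored entirely.
    {"risk_object": "jdoe", "risk_object_type": "user", "source": "Example IdP Suspicious Login",
     "mitre_tactic": "initial-access", "mitre_technique_id": "T1078", "risk_score": 20},
]


def correlate_aws_exfiltration(events, min_sources=2, min_techniques=2, allowlist=frozenset()):
    """Group AWS collection/exfiltration risk events per risk object and return the
    objects with >= min_sources distinct analytics and >= min_techniques distinct
    technique IDs. `allowlist` plays the role of the tuning filter macro (assumption)."""
    groups = defaultdict(lambda: {"sources": set(), "techniques": set(), "tactics": set(),
                                  "risk_score": 0, "events": 0})
    for ev in events:
        if ev["mitre_tactic"] not in ("collection", "exfiltration"):
            continue  # only the two tactics the analytic cares about
        if "aws" not in ev["source"].lower():
            continue  # only risk events raised by AWS analytics
        g = groups[(ev["risk_object"], ev["risk_object_type"])]
        g["sources"].add(ev["source"])
        g["techniques"].add(ev["mitre_technique_id"])
        g["tactics"].add(ev["mitre_tactic"])
        g["risk_score"] += ev["risk_score"]
        g["events"] += 1
    findings = []
    for (obj, obj_type), g in groups.items():
        if obj in allowlist:
            continue  # known-legitimate activity tuned out, like the filter macro
        if len(g["sources"]) >= min_sources and len(g["techniques"]) >= min_techniques:
            findings.append({"risk_object": obj, "risk_object_type": obj_type,
                             "source_count": len(g["sources"]),
                             "mitre_technique_id_count": len(g["techniques"]),
                             "tactics": sorted(g["tactics"]), "risk_score": g["risk_score"],
                             "risk_event_count": g["events"]})
    return findings
```

Running `correlate_aws_exfiltration(RISK_EVENTS)` flags only `svc-backup`; the repeated single analytic on `analyst` and the non-AWS event on `jdoe` produce nothing.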
Detection coverage (2)
Detect AWS S3 Collection or Exfiltration Risk Events
Severity: medium. Detects collection or exfiltration-related risk events in AWS environments.
Correlated AWS S3 Exfiltration Attempt
Severity: high. Detects potential AWS S3 exfiltration by correlating risk events with multiple unique MITRE ATT&CK technique IDs.