{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-dynamodb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS DynamoDB","AWS S3","AWS CloudTrail"],"_cs_severities":["low"],"_cs_tags":["aws","dynamodb","exfiltration"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert detects the ExportTableToPointInTime operation in AWS CloudTrail logs, specifically when a user or role performs this action for the first time. Adversaries may leverage this operation to collect sensitive data or exfiltrate entire DynamoDB tables to S3 buckets for unauthorized access or analysis. This activity can be a precursor to data breaches or indicative of compromised credentials. The detection focuses on the initial observation of this action to reduce false positives and highlight potentially anomalous behavior that requires investigation. The targeted logs are AWS CloudTrail logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates DynamoDB tables within the AWS environment to identify targets containing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eExportTableToPointInTime\u003c/code\u003e API call to export a DynamoDB table to an S3 bucket. This requires appropriate IAM permissions.\u003c/li\u003e\n\u003cli\u003eThe exported data is stored in the designated S3 bucket in a format suitable for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the exported data from the S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the data from the S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes or uses the exfiltrated data for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to the exfiltration of sensitive data stored in DynamoDB tables, including customer information, financial records, or proprietary business data. This can result in significant financial losses, reputational damage, and legal liabilities for the affected organization. The number of affected records would depend on the size of the exported DynamoDB table. Organizations in all sectors are potentially at risk if they use DynamoDB to store sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect First Time DynamoDB Table Export to S3\u003c/code\u003e to your SIEM, focusing on the \u003ccode\u003eaws.cloudtrail\u003c/code\u003e data stream, to identify initial instances of this activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e fields to understand the context of the export operation.\u003c/li\u003e\n\u003cli\u003eReview IAM policies to ensure that users and roles have the appropriate least-privilege access to DynamoDB tables, preventing unauthorized export operations.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003ecloud.account.id\u003c/code\u003e and \u003ccode\u003euser.name\u003c/code\u003e fields flagged by the new_terms rule to ensure that only authorized accounts and users are performing DynamoDB table exports.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-dynamodb-exfiltration/","summary":"Detects the initial export of an AWS DynamoDB table to S3, potentially indicating reconnaissance or exfiltration by a compromised account or insider threat.","title":"AWS DynamoDB Table Export to S3 Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-dynamodb-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS DynamoDB","version":"https://jsonfeed.org/version/1.1"}