{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-network-access-control-list/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Network Access Control List"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","network-acl","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis brief focuses on the detection of AWS Network Access Control List (ACL) deletions using AWS CloudTrail logs. The deletion of a network ACL entry, specifically the \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e event, is a critical event that could indicate a malicious actor attempting to bypass existing network security controls. These ACLs are designed to restrict network access, so their removal can expose cloud instances to unauthorized access, data exfiltration, and further compromise. The source Splunk analytic leverages AWS CloudTrail data to detect instances where a user deletes a network ACL entry. Early detection of this activity is crucial for maintaining the integrity and security of AWS environments. The detection logic requires the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a vulnerability. (T1566)\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Network ACLs to identify potential targets for deletion. (T1082)\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e command, removing specific rules from the targeted ACLs. (T1562.007)\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e event, capturing details such as the user, timestamp, and affected ACL.\u003c/li\u003e\n\u003cli\u003eThe monitoring system detects the deletion event based on the CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eThe deletion of the ACL entry weakens the network security posture, potentially opening unauthorized access to resources.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the newly opened network paths to access previously protected resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, lateral movement, or resource compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deletion of network ACL entries can have severe consequences, including unauthorized access to sensitive data, compromise of critical systems, and potential data exfiltration. This can lead to financial losses, reputational damage, and regulatory penalties. If an attacker successfully removes key ACLs, they can bypass network segmentation and gain access to previously isolated environments, potentially impacting hundreds or thousands of instances, depending on the scale of the AWS deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect AWS Network ACL deletions using CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e events in CloudTrail to determine the legitimacy of the activity and the user involved.\u003c/li\u003e\n\u003cli\u003eEnable and review CloudTrail logs regularly to ensure comprehensive monitoring of AWS environment changes.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eImplement principle of least privilege to limit the number of IAM roles that are able to modify Network ACLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-network-acl-deleted/","summary":"Detection of AWS Network Access Control List (ACL) deletion events via CloudTrail logs indicates a potential attempt to weaken network security controls.","title":"AWS Network Access Control List Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-network-acl-deleted/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Network Access Control List"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","network-acl","misconfiguration"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert identifies a potentially misconfigured AWS Network Access Control List (NACL). NACLs act as a firewall for controlling traffic in and out of one or more subnets. When a NACL is configured to allow all ports and protocols (0.0.0.0/0 for all traffic), it effectively bypasses network-level security controls. While there may be legitimate reasons for such a configuration, it often indicates a security oversight, such as a default configuration not properly secured or an intentional circumvention of security policies. The creation of overly permissive NACLs can lead to significant risk by allowing unrestricted network access to critical resources, potentially leading to data breaches, unauthorized access, or other malicious activities. This detection focuses on the misconfiguration itself, regardless of the actor or intent behind it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies or creates a new AWS Network ACL with ingress and egress rules allowing all traffic (0.0.0.0/0).\u003c/li\u003e\n\u003cli\u003eThe attacker associates this overly permissive NACL with one or more subnets within the target AWS Virtual Private Cloud (VPC).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the open NACL to scan for vulnerable services and systems within the associated subnets.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits identified vulnerabilities to gain initial access to a system within the subnet.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the open network segment.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative control of the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious payloads such as ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe creation of a Network Access Control List with all open ports significantly expands the attack surface of the affected AWS environment. Successful exploitation could lead to unauthorized access to sensitive data, system compromise, data breaches, and potential financial loss. The scope of impact depends on the resources exposed by the open NACL and the attacker's ability to move laterally within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eAWS NACL Created with All Open Ports\u003c/code\u003e to detect the creation of overly permissive NACLs and trigger investigation.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing NACL configurations to identify and remediate overly permissive rules.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege when configuring NACLs, allowing only necessary traffic.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and monitor for NACL creation events to ensure proper oversight and detection.\u003c/li\u003e\n\u003cli\u003eImplement alerting for changes to NACL configurations in your SIEM/SOAR platform based on the \u003ccode\u003eaws_network_access_control_list_created_with_all_open_ports.yml\u003c/code\u003e detection logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-open-nacls/","summary":"An AWS Network Access Control List (NACL) configured to allow all ports and protocols, potentially exposing resources to unauthorized access.","title":"AWS Network Access Control List Created with All Open Ports","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-open-nacls/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Network Access Control List","version":"https://jsonfeed.org/version/1.1"}