<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Network Access Control List - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-network-access-control-list/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-network-access-control-list/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Network Access Control List Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-network-acl-deleted/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-network-acl-deleted/</guid><description>Detection of AWS Network Access Control List (ACL) deletion events via CloudTrail logs indicates a potential attempt to weaken network security controls.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of AWS Network Access Control List (ACL) deletions using AWS CloudTrail logs. The deletion of a network ACL entry, specifically the <code>DeleteNetworkAclEntry</code> event, is a critical event that could indicate a malicious actor attempting to bypass existing network security controls. These ACLs are designed to restrict network access, so their removal can expose cloud instances to unauthorized access, data exfiltration, and further compromise. The source Splunk analytic leverages AWS CloudTrail data to detect instances where a user deletes a network ACL entry. Early detection of this activity is crucial for maintaining the integrity and security of AWS environments. The detection logic requires the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a vulnerability. (T1566)</li>
<li>The attacker enumerates existing Network ACLs to identify potential targets for deletion. (T1082)</li>
<li>The attacker executes the <code>DeleteNetworkAclEntry</code> command, removing specific rules from the targeted ACLs. (T1562.007)</li>
<li>CloudTrail logs the <code>DeleteNetworkAclEntry</code> event, capturing details such as the user, timestamp, and affected ACL.</li>
<li>The monitoring system detects the deletion event based on the CloudTrail logs.</li>
<li>The deletion of the ACL entry weakens the network security posture, potentially opening unauthorized access to resources.</li>
<li>The attacker exploits the newly opened network paths to access previously protected resources.</li>
<li>The attacker achieves their objective, such as data exfiltration, lateral movement, or resource compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful deletion of network ACL entries can have severe consequences, including unauthorized access to sensitive data, compromise of critical systems, and potential data exfiltration. This can lead to financial losses, reputational damage, and regulatory penalties. If an attacker successfully removes key ACLs, they can bypass network segmentation and gain access to previously isolated environments, potentially impacting hundreds or thousands of instances, depending on the scale of the AWS deployment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect AWS Network ACL deletions using CloudTrail logs.</li>
<li>Investigate any detected <code>DeleteNetworkAclEntry</code> events in CloudTrail to determine the legitimacy of the activity and the user involved.</li>
<li>Enable and review CloudTrail logs regularly to ensure comprehensive monitoring of AWS environment changes.</li>
<li>Enforce multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of compromised credentials.</li>
<li>Implement principle of least privilege to limit the number of IAM roles that are able to modify Network ACLs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>network-acl</category><category>defense-evasion</category></item><item><title>AWS Network Access Control List Created with All Open Ports</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-open-nacls/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-open-nacls/</guid><description>An AWS Network Access Control List (NACL) configured to allow all ports and protocols, potentially exposing resources to unauthorized access.</description><content:encoded><![CDATA[<p>This alert identifies a potentially misconfigured AWS Network Access Control List (NACL). NACLs act as a firewall for controlling traffic in and out of one or more subnets. When a NACL is configured to allow all ports and protocols (0.0.0.0/0 for all traffic), it effectively bypasses network-level security controls. While there may be legitimate reasons for such a configuration, it often indicates a security oversight, such as a default configuration not properly secured or an intentional circumvention of security policies. The creation of overly permissive NACLs can lead to significant risk by allowing unrestricted network access to critical resources, potentially leading to data breaches, unauthorized access, or other malicious activities. This detection focuses on the misconfiguration itself, regardless of the actor or intent behind it.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target AWS environment.</li>
<li>The attacker identifies or creates a new AWS Network ACL with ingress and egress rules allowing all traffic (0.0.0.0/0).</li>
<li>The attacker associates this overly permissive NACL with one or more subnets within the target AWS Virtual Private Cloud (VPC).</li>
<li>The attacker leverages the open NACL to scan for vulnerable services and systems within the associated subnets.</li>
<li>The attacker exploits identified vulnerabilities to gain initial access to a system within the subnet.</li>
<li>The attacker moves laterally to other systems within the open network segment.</li>
<li>The attacker escalates privileges to gain administrative control of the environment.</li>
<li>The attacker exfiltrates sensitive data or deploys malicious payloads such as ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The creation of a Network Access Control List with all open ports significantly expands the attack surface of the affected AWS environment. Successful exploitation could lead to unauthorized access to sensitive data, system compromise, data breaches, and potential financial loss. The scope of impact depends on the resources exposed by the open NACL and the attacker's ability to move laterally within the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule <code>AWS NACL Created with All Open Ports</code> to detect the creation of overly permissive NACLs and trigger investigation.</li>
<li>Regularly review and audit existing NACL configurations to identify and remediate overly permissive rules.</li>
<li>Implement the principle of least privilege when configuring NACLs, allowing only necessary traffic.</li>
<li>Enable AWS CloudTrail logging and monitor for NACL creation events to ensure proper oversight and detection.</li>
<li>Implement alerting for changes to NACL configurations in your SIEM/SOAR platform based on the <code>aws_network_access_control_list_created_with_all_open_ports.yml</code> detection logic.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>network-acl</category><category>misconfiguration</category></item></channel></rss>