{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vpc-flow-logs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VPC Flow Logs","EC2"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis rule detects the deletion of VPC flow logs in Amazon Web Services Elastic Compute Cloud (EC2). Flow logs capture information about IP traffic going to and from network interfaces within a VPC, and their deletion can severely impact security monitoring and incident response. An attacker may delete these logs to cover their tracks, making it difficult to detect and investigate malicious activity. This activity is detected via the \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API action. This poses a risk to organizations relying on VPC flow logs for auditing and security analysis, hindering their ability to identify and respond to potential security incidents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing VPC flow logs using AWS APIs or CLI tools.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the flow logs they want to delete to cover their tracks.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API action to initiate the deletion of the targeted flow logs.\u003c/li\u003e\n\u003cli\u003eAWS EC2 service processes the \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API request.\u003c/li\u003e\n\u003cli\u003eThe targeted flow logs are permanently deleted from the configured storage location (CloudWatch Logs or S3).\u003c/li\u003e\n\u003cli\u003eSecurity monitoring and alerting systems relying on flow log data are rendered ineffective for the period covered by the deleted logs.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their malicious activities, now with a reduced risk of detection due to the absence of flow log data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of VPC flow logs can severely impair an organization's ability to detect and respond to security incidents. The absence of flow log data hinders network traffic analysis, anomaly detection, and forensic investigations. This can lead to delayed incident response, increased dwell time for attackers, and potential data breaches. The impact is especially significant for organizations that rely heavily on VPC flow logs for compliance and security auditing. The rule is rated high severity (73) because it directly impacts an organization's visibility into its network traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS VPC Flow Logs Deletion\u0026quot; to your SIEM and tune for your environment to detect this activity (see rule below).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e events to determine if they are authorized and legitimate.\u003c/li\u003e\n\u003cli\u003eReview IAM policies to ensure the principle of least privilege is being followed, limiting the ability of users and roles to delete flow logs.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for other suspicious activities associated with the user account that performed the \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eImplement AWS security best practices as outlined by AWS in their knowledge center to strengthen overall security posture (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-02-29-aws-vpc-flow-log-deletion/","summary":"An adversary may delete flow logs in AWS EC2 using the DeleteFlowLogs API to evade defenses and hinder security monitoring, impacting incident response and log auditing capabilities.","title":"AWS VPC Flow Logs Deletion","url":"https://feed.craftedsignal.io/briefs/2024-02-29-aws-vpc-flow-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - VPC Flow Logs","version":"https://jsonfeed.org/version/1.1"}