<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>VPC Flow Logs - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/vpc-flow-logs/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 29 Feb 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/vpc-flow-logs/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS VPC Flow Logs Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-aws-vpc-flow-log-deletion/</link><pubDate>Thu, 29 Feb 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-aws-vpc-flow-log-deletion/</guid><description>An adversary may delete flow logs in AWS EC2 using the DeleteFlowLogs API to evade defenses and hinder security monitoring, impacting incident response and log auditing capabilities.</description><content:encoded><![CDATA[<p>This rule detects the deletion of VPC flow logs in Amazon Web Services Elastic Compute Cloud (EC2). Flow logs capture information about IP traffic going to and from network interfaces within a VPC, and their deletion can severely impact security monitoring and incident response. An attacker may delete these logs to cover their tracks, making it difficult to detect and investigate malicious activity. This activity is detected via the <code>DeleteFlowLogs</code> API action. This poses a risk to organizations relying on VPC flow logs for auditing and security analysis, hindering their ability to identify and respond to potential security incidents.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account with sufficient privileges.</li>
<li>The attacker enumerates existing VPC flow logs using AWS APIs or CLI tools.</li>
<li>The attacker identifies the flow logs they want to delete to cover their tracks.</li>
<li>The attacker uses the <code>DeleteFlowLogs</code> API action to initiate the deletion of the targeted flow logs.</li>
<li>AWS EC2 service processes the <code>DeleteFlowLogs</code> API request.</li>
<li>The targeted flow logs are permanently deleted from the configured storage location (CloudWatch Logs or S3).</li>
<li>Security monitoring and alerting systems relying on flow log data are rendered ineffective for the period covered by the deleted logs.</li>
<li>The attacker continues their malicious activities, now with a reduced risk of detection due to the absence of flow log data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of VPC flow logs can severely impair an organization's ability to detect and respond to security incidents. The absence of flow log data hinders network traffic analysis, anomaly detection, and forensic investigations. This can lead to delayed incident response, increased dwell time for attackers, and potential data breaches. The impact is especially significant for organizations that rely heavily on VPC flow logs for compliance and security auditing. The rule is rated high severity (73) because it directly impacts an organization's visibility into its network traffic.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS VPC Flow Logs Deletion&quot; to your SIEM and tune for your environment to detect this activity (see rule below).</li>
<li>Investigate any detected instances of <code>DeleteFlowLogs</code> events to determine if they are authorized and legitimate.</li>
<li>Review IAM policies to ensure the principle of least privilege is being followed, limiting the ability of users and roles to delete flow logs.</li>
<li>Enable multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges.</li>
<li>Monitor CloudTrail logs for other suspicious activities associated with the user account that performed the <code>DeleteFlowLogs</code> action.</li>
<li>Implement AWS security best practices as outlined by AWS in their knowledge center to strengthen overall security posture (references).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>defense-evasion</category></item></channel></rss>