{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/alert-spike/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","securityhub","ec2","alert-spike"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection focuses on identifying a surge of alerts originating from AWS Security Hub concerning a particular EC2 instance. A sudden spike in security findings could signify an ongoing attack, a recently introduced vulnerability, or a misconfiguration that's triggering multiple security checks. It's important to note that this detection is triggered by the \u003cem\u003enumber\u003c/em\u003e of alerts, not the specific type. While this brief is based on the name of a Splunk detection, it's adapted for broader applicability. An abrupt increase in alerts is a statistically significant anomaly that requires further investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through a compromised credential or exploiting a vulnerability (e.g., CVE-2023-XXXX in a web application running on the EC2 instance).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges within the EC2 instance, potentially using tools like \u003ccode\u003esudo\u003c/code\u003e or exploiting kernel vulnerabilities.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised EC2 instance to move laterally to other resources within the AWS environment, utilizing stolen AWS credentials or exploiting misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating new user accounts, installing backdoors (e.g., through modified SSH configurations), or scheduling malicious tasks via \u003ccode\u003ecron\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker begins exfiltrating sensitive data from the EC2 instance to an external server using tools like \u003ccode\u003eaws s3 cp\u003c/code\u003e or \u003ccode\u003escp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes a command and control (C2) channel with an external server, allowing them to remotely control the compromised EC2 instance. This may involve using protocols like HTTP or DNS.\u003c/li\u003e\n\u003cli\u003eResource Hijacking: The attacker leverages the compromised EC2 instance for malicious purposes such as cryptomining or launching DDoS attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leading to a spike in Security Hub alerts could result in data breaches, financial losses, reputational damage, and disruption of services. The compromised EC2 instance could be used as a launchpad for further attacks within the AWS environment. The number of affected users and the severity of the impact depend on the data stored on the compromised instance and the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Spike in AWS Security Hub Alerts for EC2 Instance\u003c/code\u003e to identify potential compromises based on alert volume.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by examining AWS CloudTrail logs to determine the root cause of the alert spike and the actions taken by the attacker.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM roles associated with the EC2 instance to prevent lateral movement (reference the \u0026quot;Lateral Movement\u0026quot; step in the Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a compromised EC2 instance (reference the \u0026quot;Lateral Movement\u0026quot; step in the Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-security-hub-spike/","summary":"Detects a sudden increase in security alerts generated by AWS Security Hub related to a specific EC2 instance, potentially indicating active compromise or misconfiguration.","title":"Spike in AWS Security Hub Alerts for EC2 Instance","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-security-hub-spike/"}],"language":"en","title":"CraftedSignal Threat Feed - Alert-Spike","version":"https://jsonfeed.org/version/1.1"}