{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/backup/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon RDS"],"_cs_severities":["medium"],"_cs_tags":["aws","rds","snapshot","backup","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis rule detects the deletion of AWS RDS DB snapshots or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting \u0026quot;backupRetentionPeriod=0\u0026quot; has a similar impact by preventing future restore points. A threat actor with sufficient AWS permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion. The rule focuses on successful snapshot deletions and backup disabling events within AWS RDS. The scope includes any AWS environment utilizing RDS for database services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to an AWS account with sufficient permissions to manage RDS instances and snapshots, possibly through compromised credentials or an IAM role with excessive privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available RDS DB instances and snapshots within the target AWS account using AWS CLI or API calls (e.g., \u003ccode\u003eDescribeDBSnapshots\u003c/code\u003e, \u003ccode\u003eDescribeDBInstances\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies target DB instances and their associated snapshots that are critical for recovery or contain valuable forensic data.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes RDS DB snapshots using the \u003ccode\u003eDeleteDBSnapshot\u003c/code\u003e API call, effectively removing restore points.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the DB instance configuration using the \u003ccode\u003eModifyDBInstance\u003c/code\u003e API call, setting \u003ccode\u003ebackupRetentionPeriod\u003c/code\u003e to 0 to disable automated backups and prevent future restore points.\u003c/li\u003e\n\u003cli\u003eThe attacker may then delete the RDS instance itself using DeleteDBInstance.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting relevant CloudTrail logs or disabling CloudTrail logging.\u003c/li\u003e\n\u003cli\u003eThe attacker's objective is to prevent restoration to a known-good state and destroy forensic evidence of attacker actions, potentially as part of a ransomware attack or data exfiltration attempt.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of RDS snapshots or disabling of backups can lead to significant data loss and prolonged downtime, making recovery from security incidents or operational failures difficult or impossible. This can impact business continuity, data integrity, and regulatory compliance. The precise impact depends on the criticality of the affected databases and the availability of alternative backup mechanisms. If successful, this can result in total data loss for the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eDeleteDBSnapshot\u003c/code\u003e, \u003ccode\u003eDeleteDBClusterSnapshot\u003c/code\u003e, or \u003ccode\u003eModifyDBInstance\u003c/code\u003e events setting \u003ccode\u003ebackupRetentionPeriod=0\u003c/code\u003e in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eRestrict IAM permissions for \u003ccode\u003erds:DeleteDBSnapshot\u003c/code\u003e, \u003ccode\u003erds:DeleteDBClusterSnapshot\u003c/code\u003e, and \u003ccode\u003erds:ModifyDBInstance\u003c/code\u003e (especially backup and deletion-related parameters) to a small set of privileged roles, as described in the remediation steps.\u003c/li\u003e\n\u003cli\u003eUse AWS Config rules and/or Security Hub controls to detect instances with \u003ccode\u003ebackupRetentionPeriod=0\u003c/code\u003e, as recommended in the hardening and preventive controls section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/","summary":"The deletion of AWS RDS DB snapshots or disabling backups via configuration changes can inhibit recovery, destroy forensic evidence, and prepare for destructive actions by adversaries.","title":"AWS RDS Snapshot Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Backup","version":"https://jsonfeed.org/version/1.1"}