https://feed.craftedsignal.io/tags/bedrock/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-logging-deletion/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-logging-deletion/Detection of attempts to delete AWS Bedrock model invocation logging configurations, potentially indicating an adversary trying to remove audit trails of model interactions after credential compromise, to hide malicious AI model usage.This analytic identifies attempts to delete AWS Bedrock model invocation logging configurations. The activity is detected by monitoring AWS CloudTrail logs for calls to the DeleteModelInvocationLogging API. Successful deletion of these logs could allow attackers to interact with AI models hosted on AWS Bedrock without leaving forensic traces. This may be indicative of an adversary who has compromised AWS credentials and is attempting to evade detection of their malicious actions. The impact could range from data exfiltration and prompt injection attacks to other unauthorized activities, all performed without generating audit records. This event should be considered a high-priority alert, as it directly impacts the ability to monitor and respond to potentially malicious use of AI models within the AWS environment. The detection leverages AWS CloudTrail logs and is based on the Splunk ES-CU analytic “AWS Bedrock Delete Model Invocation Logging Configuration”.

Attack Chain

1. An attacker gains unauthorized access to an AWS account, potentially through credential compromise or other means.
2. The attacker enumerates the existing AWS Bedrock model invocation logging configurations within the targeted AWS account.
3. The attacker executes the DeleteModelInvocationLoggingConfiguration API call to disable or remove the logging configuration.
4. AWS CloudTrail logs the DeleteModelInvocationLoggingConfiguration event, capturing details such as the user, source IP, and timestamp.
5. The attacker proceeds to interact with AWS Bedrock models, potentially performing data exfiltration or prompt injection attacks.
6. Because model invocation logging has been disabled, these interactions are not logged, hindering detection and incident response efforts.
7. The attacker attempts to further cover their tracks by deleting or modifying other relevant CloudTrail logs.

Impact

A successful attack could lead to unauthorized access and manipulation of AI models hosted on AWS Bedrock. The deletion of model invocation logs allows attackers to hide their activities, making it difficult to detect and respond to incidents such as data exfiltration or prompt injection attacks. This can result in significant financial loss, reputational damage, and legal liabilities. The exact number of victims and the extent of the damage depend on the scope and duration of the attacker’s access to the AI models.

Recommendation

• Deploy the Sigma rule Detect AWS Bedrock Logging Deletion to your SIEM to detect attempts to delete AWS Bedrock model invocation logging configurations.
• Investigate any detected instances of DeleteModelInvocationLoggingConfiguration events, focusing on unexpected users or source IPs, to validate legitimate administrative actions.
• Enable AWS CloudTrail logging for all AWS regions and services, including Bedrock, to ensure comprehensive audit coverage.
• Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise (T1685.002).
• Monitor CloudTrail logs for unusual API calls and access patterns to identify potential insider threats or compromised accounts.
• Review and update IAM policies to enforce the principle of least privilege and restrict access to sensitive API actions, such as DeleteModelInvocationLoggingConfiguration.

]]>highadvisoryawsbedrockcloudtrailloggingdefense-evasionhttps://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-guardrails-deletion/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-guardrails-deletion/Detection of AWS Bedrock GuardRails deletion, which are security controls to prevent harmful AI outputs, could indicate an adversary attempting to remove safety measures after credential compromise to enable malicious model outputs.This analytic focuses on detecting the deletion of AWS Bedrock GuardRails. AWS Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies. GuardRails within Bedrock are security controls designed to prevent harmful, biased, or inappropriate AI outputs. The deletion of these guardrails, detected through AWS CloudTrail logs, could indicate a malicious actor attempting to bypass security measures after compromising credentials. This could potentially enable harmful or malicious model outputs, leading to the generation of offensive content, extraction of sensitive information, or circumvention of prompt injection defenses. This activity matters to defenders as it highlights a potential attempt to manipulate AI model behavior for malicious purposes, requiring immediate investigation.

Attack Chain

1. An attacker gains unauthorized access to an AWS account with sufficient privileges to manage Bedrock resources, possibly through credential compromise.
2. The attacker authenticates to the AWS environment, establishing a session.
3. The attacker identifies existing AWS Bedrock GuardRails configurations using AWS APIs or the AWS Management Console.
4. The attacker uses the DeleteGuardrail API call via the AWS CLI, SDK, or Management Console, specifying the guardrailIdentifier of the targeted GuardRail.
5. AWS CloudTrail logs the DeleteGuardrail event, including details such as the user identity, source IP address, and GuardRail identifier.
6. The GuardRail is successfully deleted, removing the configured safety controls for the Bedrock models.
7. The attacker leverages the now-unprotected Bedrock models to generate harmful content, extract sensitive information, or bypass other security controls.
8. The attacker exfiltrates sensitive data generated from the unprotected model to an external location.

Impact

Successful deletion of Bedrock GuardRails could allow attackers to manipulate AI models for malicious purposes. This could lead to the generation of offensive or harmful content, extraction of sensitive information, or bypassing prompt injection defenses. Organizations utilizing AWS Bedrock may experience reputational damage, data breaches, and regulatory compliance issues. While specific victim numbers are unavailable, the impact could be significant depending on the sensitivity of the data processed by the models.

Recommendation

• Enable AWS CloudTrail logging for all AWS regions, specifically capturing Bedrock service events to ensure the DeleteGuardrail API calls are logged (data_source).
• Deploy the provided Sigma rule Detect AWS Bedrock GuardRails Deletion to your SIEM and tune for your environment to detect unauthorized GuardRail deletions.
• Investigate any detected DeleteGuardrail events to determine the legitimacy of the action and identify potential credential compromise or malicious intent (Sigma rule).
• Implement an allowlist for expected administrators who regularly manage GuardRails configurations to reduce false positives (known_false_positives).
• Monitor the src IP addresses from which DeleteGuardrail API calls are made to identify potentially suspicious or unauthorized access points (rule and RBA).
• Enforce multi-factor authentication (MFA) for all AWS accounts, especially those with privileges to manage Bedrock resources, to mitigate credential compromise (overview).

]]>highadvisoryawsbedrockcloudtraildefense-evasion