<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Knowledge_base - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/knowledge_base/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 17:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/knowledge_base/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Bedrock Knowledge Base Deletion Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-bedrock-knowledge-base-deletion/</link><pubDate>Wed, 03 Jan 2024 17:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-bedrock-knowledge-base-deletion/</guid><description>An adversary may delete AWS Bedrock Knowledge Bases, which are resources that store and manage domain-specific information for AI models, to disrupt business operations or remove traces of data access by using the DeleteKnowledgeBase API call.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of attempts to delete AWS Bedrock Knowledge Bases, which are crucial resources for storing and managing domain-specific information used by AI models within the AWS ecosystem. The deletion of these knowledge bases is detected by monitoring AWS CloudTrail logs for DeleteKnowledgeBase API calls. This activity could signal a malicious actor who has compromised AWS credentials and is attempting to disrupt operations, conceal data access, or degrade AI capabilities. A successful deletion could severely impact model performance and remove critical business context, potentially leading to significant operational disruptions. This analytic specifically looks for the &quot;DeleteKnowledgeBase&quot; event within CloudTrail logs related to the &quot;bedrock.amazonaws.com&quot; service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability in the AWS environment. (T1078)</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges within the AWS account to gain sufficient permissions to manage Bedrock Knowledge Bases. (T1068)</li>
<li><strong>Discovery:</strong> The attacker uses AWS APIs or the AWS Management Console to identify existing Bedrock Knowledge Bases within the compromised account. (T1082)</li>
<li><strong>Credential Access:</strong> The attacker leverages compromised credentials or obtains additional AWS credentials to perform actions in AWS Bedrock. (TA0006)</li>
<li><strong>Impair Defenses:</strong> The attacker disables or modifies CloudTrail logging to prevent detection of their activities. (T1562)</li>
<li><strong>Resource Manipulation:</strong> The attacker executes the <code>DeleteKnowledgeBase</code> API call, targeting specific Knowledge Base IDs to remove them from the AWS environment. (T1485)</li>
<li><strong>Impact:</strong> The deletion of the Knowledge Base leads to disruption of AI models relying on the knowledge base, data loss, or degradation of AI-driven services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful deletion of AWS Bedrock Knowledge Bases can lead to significant disruptions. AI models that rely on the deleted knowledge bases may experience degraded performance or complete failure, impacting business operations. The loss of critical business context stored within these knowledge bases can also hinder decision-making processes and lead to financial losses. The number of victims and the specific sectors targeted would depend on the scope of the compromised AWS account and the usage of Bedrock services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor AWS CloudTrail logs with specific focus on Bedrock service events, especially the <code>DeleteKnowledgeBase</code> event (AWS CloudTrail).</li>
<li>Deploy the Sigma rule <code>Detect AWS Bedrock Knowledge Base Deletion</code> to your SIEM and tune it for your environment.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to mitigate credential compromise (T1199).</li>
<li>Review and restrict IAM permissions to limit access to sensitive AWS resources, including Bedrock Knowledge Bases (T1078).</li>
<li>Investigate any detected <code>DeleteKnowledgeBase</code> API calls originating from unfamiliar or suspicious sources (Sigma Rule, AWS CloudTrail).</li>
<li>Implement an allowlist for expected administrators who regularly manage Knowledge Base configurations and tune the provided detections based on your specific environment (Known False Positives).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>bedrock</category><category>knowledge_base</category><category>deletion</category><category>cloudtrail</category></item></channel></rss>