{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security_group/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS","Google Cloud Platform","Microsoft Azure"],"_cs_severities":["high"],"_cs_tags":["cloud","security_group","anomaly","aws"],"_cs_type":"advisory","_cs_vendors":["Amazon","Google","Microsoft"],"content_html":"\u003cp\u003eThis detection identifies anomalous modifications to cloud security groups by users within a 30-minute timeframe. It focuses on actions such as modifications, deletions, and creations of security groups, analyzing cloud infrastructure logs to detect deviations from normal behavior. The analytic calculates the standard deviation of security group changes per user, employing a 3-sigma rule to identify outliers. This activity is significant because unauthorized or malicious alterations to security groups can expose sensitive resources or disrupt critical services. The original Splunk ES content was published in 2026-04-17T11:58:53Z. This may indicate a compromised account, insider threat, or privilege escalation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a cloud environment through compromised credentials or an insider threat (T1578.005).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing cloud security groups to identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies security group rules to allow unauthorized access to internal resources or services.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new security groups with overly permissive rules, bypassing existing security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes existing security groups, disrupting network segmentation and potentially causing service outages.\u003c/li\u003e\n\u003cli\u003eThese actions are performed repeatedly within a short time frame (30 minutes), significantly deviating from the user's baseline activity.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the newly opened access to exfiltrate sensitive data or deploy malicious workloads.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to compromise sensitive resources, disrupt services, or establish a persistent foothold within the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, disruption of critical services, and potential financial losses. A single compromised account can lead to the modification of numerous security groups, impacting multiple applications and services. The impact can range from data breaches and compliance violations to complete service outages. Depending on the scope of the compromised security groups, the blast radius can extend across the entire cloud infrastructure, affecting potentially thousands of users and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure proper ingestion of AWS CloudTrail, GCP Pubsub Message logs, and Azure Audit logs into a data model like the Change datamodel referenced in the search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCloud Security Group Modifications by User\u003c/code\u003e to your SIEM to detect anomalous security group modifications (logsource: AWS CloudTrail).\u003c/li\u003e\n\u003cli\u003eTune the threshold and time window of the Sigma rule based on your environment's baseline activity to reduce false positives. Consider adjusting the \u003ccode\u003eupperBound\u003c/code\u003e calculation in the search query.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the modifications are legitimate or malicious. Prioritize alerts triggered by users with no history of security group administration.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to mitigate the risk of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cloud-security-group-modifications/","summary":"This analytic identifies unusual modifications to cloud security groups by users, such as modifications, deletions, or creations, analyzed over 30-minute intervals, potentially indicating compromised accounts or insider threats leading to resource exposure or service disruption.","title":"Unusual Cloud Security Group Modifications by User","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cloud-security-group-modifications/"}],"language":"en","title":"CraftedSignal Threat Feed - Security_group","version":"https://jsonfeed.org/version/1.1"}