AWS EC2 Security Group Configuration Change
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2024/11/07"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
pivot in an AWS environment.
"""
false_positives = [
    """
    A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Security Group Configuration Change"
note = """
### Investigating AWS EC2 Security Group Configuration Change

This rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.

#### Possible Investigation Steps

1. **Identify the Modified Security Group**:
    - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.
    - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.

2. **Review User Context**:
    - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.
    - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.

3. **Analyze the Configuration Change**:
    - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.
    - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.

4. **Check User Agent and Source IP**:
    - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.
    - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.

5. **Evaluate for Persistence Indicators**:
    - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.
    - **Permissions Review**: Confirm that the user's IAM policies are configured to limit changes to security groups only as necessary.

6. **Correlate with Other CloudTrail Events**:
    - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.
    - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.

### False Positive Analysis

- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.
- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.

### Response and Remediation

- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.
- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.
- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.
- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.

### Additional Information

For more details on managing AWS Security Groups and best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best practices.
"""
references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
risk_score = 21
rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Network Security Monitoring",
    "Resources: Investigation Guide",
    "Tactic: Persistence",
    "Tactic: Defense Evasion"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action:(
        "AuthorizeSecurityGroupEgress" or
        "CreateSecurityGroup" or
        "ModifyInstanceAttribute" or
        "ModifySecurityGroupRules" or
        "RevokeSecurityGroupEgress" or
        "RevokeSecurityGroupIngress")
    and event.outcome: "success"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "user_agent.original",
    "aws.cloudtrail.flattened.request_parameters.instanceId",
    "event.action",
    "event.outcome",
    "cloud.region",
    "event.provider",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
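The following Python script is an added example and is not part of the Elastic rule or of the Elastic AWS integration. It replays the rule's KQL predicate (dataset, provider, the six watched `event.action` values, `event.outcome: success`) over constructed CloudTrail-style records, then applies the triage checks from the investigation guide to each match: world-open CIDRs in `securityGroupRuleSet`, the `isEgress` direction, and automation user agents. The `to_ecs` mapping is a simplified stand-in for the field flattening the integration performs, the `AUTOMATION_AGENTS` allowlist and all account IDs, ARNs, IPs and group IDs are made up for the example, and the function names are this example's own.

```python
import ipaddress

# The six EC2 API actions listed in the rule's query.
WATCHED_ACTIONS = {
    "AuthorizeSecurityGroupEgress", "CreateSecurityGroup", "ModifyInstanceAttribute",
    "ModifySecurityGroupRules", "RevokeSecurityGroupEgress", "RevokeSecurityGroupIngress",
}

# User-agent substrings treated as known automation (an assumption for this example).
AUTOMATION_AGENTS = ("terraform", "cloudformation")

# Constructed CloudTrail-style records; every identifier below is made up.
SAMPLE_RECORDS = [
    {   # egress rule opened to the internet by an IAM user from the CLI
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupEgress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "type": "IAMUser"},
        "userAgent": "aws-cli/2.15.0",
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
        "responseElements": {"_return": True, "securityGroupRuleSet": {"items": [
            {"groupId": "sg-0123456789abcdef0", "isEgress": True, "ipProtocol": "tcp",
             "fromPort": 443, "toPort": 443, "cidrIpv4": "0.0.0.0/0"}]}},
    },
    {   # a watched action that was denied: the rule requires event.outcome: success
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RevokeSecurityGroupIngress",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob", "type": "IAMUser"},
        "userAgent": "aws-cli/2.15.0",
        "sourceIPAddress": "203.0.113.8",
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
    {   # group created by a CI role through Terraform: matches, triage marks it as automation
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSecurityGroup",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-42", "type": "AssumedRole"},
        "userAgent": "Terraform/1.7.0 aws-sdk-go-v2/1.24.0",
        "sourceIPAddress": "198.51.100.20",
        "requestParameters": {"groupName": "web-sg", "vpcId": "vpc-0a1b2c3d"},
        "responseElements": {"groupId": "sg-0fedcba9876543210"},
    },
]


def to_ecs(record):
    """Flatten a raw CloudTrail record to the ECS field names the rule's KQL uses.
    Simplified stand-in for the mapping the Elastic AWS integration performs (assumption)."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "aws.cloudtrail.user_identity.arn": record.get("userIdentity", {}).get("arn"),
        "user_agent.original": record.get("userAgent", ""),
        "source.address": record.get("sourceIPAddress"),
        "aws.cloudtrail.flattened.request_parameters": record.get("requestParameters", {}),
        "aws.cloudtrail.flattened.response_elements": record.get("responseElements", {}),
    }


def matches_rule(doc):
    """Python equivalent of the rule's query: dataset, provider, action set and outcome."""
    return (
        doc["event.dataset"] == "aws.cloudtrail"
        and doc["event.provider"] == "ec2.amazonaws.com"
        and doc["event.action"] in WATCHED_ACTIONS
        and doc["event.outcome"] == "success"
    )


def triage(doc):
    """Flags from the investigation guide: world-open CIDRs with direction, automation agents."""
    flags = []
    rule_set = doc["aws.cloudtrail.flattened.response_elements"].get("securityGroupRuleSet", {})
    for rule in rule_set.get("items", []):
        cidr = rule.get("cidrIpv4") or rule.get("cidrIpv6")
        # A /0 prefix (0.0.0.0/0 or ::/0) exposes the resource to the whole internet.
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            direction = "egress" if rule.get("isEgress") else "ingress"
            flags.append(f"{direction} open to {cidr} on ports {rule.get('fromPort')}-{rule.get('toPort')}")
    if any(agent in doc["user_agent.original"].lower() for agent in AUTOMATION_AGENTS):
        flags.append("automation user agent; confirm it matches an expected deployment")
    return flags


def run(records):
    """Apply the rule to each record and triage the matches, keyed by (action, actor ARN)."""
    matches = {}
    for record in records:
        doc = to_ecs(record)
        if matches_rule(doc):
            matches[(doc["event.action"], doc["aws.cloudtrail.user_identity.arn"])] = triage(doc)
    return matches


if __name__ == "__main__":
    for key, flags in run(SAMPLE_RECORDS).items():
        print(key, flags or ["no immediate flags; review user context and access patterns"])
```

Running the script reports two matches: the CLI-driven egress change is flagged as open to `0.0.0.0/0`, and the Terraform-driven group creation is flagged as automation so an analyst can check it against expected deployments, which is the exemption path the rule's false-positive note describes. The denied `RevokeSecurityGroupIngress` call is dropped by the `event.outcome` condition, and an `AuthorizeSecurityGroupIngress` call would not match because it is not in this rule's action list.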
Related rules
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance or Cluster Password Modified
- AWS EC2 Network Access Control List Creation
- AWS CloudTrail Log Deleted
- AWS IAM AdministratorAccess Policy Attached to User