Use of AWS APIs indicating data staging and exfiltration
Description
AlphaSOC detected AWS API use related to data staging and exfiltration. Attackers use AWS APIs to collate and package sensitive data within the AWS environment (known as staging) that is subsequently exfiltrated.
Impact
Threat actors can use data staging and exfiltration to prepare and move stolen data, exploiting permissions granted to AWS services to bypass security controls and evade detection. This can result in access to sensitive data, intellectual property theft, and compliance violations. Stolen data can be used for secondary attacks to gain unauthorized access to more resources.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Because exfiltration through legitimate AWS services is hard to distinguish from normal operations, breaches of this kind can go unnoticed for extended periods, so review the activity carefully. Examine the specific AWS API calls, focusing on the resources accessed, the amount of data transferred, and the identity of the caller. Review CloudTrail logs for unusual patterns or unauthorized access. Identify and revoke any compromised credentials. Isolate affected resources and rotate all access keys.
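The severity ladder above and the CloudTrail review it calls for, as an added example that is not AlphaSOC's code: each event is compared with a per-principal baseline of expected actions, regions, user agents and ASNs, and the number of properties outside that baseline is mapped to the table's severity. The baseline, the IP-to-ASN table and the CloudTrail-style records are constructed here so the script runs offline.

```python
# Added example (not AlphaSOC's code): score CloudTrail events against a
# per-principal baseline using the severity ladder above. The baseline and
# the IP->ASN table are constructed so the example runs offline.
from typing import List, Optional

SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}
# Constructed baseline: what is normal for one IAM principal.
BASELINE = {"arn:aws:iam::123456789012:user/backup-svc": {
    "actions": {"s3:GetObject", "s3:ListBucket", "s3:PutObject"},
    "regions": {"us-east-1"},
    "user_agents": {"aws-sdk-go/1.44"},
    "asns": {16509}}}
# Constructed IP->ASN lookup; CloudTrail itself carries no ASN field.
IP_TO_ASN = {"52.94.1.10": 16509, "198.51.100.7": 64500}

def unexpected_properties(event: dict, baseline: dict) -> List[str]:
    """Names of the properties (action, region, user agent, ASN) that fall
    outside the principal's baseline."""
    action = event["eventSource"].split(".")[0] + ":" + event["eventName"]
    asn = IP_TO_ASN.get(event.get("sourceIPAddress"), -1)
    checks = {
        "action": action in baseline["actions"],
        "region": event["awsRegion"] in baseline["regions"],
        "user_agent": event.get("userAgent", "") in baseline["user_agents"],
        "asn": asn in baseline["asns"]}
    return [name for name, ok in checks.items() if not ok]

def score_event(event: dict) -> Optional[str]:
    """Map the number of unexpected properties to the table's severity.
    Four unexpected properties is treated as Medium (assumption)."""
    baseline = BASELINE.get(event["userIdentity"]["arn"])
    if baseline is None:  # unknown principal: no baseline to compare against
        return None
    return SEVERITY[min(len(unexpected_properties(event, baseline)), 3)]

# Constructed CloudTrail-style records: a routine backup write, then a
# GetObject from an unexpected region, user agent and ASN.
PRINCIPAL = {"arn": "arn:aws:iam::123456789012:user/backup-svc"}
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "awsRegion": "us-east-1", "userAgent": "aws-sdk-go/1.44",
     "sourceIPAddress": "52.94.1.10", "userIdentity": PRINCIPAL},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-3", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "198.51.100.7", "userIdentity": PRINCIPAL},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], score_event(ev))
```

The second record trips region, user agent and ASN at once, which the table rates Medium; the baseline itself is the part to tune per account, since the false positives listed below are all cases where one of these properties changes legitimately.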
Known False Positives
- Establishment of a new, legitimate connection between a user and a network with a given ASN
- Large-scale data migrations or backups to external storage services
- Automated scripts or applications that legitimately transfer data between AWS services
- Development and testing activities involving data replication or movement