In July 2019, Capital One suffered one of the biggest data breaches to date, affecting more than 100 million customer accounts and credit card applications. Based on the criminal complaint charging the accused hacker and several technical analysis blogs published after the breach, it involved exploiting a Server Side Request Forgery (SSRF) flaw in a web application to obtain Amazon Web Services (AWS) access keys for a highly permissive (S3FullAccess) Identity and Access Management (IAM) role, using those keys to access sensitive files in S3 storage buckets, and later exfiltrating the sensitive data to attacker-controlled local storage.

This is the first part of a two-part article in which we perform an attack simulation of the Capital One breach using the CloudGoat scenario cloud_breach_s3, developed by Rhino Security Labs. In the second part, we will analyze the logs generated by the simulation and see how we can hunt for some of the attacker techniques in AWS data sources onboarded to Azure Sentinel. We will also walk through how to ingest the relevant data sources, develop detection or hunting queries using Kusto Query Language (KQL), and use the Azure Sentinel incident workflow and investigation features. If you want to check the related detections before we publish the second part, you can refer to the Azure Sentinel Pull Request containing the Logstash config file, the AWSS3Logparser and the hunting queries.

Based on the available information about the attack, let's start by extracting the Tactics, Techniques and Procedures (TTPs) used by the attacker and mapping them to MITRE ATT&CK, which recently expanded to include Cloud ATT&CK techniques. In the table below, we have mapped the attacker techniques and the data sources relevant to each technique.

Figure 1 - Attack activity mapped to ATT&CK tactics and techniques

Capital One Breach attack simulation using CloudGoat

For the attack simulation, we will use the CloudGoat scenario cloud_breach_s3. According to the scenario's summary page, the attacker starts as an anonymous outsider with no access or privileges. He then exploits a misconfigured reverse-proxy server to query the EC2 metadata service and acquire instance profile keys. Then, he uses those keys to discover, access, and exfiltrate sensitive data from an S3 bucket.
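The chain just described (instance profile keys obtained through the proxy, then S3 discovery and data access) leaves a recognisable pattern in CloudTrail: an EC2 instance-profile session being used from an address other than the instance's own. The following Python script is an added example, not code from this article, from CloudGoat or from Azure Sentinel. It runs that check over a constructed set of CloudTrail-style events (the field names follow the public CloudTrail schema; the account id, role name, instance id, bucket names, object keys, timestamps and IP addresses are invented), flags S3 discovery and data-access calls made with instance credentials from a foreign address, and summarises whether the full discover-then-access sequence was observed from that address.

```python
"""Hunt for instance-profile credentials reused from a foreign address in CloudTrail-style logs.

Added example, not code from the article, CloudGoat or Azure Sentinel. The events
below are constructed: field names follow the public CloudTrail schema, all values
(account id, role, instance id, buckets, keys, times, IPs) are invented.
"""
import json
from collections import defaultdict

# S3 API calls corresponding to the "discover" and "access/exfiltrate" steps.
S3_DISCOVERY = {"ListBuckets", "ListObjects", "ListObjectsV2"}
S3_ACCESS = {"GetObject", "CopyObject"}

# Constructed sample log, one JSON record per line. One instance-profile session
# (session name = instance id) is first seen from the instance's own address and
# later reused from an unrelated address; an IAM user event is included as a control.
_SESSION = "arn:aws:sts::123456789012:assumed-role/web-proxy-role/i-0123456789abcdef0"
SAMPLE_LOG = [
    '{"eventTime":"2020-01-10T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",'
    '"sourceIPAddress":"198.51.100.10","userIdentity":{"type":"AssumedRole","arn":"' + _SESSION + '"},'
    '"requestParameters":{"bucketName":"app-assets","key":"config.json"}}',
    '{"eventTime":"2020-01-10T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",'
    '"sourceIPAddress":"198.51.100.10","userIdentity":{"type":"AssumedRole","arn":"' + _SESSION + '"}}',
    '{"eventTime":"2020-01-10T11:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",'
    '"sourceIPAddress":"203.0.113.77","userIdentity":{"type":"AssumedRole","arn":"' + _SESSION + '"},'
    '"requestParameters":null}',
    '{"eventTime":"2020-01-10T11:00:30Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects",'
    '"sourceIPAddress":"203.0.113.77","userIdentity":{"type":"AssumedRole","arn":"' + _SESSION + '"},'
    '"requestParameters":{"bucketName":"customer-data-bucket"}}',
    '{"eventTime":"2020-01-10T11:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",'
    '"sourceIPAddress":"203.0.113.77","userIdentity":{"type":"AssumedRole","arn":"' + _SESSION + '"},'
    '"requestParameters":{"bucketName":"customer-data-bucket","key":"cardholder_data.csv"}}',
    '{"eventTime":"2020-01-10T11:02:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",'
    '"sourceIPAddress":"192.0.2.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/admin"}}',
]


def parse_log(lines):
    """Parse one JSON record per line and order the records by event time."""
    return sorted((json.loads(line) for line in lines), key=lambda e: e["eventTime"])


def instance_profile_session(event):
    """Return the session ARN when the call used EC2 instance-profile credentials.

    Such credentials appear as an AssumedRole whose session name is the instance id
    (arn:aws:sts::<account>:assumed-role/<role>/i-...). Any other identity gives None.
    """
    identity = event.get("userIdentity", {})
    arn = identity.get("arn", "")
    if identity.get("type") != "AssumedRole" or "/" not in arn:
        return None
    return arn if arn.rsplit("/", 1)[1].startswith("i-") else None


def hunt_stolen_instance_credentials(events):
    """Flag S3 discovery/access made with instance credentials from a foreign address.

    Instance-profile credentials are only meant to be used by the instance that
    fetched them from the metadata service, so the first address seen for a session
    is taken as the instance's own address (assumption of this example; an EC2
    inventory would be the authoritative source) and every later S3 discovery or
    data-access call from a different address is reported.
    """
    expected_ip, findings = {}, []
    for event in events:
        arn = instance_profile_session(event)
        if arn is None:
            continue
        ip = event["sourceIPAddress"]
        home = expected_ip.setdefault(arn, ip)
        name = event["eventName"]
        if event.get("eventSource") != "s3.amazonaws.com" or ip == home:
            continue
        if name in S3_DISCOVERY:
            stage = "discovery"
        elif name in S3_ACCESS:
            stage = "access"
        else:
            continue
        params = event.get("requestParameters") or {}
        findings.append({"time": event["eventTime"], "stage": stage, "api": name,
                         "bucket": params.get("bucketName"), "key": params.get("key"),
                         "source_ip": ip, "instance_ip": home, "session": arn})
    return findings


def summarize(findings):
    """Per (session, source IP), report whether both discovery and access were seen."""
    chains = defaultdict(set)
    for f in findings:
        chains[(f["session"], f["source_ip"])].add(f["stage"])
    return {key: ("discovery+access" if stages == {"discovery", "access"} else "/".join(sorted(stages)))
            for key, stages in chains.items()}


if __name__ == "__main__":
    results = hunt_stolen_instance_credentials(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['time']} {f['stage']:9} {f['api']:12} bucket={f['bucket']} "
              f"from {f['source_ip']} (instance at {f['instance_ip']})")
    print(summarize(results))
```

The same logic can be expressed as a hunting query over CloudTrail data once it is onboarded to Azure Sentinel; the point to carry over is the join between the instance-profile session (recognisable by its `i-` session name) and the source address, not the specific API names. Two caveats for real data: instances behind NAT or with several addresses need a per-instance address set rather than a single first-seen value, and the GetObject call on its own is normal application traffic, so the anomaly is the address mismatch, not the S3 call.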