Impair Defenses: Disable or Modify Cloud Firewall
Other sub-techniques of Impair Defenses (4)
ID | Name |
---|---|
T1562.008 | Disable Cloud Logs |
T1562.007 | Disable or Modify Cloud Firewall |
T1562.A001 | Disable or Modify GuardDuty |
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
Cloud environments typically rely on restrictive security groups and firewall rules that only allow network activity from trusted IP addresses over expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for Brute Force or Endpoint Denial of Service.
AWS Specific Content
A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to perform the actions in the AWS CloudTrail Event Name(s) section.
With access to an AWS identity that has the appropriate permissions, threat actors may use the ec2:AuthorizeSecurityGroupIngress action (or ec2:ModifySecurityGroupRules, to widen an existing rule) to change VPC Security Groups and Security Group rules and expand their ability to reach AWS resources.
Detection
AWS Specific Content
When this technique is used, the actions the threat actor takes with the obtained credentials are logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region for the events listed in the AWS CloudTrail Event Name(s) section, such as AuthorizeSecurityGroupIngress (CloudTrail records the eventName without the service prefix; the corresponding IAM action is ec2:AuthorizeSecurityGroupIngress). A separate CloudTrail trail gives you an ongoing record of events in your AWS account beyond 90 days and can be configured to log events in multiple regions. You can review events using the console or the AWS CLI.
It is also possible, for a trail that delivers to CloudWatch Logs, to create a CloudWatch metric filter that matches specific AWS API calls, alarm on the resulting metric to send a notification when they are logged, and configure CloudWatch to automatically perform an action in response to the alarm.
You can also use AWS Config Rules to check if security groups have been configured to allow incoming traffic from 0.0.0.0/0 or ::/0 over specified TCP/UDP ports. Security Hub controls can also check whether ingress is allowed from 0.0.0.0/0 or ::/0 over specific ports, such as port 22.
ID | Data Source | Data Component | Description |
---|---|---|---|
DS0018 | Firewall | Firewall Disable | Monitor for changes in the status of the cloud firewall. |
DS0018 | Firewall | Firewall Rule Modification | Monitor cloud logs for modification or creation of new security groups or firewall rules. For example, in AWS environments, monitor for the AuthorizeSecurityGroupIngress API call in CloudTrail and use AWS Config to monitor changes to the configuration of a Virtual Private Cloud (VPC) Security Group. |
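The CloudTrail review described above, as an added example that is not part of the original page or of any AWS tooling: a small triage script that scans CloudTrail records for security-group and network ACL changes and ranks each one by whether it opened a rule to the whole internet (0.0.0.0/0 or ::/0), whether it was merely attempted (the call was denied, which still shows intent), or whether it is a rule change that needs a look. It generalises the page's AuthorizeSecurityGroupIngress example to the other rule-mutating EC2 calls. The sample records are constructed, not real CloudTrail output; their field layout (eventSource, eventName, userIdentity, requestParameters with nested "items" lists, errorCode on denied calls) follows CloudTrail's documented format, and the load_records helper assumes either a raw CloudTrail log object or the JSON printed by `aws cloudtrail lookup-events`.

```python
"""Triage CloudTrail records for cloud-firewall (security group / NACL) tampering.

Added example, not from the page's source. SAMPLE_RECORDS below are constructed
to mirror CloudTrail's documented layout; nothing here talks to AWS.
"""
import ipaddress
import json

# EC2 control-plane calls that add, widen, or remove network filtering rules.
WATCHED_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules", "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def load_records(text):
    """Accept a CloudTrail log object ({"Records": [...]}) or the output of
    `aws cloudtrail lookup-events`, whose Events carry each record as a JSON
    string in the CloudTrailEvent field."""
    doc = json.loads(text)
    if "Records" in doc:
        return doc["Records"]
    return [json.loads(e["CloudTrailEvent"]) for e in doc.get("Events", [])]


def world_open_cidrs(obj):
    """Walk requestParameters (whatever nesting the API used) and return the
    CIDRs that match every address: 0.0.0.0/0 or ::/0 in any accepted spelling."""
    found = []
    if isinstance(obj, dict):
        for v in obj.values():
            found.extend(world_open_cidrs(v))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(world_open_cidrs(v))
    elif isinstance(obj, str) and "/" in obj:
        try:
            if ipaddress.ip_network(obj, strict=False).prefixlen == 0:
                found.append(obj)
        except ValueError:
            pass  # ARNs and other slash-containing strings are not CIDRs
    return found


def triage(records):
    """One finding per watched EC2 event, ranked by what the call did."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_EVENTS:
            continue
        cidrs = world_open_cidrs(rec.get("requestParameters") or {})
        if rec.get("errorCode"):
            severity = "attempted"  # denied by IAM, but the intent is visible
        elif cidrs:
            severity = "high"       # the rule now admits the whole internet
        else:
            severity = "review"     # rule change whose scope is not world-open
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "principal": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "open_cidrs": cidrs,
            "severity": severity,
        })
    return findings


_ROLE = {"arn": "arn:aws:sts::111122223333:assumed-role/dev-role/build"}
# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {  # all protocols and ports opened to the world on an existing group
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": _ROLE,
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890", "ipPermissions": {
            "items": [{"ipProtocol": "-1",
                       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {  # SSH opened only from an internal range: a change, but not world-open
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": _ROLE,
        "sourceIPAddress": "10.20.5.9",
        "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890", "ipPermissions": {
            "items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                       "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {  # brand-new group: no rule in this call, but worth a look
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSecurityGroup", "userIdentity": _ROLE,
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"groupName": "tmp", "groupDescription": "tmp",
                              "vpcId": "vpc-0f00ba4f00ba4f00b"}},
    {  # denied attempt to widen an IPv6 rule to the world: errorCode is set
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySecurityGroupRules", "userIdentity": _ROLE,
        "sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation",
        "requestParameters": {"ModifySecurityGroupRulesRequest": {
            "GroupId": "sg-0a1b2c3d4e5f67890", "SecurityGroupRule": {
                "SecurityGroupRuleId": "sgr-0123456789abcdef0",
                "SecurityGroupRule": {"CidrIpv6": "::/0", "IpProtocol": "tcp",
                                      "FromPort": 3389, "ToPort": 3389}}}}},
    {  # unrelated read-only call, ignored
        "eventTime": "2024-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "userIdentity": _ROLE,
        "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['severity']:9} {f['event']:30} {f['source_ip']:15} {f['open_cidrs']}")
```

Feed it the JSON from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com` (covers the 90-day Event history) or the log files delivered by a trail; the "attempted" bucket is the one most analysts skip, yet a burst of UnauthorizedOperation errors against security-group APIs from a new source IP is often the earliest visible sign of this technique.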
Mitigation
AWS Specific Content
You can make sure that principals are scoped with the least-privileged permissions necessary to perform duties, limiting the ability to perform unauthorized actions in an AWS account when not required. One possible method of applying the principle of least-privileged permissions is to use Service Control Policies to restrict the maximum available permissions for the IAM users and IAM roles within your AWS Organizations accounts (note - you should test SCPs in a development environment before deploying them in production).
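The SCP guardrail described above, as an added example that is not code from the page or from AWS: a constructed Service Control Policy that denies every security-group mutating action to all principals in an OU except a designated NetworkAdmin role, plus a deliberately minimal evaluator for dry-running it against sample principal ARNs. The evaluator understands only Effect=Deny statements with Action, Resource "*", and an ArnNotLike condition on aws:PrincipalArn, which is all this policy uses; the role name, account ID and sample principals are assumptions, and the check is a sanity pass before testing the SCP in a development OU, not a replacement for IAM's own evaluation or the policy simulator.

```python
"""Dry-run an SCP guardrail for security-group changes against sample principals.

Added example, not from the page or AWS. The policy and principals are constructed;
the evaluator handles only the policy grammar this guardrail uses.
"""
import fnmatch

# Every EC2 call that adds, widens, or removes security-group rules. The Deny
# reaches every principal in the attached OU except the NetworkAdmin role (for a
# role session, aws:PrincipalArn is the IAM role ARN, not the STS session ARN).
# SCPs never restrict the management account or service-linked roles.
SECURITY_GROUP_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySecurityGroupChangesExceptNetworkAdmin",
        "Effect": "Deny",
        "Action": [
            "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
            "ec2:ModifySecurityGroupRules", "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
        ],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": [
            "arn:aws:iam::*:role/NetworkAdmin",   # assumed role name
        ]}},
    }],
}

MUTATING_ACTIONS = SECURITY_GROUP_GUARDRAIL["Statement"][0]["Action"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def explicit_deny(policy, principal_arn, action):
    """Return the Sid of the first Deny statement that applies to this call, or
    None if the SCP leaves the decision to the identity's own policies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action names compare case-insensitively and may carry '*' wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        exempt = _as_list(stmt.get("Condition", {})
                              .get("ArnNotLike", {})
                              .get("aws:PrincipalArn", []))
        # ArnNotLike evaluates true (so the Deny applies) only when no pattern matches.
        if exempt and any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue
        return stmt["Sid"]
    return None


def who_can_change_security_groups(policy, principal_arns):
    """Principals the SCP does not block from at least one mutating action."""
    return [arn for arn in principal_arns
            if any(explicit_deny(policy, arn, a) is None for a in MUTATING_ACTIONS)]


# Constructed sample principals from one member account.
SAMPLE_PRINCIPALS = [
    "arn:aws:iam::111122223333:role/NetworkAdmin",
    "arn:aws:iam::111122223333:role/dev-role",      # the compromised identity
    "arn:aws:iam::111122223333:user/ci-deployer",
]

if __name__ == "__main__":
    for arn in SAMPLE_PRINCIPALS:
        verdict = explicit_deny(SECURITY_GROUP_GUARDRAIL, arn,
                                "ec2:AuthorizeSecurityGroupIngress")
        print(f"{arn}: {'passes SCP' if verdict is None else 'denied by ' + verdict}")
    print("still able to change security groups:",
          who_can_change_security_groups(SECURITY_GROUP_GUARDRAIL, SAMPLE_PRINCIPALS))
```

Because an SCP is a ceiling rather than a grant, the NetworkAdmin role still needs the ec2 permissions in its own identity policy; the guardrail only guarantees that a compromised developer role or CI user cannot reach AuthorizeSecurityGroupIngress even if its identity policy is overly broad.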
You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment, which will highlight AWS identities with excessive permissions and the actions performed by those identities.
You can also use AWS Firewall Manager security group audit policies to identify and remediate excessively permissive rules for Security Groups that permit traffic from many IP ranges; the AWS Firewall Manager documentation describes how to configure these audit policies.