AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-CLOUD-EXFIL-1537-7842
Alert Time: 2024-03-02 10:30:22 EST
Severity: CRITICAL (98/100)
Source: AWS GuardDuty
Rule: “Data Exfiltration to External AWS Account Detected”
MITRE ATT&CK: T1537 – Transfer Data to Cloud Account
Alert Details:
Detection: Large data transfer from corporate S3 bucket to external AWS account
Source: corporate-data-bucket (S3)
Source Account: 123456789012 (Corporate AWS Account)
Destination: 987654321098 (External AWS Account)
Destination Bucket: attacker-bucket
Time: 10:15-10:30 EST
Data Transfer Details:
10:15:22 – Copy of customer-data-2024.csv (234 MB)
10:18:45 – Copy of financial-reports-q1.zip (156 MB)
10:22:12 – Copy of source-code-backup.tar.gz (345 MB)
10:25:38 – Copy of hr-database.sql (89 MB)
10:28:55 – Copy of passwords.kdbx (2 MB)
Total: 826 MB transferred
Access Details:
Source Bucket: corporate-data-bucket (us-east-1)
Destination Bucket: attacker-bucket (us-west-2)
IAM User: svc_backup (compromised service account)
Source IP: 185.143.221[.]89 (Bulgaria)
API Calls: 47 S3 COPY operations
Detection Logic:
Large data transfer to external AWS account (anomalous)
Service account svc_backup has no business need for external transfers
Destination account not in approved list
Files contain sensitive data (customer, financial, source code, passwords)
Pattern matches cloud-to-cloud exfiltration
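The detection logic above, run over constructed CloudTrail-style CopyObject events. This is an added example, not GuardDuty's implementation; the field names follow CloudTrail S3 data events in simplified form, and the approved-account and no-business-need lists are assumptions:

```python
"""Cross-account S3 copy detection, following the detection logic above. Added example,
not AWS code; events are a constructed, simplified subset of CloudTrail S3 data-event fields."""

APPROVED_ACCOUNTS = {"123456789012"}          # corporate account(s) (assumed list)
NO_EXTERNAL_TRANSFER = {"svc_backup"}          # identities with no business need (assumed)
SENSITIVE_MARKERS = ("customer", "financial", "source-code", "hr-", "password")

def ev(t, key, dest_acct, bucket, size, user="svc_backup", ip="185.143.221.89"):
    """One constructed CopyObject event (field shape assumed, not verbatim CloudTrail)."""
    return {"eventTime": t, "eventName": "CopyObject",
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket, "key": key},
            "resources": [{"ARN": "arn:aws:s3:::" + bucket, "accountId": dest_acct}],
            "additionalEventData": {"bytesTransferredOut": size}}

SAMPLE_EVENTS = [  # constructed: three copies from the alert plus one legitimate in-account copy
    ev("2024-03-02T15:15:22Z", "customer-data-2024.csv", "987654321098", "attacker-bucket", 234_000_000),
    ev("2024-03-02T15:18:45Z", "financial-reports-q1.zip", "987654321098", "attacker-bucket", 156_000_000),
    ev("2024-03-02T15:28:55Z", "passwords.kdbx", "987654321098", "attacker-bucket", 2_000_000),
    ev("2024-03-02T15:40:00Z", "nightly/backup.tar", "123456789012", "corp-backup", 500_000_000),
]

def destination_account(event):
    """Owner account of the bucket written to; CloudTrail lists it in resources[]."""
    bucket_arn = "arn:aws:s3:::" + event["requestParameters"]["bucketName"]
    for r in event.get("resources", []):
        if r.get("ARN") == bucket_arn:
            return r.get("accountId")
    return None

def analyse(events):
    """One finding per CopyObject whose destination bucket lives outside the approved accounts."""
    findings = []
    for e in events:
        if e.get("eventName") != "CopyObject":
            continue
        dest = destination_account(e)
        if dest is None or dest in APPROVED_ACCOUNTS:
            continue  # in-account copy: not a cross-account transfer
        user, key = e["userIdentity"]["userName"], e["requestParameters"]["key"]
        reasons = ["destination account not in approved list"]
        if user in NO_EXTERNAL_TRANSFER:
            reasons.append("identity has no business need for external transfers")
        if any(m in key.lower() for m in SENSITIVE_MARKERS):
            reasons.append("sensitive object name")
        findings.append({"time": e["eventTime"], "user": user, "src_ip": e["sourceIPAddress"],
                         "key": key, "dest_account": dest, "reasons": reasons,
                         "bytes": e.get("additionalEventData", {}).get("bytesTransferredOut", 0)})
    return findings
```

Summing the `bytes` field of the findings gives the per-incident transfer volume the alert reports.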
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify GuardDuty alert | AWS GuardDuty Console | Confirmed data exfiltration to external AWS account
2. Account Investigation | Identify compromised credentials | AWS CloudTrail | svc_backup access keys used from Bulgaria IP
3. Immediate Action | Rotate access keys | AWS IAM | svc_backup keys rotated
4. Bucket Permissions | Revoke external account access | S3 Bucket Policy | Removed permissions for external account
5. Data Protection | Determine what was stolen | S3 Access Logs | 826 MB of data exfiltrated
6. Incident Response | Activate breach response | Legal, Management | Data breach declared
Jira Incident Report
Ticket: SOC-2024-160
Summary: T1537 – 826 MB of Data Exfiltrated to External AWS Account
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1537, cloud-exfiltration, aws, guardduty, data-breach, compromised-credentials
Components: Cloud-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty.
Alert: “Data Exfiltration to External AWS Account Detected”.
Source: corporate-data-bucket (S3, Account 123456789012).
Destination: attacker-bucket (External Account 987654321098).
Data: 826 MB exfiltrated.
Time: 2024-03-02 10:30 EST.
Technique: MITRE ATT&CK T1537 – Transfer Data to Cloud Account.
2. Technical Analysis:
Attack Chain:
09:30 – svc_backup service account credentials compromised (GitHub leak)
09:45 – Attacker uses credentials to access AWS Console from Bulgaria IP
10:00 – Attacker enumerates S3 buckets
10:05 – Attacker identifies corporate-data-bucket
10:15-10:30 – Attacker copies 47 files (826 MB) to external account
10:30 – GuardDuty detects the cross-account transfer and raises the alert
Exfiltrated Data (826 MB):
customer-data-2024.csv (234 MB) – 1.2M customer records (PII)
financial-reports-q1.zip (156 MB) – quarterly financials
source-code-backup.tar.gz (345 MB) – proprietary source code
hr-database.sql (89 MB) – employee records, salaries
passwords.kdbx (2 MB) – corporate password vault
Compromised Credentials:
IAM User: svc_backup
Permissions: Read access to multiple S3 buckets
Leak Source: Public GitHub repository (committed by mistake)
Status: Keys rotated, user deleted
External Account:
Account ID: 987654321098
Region: us-west-2
Owner: Unknown (likely attacker)
Bucket: attacker-bucket (now contains stolen data)
3. Investigation Findings:
Timeline:
09:30 – Credentials compromised
09:45 – Attacker accesses AWS
10:00 – Bucket enumeration
10:15-10:30 – Data exfiltration
10:30 – GuardDuty alert
10:32 – SOC investigates
10:33 – Keys rotated
10:34 – External account access revoked
Indicators of Compromise (IoCs):
AWS:
– Source Account: 123456789012
– Destination Account: 987654321098
– Destination Bucket: attacker-bucket
Network:
– Attacker IP: 185.143.221[.]89
Credentials:
– svc_backup access keys (rotated)
Data:
– 47 files, 826 MB exfiltrated (list attached)
4. Containment Actions:
Immediate Actions:
Rotated svc_backup access keys.
Removed external account permissions from S3 bucket policy.
Blocked attacker IP at AWS WAF.
Disabled compromised IAM user.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (1.2M customer records).
Rotated all corporate passwords (password vault compromised).
Engaged AWS support to assist with data recovery/takedown.
Cloud Remediation:
Audited all S3 bucket policies.
Implemented S3 Block Public Access.
Enabled S3 server access logging.
5. Root Cause Analysis:
Primary Cause: Service account credentials leaked in public GitHub repository.
Contributing Factors:
No secret scanning in place.
Service account had excessive permissions (read access to sensitive buckets).
No MFA on the service account (not feasible for access-key-based programmatic access).
No alerting for cross-account data transfers.
6. Business Impact:
Operational Impact: Cloud services affected; password reset for all users.
Data Exposure: 826 MB of customer PII, financial data, source code, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (1.2M customer records).
Financial Impact: Catastrophic (incident response, notifications, fines, lawsuits).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Keys rotated.
External access revoked.
Breach response initiated.
Technical Controls Enhanced:
Implemented secret scanning (GitHub Advanced Security).
Enforced least privilege for service accounts.
Added S3 bucket policies to block cross-account transfers.
Enabled GuardDuty with automated response.
Deployed AWS Config rules for cross-account access.
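A worked version of the cross-account transfer block, added here as an illustration rather than the project's own policy. Note that a bucket policy on corporate-data-bucket governs who may read that bucket; stopping a corporate principal from writing into a bucket in another account needs an identity-based policy or SCP, which this example shows using the aws:ResourceAccount condition key. The policy document and the simplified IAM evaluator are both assumptions:

```python
"""Preventive control for the transfer above: deny S3 writes to any bucket owned by another
account, keyed on the aws:ResourceAccount condition. Added example (policy and evaluator
are illustrative, not AWS's implementation); evaluation is simplified IAM logic."""
import fnmatch

CORPORATE_ACCOUNT = "123456789012"

# Identity-based policy / SCP for backup-style service identities (assumed, not from the page).
# s3:CopyObject is not an IAM action: a copy needs s3:GetObject on the source and s3:PutObject
# on the destination, so denying PutObject outside the corporate account blocks the copy.
BLOCK_CROSS_ACCOUNT_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowBackupWork", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"], "Resource": "*"},
        {"Sid": "DenyWritesOutsideCorporateAccount", "Effect": "Deny",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:ResourceAccount": CORPORATE_ACCOUNT}}},
    ],
}

def _matches(patterns, value):
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)   # IAM '*' wildcards

def _condition_holds(condition, ctx):
    """Only StringEquals / StringNotEquals are modelled; other operators are not handled."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringNotEquals" and actual == expected:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Simplified IAM decision: a matching explicit Deny wins, else a matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The request context (`ctx`) stands in for the condition keys IAM populates at evaluation time; a write into a bucket owned by 987654321098 is denied while in-account reads and writes still succeed.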
8. Conclusion:
An attacker obtained compromised service account credentials from a public GitHub repository and used them to exfiltrate 826 MB of sensitive data to an external AWS account. GuardDuty detected the cross-account data transfer, but exfiltration had already occurred. A full data breach response was initiated, affecting 1.2 million customers.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated; customer notifications underway.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 11:30 EST