Additions to the Threat Stack AWS CloudTrail Ruleset

F5 Ecosystem | February 11, 2020

Threat Stack is now F5 Distributed Cloud App Infrastructure Protection (AIP). Start using Distributed Cloud AIP with your team today.

Net-new rules for Amazon ECR and AWS Systems Manager API activity

At Threat Stack, we process tens of billions of events for customers each day. Insight into that amount of data gives us a unique perspective to identify meaningful trends in AWS service usage. Two such trends we’ve recently observed have been increased usage of Amazon Elastic Container Registry (ECR) and AWS Systems Manager. To ensure that our customers use these services securely, we have added default alerting rules for ECR and Systems Manager to Threat Stack. Let’s look at some of the new rules and their filters.

Amazon ECR

You all know what a container registry is, but what’s great about Amazon ECR is how tightly it is integrated with Amazon Elastic Container Service (ECS). Of course, Threat Stack already instruments ECS environments with granular detail from Amazon Linux 2 and Docker at runtime. Now we can deliver more security observability into how static Docker images are sourced within ECR.

Here’s what Threat Stack’s new CloudTrail ECR rules include out of the box:

  • CloudTrail: ECR Create Repository (Sev 3)
  • CloudTrail: ECR Delete Repository (Sev 3)
  • CloudTrail: ECR Image Scan Findings – Severity HIGH (Sev 1)
  • CloudTrail: ECR Image Scan Findings – Severity MEDIUM (Sev 2)
  • CloudTrail: ECR Put Image (Sev 3)
  • CloudTrail: ECR Put Image Scanning Configuration (Sev 3)
  • CloudTrail: ECR Set Repository Policy (Sev 3)

In particular, let’s look at the rule CloudTrail: ECR Image Scan Findings – Severity HIGH.

Figure 1: Screenshot of Threat Stack Rules UI for CloudTrail: ECR


The filter syntax here is the most interesting bit, so here’s a closer look:

event_type = "cloudtrail" and eventSource = "ecr.amazonaws.com" and eventName = "DescribeImageScanFindings" and responseElements.imageScanFindings.findingSeverityCounts.HIGH > 0

Since the CloudTrail event JSON for the ECR image scan findings can potentially contain a long list of CVEs, we use the aggregated findingSeverityCounts object to take a quick look. From there, follow the AWS documentation to access the full findings from your scan, either through the Amazon ECR console or via the AWS CLI.

Threat Stack’s goal is to alert you as quickly as possible. But feel free to modify the severity settings, and to customize the rule filter. (For more on the Threat Stack query language used above, see our docs.)

AWS Systems Manager

AWS Systems Manager is a powerful automation tool with a wide range of features. Two of those features — AWS Systems Manager Session Manager and AWS Systems Manager Run Command — are particularly interesting for auditing purposes.

Figure 2: Screenshot of Threat Stack Rules UI for CloudTrail: SSM

Here’s what Threat Stack’s new CloudTrail Systems Manager rules include out of the box:

  • CloudTrail: SSM Cancel Command (Sev 3)
  • CloudTrail: SSM Create Component (Sev 3)
  • CloudTrail: SSM Delete Component (Sev 3)
  • CloudTrail: SSM Information Discovery (Sev 3)
  • CloudTrail: SSM Resume Session (Sev 3)
  • CloudTrail: SSM Send Command (Sev 3)
  • CloudTrail: SSM Session Terminated (Sev 3)
  • CloudTrail: SSM Start Automation Execution (Sev 3)
  • CloudTrail: SSM Start Session (Sev 3)

With Sev 3 defaults across the board, we anticipate that these alerts will be used mostly for auditing purposes — but they can always be tuned to best suit your needs. Let’s look at the filter syntax for CloudTrail: SSM Information Discovery:

event_type = "cloudtrail" and eventSource = "ssm.amazonaws.com" and (eventName starts_with "Describe" or eventName starts_with "List")

While it’s relatively straightforward, it’s a nice example of the starts_with operator that’s supported in Threat Stack’s query language.
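To show how the two filters above behave against actual records, here is an added example (not Threat Stack's code or query engine) that re-expresses the ECR Image Scan Findings and SSM Information Discovery rules in Python and runs them over a few constructed CloudTrail events. It assumes every input record is already a CloudTrail event (the `event_type = "cloudtrail"` conjunct) and reads only the fields the filters reference.

```python
# Added example, not Threat Stack's code: the post's two rule filters
# re-implemented in Python and evaluated over constructed CloudTrail records.
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]


def _get(event: Event, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as responseElements.imageScanFindings.findingSeverityCounts.HIGH."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def ecr_scan_findings(event: Event, severity: str) -> bool:
    """CloudTrail: ECR Image Scan Findings - Severity <severity> (count > 0)."""
    count = _get(event, f"responseElements.imageScanFindings.findingSeverityCounts.{severity}", 0)
    return (event.get("eventSource") == "ecr.amazonaws.com"
            and event.get("eventName") == "DescribeImageScanFindings"
            and isinstance(count, int) and count > 0)


def ssm_information_discovery(event: Event) -> bool:
    """CloudTrail: SSM Information Discovery (Describe* or List* calls to ssm)."""
    name = event.get("eventName", "")
    return (event.get("eventSource") == "ssm.amazonaws.com"
            and (name.startswith("Describe") or name.startswith("List")))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("ECR Image Scan Findings - Severity HIGH", lambda e: ecr_scan_findings(e, "HIGH")),
    ("ECR Image Scan Findings - Severity MEDIUM", lambda e: ecr_scan_findings(e, "MEDIUM")),
    ("SSM Information Discovery", ssm_information_discovery),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (eventID, rule name) for every rule each event matches."""
    return [(e.get("eventID", "?"), name) for e in events for name, fn in RULES if fn(e)]


# Constructed sample records (not real AWS data); only the fields the filters read are set.
SAMPLE_EVENTS: List[Event] = [
    {"eventID": "ev-1", "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings",
     "responseElements": {"imageScanFindings": {"findingSeverityCounts": {"HIGH": 2, "MEDIUM": 5}}}},
    {"eventID": "ev-2", "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings",
     "responseElements": {"imageScanFindings": {"findingSeverityCounts": {"LOW": 3}}}},
    {"eventID": "ev-3", "eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation"},
    {"eventID": "ev-4", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand"},
]

if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Note that ev-2 is ignored by both ECR rules because its scan reported only LOW findings, and ev-4 (SendCommand) is not a Describe/List call, so it would only be caught by the separate SSM Send Command rule.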

Moving From Rules to Events

Custom CloudTrail alerting is but one dimension of the rules you can create in Threat Stack. And once these rules fire, you’ll probably want to dig into the underlying events if you need to conduct an investigation. Check out this investigation of Docker cryptojacking, where we go step-by-step through an alert and its associated events. And look for more investigations as conducted by Threat Stack Cloud SecOps Program℠ analysts coming to this space soon!

