Quick Start Security for Amazon CloudFront
Coralogix Extension For Amazon CloudFront Includes:
Dashboards - 2
Gain instantaneous visualization of all your Amazon CloudFront data.
Alerts - 6
Stay on top of Amazon CloudFront key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Data Egress Higher Than 5Mb for content type=txt or Text
This alert is triggered when the response body size for requests with content type txt or text exceeds a preset threshold. This condition may indicate a data exfiltration attempt, where malware or a malicious actor is carrying out an unauthorized transfer of data out of the environment. The alert is part of the CloudFront extension pack aimed at identifying and mitigating such threats by monitoring anomalies in data transfer sizes, especially in text format, which is typically smaller and less scrutinized.
Impact
Potential impacts of failing to monitor unusually large text-based data transfers include:
- Data Exfiltration: Malicious extraction of significant volumes of text data, potentially exposing sensitive or proprietary information.
- Security Breach: Large, atypical transfers of text data can indicate that the system has been compromised, with an attacker actively siphoning data.
- Compliance Violations: Unregulated data transfers, especially of a sensitive nature, can breach compliance requirements, resulting in legal issues and penalties.
- Network Strain: Excessive data transfers, even if text-based, can burden network resources, affecting overall system performance and reliability.
- Reputational Risk: Incidents involving data leaks, especially through overlooked vectors like text data, can damage organizational reputation and erode stakeholder trust.
Mitigation
Effective strategies to mitigate the risk of text-based data exfiltration include:
- Threshold Adjustments: Fine-tune the alert thresholds for text content types based on typical usage and historical data to improve the accuracy of anomaly detection.
- Content Analysis: Implement content analysis tools to scrutinize the nature and necessity of outgoing text data, verifying its legitimacy.
- Enhanced Monitoring: Increase monitoring of text data responses, particularly focusing on known sensitive information channels.
- Security Enhancements: Strengthen overall data security policies, including encryption and data masking, specifically for text data, which may not traditionally be as heavily guarded.
MITRE Tactic: TA0040
MITRE Technique: T1530
Possible Account Takeover - Login Attempts From New Country
Summary
This alert is designed to activate upon detecting login attempts from a new geographical location. The system flags any login attempt made from an IP address that has not previously been associated with the user's account. This measure is vital for identifying potentially unauthorized access attempts, which may indicate account takeovers or other malicious activity.
Impact
Login attempts from new geographical locations can have several significant impacts, including:
- Unauthorized Access: New login locations can be a strong indicator of compromised account credentials being used by unauthorized individuals.
- Account Takeover: If attackers gain access, they can exploit the account for malicious purposes, such as stealing sensitive data, launching further attacks, or committing fraud.
- Data Breach: Unauthorized access to user accounts can lead to unauthorized disclosure, alteration, or destruction of sensitive information.
- Operational Disruption: Malicious activity resulting from compromised accounts can disrupt business operations and services.
- Legal and Compliance Issues: Failure to detect and respond to unauthorized access attempts may lead to violations of privacy laws and regulations, resulting in fines and legal challenges.
- Reputational Damage: Security breaches, especially those leading to data loss or service disruption, can negatively affect the organization's reputation and erode customer trust.
Mitigation
To mitigate the risks associated with login attempts from new geographical locations, consider implementing the following strategies:
- Geolocation Analysis: Use geolocation tools to analyze and flag login attempts from locations that are unusual for the user, enhancing detection capabilities.
- Multi-Factor Authentication (MFA): Implement MFA to provide an additional layer of verification of user identity, especially when a login attempt is made from a new or suspicious location.
- User Education: Educate users about the importance of security practices, such as using strong, unique passwords and recognizing phishing attempts.
- Behavioral Profiling: Develop profiles of normal user behaviour and use them to refine these detections and identify deviations that may indicate unauthorized access.
- Regular Audits and Reviews: Conduct regular security audits and reviews to ensure that security measures remain effective and adapt to new threats.
MITRE Tactic: TA0001
MITRE Technique: T1078
Possible Account Takeover - Multiple Failed Login Attempts From a Single Source
This alert is configured to trigger upon detecting multiple failed login attempts from a single IP address or user account within a specified timeframe. It is designed to identify potential brute force attacks or credential stuffing attempts, where attackers try numerous username and password combinations to gain unauthorized access to user accounts.
Impact
Multiple failed login attempts from a single source can suggest several security risks, including:
- Brute Force Attacks: Persistent attempts to guess passwords can eventually breach an account, leading to unauthorized access.
- Credential Stuffing: Using account credentials stolen in one breach to gain access to other services can result in multiple account compromises.
- Account Lockout: Repeated failed login attempts can trigger security controls that lock the user out of their account, disrupting legitimate access.
- System Load: High volumes of failed login attempts can consume system resources, potentially degrading service for legitimate users.
- Reputational and Financial Damage: Successful breaches from these attacks can lead to data theft, financial loss, and damage to the organization's reputation.
Mitigation
Effective mitigation strategies for multiple failed login attempts include:
- Account Lockout Policies: Implement account lockout mechanisms after a certain number of failed login attempts to prevent continued attempts.
- Rate Limiting: Set up rate limiting to slow down the attack, making brute force or credential stuffing attacks less feasible for attackers.
- Multi-Factor Authentication (MFA): Require MFA to add a layer of security that demands more than just the user's password for access.
- Monitoring and Alerts: Enhance monitoring of login patterns and set up alerts for unusual activity, such as spikes in failed logins, to quickly detect and respond to potential attacks.
- User Education: Educate users about the importance of strong, unique passwords and the dangers of reusing passwords across multiple sites.
- Regular Security Audits: Conduct regular security audits and reviews to assess and improve the effectiveness of existing security measures.
MITRE Tactic: TA0001
MITRE Technique: T1110
Data Egress Higher Than 100Mb
This alert is triggered when the egress data size surpasses 100MB for any single request that is not served from the CloudFront cache. This scenario typically indicates an unusual or potentially unauthorized data transmission, which may suggest an attempted data breach or unexpected application behaviour. Monitoring and controlling large data egress can prevent data loss and identify potential security threats.
Impact
The potential impacts of not monitoring large data egress include:
- Data Loss: Significant amounts of data may be extracted without authorization, leading to loss of sensitive or proprietary information.
- Security Breach: Large data egress could be a sign of a compromised system from which data is being exfiltrated by attackers.
- Compliance Violations: Unmonitored data transfer can result in violations of data privacy regulations and standards, leading to legal and financial repercussions.
- Network Congestion: Large data transfers can consume substantial bandwidth, impacting network performance and the availability of applications.
- Reputational Damage: Incidents of data leakage can harm an organization's reputation, affecting customer trust and business operations.
Mitigation
Mitigation strategies for excessive data egress include:
- Threshold Tuning: Adjust the threshold values for data egress alerts based on the expected traffic and response sizes to balance the sensitivity and specificity of the alerts.
- Traffic Analysis: Analyze traffic patterns regularly to identify and validate legitimate data transfers while detecting and investigating anomalies.
- Security Policies: Implement strict security policies and controls on data access and transfer, ensuring only authorized transactions are allowed.
- Encryption and Masking: Use encryption and data masking techniques to secure data in transit and at rest, reducing the impact of potential data breaches.
MITRE Tactic: TA0040
MITRE Technique: T1530
Data Transfer In Small Segments
Summary
This alert is designed to trigger whenever data transfers occur in fragmented segments. Specifically, it activates when multiple requests from a single IP address transfer data in small chunks during a defined time interval. The configured threshold for this alert is data segments of 5MB or more, with more than 10 occurrences within a 10-minute period. These parameters can be adjusted to align with specific business requirements and risk profiles.
Impact
The fragmentation of data transfers into small segments from a single source can indicate data exfiltration activity. The impacts of such events can include:
- Data Exfiltration: Small, fragmented data transfers can be a tactic used by malicious actors to avoid detection while slowly siphoning sensitive information.
- System Compromise: This pattern of data transfer may also indicate that the system's security has been compromised, allowing the attacker to execute unauthorized data movements.
- Operational Disruption: Repeated small data requests can overload systems, potentially leading to slower response times and degraded service for legitimate users.
- Compliance Risks: Unauthorized data transfers, especially of sensitive or regulated data, can lead to compliance issues with data protection regulations, which might incur penalties or legal action.
- Reputation Damage: Security breaches involving data exfiltration can negatively impact an organization's reputation, leading to a loss of customer trust and potential business.
Mitigation
Strategies to mitigate the risks associated with fragmented data transfers include:
- Anomaly Detection: Enhance monitoring systems to detect anomalies in data transfer patterns, focusing on the size and frequency of transfers.
- Security Posture Adjustment: Review and adjust security policies and controls to better detect and respond to fragmented data transfers, potentially tightening restrictions on data movement.
- Forensic Analysis: Conduct forensic investigations to trace the origin and intent of fragmented transfers, identifying potential breaches or misuse of system resources.
- Threshold Reevaluation: Regularly review and modify the threshold settings for alerts based on evolving business needs and emerging threat patterns.
- User and Entity Behavior Analytics (UEBA): Implement UEBA solutions to identify unusual behavior patterns associated with specific users or IP addresses, enhancing overall security monitoring and response capabilities.
MITRE Tactic: TA0010
MITRE Technique: T1078
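As an added example (not Coralogix's alert implementation), the following Python evaluates the three egress-style conditions described above (text responses over 5MB, uncached responses over 100MB, and more than 10 segments of 5MB or more from one IP within 10 minutes) over constructed log lines. It assumes a simplified tab-separated subset of the CloudFront standard log fields; the IPs and byte counts are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed sample: tab-separated subset of CloudFront standard log fields
# (date, time, sc-bytes, c-ip, x-edge-result-type, sc-content-type).
SAMPLE_LOG = "\n".join(
    # eleven 6 MB text/plain responses to one IP within five minutes
    [f"2024-05-01\t10:0{i // 2}:{'30' if i % 2 else '00'}\t6291456\t203.0.113.7\tMiss\ttext/plain"
     for i in range(11)]
    + ["2024-05-01\t10:02:10\t157286400\t198.51.100.9\tMiss\tapplication/zip",  # 150 MB, uncached
       "2024-05-01\t10:03:00\t157286400\t192.0.2.44\tHit\tvideo/mp4",           # 150 MB, cache hit
       "2024-05-01\t10:04:00\t512\t192.0.2.44\tHit\ttext/html"])                # small, benign

def parse(log_text):
    """Turn sample lines into dicts: timestamp, byte count, client IP, content type, cache flag."""
    records = []
    for line in log_text.splitlines():
        date, clock, sc_bytes, c_ip, result_type, ctype = line.split("\t")
        records.append({"ts": datetime.fromisoformat(f"{date}T{clock}"),
                        "bytes": int(sc_bytes), "ip": c_ip, "ctype": ctype,
                        "cached": result_type in ("Hit", "RefreshHit")})
    return records

def large_text_egress(records, threshold=5 * MB):
    """Data Egress Higher Than 5Mb for txt/text: any text/* response above the threshold."""
    return sorted({r["ip"] for r in records
                   if r["bytes"] > threshold and r["ctype"].split("/")[0] == "text"})

def large_uncached_egress(records, threshold=100 * MB):
    """Data Egress Higher Than 100Mb: a single response above the threshold that was not a cache hit."""
    return sorted({r["ip"] for r in records if r["bytes"] > threshold and not r["cached"]})

def small_segment_transfers(records, min_bytes=5 * MB, min_count=10, window=timedelta(minutes=10)):
    """Data Transfer In Small Segments: more than min_count responses of at least
    min_bytes from one IP inside a sliding time window of the given length."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["bytes"] >= min_bytes:
            by_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 > min_count:
                flagged.add(ip)
    return sorted(flagged)
```

Note that the cached 150 MB response is deliberately not flagged by the 100MB rule, matching the "not served from the CloudFront cache" condition in the alert description.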
High Bad Actor Score Detected for IP
This alarm is configured to activate when an IP address is detected with a high bad actor score, indicative of malicious intent or previous involvement in security incidents. Upon detection, the alarm triggers an automated response that interfaces with an API gateway. This integration facilitates the immediate update of AWS WAF rules to block the identified IP address, preventing further potentially harmful interactions with system resources.
Impact
Potential security impact addressed by this alert and its related actions:
- Unauthorized Access Prevention: By detecting and blocking IPs with high bad actor scores, the system prevents unauthorized access attempts, protecting sensitive data and resources.
- Mitigation of Malicious Activities: Blocking high-risk IPs reduces the likelihood of malicious activity such as data exfiltration, injection attacks, and account takeovers.
- Protection Against Distributed Denial-of-Service (DDoS) Attacks: Identifying and blocking IPs involved in coordinated attacks helps to mitigate the risk of DDoS attacks, ensuring service availability.
- Reduced Exposure to Automated Threats: Automated bots and scripts often use multiple IPs to launch attacks. By blocking IPs with high bad actor scores, the system reduces exposure to these automated threats.
- Decreased Security Incident Frequency: Proactively blocking high-risk IPs decreases the frequency and severity of security incidents, leading to a more secure and stable environment.
- Compliance with Security Policies: Ensuring that high-risk IPs are blocked helps maintain compliance with organizational and regulatory security policies, reducing legal and compliance risk.
- Resource Protection: Prevents malicious entities from consuming bandwidth, computing power, and other resources, preserving them for legitimate users and operations.
Mitigation
Potential mitigation measures include:
- Automated IP Blocking: (i) Upon detection of a high bad actor score, automatically update AWS WAF rules to block the identified IP address. (ii) Integrate with API Gateway to ensure real-time updates and enforcement of WAF rules.
- Enhanced Monitoring and Logging: (i) Enable detailed logging for all requests from flagged IP addresses to gather additional context and support further investigation. (ii) Use AWS CloudWatch and AWS CloudTrail to monitor and log security events for comprehensive visibility.
- Rate Limiting: (i) Implement rate limiting rules to control the number of requests from any single IP address, reducing the impact of automated attacks. (ii) Use AWS WAF rate-based rules to dynamically adjust thresholds based on observed traffic patterns.
- Threat Intelligence Integration: (i) Leverage AWS GuardDuty findings to enhance the detection of malicious IPs and correlate them with other security data.
- Periodic Review and Tuning: (i) Regularly review the thresholds and rules for detecting high bad actor scores to ensure they remain effective and relevant. (ii) Adjust parameters
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon CloudFront in our documentation.