Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Hour
Deduplication Period | 1 Day
Required Data |
Detection Modules | Cloud
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
An AWS KMS key from a non-organization owned account was used to encrypt multiple objects in the bucket for the first time.
This may indicate an attempt to carry out a ransomware attack against the organization's cloud environment, since objects encrypted with a key the organization does not control cannot be decrypted without the key owner's cooperation.
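The following is an added example, not the detector's own logic, showing how this condition can be checked over CloudTrail S3 data events: group object encryption events by bucket and KMS key ARN, keep only keys whose ARN account ID is outside the organization, and alert when such a pair is not in the training-period baseline and covers several objects. The organization account list, the baseline set, the threshold of three objects and the sample events are all constructed for the example; the CloudTrail field names are assumed from the PutObject record layout.

```python
from collections import defaultdict

# Constructed: accounts treated as belonging to the organization (assumption).
ORG_ACCOUNTS = {"111122223333"}

# Constructed CloudTrail-style S3 data events (not real logs). Five objects in
# one bucket encrypted with a key owned by account 999988887777 (external),
# one object elsewhere encrypted with an organization-owned key.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"bucketName": "finance-reports", "key": f"q1/report-{i}.pdf",
                           "x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:999988887777:key/EXAMPLE-KEY-ID"}}
    for i in range(5)
] + [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
     "requestParameters": {"bucketName": "app-assets", "key": "logo.png",
                           "x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-ORG-KEY"}}
]

def kms_key_account(key_arn):
    """Return the account ID embedded in a KMS key ARN, or None if it is not one."""
    parts = key_arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[2] == "kms" else None

def find_external_kms_encryption(events, org_accounts, baseline, min_objects=3):
    """Return one alert per (bucket, key ARN) pair where the key is owned outside
    org_accounts, the pair is absent from the baseline, and at least min_objects
    distinct objects were encrypted with it."""
    objects = defaultdict(set)   # (bucket, key_arn) -> object keys written
    actors = {}                  # (bucket, key_arn) -> last identity seen
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        rp = ev.get("requestParameters", {})
        key_arn = rp.get("x-amz-server-side-encryption-aws-kms-key-id")
        if rp.get("x-amz-server-side-encryption") != "aws:kms" or not key_arn:
            continue
        acct = kms_key_account(key_arn)
        if acct is None or acct in org_accounts:
            continue             # organization-owned key: expected usage
        pair = (rp.get("bucketName"), key_arn)
        objects[pair].add(rp.get("key"))
        actors[pair] = ev.get("userIdentity", {}).get("arn")
    return [{"bucket": b, "kms_key": k, "key_account": kms_key_account(k),
             "objects": len(objs), "actor": actors[(b, k)]}
            for (b, k), objs in objects.items()
            if (b, k) not in baseline and len(objs) >= min_objects]
```

Seeding the baseline with pairs observed during the training period is what turns this into a "first time" detection rather than a plain external-key count.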
Attacker's Goals
- Gain monetary compensation in exchange for decryption or the decryption key.
- Permanently deny access to important storage objects.
Investigative actions
- Check whether the external KMS key belongs to a legitimate, approved encryption service or partner account.
- Check whether the identity performed enumeration activity to find insecure S3 buckets, i.e. buckets configured without versioning and MFA Delete.
- Detect additional buckets that were encrypted using the same external KMS service.
- Disable the identity from which the external service was configured.
- Enable versioning on every critical bucket.
- Enable MFA Delete on every critical bucket.