AWS Threat Hunting Ideas: SNS

Overview:

The following are some threat hunting ideas for the SNS service.

1. Unauthorized Topic Creation (CreateTopic)

Goal: Detect unauthorized creation of SNS topics for malicious purposes.
CloudTrail Event: CreateTopic
Hunting Idea:
- Identify topics created by unexpected users or during unusual times.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateTopic
- Monitor for a sudden spike in topic creation, which may indicate an automated attack or misuse.

2. Suspected Data Exfiltration (Publish)

Goal: Detect data exfiltration attempts by sending sensitive data through SNS topics.
CloudTrail Event: Publish
Hunting Idea:
- Look for Publish events containing large payloads or frequent invocations from unknown users.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Publish
- Correlate with other data exfiltration indicators (e.g., unusual traffic in VPC Flow Logs).

3. Unauthorized Topic Deletion (DeleteTopic)

Goal: Detect attempts to delete SNS topics to disrupt communication or hide malicious activity.
CloudTrail Event: DeleteTopic
Hunting Idea:
- Monitor for DeleteTopic events on critical topics, especially during off-hours.
- Cross-reference with other logs to check if topic deletion is part of a larger attack.

Goal: Detect unauthorized changes to SNS subscriptions.
CloudTrail Events: Subscribe, Unsubscribe
Hunting Idea:
- Monitor Subscribe events to ensure only authorized entities subscribe to topics.
- Investigate Unsubscribe events to ensure critical subscriptions are not removed maliciously.

5. Modifying Topic Policies (SetTopicAttributes)

Goal: Detect unauthorized policy changes that might expose SNS topics.
CloudTrail Event: SetTopicAttributes
Hunting Idea:
- Hunt for changes that make topics publicly accessible or reduce security controls.
- Look for cross-account access granted to unknown AWS accounts.

6. Enabling or Disabling Logging (SetTopicAttributes)

Goal: Detect disabling of SNS delivery status logging to hide malicious activity.
CloudTrail Event: SetTopicAttributes
Hunting Idea:
- Monitor changes to delivery status logging configuration to ensure logging remains enabled.

7. Cross-Account Access Grant (AddPermission/RemovePermission)

Goal: Detect unauthorized permissions allowing cross-account access to SNS topics.
CloudTrail Events: AddPermission, RemovePermission
Hunting Idea:
- Monitor AddPermission events to ensure cross-account access is not granted without approval.
- Look for RemovePermission events targeting security-critical topics.

8. Unusual Topic Usage (Publish)

Goal: Detect anomalies in topic usage patterns.
CloudTrail Event: Publish
Hunting Idea:
- Identify topics with an unusually high rate of Publish events, which could indicate abuse.
- Correlate with CloudWatch metrics to spot performance issues or misuse.

9. Unauthorized Delivery Protocol Changes (SetSubscriptionAttributes)

Goal: Detect changes in delivery protocols (e.g., switching from HTTPS to HTTP) that reduce security.
CloudTrail Event: SetSubscriptionAttributes
Hunting Idea:
- Monitor changes in subscription protocols, especially if switched to less secure protocols.

Goal: Detect message flooding or DoS attacks using SNS topics.
CloudTrail Events: Publish, Subscribe
Hunting Idea:
- Hunt for a sudden spike in Publish events or large-scale subscriptions that may indicate flooding.
- Look for patterns where multiple unknown accounts subscribe to the same topic.

PreviousAWS Threat Hunting Ideas: SQS NextAWS Threat Hunting Ideas: RDS

Last updated 1 year ago