Author: Author's Name
Approver: Approver Name
Last Date Approved:
Throughout the execution of the playbook, focus on the desired outcomes and take notes that can be used to improve incident response capabilities:
- Vulnerabilities exploited
- Exploits and tools observed
- Actor's intent
- Actor's attribution
- Damage inflicted to the environment and business
- Return to original and hardened configuration
AWS Cloud Adoption Framework Security Perspective
- Directive
- Detective
- Responsive
- Preventative
- [PREPARATION] Use AWS GuardDuty detections for IAM
- [PREPARATION] Identify, document, and test escalation procedures
- [DETECTION AND ANALYSIS] Perform detection and analyze CloudTrail for unrecognized API events
- [DETECTION AND ANALYSIS] Perform detection and analyze CloudWatch for unrecognized events
- [CONTAINMENT & ERADICATION] Delete or rotate IAM User Keys
- [CONTAINMENT & ERADICATION] Delete or rotate unrecognized resources
- [CONTAINMENT & ERADICATION] Rotate SMTP Credentials
- [RECOVERY] Execute recovery procedures as appropriate
The response steps follow the Incident Response Life Cycle from NIST Special Publication 800-61r2, Computer Security Incident Handling Guide.
- Tactics, techniques, and procedures: Tool: AWS Management Console
- Category: Log Analysis
- Resource: SES
- Indicators: Cyber Threat Intelligence, Third Party Notice
- Log Sources: CloudTrail
- Teams: Security Operations Center (SOC), Forensic Investigators, Cloud Engineering
- Preparation
- Detection & Analysis
- Containment & Eradication
- Recovery
- Post-Incident Activity
This playbook outlines the response process for attacks against AWS Simple Email Service (SES). In combination with this guide, please review the Amazon SES Sending review process FAQs for answers about enforcement actions and responses to adverse SES usage.
For additional information, please review the AWS Security Incident Response Guide.
- Assess your security posture to identify and remediate security gaps
- AWS developed a new open source Self-Service Security Assessment tool that provides customers with a point-in-time assessment to gain valuable insights into the security posture of their AWS account.
- Maintain a complete asset inventory of all resources including servers, networking devices, network/file shares and developer machines
- Consider implementing AWS GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon SES
- Implement CIS AWS Foundations including expiration of accounts and mandatory credential rotations
- Enforce multi-factor authentication (MFA)
- Enforce password complexity requirements and establish expiration periods
- Run an IAM Credential Report to list all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices
- Use AWS IAM Access Analyzer to identify the resources in your organization and accounts, such as IAM roles that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk
- Use Sending Authorization Policies to control who can send email and from where
- Use configuration sets to create dedicated IP address pools permitted to send various types of messages
- Consider using Dedicated IP addresses for Amazon SES
- Manage your own lists for mailing and subscriptions as well as for email suppression in Amazon SES
- Set up Amazon SES event publishing for real-time notifications
- Use least-privilege Identity and Access Management in Amazon SES
- Review SES best practices, focusing on Security and Access
- Set up SPF, DKIM, and DMARC for your own domain to help prevent phishing and spoofing
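The credential report, MFA and key-rotation items above, as an added example that is not part of the playbook: a script that triages the decoded CSV an IAM credential report produces (root access keys, console users without MFA, active keys past a rotation window). The sample rows, the fixed clock and the 90-day window are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report; column names match the real report
# (a subset, read by name, so the full report's extra columns are harmless).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,false,true,2021-03-03T00:00:00+00:00,2024-05-01T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-02-02T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-04-01T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-02T09:00:00+00:00,false,N/A,N/A
ses-smtp-user,arn:aws:iam::111122223333:user/ses-smtp-user,2021-06-01T00:00:00+00:00,false,no_information,N/A,false,true,2021-06-01T00:00:00+00:00,2024-05-03T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-03T00:00:00+00:00,true,no_information,2023-03-03T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                   # assumption: CIS-style rotation window


def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def triage_credential_report(csv_text, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for the MFA and key-rotation checks above."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and no long-lived access keys at all
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root access key active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root without MFA"))
            continue
        # Console users must have MFA enforced
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Active access keys past the rotation window (or never rotated)
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {n} older than {max_key_age.days} days"))
    return findings
```

Feed it the base64-decoded content of a real report to get the same findings for your own account.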
The following findings are specific to IAM entities and access keys and always have a Resource Type of AccessKey. The severity and details of the findings differ based on the finding type. For more information on each finding type please reference the GuardDuty IAM finding types webpage.
- CredentialAccess:IAMUser/AnomalousBehavior
- DefenseEvasion:IAMUser/AnomalousBehavior
- Discovery:IAMUser/AnomalousBehavior
- Exfiltration:IAMUser/AnomalousBehavior
- Impact:IAMUser/AnomalousBehavior
- InitialAccess:IAMUser/AnomalousBehavior
- PenTest:IAMUser/KaliLinux
- PenTest:IAMUser/ParrotLinux
- PenTest:IAMUser/PentooLinux
- Persistence:IAMUser/AnomalousBehavior
- Policy:IAMUser/RootCredentialUsage
- PrivilegeEscalation:IAMUser/AnomalousBehavior
- Recon:IAMUser/MaliciousIPCaller
- Recon:IAMUser/MaliciousIPCaller.Custom
- Recon:IAMUser/TorIPCaller
- Stealth:IAMUser/CloudTrailLoggingDisabled
- Stealth:IAMUser/PasswordPolicyChange
- UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
- UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
- UnauthorizedAccess:IAMUser/MaliciousIPCaller
- UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
- UnauthorizedAccess:IAMUser/TorIPCaller
- I need a business decision on when forensics should be conducted.
- Who is monitoring the logs/alerts, receiving them, and acting upon each?
- Who gets notified when an alert is discovered?
- When do public relations and legal get involved in the process?
- When would you reach out to AWS Support for help?
Amazon SES is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon SES. CloudTrail captures API calls for Amazon SES as events. The calls captured include calls from the Amazon SES console and code calls to the Amazon SES API operations.
The following are specific CloudTrail eventName values to look for when reviewing changes in your account related to SES:
- DeleteIdentity
- DeleteIdentityPolicy
- DeleteReceiptFilter
- DeleteReceiptRule
- DeleteReceiptRuleSet
- DeleteVerifiedEmailAddress
- GetSendQuota
- PutIdentityPolicy
- UpdateReceiptRule
- VerifyDomainDkim
- VerifyDomainIdentity
- VerifyEmailAddress
- VerifyEmailIdentity
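One way to run the watchlist above over exported CloudTrail records, as an added example that is not part of the playbook: it keeps only SES events whose eventName is on the list and pivots the hits by calling principal. The sample records, account number and IP addresses are constructed.

```python
import json

SES_WATCHLIST = {  # the SES eventName values from the playbook's list above
    "DeleteIdentity", "DeleteIdentityPolicy", "DeleteReceiptFilter",
    "DeleteReceiptRule", "DeleteReceiptRuleSet", "DeleteVerifiedEmailAddress",
    "GetSendQuota", "PutIdentityPolicy", "UpdateReceiptRule", "VerifyDomainDkim",
    "VerifyDomainIdentity", "VerifyEmailAddress", "VerifyEmailIdentity",
}

# Constructed sample CloudTrail log (trimmed to the fields used); not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-03T08:01:12Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ses-smtp-user"}},
    {"eventTime": "2024-05-03T08:01:40Z", "eventSource": "ses.amazonaws.com",
     "eventName": "VerifyEmailIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ses-smtp-user"},
     "requestParameters": {"emailAddress": "billing@example.com"}},
    {"eventTime": "2024-05-03T08:02:05Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendEmail", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ses-smtp-user"}},
    {"eventTime": "2024-05-03T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}},
]})


def _principal(identity):
    """Label the caller: IAM userName, else ARN, else identity type."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def find_ses_watchlist_events(log_text, watchlist=SES_WATCHLIST):
    """Return (eventTime, principal, eventName, sourceIP, requestParameters) per hit."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        # Only SES API calls, and only eventName values on the watchlist
        if rec.get("eventSource") != "ses.amazonaws.com" or rec.get("eventName") not in watchlist:
            continue
        hits.append((rec["eventTime"], _principal(rec.get("userIdentity", {})),
                     rec["eventName"], rec.get("sourceIPAddress"),
                     rec.get("requestParameters", {})))
    return hits


def summarize_by_principal(hits):
    """Count watchlist hits per principal, the first pivot an analyst needs."""
    counts = {}
    for _, principal, *_ in hits:
        counts[principal] = counts.get(principal, 0) + 1
    return counts
```

The same functions work on the Records array of any CloudTrail log file delivered to S3; extend the watchlist with the sending-side event names you care about.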
Viewing events with CloudTrail Event history
- Log and monitor SES events (e.g. sending, bounces, complaints)
- Monitor sender reputation metrics
- Set up appropriate CloudWatch alarms or a dashboard for SES metrics
- Delete or rotate IAM User Keys and Root User Keys; you may wish to rotate all keys in your account if you cannot identify the specific key or keys that have been exposed
- Delete unauthorized IAM Users
- Delete unauthorized policies
- Delete unauthorized roles
- Revoke temporary credentials. Temporary credentials can also be revoked by deleting the IAM User.
- NOTE: Deleting IAM Users may impact production workloads and should be done with care
- Rotate SMTP Credentials
- Create new IAM users with least-privilege access policies
- Implement the steps and resources found in the section Preparation - SES Specific:
- Log and monitor SES events (e.g. sending, bounces, complaints)
- Monitor sender reputation metrics
- Set up appropriate CloudWatch alarms or a dashboard for SES metrics
This is a place to add items specific to your company that do not necessarily need "fixing", but are important to know when executing this playbook in tandem with operational and business requirements.