Preface
Detecting data exfiltration can be a daunting task. One of the more common use cases is detecting users exfiltrating data via USB drives. In this post, we will explore a more unconventional way to move a large quantity of data silently via two common AWS services: EC2 and EBS.

Let’s look at the process of this exfiltration method:

Demonstration:

1. First, create an EC2 instance in the “internal” AWS account, the one holding the data we want to exfiltrate. For this demo, create a directory called “exfiltrated-data” containing a file called “exfiltrated_file” with the content “this data has been exfiltrated”.

2. Then select “Create image” on the EC2 instance from the step above. This produces an AMI backed by an EBS snapshot of the instance’s volume.

3. The new AMI appears in the Amazon Machine Images section. Pay attention to the Visibility column: every AMI is Private at creation.

4. Now the key step: change the AMI’s visibility to Public so that any AWS account can see and launch it. The permission can be set to Public or to a designated account. In the same step, the EBS snapshot backing the AMI is shared along with it.

5. The AMI’s visibility is now Public.

6. So how exactly do we exfiltrate the data now? Switch to an AWS account that is completely unrelated to the account above.

7. Go to the AMIs section, switch the filter to public images, and search for the AMI that was just made public.

Found it. Pay attention to the account shown in the top-right corner: from a completely different account, we can now search for and find the AMI that was made public from the internal account used to store the data we wanted to exfiltrate.

8. Provision an EC2 instance from that AMI; let’s call it perpetrator-outside.

9. SSH into the new instance and find the data at the same path.


Done. We have successfully moved data from the internal account to an external one, leaving almost no trace that directly indicates data exfiltration: the only footprint in the internal account is the AMI (and its snapshot) being made public, and the launch from the outside account does not show up in the internal account’s CloudTrail at all.

Note that every step here is normal, supported usage of AWS services; nothing in this chain is a vulnerability. AWS’s account-level “block public access” settings for AMIs and for EBS snapshots prevent this particular sharing path outright; where they are not enabled, detection is what remains.

Detection Correlation rule:

Log source: CloudTrail

Alert Logic:

Result:

This is by no means the end of our detection journey. We could enrich the logic further with EDR data to look for large or out-of-the-ordinary scp or rsync transfers, or correlate with Workday data to pick up termination dates and raise the risk score.
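The detection logic described in this section, written out as an added example that is not part of the original post (the post’s own alert logic is not reproduced here). It runs over constructed CloudTrail records that mirror steps 2 through 4 of the demo above (CreateImage, then ModifyImageAttribute and ModifySnapshotAttribute granting group=all), flags any grant to the public or to an account outside a trusted list, raises the score when the same principal ran CreateImage shortly before sharing, and applies the Workday-style termination enrichment mentioned above. The event names and requestParameters fields follow CloudTrail’s EC2 record format; the score weights, the 24-hour window, and every ID, ARN and account number are my assumptions.

```python
"""Flag CloudTrail events that make an AMI or EBS snapshot available outside
the account, correlate them with the CreateImage call that built the image and
with an HR termination list, and produce a risk score per event."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records, one JSON object per line (not real
# logs). The field layout follows CloudTrail's record format; account IDs,
# ARNs and resource IDs are placeholders. Lines 1-3 mirror the demo above:
# CreateImage, then the AMI and its snapshot are made public by the same user.
# Line 4 shares an AMI with one specific account; line 5 is an unrelated
# attribute change that must not fire.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateImage","userIdentity":{"arn":"arn:aws:iam::111111111111:user/insider"},"requestParameters":{"instanceId":"i-0123456789abcdef0","name":"perpetrator-inside"},"responseElements":{"imageId":"ami-0aaaaaaaaaaaaaaaa"}}
{"eventTime":"2024-05-01T10:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/insider"},"requestParameters":{"imageId":"ami-0aaaaaaaaaaaaaaaa","attributeType":"launchPermission","launchPermission":{"add":{"items":[{"group":"all"}]}}}}
{"eventTime":"2024-05-01T10:07:05Z","eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/insider"},"requestParameters":{"snapshotId":"snap-0bbbbbbbbbbbbbbbb","attributeType":"createVolumePermission","createVolumePermission":{"add":{"items":[{"group":"all"}]}}}}
{"eventTime":"2024-05-01T11:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/builder"},"requestParameters":{"imageId":"ami-0ccccccccccccccccc","attributeType":"launchPermission","launchPermission":{"add":{"items":[{"userId":"222222222222"}]}}}}
{"eventTime":"2024-05-01T12:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","userIdentity":{"arn":"arn:aws:iam::111111111111:user/builder"},"requestParameters":{"imageId":"ami-0ddddddddddddddddd","attributeType":"description","description":{"value":"golden image"}}}
"""


def parse_records(text):
    """Parse newline-delimited JSON CloudTrail records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(ev):
    return (ev.get("userIdentity") or {}).get("arn", "unknown")


def share_target(ev):
    """Return (resource_id, grantees) for an event that adds launch permission
    on an AMI or createVolume permission on a snapshot; grantees are 'all'
    (public) or 12-digit account IDs. Anything else returns (None, [])."""
    params = ev.get("requestParameters") or {}
    if ev.get("eventName") == "ModifyImageAttribute":
        items = params.get("launchPermission", {}).get("add", {}).get("items", [])
        resource = params.get("imageId")
    elif ev.get("eventName") == "ModifySnapshotAttribute":
        items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        resource = params.get("snapshotId")
    else:
        return None, []
    grantees = [g for g in (i.get("group") or i.get("userId") for i in items) if g]
    return (resource, grantees) if resource and grantees else (None, [])


def detect(events, trusted_accounts=frozenset(), terminated_users=frozenset(),
           window=timedelta(hours=24)):
    """Score every sharing event. trusted_accounts: account IDs that may
    legitimately receive images (e.g. the rest of the AWS Organization).
    terminated_users: principal ARNs with a termination date on file (the
    Workday enrichment). Returns alerts in time order."""
    events = sorted(events, key=_when)
    # Index CreateImage calls by the image they produced (responseElements.imageId).
    created = {}
    for ev in events:
        if ev.get("eventName") == "CreateImage":
            image_id = (ev.get("responseElements") or {}).get("imageId")
            if image_id:
                created[image_id] = (_principal(ev), _when(ev))

    alerts = []
    for ev in events:
        resource, grantees = share_target(ev)
        if not resource:
            continue
        who, when = _principal(ev), _when(ev)
        score, reasons = 0, []
        if "all" in grantees:
            score += 60
            reasons.append("made public (group=all)")
        outside = sorted(g for g in grantees if g != "all" and g not in trusted_accounts)
        if outside:
            score += 40
            reasons.append("shared with untrusted account(s) " + ",".join(outside))
        if score == 0:
            continue  # shared only with trusted accounts: normal usage, no alert
        origin = created.get(resource)
        if origin and origin[0] == who and timedelta(0) <= when - origin[1] <= window:
            score += 20
            reasons.append("same principal ran CreateImage %s earlier" % (when - origin[1]))
        if who in terminated_users:
            score += 20
            reasons.append("principal has a termination date on file")
        alerts.append({"time": ev["eventTime"], "principal": who,
                       "resource": resource, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    hits = detect(parse_records(SAMPLE_LOG),
                  trusted_accounts={"222222222222"},
                  terminated_users={"arn:aws:iam::111111111111:user/insider"})
    for hit in hits:
        print(hit["score"], hit["time"], hit["principal"], hit["resource"], "; ".join(hit["reasons"]))
```

Two design points worth noting. The launch of the AMI from the outside account generates no event in the internal account’s CloudTrail, so the sharing event itself is the only place the internal account can catch this; and because AMI builders share images across an organization as a matter of routine, the trusted-account allowlist is what keeps the rule from firing on every legitimate ModifyImageAttribute. The snapshot-level event is scored separately on purpose: an EBS snapshot made public exposes the same data even when the AMI is never shared.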

Summary

Such a simple yet effective method to get data out, using two of the most common services in AWS: EC2 and EBS.

And EC2 and EBS aren’t the only things that can be used to exfiltrate data. Many other AWS services can be leveraged the same way, such as S3, EKS and RDS. The goal of this post is to demonstrate the importance of looking at insider threat and data exfiltration from multiple angles and perspectives, top down and bottom up.