Analytics Story: Cloud Cryptomining

Date: 2019-10-02 ID: 3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a Author: David Dorsey, Splunk Product: Splunk Enterprise Security

Description

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

Why it matters

Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. Cryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. When malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. This Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Abnormally High Number Of Cloud Instances Launched Cloud Accounts, Valid Accounts Anomaly
Cloud Compute Instance Created By Previously Unseen User Cloud Accounts, Valid Accounts Anomaly
Cloud Compute Instance Created In Previously Unused Region Unused/Unsupported Cloud Regions Anomaly
Cloud Compute Instance Created With Previously Unseen Image None Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type None Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
AWS CloudTrail AWS icon AWS aws:cloudtrail aws_cloudtrail

References

Source: GitHub | Version: 1