forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cloud_cryptomining.yml
44 lines (41 loc) · 2.33 KB
/
cloud_cryptomining.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: Cloud Cryptomining
id: 3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a
version: 1
date: '2019-10-02'
author: David Dorsey, Splunk
description: Monitor your cloud compute instances for activities related to cryptojacking/cryptomining.
New instances that originate from previously unseen regions, users who launch abnormally
high numbers of instances, or compute instances started by previously unseen users
are just a few examples of potentially malicious behavior.
narrative: 'Cryptomining is an intentionally difficult, resource-intensive business.
Its complexity was designed into the process to ensure that the number of blocks
mined each day would remain steady. So, it''s par for the course that ambitious,
but unscrupulous, miners make amassing the computing power of large enterprises--a
practice known as cryptojacking--a top priority.
Cryptojacking has attracted an increasing amount of media attention since its explosion
in popularity in the fall of 2017. The attacks have moved from in-browser exploits
and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS),
Google Cloud Platform (GCP), and Azure. It''s difficult to determine exactly how
widespread the practice has become, since bad actors continually evolve their ability
to escape detection, including employing unlisted endpoints, moderating their CPU
usage, and hiding the mining pool''s IP address behind a free CDN.
When malicious miners appropriate a cloud instance, often spinning up hundreds of
new instances, the costs can become astronomical for the account holder. So it is
critically important to monitor your systems for suspicious activities that could
indicate that your network has been infiltrated.
This Analytic Story is focused on detecting suspicious new instances in your cloud
environment to help prevent cryptominers from gaining a foothold. It contains detection
searches that will detect when a previously unused instance type or AMI is used.
It also contains support searches to build lookup files to ensure proper execution
of the detection searches.'
references:
- https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
tags:
category:
- Cloud Security
product:
- Splunk Security Analytics for AWS
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Security Monitoring