Last week, GitGuardian published an article on disseminating honeytokens at scale, providing a step-by-step guide on deployment jobs: How to Disseminate Honeytokens At Scale: Step-by-Step Guide to Deployment Jobs.
Building upon that foundation, we now present a comprehensive guide on responding to AWS key honeytoken triggers.
When an AWS key honeytoken is triggered, it indicates that someone has potentially accessed the key and attempted to use it with the AWS CLI or SDKs. This could happen if, for example, a malicious actor got access to the asset where the honeytoken was placed, or if the code containing the honeytoken is accidentally (or intentionally) made public on GitHub. If this happens, you should follow a well-defined incident response plan. In this article, we'll walk you through the steps to take when an AWS key honeytoken is triggered.
A Step-by-Step Guide
1. Verify the Alert
The first step is to confirm that the honeytoken trigger is genuine and not a false positive. Review the alert details, such as the timestamp, source IP address, and any additional contextual information provided by GitGuardian. Cross-reference the information with your known AWS usage patterns to determine if it's a legitimate trigger. Take note of any discrepancies or unusual activity that may indicate a real security incident.
2. Investigate the Scope of the Incident
Conduct a thorough investigation to determine the extent of the incident. Analyze the information provided by GitGuardian to identify the specific AWS CLI command or SDK API call that triggered the honeytoken. Look for details such as the command used, the API endpoint accessed, and any associated request parameters.
3. Identify the Compromised Asset
Investigate the asset where the honeytoken was placed and check for signs of unauthorized access, data exfiltration, or suspicious activity. Determine if there are any other potentially compromised credentials or sensitive information associated with the affected asset. Once the compromised asset has been identified, take immediate steps to secure it. This may include revoking access, rotating credentials, patching vulnerabilities, or isolating the asset from the network. Ensure that any unauthorized access is blocked and that the asset is protected from further compromise.
4. Review and Strengthen Security Measures
Review your AWS security posture and identify any gaps or weaknesses that may have contributed to the incident. Assess the effectiveness of your current security controls, such as access key rotation policies, IAM user and role permissions, and logging and monitoring configurations. Implement stronger security measures, such as enabling multi-factor authentication (MFA) for all AWS accounts, regularly rotating access keys, and enforcing strict IAM policies based on the principle of least privilege. Use AWS security services like AWS GuardDuty to continuously monitor and detect suspicious activities.
5. Conduct Incident Post-Mortem
After the incident has been contained and the immediate security risks have been mitigated, conduct a thorough post-mortem analysis. Gather all relevant data, including honeytoken alerts, system logs, and investigation findings. Analyze the data to identify the root cause of the incident and any contributing factors. Assess the effectiveness of your incident response process, including the speed and accuracy of detection, the coordination among team members, and the overall impact mitigation. Identify areas for improvement in your security controls, processes, and incident response procedures. Document the findings and create an action plan to address the identified gaps and prevent similar incidents from occurring in the future.
Using OSINT with IP Address Information
If you are using a honeytoken system like GitGuardian, it can provide valuable information such as the IP address used to interact with the honeytoken key. Even though the honeytoken keys provided by GitGuardian are not associated with any production AWS services, the IP address information can still be useful for further investigation using open-source intelligence (OSINT) techniques.
Obtain the IP Address
When you receive a honeytoken alert from GitGuardian, it will include the IP address that was used to interact with the honeytoken key. Make note of this IP address, as it will be the starting point for your OSINT investigation. Keep in mind that the IP address alone may not provide definitive identification of the attacker, as it could be a proxy, a compromised system, or a public IP address shared by multiple users.
Perform IP Address Lookups
Begin your OSINT investigation by performing basic IP address lookups. Use tools like whois
, nslookup
, or online IP lookup services to gather information about the IP address. Look for details such as the geolocation of the IP address, the autonomous system number (ASN), and the associated internet service provider (ISP). This information can give you insights into the geographical location and network infrastructure associated with the IP address.
Investigate Threat Intelligence
Check if the IP address is associated with any known threat intelligence feeds or blacklists. Utilize resources like VirusTotal, AbuseIPDB, or other reputation databases to see if the IP address has been flagged for malicious activities in the past. Look for any reports or indicators of compromise (IOCs) related to the IP address. If the IP address is known to be associated with malicious activities, it can provide valuable context for your investigation.
Explore WHOIS and DNS Records
Conduct a more in-depth analysis of the IP address by exploring WHOIS and DNS records. Use WHOIS databases to retrieve information about the IP address owner, such as the organization name, contact details, and registration dates. Perform reverse DNS lookups to identify any domain names associated with the IP address. Investigate the identified domain names for any suspicious or malicious activities.
Leverage Social Media and Public Records
Utilize social media platforms and public records to gather additional information related to the IP address. Search for any mentions of the IP address or associated domain names on social media sites, forums, or discussion boards. Look for any user profiles, posts, or comments that may provide insights into the attacker's identity, motives, or tactics. Additionally, explore public records databases to see if there are any legal or historical records associated with the IP address or the individuals/organizations linked to it.
Collaborate and Share Intelligence
Engage with the broader cybersecurity community and share your findings related to the IP address. Participate in cyber threat intelligence (CTI) sharing platforms, such as MISP (Malware Information Sharing Platform) to exchange information and gain insights from other security professionals. Collaborate with trusted partners, industry peers, or law enforcement agencies to collectively investigate and respond to the incident.
Document and Integrate Findings
Throughout your OSINT investigation, document your findings and observations in a structured manner. Capture relevant data points, screenshots, and evidence that support your analysis. Integrate the OSINT findings with other data sources, such as honeytoken alerts, system logs, and security event data, to create a comprehensive picture of the incident. Use the consolidated information to guide your incident response actions, update security controls, and inform future prevention strategies.
PS - Here's a curation of 30 platforms that can be used for OSINT:
Final Thoughts and Wrapping Up
GitGuardian provides a powerful solution to help you detect and respond to AWS key leaks effectively. By leveraging GitGuardian Honeytoken, you can gain insights into potential security incidents and take proactive measures to mitigate risks.
If you're not already using GitGuardian, now is the time to take action. Sign up for a free trial and experience the benefits of honeytoken monitoring.
GitGuardian's intuitive platform allows you to easily integrate honeytokens into your AWS environment, providing an additional layer of security without added complexity.