Instantly Stop S3 Ransomware and Malware

With New AWS S3 Object Lambda and Blue Hexagon Agentless Cloud-Native AI Security

Over the past year, we have worked closely with AWS to bring real-time inline blocking of malicious objects and malicious access in AWS S3 through a native integration with the recently announced AWS S3 Object Lambda.

Naveen Kulshreshtha and Arun Raman, Blue Hexagon

Overview

Customers use AWS S3 as a scalable managed storage platform for their business applications, ranging from Pinterest using AWS S3 to store billions of images daily to 3M storing healthcare application data for processing and archival. Data privacy and security are of paramount importance for customers of the public cloud, and are top of mind for CISOs and Security Architects. While much of cloud security for AWS S3 has hitherto focused on preventing or remediating misconfigurations such as accidental public exposure, there is growing recognition of the need both to prevent unauthorized access to AWS S3 and to prevent the use of AWS S3 buckets as a conduit for malware artifacts such as ransomware dropper payloads or malicious JavaScript. Threat actors, sometimes opportunistically, attack legitimate applications by uploading malicious payloads into AWS S3, either indirectly through the application itself or directly using stolen credentials or exposed buckets.

Customers deploy Blue Hexagon Cloud Security for AWS to protect their cloud environment against advanced threats targeting their workloads, network, and AWS S3 storage. Powered by real-time Deep Learning AI, Blue Hexagon scans files from S3 storage, the network, and other sources in sub-second time to convict and classify malware. Further, all cloud activity, including S3 access, is checked against Deep Learning-derived IOCs for signs of malicious activity.

Over the past year, we have worked closely with AWS to bring real-time inline blocking of malicious objects and malicious access in AWS S3 through a native integration with the recently announced AWS S3 Object Lambda. In a nutshell, any attempt to access an object in an enabled AWS S3 bucket is gated by a Blue Hexagon Lambda function that analyzes the object and grants access only to benign objects, while denying access to objects deemed malicious by the Blue Hexagon Deep Learning AI Security platform. The platform is particularly effective against known malware, variants of known malware, and new unknown malware payloads. This prevents the spread of malware within your cloud environment, protecting your users and applications from threats that could be unwittingly detonated by accessing malicious objects from S3 buckets. Furthermore, any attempts to access AWS S3 objects from a malicious external host are automatically blocked as well, by correlating with Blue Hexagon Threat Intelligence.

With Blue Hexagon AWS S3 Object Lambda integration, cloud-first and cloud-enabled enterprises can:

●  Stop ransomware and any malware from infiltrating their cloud environment.

●  Prevent unauthorized access to AWS S3 from malicious hosts.

●  Deploy robust user, application and cloud security, by preventing lateral movement of threats.

●  Achieve cloud storage compliance with instant detection and full visibility.

In this blog, we describe the integration in detail and explain how you can set up the architecture and dataflow shown in Figure 1 in your AWS environment.

Figure 1: Inline S3 access protection with Blue Hexagon – the Blue Hexagon Security Object Lambda denies access to malicious objects scanned inline in real-time through the HexNet™ Deep Learning engine

Blue Hexagon with AWS S3 Object Lambda – Getting Started

Prerequisites

  • VPC where the S3 Object Lambda Access Point and a backing S3 Access Point will be created
  • Subnets in the VPC where the Object Lambdas will run
  • S3 bucket to protect and for which to enable the Access Points
  • awscli or equivalent to run commands against the S3 bucket and access point
  • Blue Hexagon Threat Intelligence API key – You can sign up for a free trial and get a license key to deploy the Blue Hexagon S3 Object Lambda integration in your environment. Store the Blue Hexagon API key as a secret in AWS Secrets Manager.

Deployment Steps

Deploy the Blue Hexagon S3 Object Lambda using CloudFormation by clicking on the Launch Stack button below.

  • Step 1: Identify the AWS VPC in which to launch the AWS S3 Object Lambda function. Object Lambda access points are regional and must be launched in a VPC and subnets in the region.
  • Step 2: Identify the VPC subnets in which to launch the AWS S3 Object Lambda function.
  • Step 3: Specify the name of the Secrets Manager secret in which you have stored the Blue Hexagon Threat Intelligence API key.
  • Step 4: Acknowledge the stack capabilities, and Create Stack!

Figure X: Create S3 Lambda function stack.

  • Step 5: Once the stack is created, grab the Lambda ARN from Outputs.
  • Step 6: Now launch the CloudFormation stack below to create an S3 Object Lambda Access Point as well as a backing S3 Access Point for an S3 bucket of your choice.
  • Step 7: Select the VPC in which to deploy the access points – this is the same VPC as selected in the first stack above.
  • Step 8: Specify the S3 Object Lambda ARN from the outputs section of the first stack deployed above.
  • Step 9: Specify the name of the S3 bucket for which you would like to enable Blue Hexagon protection. Each S3 bucket needs to have a separate S3 Lambda access point. However, all S3 Lambda access points can reuse the same Lambda function. 
  • Step 10: Click Next, acknowledge, and Create Stack! On creation, the stack outputs the ARN of the S3 bucket access point to be used in API calls. All accesses through this access point will be gated by Blue Hexagon Security, with malicious accesses automatically and transparently blocked by Blue Hexagon.

Inline Prevention of Malicious S3 Access

With the stacks deployed, let’s try accessing files in the bucket using the Blue Hexagon Security S3 Object Lambda access point.

First, let’s access a file named benign.pdf – a benign (not malicious) PDF file.

(bh) user:~$ aws s3api get-object --bucket arn:aws:s3-object-lambda:us-west-2:[redacted]:accesspoint/s3lambdaap --key benign.pdf ./benign.pdf
{
    "ContentLength": 3028,
    "ContentType": "text/plain",
    "Metadata": {}
}
(bh) user:~$ file benign.pdf
benign.pdf: PDF document, version 1.3

We are able to access it just fine. The Blue Hexagon Deep Learning AI engine scanned the file inline in real-time and gave a verdict of benign, allowing the file to be passed through to the requesting application (awscli in the example).

Now, let’s access a file named whoami.pdf – ostensibly a PDF file that was previously uploaded to the S3 bucket.

(bh) user:~$ aws s3api get-object --bucket arn:aws:s3-object-lambda:us-west-2:[redacted]:accesspoint/s3lambdaap --key whoami.pdf ./whoami.pdf
An error occurred (Denied) when calling the GetObject operation: Access to requested file denied by your security administrator.

Access is denied! The Blue Hexagon Deep Learning AI engine scanned the file inline in real-time and found that the file contained a variant of the Glupteba trojan – a malicious PE32 backdoor embedded within the PDF file.
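To make the gating mechanism behind these two outcomes concrete, here is an added, illustrative S3 Object Lambda handler in Python (not Blue Hexagon's code and not its Deep Learning engine): it fetches the original object through the presigned URL that S3 Object Lambda supplies in the event, scans it, and then either passes the bytes through or answers the GetObject with a 403 via the real boto3 call write_get_object_response. The scan_object function is a deliberately simple stand-in verdict (a PDF that embeds a Windows PE image, the pattern in the whoami.pdf example); the sample PDFs are constructed inline.

```python
import urllib.request

PDF_MAGIC = b"%PDF-"
DENY_MESSAGE = "Access to requested file denied by your security administrator."

# Constructed samples: a minimal benign PDF, and a PDF carrying a fake PE stub
# (MZ header whose e_lfanew field points at a "PE\0\0" signature).
BENIGN_PDF = b"%PDF-1.3\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
FAKE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"
MALICIOUS_PDF = b"%PDF-1.3\n" + FAKE_PE + b"\n%%EOF\n"


def scan_object(data: bytes) -> str:
    """Toy verdict: 'malicious' if a PDF embeds a Windows PE image, else 'benign'.
    Stand-in for the vendor scan; a real engine would go far beyond this."""
    if not data.startswith(PDF_MAGIC):
        return "benign"
    pos = data.find(b"MZ")
    while pos != -1:
        lfanew = pos + 0x3C  # e_lfanew: offset of the PE signature from "MZ"
        if lfanew + 4 <= len(data):
            sig = pos + int.from_bytes(data[lfanew:lfanew + 4], "little")
            if data[sig:sig + 4] == b"PE\0\0":
                return "malicious"
        pos = data.find(b"MZ", pos + 1)
    return "benign"


def build_response(ctx: dict, data: bytes) -> dict:
    """Keyword arguments for s3.write_get_object_response: pass the object
    through when benign, or complete the GetObject with a 403 when malicious."""
    base = {"RequestRoute": ctx["outputRoute"], "RequestToken": ctx["outputToken"]}
    if scan_object(data) == "malicious":
        return {**base, "StatusCode": 403, "ErrorCode": "Denied", "ErrorMessage": DENY_MESSAGE}
    return {**base, "Body": data}


def handler(event, context=None, fetch=None, s3=None):
    """Lambda entry point. getObjectContext carries the presigned inputS3Url of
    the original object plus the route/token used to write the response back."""
    ctx = event["getObjectContext"]
    fetch = fetch or (lambda url: urllib.request.urlopen(url).read())
    if s3 is None:
        import boto3  # deferred so the scan logic is importable without boto3
        s3 = boto3.client("s3")
    s3.write_get_object_response(**build_response(ctx, fetch(ctx["inputS3Url"])))
    return {"statusCode": 200}
```

With the denied branch, the caller sees exactly the kind of "Denied" error shown above, while benign objects are streamed back unchanged.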

Next Steps

Protecting cloud storage against malware threats via integration with AWS S3 Object Lambda is just one of the applications of the Blue Hexagon HexNet™ Deep Learning AI engine. This same engine powers the Blue Hexagon Agentless Multi-Cloud AI Security platform, which provides actionable visibility, real-time threat defense, and continuous compliance for your entire cloud environment in AWS, GCP, and Azure. It is platform agnostic, works in real-time, and can be configured for autonomous response. You can try or buy Blue Hexagon Cloud Security in the AWS Marketplace, or sign up for a limited-time free trial.