Try in Splunk Security Cloud

Description

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2019-10-02
  • Author: David Dorsey, Splunk
  • ID: 3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a

Narrative

Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it’s par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises–a practice known as cryptojacking–a top priority.
Cryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It’s difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool’s IP address behind a free CDN.
When malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.
This Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.

Detections

Name Technique Type
Abnormally High Number Of Cloud Instances Launched Cloud Accounts Anomaly
Cloud Compute Instance Created By Previously Unseen User Cloud Accounts Anomaly
Cloud Compute Instance Created In Previously Unused Region Unused/Unsupported Cloud Regions Anomaly
Cloud Compute Instance Created With Previously Unseen Image   Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type   Anomaly

Reference

source | version: 1