This article describes the data available from SecurityScorecard Attack Surface Intelligence in the Amazon Security Lake integration with AWS. For setup instructions for this integration, see this article.
All data in Amazon Security Lake is formatted according to the Open Cybersecurity Schema Framework (OCSF) and stored as Parquet files in the Amazon S3 buckets that back Amazon Security Lake. All intelligence from Attack Surface Intelligence is currently converted to the OCSF Security Finding class and validated as schema-compliant before it is sent.
Some sources consist of billions of events per day, though most are in the hundreds of thousands to millions. Ensure you have appropriate retention policies set up in Amazon Security Lake, so that you do not incur greater-than-expected storage costs.
Malware Infection Detected
Source: Malware, Adware, Potentially Unwanted/Vulnerable App DNS Sinkholes (see Malware DNS Sinkhole section)
Schema: OCSF Security Finding
Events per day: Billions
Search in Attack Surface Intelligence: Run Search Query in Attack Surface Intelligence UI
Example of query results for malware infections in Attack Surface Intelligence on November 17, 2022
Description: A device's IPv4 address was logged in SecurityScorecard's DNS sinkhole collection logs for malware, adware, or potentially unwanted/vulnerable applications, based on an active infection on that device.
Possible usages of this event:
- If this IP address is observed communicating with assets in your AWS organization, take immediate action to block the address: quarantine the device that the infected address was communicating with, and take appropriate steps to remediate any misconfigurations that allowed the internal asset to communicate with the infected device. You can automate this action with AWS products by combining AWS Lambda with AWS CloudTrail and Virtual Private Cloud (VPC) flow logs.
- If this IP address is observed within your organization as a managed device:
  - Take all steps indicated in the preceding bullet, but note that this device is actively infected or has an unwanted application installed. It may have already exfiltrated data, or may have been continually acting as part of a botnet or malicious command-and-control infrastructure.
  - Check well-known community blocklists, or the blocklist data in SecurityScorecard Attack Surface Intelligence, for this IP address to see whether your asset or network segment has been flagged externally for malicious activity.
  - Take appropriate steps to contact the blocklist maintainers and have the listing removed after you have quarantined and cleaned the device.
The OCSF Security Finding contains ample information to indicate what data is being sent to, or from, the infected device, and assist in your security team's investigation.
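The following is an added example, not code from SecurityScorecard or the Security Lake integration, of the correlation step described in the usage list above: it reads a Malware Infection Detected finding in its JSON form, pulls the flagged IPv4 address out of the OCSF `observables` array (OCSF observable `type_id` 2 is IP Address), and runs it against VPC flow log lines in the default version 2 format to list internal assets that exchanged traffic with the infected address. The finding and flow log lines are constructed samples; the exact field layout of SecurityScorecard's findings should be taken from the attached sample, and the internal CIDR list is an assumption you would replace with your own VPC ranges. The Parquet form would be read the same way after loading the rows with a Parquet library; this example uses only the standard library.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Set

# Constructed OCSF Security Finding (class_uid 2001) in JSON form. The field
# layout is an assumption modelled on the OCSF Security Finding class; take the
# real layout from the attached malware_infection_detected_sample.json.
SAMPLE_FINDING = json.dumps({
    "class_uid": 2001,
    "class_name": "Security Finding",
    "severity_id": 4,
    "time": 1668643200000,
    "finding": {"title": "Malware Infection Detected", "uid": "EXAMPLE-FINDING-0001"},
    "observables": [
        {"name": "src_endpoint.ip", "type_id": 2, "value": "203.0.113.45"},
        {"name": "domain", "type_id": 1, "value": "sinkholed.example"},
    ],
})

# Constructed VPC flow log lines in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.45 49152 443 6 12 2048 1668643300 1668643360 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 49153 443 6 5 600 1668643300 1668643360 ACCEPT OK
2 123456789012 eni-0e5f6a7b 203.0.113.45 10.0.2.22 40000 22 6 3 180 1668643400 1668643460 REJECT OK
2 123456789012 eni-0e5f6a7b 10.0.2.22 203.0.113.45 40001 8080 6 9 1500 1668643400 1668643460 ACCEPT OK
2 123456789012 eni-0c9d8e7f - - - - - - - 1668643500 1668643560 - NODATA
"""

# Assumption: the address ranges that count as "your" assets. Replace with your VPC CIDRs.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

FLOW_LOG_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status",
]


def flagged_ips(finding_json: str) -> Set[str]:
    """Return the IP-address observables (OCSF type_id 2) from a Security Finding."""
    finding = json.loads(finding_json)
    if finding.get("class_uid") != 2001:  # only handle the Security Finding class
        return set()
    return {o["value"] for o in finding.get("observables", []) if o.get("type_id") == 2}


def parse_flow_log(line: str) -> Dict[str, str]:
    """Split one default-format VPC flow log line into a field dictionary."""
    fields = line.split()
    if len(fields) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"unexpected flow log line: {line!r}")
    return dict(zip(FLOW_LOG_FIELDS, fields))


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # '-' placeholders in NODATA/SKIPDATA records are not addresses
        return False
    return any(addr in net for net in INTERNAL_NETS)


def correlate(finding_json: str, flow_log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """List every flow in which an internal asset talked to an address from the finding."""
    bad = flagged_ips(finding_json)
    hits: List[Dict[str, str]] = []
    for line in flow_log_lines:
        if not line.strip():
            continue
        rec = parse_flow_log(line)
        if rec["log-status"] != "OK":  # NODATA / SKIPDATA records carry no addresses
            continue
        if rec["srcaddr"] in bad and is_internal(rec["dstaddr"]):
            asset, direction = rec["dstaddr"], "inbound"
        elif rec["dstaddr"] in bad and is_internal(rec["srcaddr"]):
            asset, direction = rec["srcaddr"], "outbound"
        else:
            continue
        hits.append({
            "asset": asset,
            "interface": rec["interface-id"],
            "peer": rec["srcaddr"] if direction == "inbound" else rec["dstaddr"],
            "direction": direction,
            "action": rec["action"],
            "bytes": rec["bytes"],
        })
    return hits


def assets_to_quarantine(hits: List[Dict[str, str]]) -> List[str]:
    """Internal assets whose traffic with the infected address was actually ACCEPTed."""
    return sorted({h["asset"] for h in hits if h["action"] == "ACCEPT"})


if __name__ == "__main__":
    matches = correlate(SAMPLE_FINDING, SAMPLE_FLOW_LOGS.splitlines())
    for m in matches:
        print(m)
    print("quarantine candidates:", assets_to_quarantine(matches))
```

REJECTed flows are kept in the hit list but excluded from the quarantine candidates: a rejected inbound connection attempt from the infected address is worth recording, but it does not by itself show that the internal asset talked to it. In a Lambda deployment the same `correlate` function would run over the flow log batch delivered to the function, with the finding rows read from the Security Lake Parquet files.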
Event sample in the Amazon Security Lake Format: Attached as malware_infection_detected_sample.parquet.
Event sample as JSON: Attached as malware_infection_detected_sample.json.