A knowledge base article about Using Prisma Cloud RT Ticket Information provided by the UC Berkeley IT Service Hub - Knowledge Portal
Starting Nov. 1st 2023, the Information Security Office (ISO) will start sending out alerts for vulnerabilities, policy violations, and intrusion detection events in bCloud discovered using Prisma Cloud. Below is a discussion of the email contents.
The first part of the email will tell you whether the issue is a vulnerability or a potential sign of compromise/malicious activity. Because campus policies have been developed to address the potential for exploitation, policy violations are included in the category of vulnerabilities.
After a discussion of the need to notify ISO in the case of an incident involving notice-triggering information, the email will include a section containing one or more alerts about the issues discovered. Below you will find three different example alerts that someone may receive in an RT ticket, with descriptions/discussions for each one. Then there will be steps security contacts can use to further investigate the alerts.
Alert ID: N-182602, Severity: high
--------------------------------------------------------------------------------
Service: Amazon EC2
Name: my-4xlarge-Node
ID: i-00f9b73d0a1336c5e
First Seen Time: 2023-06-26 05:23:33
Last Seen Time: 2023-06-26 05:23:33
Description: AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0)
Remediation Cli: N/A
Remediation Cli Description: N/A
Prisma URL: https://app4.prismacloud.io/alerts/overview?filters#alert.id[0]=N-182602&timeRange[type]=to_now&timeRange[value]=epoch
Recommendation:
The following steps are recommended to restrict unrestricted access from the Internet:
1. Visit the Network path Analysis from Source to Destination and review the network path components that allow internet access.
2. Identify the network component on which restrictive rules can be implemented.
3. Implement the required changes and make sure no other resources have been impacted due to these changes:
a) The overly permissive Security Group rules can be made more restrictive.
b) Move the instance inside a restrictive subnet if the instance does not need to be publicly accessible.
c) Define a NAT rule to restrict traffic coming from the Internet to the respective instance.
The alert N-182602 is for an EC2 instance that does not restrict Internet access. This may or may not be a policy violation. By policy, access to systems should be limited to the fewest number of systems possible using network firewalls. In some cases, such as public websites, it is appropriate to allow unrestricted access to a specific port; however, other ports, or entire systems, should not be exposed. In this case there was neither port scanning nor were there vulnerabilities in the EC2 instance. As a result, this alert remained at the high severity level. In particular, this alert is a vulnerability, but it would also fall under the MSSEI restrictions if the host had P2 or above data.
Note that the alert has recommended actions for the cloud admin to take. These include:
Alert ID: P-164, Severity: high
--------------------------------------------------------------------------------
Service: Google Cloud Storage
Name: my-cloud-bucket-80b1acbf-1f3a-4fd0-9ae0-a0788e9f448d
ID: my-cloud-bucket-80b1acbf-1f3a-4fd0-9ae0-a0788e9f448d
First Seen Time: 2023-06-06 21:32:07
Last Seen Time: 2023-06-06 21:32:07
Description: GCP Storage buckets are publicly accessible to all users
Remediation Cli: gsutil iam ch -d allUsers gs://${resourceName}
Remediation Cli Description: This CLI command requires 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allUsers' permission access in GCP Storage buckets.
Prisma URL: https://app4.prismacloud.io/alerts/overview?filters#alert.id[0]=P-164&timeRange[type]=to_now&timeRange[value]=epoch
Recommendation:
1. Login to GCP Portal
2. Go to Storage (Left Panel)
3. Click Browse
4. Choose the identified Storage bucket whose ACL needs to be modified
5. Click on SHOW INFO PANEL button
6. Check all the ACL groups and make sure that the none of them are set to 'allUsers'
Alert P-164 is another vulnerability message; however, this time the issue is that a storage bucket has been made available to the Internet. Unless there is a business need for the resource to be publicly available, the permissions should be changed to restrict access.
For alerts like this, if there is sensitive or notice triggering data in this environment, the Information Security office should be made aware of the situation immediately.
Besides the Recommendation section, which has a step-by-step guide to changing the permissions, this alert also has a command line interface (CLI) option. To change the permissions without using the GCP portal, someone with the appropriate permissions can run `gsutil iam ch -d allUsers gs://${resourceName}`. Further, there is a description of what the CLI option does, and it includes the permissions required to run the command. In this case the permissions are 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy'.
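The alert blocks above share one "Label: value" layout, so a security contact who receives many RT tickets can pull them into structured records. The following parser and triage helper are an added example, not part of this knowledge base article or of Prisma Cloud; the sample ticket text is a constructed, trimmed copy of the P-164 and A-20255 blocks, and the "days seen" and "Prisma URL matches Alert ID" checks are the author's own sanity checks, not ISO procedure.

```python
import re
from datetime import datetime
# Constructed sample in the layout of the ISO alert emails (trimmed P-164 and A-20255 blocks).
SAMPLE_TICKET = """Alert ID: P-164, Severity: high
--------------------------------------------------------------------------------
First Seen Time: 2023-06-06 21:32:07
Last Seen Time: 2023-06-06 21:32:07
Description: GCP Storage buckets are publicly accessible to all users
Remediation Cli: gsutil iam ch -d allUsers gs://${resourceName}
Prisma URL: https://app4.prismacloud.io/alerts/overview?filters#alert.id[0]=P-164&timeRange[type]=to_now
Recommendation:
1. Login to GCP Portal
Alert ID: A-20255, Severity: critical
--------------------------------------------------------------------------------
First Seen Time: 2023-08-07 20:41:24
Last Seen Time: 2023-08-27 16:41:17
Description: Potentially unauthorized port scanning activity detected on a publicly exposed and vulnerable Azure Virtual Machine
Remediation Cli: N/A
Prisma URL: https://app4.prismacloud.io/alerts/overview?filters#alert.id[0]=A-20255&timeRange[type]=to_now
"""

HEADER_RE = re.compile(r"^Alert ID:\s*(?P<id>\S+),\s*Severity:\s*(?P<sev>\w+)\s*$")
URL_ID_RE = re.compile(r"alert\.id\[0\]=([^&]+)")

def parse_alerts(text: str) -> list:
    """One dict per 'Alert ID:' block; field labels become lower_snake keys."""
    alerts, cur, in_reco = [], None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # the header line carries the id and severity and starts a new block
            cur, in_reco = {"alert_id": m["id"], "severity": m["sev"].lower(), "recommendation": ""}, False
            alerts.append(cur)
        elif cur and in_reco:  # everything after 'Recommendation:' is free text
            cur["recommendation"] += line.strip() + "\n"
        elif cur and line.startswith("Recommendation:"):
            in_reco = True
        elif cur and ":" in line:  # 'Label: value' field; split once so URLs keep their colons
            key, value = line.split(":", 1)
            cur[key.strip().lower().replace(" ", "_")] = value.strip()
    return alerts

def triage(alert: dict) -> dict:
    # Sanity checks (author's assumption) a security contact may want before opening the Prisma URL
    m = URL_ID_RE.search(alert.get("prisma_url", ""))
    first, last = (datetime.strptime(alert[k], "%Y-%m-%d %H:%M:%S")
                   for k in ("first_seen_time", "last_seen_time"))
    return {
        "url_matches_id": m is not None and m.group(1) == alert["alert_id"],
        "has_cli_fix": alert.get("remediation_cli", "N/A") != "N/A",
        "days_seen": (last - first).days,  # > 0 means the activity recurred over time
    }
```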
Alert ID: A-20255, Severity: critical
--------------------------------------------------------------------------------
Service: Azure Compute
Name: my-azure-compute-node-01
ID: efb32b52-7f1e-4c13-8d2e-f782bc0d81c6-/subscriptions/7eef5ab4c-62d3-41f8-b25b-eb216f13f9a1/resourceGroups/rg-testteam-default-1/providers/Microsoft.Compute/virtualMachines/my-azure-compute-node-01
First Seen Time: 2023-08-07 20:41:24
Last Seen Time: 2023-08-27 16:41:17
Description: Potentially unauthorized port scanning activity detected on a publicly exposed and vulnerable Azure Virtual Machine
Remediation Cli: N/A
Remediation Cli Description: N/A
Prisma URL: https://app4.prismacloud.io/alerts/overview?filters#alert.id[0]=A-20255&timeRange[type]=to_now&timeRange[value]=epoch
Recommendation:
The following steps are recommended to remediate the incident:
1. Review the remote network connections on the instance to determine if network restrictions can be implemented to prevent traffic from/to suspicious sources/destinations.
2. Review and restrict public exposure based on business requirements.
3. Immediately review reported vulnerabilities and assess the significant risks they pose.
4. Apply recommended patches, workarounds, or mitigations to fix the vulnerabilities quickly.
Finally, alert A-20255 is an IDS-style alert for an Azure compute node. It is based on network activity that was seen targeting a server running in Azure. In this case, what would normally be seen as a low-severity issue (the reconnaissance scanning) is escalated to critical because a patch management tool on the host, which feeds into Prisma, had detected that it was running some out-of-date software, and the network restrictions did not prevent access to the VM.
This does not necessarily mean that the scanning was for the vulnerability or that the vulnerability was exploited, but it should be reviewed for issues. The Recommendation section for this alert includes:
In all of the alerts above (and in any alert generated from Prisma Cloud) there is a "Prisma URL" line. To get more information on what was detected and generated an alert, an admin with Prisma access can use that URL to see more details about what was detected. After going to that URL, the steps are as follows: