Use Case: Protecting E-commerce Order Data from Ransomware with Amazon OpenSearch

Use Case: Protecting E-commerce Order Data from Ransomware.md

For a real-world use case, we can choose sample e-commerce order data to set up a Security Analytics detector to protect against ransomware attacks. E-commerce platforms are frequent targets due to the valuable financial data they hold.

Use Case: Protecting E-commerce Order Data from Ransomware

Scenario:

We want to set up a Security Analytics detector in Amazon OpenSearch Service to monitor for ransomware activities like data exfiltration and system state backup deletion, commonly seen in ransomware attacks like BlackCat and LockBit.

Steps to Set Up Security Analytics Detector

Step 1: Access OpenSearch Dashboards

1. Sign in to your OpenSearch Dashboards.
2. Navigate to the "Security Analytics" section.

Step 2: Define the Detector

1. Go to Detectors:
   • Click on "Create Detector".
   • Name: E-commerce Ransomware Protection
   • Description: Detects potential ransomware activities targeting e-commerce order data.

2. Select Data Source:
   • Choose the relevant indexes or index patterns, e.g., opensearch_dashboards_sample_data_ecommerce.

3. Select Log Types and Rules:

   • Choose System Activitiy Microsoft Windows as the log type.
   • Add relevant Sigma rules:
     • Rclone Execution via Command Line or PowerShell
     • Delete Volume Shadow Copies via WMI with PowerShell
     • Wbadmin Delete Systemstatebackup
     • Suspicious Scheduled Task Creation Involving Temp Folder
   

Step 3: Configure Detection Rules

1. Rclone Execution via Command Line or PowerShell:

   • Description: Detects the execution of RClone utility, which is used for data exfiltration.
   • How It Helps: Prevents data exfiltration attempts, protecting sensitive order data.

2. Delete Volume Shadow Copies via WMI with PowerShell:

   • Description: Monitors for deletion of Volume Shadow Copies using PowerShell.
   • How It Helps: Prevents disabling backups, a common tactic in ransomware attacks.

3. Wbadmin Delete Systemstatebackup:

   • Description: Detects attempts to delete system state backups using wbadmin.exe.
   • How It Helps: Protects backups from deletion, ensuring data recovery options.

4. Suspicious Scheduled Task Creation Involving Temp Folder:

   • Description: Detects the creation of scheduled tasks in temporary folders, often used by ransomware.
   • How It Helps: Identifies suspicious scheduled tasks, indicating potential ransomware activity.

Step 4: Mapping Fields for Security Analytics Detector

Given the sample e-commerce order data, here are the mappings for the provided detection rule fields to the corresponding data source fields:

Rule field name	Mapped log field name
winlog.event_data.ParentImage	products.manufacturer
winlog.event_data.Image	products.price
winlog.event_data.HostApplication	customer_full_name
winlog.event_data.Description	event.dataset
timestamp	order_date
source.ip	geoip.region_name
process.command_line	products.sku
destination.ip	geoip.country_iso_code

This mapping ensures each field is unique and corresponds to a relevant data source field in the sample e-commerce order data.

Step 5: Set Detection Interval

• Set the detection interval to an appropriate value, e.g., every 5 minutes, to ensure timely detection.Set the detection interval to an appropriate value, e.g., every 5 minutes for testing purposes. If you want immediate feedback, consider setting a shorter interval, such as 1 minute, during initial testing.
• Select Next

Step 6: Set Up Alert Triggers

1. Create Trigger:

   • Trigger Name: Ransomware Activity Alert
   • Detection Type: Any rules, any severities, any tags.
   • Alert Severity: 1 (Highest)
   

2. Send Notification:

   • Notification Channel: Choose Slack, Email, or another preferred channel. In this demo I select "Chime".

   • Message Subject: "Potential Ransomware Activity Detected"

   • Message Body:

     Triggered alert condition: Ransomware Activity Alert
     Severity: 1 (Highest)
     Threat detector: E-commerce Ransomware Protection
     Description: Detects potential ransomware activities targeting e-commerce order data.
     Detector data sources: opensearch_dashboards_sample_data_ecommerce
     

     

Sub-steps to Create a Slack Channel:

1. Click "Manage Channels":

-   This will open the channel management interface in a new tab.

2. Create Channel:

   • Click "Create Channel".
   • Channel Type: Select "Chime".
   • Name: E-commerce Alerts
   • Webhook URL: Enter the Slack incoming webhook URL.
   • Save the Channel:
     • Click "Save" to create the channel.

Creating Chime Webhook Steps:

1. Create a chat room "Testing"
2. Select "Room Settings"
3. Select Add webhook , give name ransomware-demo-aos

4. Copy URL and paste on channel webhook url in OpenSearch Dashboards

Step 7: Finalize and Create Detector

• Review all configurations and mappings.
• Click "Create Detector" to save and activate the detector.

Use Case: Protecting E-commerce Order Data from Ransomware

Scenario:

We want to set up a Security Analytics detector in Amazon OpenSearch Service to monitor for ransomware activities targeting e-commerce order data. This setup will help protect against attacks like BlackCat, Hive, LockBit, and Conti.

Steps to Set Up Security Analytics Detector

Step 1: Access OpenSearch Dashboards

1. Sign in to OpenSearch Dashboards.
2. Navigate to "Security Analytics".

Step 2: Define the Detector

1. Go to Detectors:
   • Click "Create Detector".
   • Name: E-commerce Ransomware Protection
   • Description: Detects potential ransomware activities targeting e-commerce order data.
2. Select Data Source:
   • Choose opensearch_dashboards_sample_data_ecommerce.

Step 3: Select Log Type and Detection Rules

1. Log Type: Microsoft Windows
2. Detection Rules: Choose relevant rules such as:
   • Rclone Execution via Command Line or PowerShell
   • Delete Volume Shadow Copies via WMI with PowerShell
   • Wbadmin Delete Systemstatebackup
   • Suspicious Scheduled Task Creation Involving Temp Folder

Step 4: Map the Fields

1. destination.ip: geoip.country_iso_code
2. process.command_line: products.sku
3. source.ip: geoip.region_name
4. timestamp: order_date
5. winlog.event_data.Description: event.dataset
6. winlog.event_data.HostApplication: customer_full_name
7. winlog.event_data.Image: products.price
8. winlog.event_data.ParentImage: products.manufacturer

Step 5: Set Detection Interval

• Set the detection interval to an appropriate value, such as every 5 minutes. For testing purposes, consider setting a shorter interval, such as 1 minute.

Step 6: Set Up Alert Triggers

1. Create Trigger:

   • Trigger Name: Ransomware Activity Alert
   • Detection Type: Any rules, any severities, any tags.
   • Alert Severity: 1 (Highest)

2. Send Notification:

   • Notification Channel: Select "Slack" from the options.
   • Message Subject: "Potential Ransomware Activity Detected"
   • Message Body:

     Triggered alert condition: Ransomware Activity Alert
     Severity: 1 (Highest)
     Threat detector: E-commerce Ransomware Protection
     Description: Detects potential ransomware activities targeting e-commerce order data.
     Detector data sources: opensearch_dashboards_sample_data_ecommerce
     

Sub-steps to Create a Slack Channel:

1. Click "Manage Channels":

   • This will open the channel management interface in a new tab.

2. Create Channel:

   • Click "Create Channel".
   • Channel Type: Select "Slack".
   • Name: E-commerce Alerts
   • Webhook URL: Enter the Slack incoming webhook URL.
   • Save the Channel:
     • Click "Save" to create the channel.

3. Return to Alert Trigger Setup:

   • After creating the Slack channel, return to the alert trigger setup.
   • Select the newly created Slack channel (E-commerce Alerts) from the "Notification Channel" dropdown.

Step 7: Finalize and Create Detector

• Review all configurations and mappings.
• Click "Create Detector" to save and activate the detector.

Testing the Detector

Method: Inserting Logs Manually via Dev Tools

To manually insert a log that will trigger the detector, follow these steps:

1. Access Dev Tools:

   • Navigate to "Dev Tools" in OpenSearch Dashboards.

2. Insert Test Log:

   • Use the following command to insert a log that mimics a ransomware activity, such as a suspicious PowerShell command. Replace <INDEX_NAME> with your index name, e.g., opensearch_dashboards_sample_data_ecommerce.

POST /<INDEX_NAME>/_doc
{
  "geoip": {
    "country_iso_code": "US",
    "region_name": "California",
    "location": {
      "lon": -118.2437,
      "lat": 34.0522
    }
  },
  "order_date": "2024-05-31T18:11:31+00:00",
  "event": {
    "dataset": "sample_ecommerce"
  },
  "customer_full_name": "John Doe",
  "products": [
    {
      "sku": "rclone.exe",
      "price": 100.00,
      "manufacturer": "EvilCorp"
    }
  ]
}

3. Run the Detector:

   • If you have set the detection interval to 1 minute, wait for the interval to pass.

4. Review Alerts:

   • Check the alerts section to see if the inserted log triggers any alerts. The alert should be sent to the configured Chime channel.

By following these steps, you can test your Security Analytics detector setup in Amazon OpenSearch by manually inserting logs that simulate ransomware activities. This approach ensures your detector is functioning correctly and provides timely alerts to mitigate ransomware attacks.

Summary

By setting up the detector with a shorter interval or manually triggering it, you can effectively test the Security Analytics detector in Amazon OpenSearch. This approach ensures early detection and prompt response to potential ransomware threats, safeguarding valuable e-commerce order data.

Implementing these steps helps ensure your detector is functioning correctly and provides timely alerts to mitigate ransomware attacks.

For more details, refer to the OpenSearch Security Analytics Documentation.

References

1. https://opensearch.org/docs/latest/security-analytics/sec-analytics-config/detectors-config/