prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
https://prowler.com
Apache License 2.0

Use IAM identity to calculate threat detection threshold #5057

Open Chan9390 opened 3 days ago

Chan9390 commented 3 days ago

New feature motivation

The current implementation of threat detection (both privilege escalation and permission enumeration) uses the number of potential priv esc/enumeration attempts per source IP address. While it detects a simple bruteforce from a single IP, the bypass is really easy: combine pacu/iam enumerate with IP rotation tools. The count will stay under the default threshold limit and the attack isn't detected.

Solution Proposed

Basing the threshold on IAM identity could help detect attacks. Let's say an attacker uses pacu/iam enumerate with IP rotation tools; the IAM identity that the attacker uses is still the same. Using a threshold based on IAM identity, Prowler can find and flag the identity.

Describe alternatives you've considered

N/A

Additional context

No response
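The difference the issue describes, as an added example that is not Prowler's own code: the same IAM enumeration calls are counted once per source IP and once per IAM identity ARN over constructed CloudTrail-style events. The set of "enumeration" API names and the absolute threshold of 5 are assumptions for illustration, not Prowler's configuration.

```python
from collections import Counter

# Constructed CloudTrail-style events (not real account activity): one IAM user makes six
# IAM enumeration calls, each from a different source IP, plus one unrelated call by a role.
USER_ARN = "arn:aws:iam::111122223333:user/example-user"
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/example-role/session"
SAMPLE_EVENTS = [
    {"userIdentity": {"arn": USER_ARN}, "sourceIPAddress": ip, "eventName": name}
    for ip, name in [
        ("198.51.100.10", "ListUsers"),
        ("198.51.100.11", "ListRoles"),
        ("198.51.100.12", "ListPolicies"),
        ("198.51.100.13", "ListGroups"),
        ("198.51.100.14", "GetAccountAuthorizationDetails"),
        ("198.51.100.15", "ListAttachedUserPolicies"),
    ]
] + [
    {"userIdentity": {"arn": ROLE_ARN}, "sourceIPAddress": "203.0.113.7",
     "eventName": "GetCallerIdentity"},
]

# Assumed, illustrative subset of IAM read/list calls counted as enumeration;
# Prowler's own list of watched actions is not reproduced here.
ENUMERATION_CALLS = {"ListUsers", "ListRoles", "ListPolicies", "ListGroups",
                     "GetAccountAuthorizationDetails", "ListAttachedUserPolicies"}


def enumeration_counts(events, group_by):
    """Count enumeration calls per source IP ('ip') or per IAM identity ARN ('identity')."""
    counts = Counter()
    for event in events:
        if event["eventName"] not in ENUMERATION_CALLS:
            continue
        key = event["sourceIPAddress"] if group_by == "ip" else event["userIdentity"]["arn"]
        counts[key] += 1
    return counts


def flagged(events, group_by, threshold):
    """Return the grouping keys whose enumeration count reaches the threshold."""
    return sorted(k for k, n in enumeration_counts(events, group_by).items() if n >= threshold)


if __name__ == "__main__":
    THRESHOLD = 5  # assumed absolute count, not Prowler's default setting
    # Per IP every count is 1, so IP rotation stays under the threshold; per identity it trips.
    print("per source IP:   ", flagged(SAMPLE_EVENTS, "ip", THRESHOLD))        # []
    print("per IAM identity:", flagged(SAMPLE_EVENTS, "identity", THRESHOLD))  # [USER_ARN]
```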

sergargar commented 2 days ago

Hi @Chan9390, this is really good feedback, thank you!

We will base the threshold on the IAM identity that is doing the API calls instead of on the source IP.

I'll let you know when the change is made so you can test it 😄

abant07 commented 1 day ago

Hey @sergargar

Is this issue open to contributors or is the Prowler team already on it? If not, could I work on this one?

Thanks, Amogh

sergargar commented 1 day ago

Hey @Chan9390, we have not started with this issue yet, so of course it is open to contributors.

If you want you can work on this 😄 Thanks!

abant07 commented 1 day ago

Sounds good. I will take a crack at it.

I will do what Pepe usually does.

I will first reiterate my understanding of the issue (to make sure there is no confusion), then I will give a semi-detailed plan of what I will do in terms of changing the code.