
Network Gateway Change

This alert occurs when Lacework detects a network gateway change.

Why this Alert is Important

A network gateway is an entry point into the AWS environment. Most of the time a gateway change is benign and part of a scheduled change. Sometimes, however, it may indicate a DoS (denial of service) or DDoS (distributed denial of service) attack, where an attacker tries to forward network traffic to a malicious gateway, causing loss of availability.

Investigation

Analyze the logs to look for any unauthorized gateways. If you have any WAFs (Web Application Firewalls), review the rules and modify the ones that increase exposure.

Resolution

Ensure that all allowed gateways are documented and that these changes are made by authorized personnel.
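The investigation and resolution steps above amount to one check: pull the gateway-change events out of the logs and compare each one against the documented gateway inventory and the list of personnel authorized to change it. The Python script below is an added example, not Lacework's or AWS's own code, and runs offline on constructed CloudTrail-style records embedded inline. The documented gateway ID, the authorized role ARN, the account number and the sample event contents are all made-up values standing in for a real change register; the event names are the EC2 API actions that create, attach, detach or delete gateways.

```python
import json

# Constructed CloudTrail-style records (not real events). Only the fields the
# check needs are present; the ARNs, IDs and timestamps are invented.
SAMPLE_LOG = """
[
 {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AttachInternetGateway",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/NetworkChangeRole/deploy",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/NetworkChangeRole"}}},
  "requestParameters": {"internetGatewayId": "igw-0a1b2c3d4e5f6a7b8", "vpcId": "vpc-0123456789abcdef0"},
  "responseElements": {"_return": true}},
 {"eventTime": "2024-01-15T10:02:30Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInternetGateways",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/NetworkChangeRole/deploy",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/NetworkChangeRole"}}},
  "requestParameters": {"internetGatewayIdSet": {}}, "responseElements": null},
 {"eventTime": "2024-01-15T23:41:05Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateInternetGateway",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": null,
  "responseElements": {"internetGateway": {"internetGatewayId": "igw-0ffffffffffffffff", "attachmentSet": {}}}}
]
"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)

# EC2 API actions that change gateways (internet, egress-only, NAT, VPN,
# customer and transit gateways). Describe* calls are read-only and ignored.
GATEWAY_EVENTS = {
    "CreateInternetGateway", "AttachInternetGateway", "DetachInternetGateway",
    "DeleteInternetGateway", "CreateEgressOnlyInternetGateway", "DeleteEgressOnlyInternetGateway",
    "CreateNatGateway", "DeleteNatGateway",
    "CreateVpnGateway", "AttachVpnGateway", "DetachVpnGateway", "DeleteVpnGateway",
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "CreateTransitGateway", "DeleteTransitGateway",
}

# Hypothetical change register: the documented gateways and the principals
# allowed to change them. In practice this comes from your CMDB or IaC state.
DOCUMENTED_GATEWAYS = {"igw-0a1b2c3d4e5f6a7b8"}
AUTHORIZED_PRINCIPALS = {"arn:aws:iam::111122223333:role/NetworkChangeRole"}


def find_gateway_ids(obj, found=None):
    """Recursively collect values of keys ending in 'GatewayId' from a
    requestParameters / responseElements subtree (None yields an empty set)."""
    if found is None:
        found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.endswith("GatewayId") and isinstance(value, str):
                found.add(value)
            else:
                find_gateway_ids(value, found)
    elif isinstance(obj, list):
        for item in obj:
            find_gateway_ids(item, found)
    return found


def principal_of(record):
    """Return the stable principal: the issuing role ARN for assumed-role
    sessions, otherwise the identity ARN itself."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def triage(records):
    """Keep only gateway-change events and mark each as 'expected' (documented
    gateway, authorized principal) or 'review' with the reasons it failed."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in GATEWAY_EVENTS:
            continue
        principal = principal_of(rec)
        gateways = (find_gateway_ids(rec.get("requestParameters"))
                    | find_gateway_ids(rec.get("responseElements")))
        reasons = []
        if principal not in AUTHORIZED_PRINCIPALS:
            reasons.append("unauthorized principal")
        if any(g not in DOCUMENTED_GATEWAYS for g in gateways):
            reasons.append("undocumented gateway")
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "principal": principal,
            "gateways": sorted(gateways),
            "status": "review" if reasons else "expected",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run against the constructed records, the first event (an authorized role attaching a documented gateway) comes back as expected, the Describe call is skipped, and the late-night CreateInternetGateway by an IAM user is marked for review on both counts. To use it on real data, feed it the Records array from a CloudTrail log file or the output of a CloudTrail Lake or Athena query for the same event names, and replace the two register sets with your actual inventory.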

https://attack.mitre.org/techniques/T1100/

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html