Route Table Change
This alert occurs when Lacework detects a route table change.
Why this Alert is Important
A route table is one of the key components in networking: it determines the route that packets take in a network to reach a certain destination. Route table change alerts can be used to detect changes to those routes. Sometimes such a change may indicate a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack, where an attacker might try to forward the network traffic to a malicious gateway, causing loss of availability.
Investigation
Analyze the logs to find any unauthorized route changes. If you have any WAFs (Web Application Firewalls), review the rules and modify the ones that increase exposure.
Resolution
Ensure that all allowed routes are documented and that changes to them are made by authorized personnel.
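The investigation and resolution steps above can be combined into one log check. The following is an added example, not Lacework's code or part of the original page: it reviews route-change records against a documented route baseline and a list of authorized principals. It assumes the logs are AWS CloudTrail records; the account ID, ARNs, resource IDs, baseline and sample records are all constructed.

```python
# EC2 API calls that change routing, as named in the CloudTrail eventName field.
ROUTE_EVENTS = {"CreateRoute", "ReplaceRoute", "DeleteRoute", "CreateRouteTable", "DeleteRouteTable",
                "AssociateRouteTable", "DisassociateRouteTable", "ReplaceRouteTableAssociation"}
TARGET_KEYS = ("gatewayId", "natGatewayId", "networkInterfaceId", "instanceId",
               "transitGatewayId", "vpcPeeringConnectionId")
# Assumptions: the documented (route table, destination, target) baseline and the authorized role.
ALLOWED_ROUTES = {("rtb-0aaa1111", "0.0.0.0/0", "igw-0bbb2222")}
AUTHORIZED = {"arn:aws:iam::111122223333:role/network-admin"}

def principal(record):
    """Role ARN for assumed-role sessions, otherwise the caller's own ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def review(record):
    """Reasons a record needs follow-up; empty if none or not a route change."""
    name = record.get("eventName")
    if record.get("eventSource") != "ec2.amazonaws.com" or name not in ROUTE_EVENTS:
        return []
    who = principal(record)
    reasons = [] if who in AUTHORIZED else ["unauthorized principal " + who]
    if record.get("errorCode"):  # the call failed, so no route changed
        return reasons + ["failed attempt: " + record["errorCode"]]
    p = record.get("requestParameters") or {}
    rtb = p.get("routeTableId")
    dest = p.get("destinationCidrBlock") or p.get("destinationIpv6CidrBlock")
    target = next((p[k] for k in TARGET_KEYS if p.get(k)), None)
    if name in ("CreateRoute", "ReplaceRoute") and (rtb, dest, target) not in ALLOWED_ROUTES:
        reasons.append(f"undocumented route {dest} -> {target} in {rtb}")
    if name == "DeleteRoute" and any(r[:2] == (rtb, dest) for r in ALLOWED_ROUTES):
        reasons.append(f"documented route {dest} removed from {rtb}")
    return reasons

def scan(records):
    """Return (eventName, reasons) for each flagged record in a list of CloudTrail records."""
    return [(r["eventName"], why) for r in records if (why := review(r))]

# Constructed sample records in CloudTrail's shape (not real log data).
SAMPLE_ROLE = {"arn": "arn:aws:sts::111122223333:assumed-role/network-admin/alice", "sessionContext":
               {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/network-admin"}}}
SAMPLE_USER = {"arn": "arn:aws:iam::111122223333:user/dev-user"}
SAMPLE_ROUTE = {"routeTableId": "rtb-0aaa1111", "destinationCidrBlock": "0.0.0.0/0"}
def sample_record(name, ident, **params):
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": ident, "requestParameters": params}
SAMPLE = [sample_record("CreateRoute", SAMPLE_ROLE, gatewayId="igw-0bbb2222", **SAMPLE_ROUTE),
          sample_record("ReplaceRoute", SAMPLE_USER, networkInterfaceId="eni-0ccc3333", **SAMPLE_ROUTE),
          sample_record("DeleteRoute", SAMPLE_ROLE, **SAMPLE_ROUTE)]
```

For a real CloudTrail log file, pass the list under its top-level Records key to scan().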
Related Information
https://attack.mitre.org/techniques/T1100/
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html