GuardDuty Hands-on Lab

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Amazon GuardDuty Lab
Greg McConnel,
Security Solutions Architect
Jesse Fuchs,
Security Solutions Architect

Amazon GuardDuty
1. Intro to GuardDuty & Demo - 20 min
2. Lab 1 – Discovery & Remediation – EC2 - 35 min
3. Discussion - 10 min
4. Lab 2 – Discovery & Remediation – IAM - 35 min
5. Discussion - 10 min
6. Summary & Closing - 10 min
Amazon GuardDuty

Amazon GuardDuty
Quick Intro – very quick, I promise…
Amazon GuardDuty

Demo Start

Find the Needle, Skip the Haystack
GuardDuty helps security professionals quickly find the threats (needle) to
their environments in the sea of log data (haystack) so they can focus on
hardening their AWS environments and responding quickly to malicious or
suspicious behavior.
Amazon GuardDuty:
All Signal, No Noise

GuardDuty Threat Detection and Notification

GuardDuty Service Components
AWS
Accounts
Threat
Detection
Types
Data
Sources
Findings
Trusted &
Threat IP
Lists
Pricing

GuardDuty Account Relationships
• Adding accounts to the services is simple and done via the console or API.
• Invites accepted from an account will be designated as “Member” accounts. The
requestor will be the “Master” account.
Member
Account
…….
1
Member
Account
100 (max)
Master Account
Can Do the Following to ALL accounts:
• Generate Sample Findings
• Configure and View/Manage
Findings
• Suspend GuardDuty Service
• Upload and Manage Trusted IP and
Threat IP Lists (coming soon!)
Can only disable own account. Member
accounts must all be removed first and by
the member account.
Member Account Actions and
Visibility is Limited to the
Member Account.
Each Account Billed Separately.

GuardDuty Threat Detection Type Details
RECONNAISANCE INSTANCE COMPROMISE ACCOUNT COMPROMISE
Instance Recon:
• Port Probe/Accepted Comm
• Port Scan (intra-VPC)
• Brute Force Attack (IP)
• Drop Point (IP)
• Tor Communications
Account Recon:
• Tor API Call (failed)
• C&C Activity
• Malicious Domain Request
• EC2 on Threat List
• Drop Point IP
• Malicious Comms (ASIS)
• Bitcoin Mining
• Outbound DDoS
• Spambot Activity
• Outbound SSH Brute Force
• Unusual Network Port
• Unusual Traffic
Volume/Direction
• Unusual DNS Requests
• Domain Generated Algorithms
• Malicious API Call (bad IP)
• Tor API Call (accepted)
• CloudTrail Disabled
• Password Policy Change
• Instance Launch Unusual
• Region Activity Unusual
• Suspicious Console Login
• Unusual ISP Caller
• Mutating API Calls (create,
update, delete)
• High Volume of Describe calls
• Unusual IAM User Added
Signature Based Stateless Findings Behavioral Stateful Findings and Anomaly Detections

GuardDuty Data Sources
VPC Flow Logs
VPC flow logs
• Flow Logs for VPCs Do Not Need
to Be Turned On to Generate
Findings, data is consumed
through independent duplicate
stream.
• Suggested Turning On VPC Flow
Logs to Augment Data Analysis
(charges apply).
DNS Logs
DNS Logs
• DNS Logs are based on queries
made from EC2 instances to known
questionable domains.
• DNS Logs are in addition to Route
53 query logs. Route 53 is not
required for GuardDuty to
generate DNS based findings.
CloudTrail Events
CloudTrail Events
• CloudTrail history of AWS API calls
used to access the Management
Console, SDKs , CLI, etc. presented
by GuardDuty.
• Identification of user and account
activity including source IP address
used to make the calls.
Capture and save all event data via CWE or API Call for long term retention. Additional charges apply.

Lists: Trusted and Threat IP Lists
GuardDuty uses AWS developed threat intelligence and threat intelligence feeds
from: CrowdStrike & Proofpoint
Expand Findings with Custom Trusted IP Lists and Known Threat Lists
• Trusted IP lists whitelisted for secure communication with infrastructure and applications
• No Findings will be presented for IP Addresses on trusted lists (no false positives!)
• Threat lists consist of known malicious IP addresses.
• GuardDuty generates findings based on threat lists.
Limits: 1 Trusted and 6 Threat Lists per Account
TRUSTED
IP
LISTS
KNOWN THREATS,
CUSTOMER & PARTNER
PROVIDED
+

GuardDuty Findings: Console / API

ThreatPurpose ThreatFamilyName ThreatFamilyVariant: ResourceTypeAffected / . ! Artifact
Meaning: “An EC2 instance is communicating with a known Bitcoin IP
address that is part of a known Bitcoin domain”
CryptoCurrency BitcoinTool B: EC2 / . ! DNS
GuardDuty Finding: Details

GuardDuty Findings: Threat Purpose Details
• Backdoor: resource compromised and capable of contacting source home
• Behavior: activity that differs from established baseline
• Crypto Currency::detected software associated with Crypto currencies
• Pentest::activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth::attack trying to hide actions / tracks
• Trojan::program detected carrying out suspicious activity
• Unauthorized Access::suspicious activity / pattern by unauthorized user
Describes the primary purpose of the threat. Available at launch, more coming!

GuardDuty Findings: Severity Levels
LOW MEDIUM HIGH
Suspicious or malicious
activity blocked before it
compromised a resource.
Suspicious activity deviating
from normally observed
behavior.
Resource compromised and
actively being used for
unauthorized purpose.
Suggestion:
Take Immediate Action(s)
• Terminate instance(s)
• Rotate IAM access keys
Suggestion:
Investigate Further
• Check new software that
changed the behavior of a
resource
• Check changes to settings
• AV scan on resource (detect
unauthorized software)
• Examine permissions attached
to IAM entity implicated
Suggestion:
Take Immediate Action(s)
• No immediate recommended
steps – but take note of info
as something to address in
the future

• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Responding to Findings: Remediation
Automatic Remediation
GuardDuty CloudWatch Events Lambda
Amazon
GuardDuty
Amazon
CloudWatch
CloudWatch
Event
Lambda Function
AWS Lambda

• Findings point to a compromised instance (e.g. Backdoor:EC2/XORDDOS,
Backdoor:EC2/C&CActivity.B!DNS)
• CloudWatch Event Alarm triggers Lambda
• Instance tag can be checked to see if automatic action can be taken or if
manual intervention needed (e.g. critical productions services)
Responding to Findings: Automation Example
Lambda
Lambda Function
AWS Lambda
• Lambda Function:
• Removes instance from current Security
Group(s) and adds to one with all ingress
and egress blocked
• Snapshots EBS volume(s)
• Alerts Security Team

Demo Finish

Amazon GuardDuty
http://loftlab.gregmcconnel.net/

Amazon GuardDuty Lab 1
The first lab will generate GuardDuty findings when an EC2 instance attempts to connect to a IP in a customer
Threat List. We will assume this instance is compromised and isolate it using a Security Group. Here are the
steps:
• Environment Setup – Create Elastic IP and add this to a Custom Threat List. Run CloudFormation
Template
• Attack Simulation – In the background the ”Compromised” instance will connect with the “Malicious”
instance, generating GuardDuty findings
• Remediation – A Lambda function will be added that will remove the ”Compromised” instance from its
current Security Group and add it to one with no Ingress or Egress rule
• Extra Credit – Enhance the Lambda function to take additional actions on the ”Compromised” instance
http://loftlab.gregmcconnel.net/

Amazon GuardDuty Lab 1 Part 1

Amazon GuardDuty Lab 1 – Part 2

Discussion

For the second lab you will be focused on generating and remediating GuardDuty findings related to
compromised IAM credentials. Below are the steps you’ll be walking through:
• Environment Setup – Run the CloudFormation template and create the additional resources
• Attack Simulation – Setup a profile for stolen EC2 credentials and use the AWS CLI to see what you have
access to
• Remediation – Review the auto remediation Lambda function and other recommended remediations.
Answer questions related to how you would remediate these within your own company
• Extra Credit – Enhance the Lambda function to output a more granular alert, process other GuardDuty
findings, or rotate Instance Profiles to limit downtime of an application

Discussion

Amazon GuardDuty Call to Action
Enable GuardDuty - monitor the cost and findings during the 30 day free period –
assess after 30 days where GuardDuty will sit in your overall security strategy.
https://aws.amazon.com/guardduty/

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

GuardDuty Hands-on Lab

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a GuardDuty Hands-on Lab

Semelhante a GuardDuty Hands-on Lab (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

GuardDuty Hands-on Lab