Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Greg McConnel, Senior Solutions Architect
4/30/18
Amazon GuardDuty - Let's Attack
My Account!
(0414-SID)

Webinar prerequisites
To get the most out of this session, you must be comfortable with
several building blocks:
Amazon GuardDuty Amazon EC2 Amazon CloudWatch AWS Lambda IAM

Agenda
• Quick and Easy Reproductions
• Introduction to GuardDuty
• Quick and Easy Automated Remediations
• Introduction to GuardDuty Remediations
• Advanced Reproductions
• Additional GuardDuty Topics

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quick and Easy Reproductions

• Just expose ports on an EC2 instance to the Internet
• “port probe unprotected port”
• Expose ports 22 or 3389 - “brute force attacks”

• Port scan (nmap –Pn) from “compromised instance” to “internal
server”
• “port scan” finding
• Ping from “compromised instance” to “malicious host”
• “EC2 (unauthorized access) malicious IP caller (custom)” finding
• API calls from "malicious host”
• “IAM (unauthorized access and recon) malicious IP caller (custom)”
findings

Full Name Reproduction
Threat
Purpose
Resource
Type
Threat Family
Name
Custom
Recon:EC2/PortProbeUnprotectedPort Expose instance to the Internet - wait Recon EC2
Port Probe
Unprotected Port
Recon:EC2/Portscan
nmap -Pn to private IP of another EC2 instance
(same VPC)
Recon EC2 Portscan
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
Ping EC2 instance from another instance
(destination EIP in custom threat list)
Unauthorized
Access
EC2 Malicious IP Caller Custom
Recon:IAMUser/MaliciousIPCaller.Custom API calls from EC2 (EIP in custom threat list) Recon IAMUser Malicious IP Caller Custom
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Cus
tom
API calls from EC2 (EIP in custom threat list)
Unauthorized
Access
IAMUser Malicious IP Caller Custom
UnauthorizedAccess:IAMUser/InstanceCredentialExf
iltration
API calls from external host using temp creds
from IAM role for EC2
Unauthorized
Access
IAMUser
Instance Credential
Exfiltration
Blogpost Pending
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

1. The compromised instance connects to the
malicious host and port scans internal server. The
EIP on the malicious host is in a custom threat list.
This traffic is logged in VPC Flow Logs.
2. GuardDuty is monitoring VPC Flow Logs (in addition
to CloudTrail Logs and DNS Logs) and analyzing this
based on threat lists, machine learning, baselines,
etc.
3. GuardDuty generates two findings regarding this
activity and sends these to the GuardDuty console
and CloudWatch Events. The findings are:
Recon:EC2/Portscan &
4. The CloudWatch Event rule triggers an SNS topic and
Lambda function
5. SNS sends an e-mail with the finding information
and/or delivers findings to a SIEM
6. Automated Remediation: Lambda performs an
action on the compromised instance

1. Malicious host makes API calls. EIP on the instance
is in a custom threat list.
2. API calls are logged in CloudTrail.
3. GuardDuty is monitoring CloudTrail Logs (in
addition to VPC Flow Logs and DNS Logs) and
analyzing this based on threat lists, machine
learning, baselines, etc.
Recon:IAMUser/MaliciousIPCaller.Custom &
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Cu
stom
5. The CloudWatch Event rule triggers an SNS topic
and/or delivers the finding to a SIEM

Very Short GuardDuty Introduction

GuardDuty Threat Detection and Notification

GuardDuty Findings
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html

View the Findings

Quick and Easy Automated Remediations

1. The compromised instance connects to the
malicious host and port scans internal server. The
EIP on the malicious host is in a custom threat list.
This traffic is logged in VPC Flow Logs.
2. GuardDuty is monitoring VPC Flow Logs (in addition
to CloudTrail Logs and DNS Logs) and analyzing this
based on threat lists, machine learning, baselines,
etc.
Recon:EC2/Portscan &
4. The CloudWatch Event rule triggers an SNS topic
and Lambda function
and/or delivers findings to a SIEM
6. Automated Remediation: Lambda performs an
action on the compromised instance

Responding to Findings: Remediation
Automatic Remediation
GuardDuty CloudWatch Events Lambda
Amazon
GuardDuty
Amazon
CloudWatch
CloudWatch
Event
Lambda
Function
AWS Lambda

View the Remediation

Advanced Reproductions

• Run CloudFormation template
• SSH to Tester instance, run the script

Full Name Reproduction Threat Purpose
Resource
Type
Threat Family Name
UnauthorizedAccess:EC2/SSHBruteForce
https://github.com/awslabs/amazon-
guardduty-tester
Unauthorized
Access
EC2 SSH Brute Force
UnauthorizedAccess:EC2/RDPBruteForce
guardduty-tester
Unauthorized
Access
EC2 RDP Brute Force
Recon:EC2/Portscan
guardduty-tester
Recon EC2 Portscan
CryptoCurrency:EC2/BitcoinTool.B!DNS
guardduty-tester
Cryptocurrency EC2 Bitcoin Tool
Trojan:EC2/DNSDataExfiltration
guardduty-tester
Trojan EC2 DNS Data Exfiltration
https://github.com/awslabs/amazon-guardduty-tester

1. Script running on Red Team instance makes calls to both the
Linux and Windows instances for Brute Force Attacks
2. Script also makes DNS queries for additional findings.
3. GuardDuty is monitoring VPC Flow Logs (in addition to
CloudTrail Logs and DNS Logs) and analyzing this based on
threat lists, machine learning, baselines, etc.
4. GuardDuty generates a number of findings regarding this
activity and sends these to the GuardDuty console and
CloudWatch Events.

Additional GuardDuty Topics

GuardDuty Account Relationships
• Adding accounts to the service is simple and done via the console or API.
• Invites accepted from an account will be designated as “Member” accounts. The requestor
will be the “Master” account.
Member
Account
…. .
1
Member
Account
1000 (max)
Master Account
Can Do the Following to ALL accounts:
• Generate Sample Findings
• Configure and View/Manage Findings
• Suspend GuardDuty Service
• Upload and Manage Trusted IP and
Threat IP List
Can only disable own account. Member accounts
must all be removed first and by the member
account.
Member Account Actions and
Visibility is Limited to the Member
Account.
Each Account Billed Separately.

Lists: Trusted and Threat IP Lists
GuardDuty uses AWS developed threat intelligence and threat intelligence feeds from:
• CrowdStrike
• Proofpoint
Expand Findings with Custom Trusted IP Lists and Known Threat Lists
• Trusted IP lists whitelisted for secure communication with infrastructure and applications.
• No Findings will be presented for IP Addresses on trusted lists (no false positives!)
• Threat lists consist of known malicious IP addresses.
• GuardDuty generates findings based on threat lists.
Limits: 1 Trusted and 6 Threat Lists per Account
TRUSTED
IP
LISTS
KNOWN THREATS
CUSTOMER and PARTNER
PROVIDED
+

GuardDuty Pricing*
US East (N. Virginia)
US East (Ohio)
US West (Oregon)
Asia Pacific (Mumbai)
EU (Ireland)
EU (London)
EU (Paris)
US West (N. California)
Canada (Central)
EU (Frankfurt)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific
(Tokyo)
South America
(Sao Paulo)
VPC Flow Log and DNS Log Analysis
First 500 GB / month $1.00 $1.10 $1.15 $1.18 $1.75
Next 2000 GB / month $0.50 $0.55 $0.58 $0.59 $0.88
Over 2500 GB / month $0.25 $0.28 $0.29 $0.29 $0.44
AWS CloudTrail Event Analysis
Per 1,000,000 events / month $4.00 $4.40 $4.60 $4.72 $7.00
Free Trial: Any new account to Amazon GuardDuty can try the service for 30-days at no cost. Provides access to the full feature set
and detections during the free trial. GuardDuty will display the volume of logs processed and estimated daily average service charges
to provide a tailored price estimate for GuardDuty to protect all AWS accounts.
Simple Low Cost Pricing Model. Enabled on a Regional Basis.
*EDP pricing discounts apply to the
Amazon GuardDuty service.

Reproductions Summary
EC2 Instance
Malicious
Host
Any Host
Recon:EC2/PortProbeUnprotectedPort – Low Severity
UnauthorizedAccess:EC2/SSHBruteForce – Low Severity
UnauthorizedAccess:EC2/RDPBruteForce – Low Severity
Recon:EC2/Portscan – Low Severity
UnauthorizedAccess:EC2/SSHBruteForce – High Severity
UnauthorizedAccess:EC2/RDPBruteForce – High Severity
Any Host External to AWS
(using temp creds from IAM
Role for EC2)
API Endpoints
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom – Medium Severity
Malicious
Host
(custom)
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration – High Severity
Malicious
Host
(custom)
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom – Medium Severity
Recon:IAMUser/MaliciousIPCaller.Custom – Medium Severity

Get Started with Amazon GuardDuty Today
1. Log on to AWS Management Console
2. Enable GuardDuty in Master Account for Each Region to Monitor
3. Invite Member Accounts
4. Start Viewing Findings and Export
5. Set up CloudWatch Events to Log Findings
6. Respond to Findings
GuardDuty to Slack integration: https://github.com/aws-samples/amazon-guardduty-to-slack
Multi-account script: https://github.com/aws-samples/amazon-guardduty-multiaccount-scripts
Testing scripts- https://github.com/awslabs/amazon-guardduty-tester

Thank you!

Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks

Ähnlich wie Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks