
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS re:Inforce 2019


Amazon GuardDuty is a threat detection system that is reimagined and purpose-built for the cloud. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real-time and at scale. You do not have to deploy or manage any additional security software, sensors, or network appliances. Threat intelligence is pre-integrated into the service and is continuously updated and maintained. This session introduces you to GuardDuty, walks you through the detection of an event, and discusses the various ways you can react and remediate.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Threat detection on AWS: An introduction to Amazon GuardDuty. Ryan Holland, Principal Industry Specialist, AWS. FND216
  2. The AWS security services ecosystem. Categories: Identify, Protect, Detect, Respond, Automate, Investigate, Recover. Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, KMS, IAM, AWS Single Sign-On, Snapshot, Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier
  3. Amazon GuardDuty: Threat detection and notification. GuardDuty is a managed threat detection service that continuously monitors for malicious or unusual behavior to help you protect your AWS accounts and workloads. GuardDuty monitors:
     • Unusual API calls
     • Potentially unauthorized deployments that indicate a possible account compromise
     • Potentially compromised instances or reconnaissance by attackers
  4. Amazon GuardDuty: Threat detection and notification. Data sources (VPC flow logs, DNS logs, AWS CloudTrail events) feed Amazon GuardDuty, which detects threats and notifies you through findings rated High, Medium, or Low.
  5. Amazon GuardDuty data sources
     • VPC flow logs: VPC flow logs do not need to be turned on to generate findings; data is consumed through an independent duplicate stream. Provides information about network communications for threat intel and behavioral detections.
     • DNS logs: DNS logs are based on queries made from Amazon EC2 instances to known and unknown questionable domains. DNS logs are in addition to Amazon Route 53 query logs; Route 53 is not required for Amazon GuardDuty to generate DNS-based findings.
     • AWS CloudTrail events: AWS CloudTrail history of the AWS API calls used to access the AWS Management Console, SDKs, AWS CLI, etc. Identification of user and account activity, including the source IP address used to make the calls.
  6. Amazon GuardDuty service benefits
     • Continuous monitoring of your AWS accounts and resources
     • Detects unknown threats (behavior-based)
     • Detects known threats (threat intel-based)
     • Global coverage with regional results
     • One-click activation with no architectural or performance impact
     • Managed threat detection service
     • Enterprise-wide consolidation and management
  7. What can Amazon GuardDuty detect? Detecting known threats using threat intelligence
     • Amazon GuardDuty leverages threat intelligence from various sources: AWS security intel; open source and AWS partners; customer-provided threat intel
     • Threat intelligence enables Amazon GuardDuty to identify the following: known malware-infected hosts; anonymizing proxies; sites hosting malware and hacker tools; cryptocurrency mining pools and wallets
  8. Unknown threats using machine learning. Algorithms to detect unusual behavior:
     • Inspecting signal patterns for heuristics
     • Profiling normal and looking at deviations
     • Machine learning classifiers
  9. Threat detection classes
     • Reconnaissance: unprotected port probed; port scan performed; user permissions discovery; network permissions discovery; resource permissions discovery; inbound Tor traffic
     • Instance compromise: denial of service traffic; spam activity; C&C activity; network port unusual; traffic volume unusual; Bitcoin activity; black hole DNS address; DGA domain; DNS data exfiltration; drop point DNS; phishing domain; outbound brute force; outbound Tor traffic
     • Account compromise: unusual network permission change; unusual resource permission change; unusual compute resources launch; AWS CloudTrail logging disabled; password policy change; unusual console login attempts; unusual console login successful; instance credentials exfiltration
  10. Threat detection classification (threat purpose class)
     • Backdoor: resource compromised and capable of contacting its source home
     • Behavior: activity that differs from the established baseline
     • Cryptocurrency: detected software associated with cryptocurrencies
     • Pentest: activity detected similar to that generated by known penetration testing tools
     • Persistence: established a presence in the environment
     • Recon: attack scoping vulnerabilities by probing ports, listening, using database tables, etc.
     • Resource consumption: activity that differs from the established baseline
     • Stealth: attack trying to hide actions/tracks
     • Trojan: program detected carrying out suspicious activity
     • Unauthorized access: suspicious activity/pattern by an unauthorized user
  11. Reviewing findings: Amazon GuardDuty console (console screenshot)
  12. Reviewing findings: API/JSON findings details. Findings are available in the AWS Management Console and in API/JSON format. Threat information:
     • Severity
     • Region
     • Count/frequency
     • Threat type
     • Affected resource
     • Source information
     • Viewable via Amazon CloudWatch Events
  13. Reviewing findings: Amazon CloudWatch Events
     • Amazon GuardDuty aggregates all changes to findings that take place in five-minute intervals into a single event
     • Amazon CloudWatch Events can be graphed, stored, exported, and further analyzed
     (Slide shows an example GuardDuty-related CloudWatch event.)
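The fields the deck lists on slides 12 and 13 (severity, region, count/frequency, threat type, affected resource, source information) arrive wrapped in a CloudWatch Events envelope. The following is an added example, not code from the deck or from AWS, that flattens such an event into one record a SIEM forwarder or Lambda function can act on. SAMPLE_EVENT is a constructed event: the field names follow the GuardDuty finding JSON, while the event id, finding id, account number and IP address (RFC 5737 range) are made up.

```python
"""Normalize a GuardDuty finding delivered as an Amazon CloudWatch Events event.

Added example, not code from the deck or from AWS. SAMPLE_EVENT is constructed:
the field names follow the GuardDuty finding JSON, the ids, account and address
are made up.
"""

SAMPLE_EVENT = {
    "id": "cd2d702e-ab31-411b-9344-793ce56b1bc7",   # constructed CloudWatch event id
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",                # constructed account number
        "region": "us-east-1",
        "id": "12b34c56d78e90f1a2b3c4d5e6f7a8b9",    # constructed finding id
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "tags": [{"key": "Owner", "value": "payments"},
                         {"key": "IncidentResponse", "value": "isolate"}],
            },
        },
        "service": {
            "action": {
                "actionType": "PORT_PROBE",
                "portProbeAction": {
                    "blocked": False,
                    "portProbeDetails": [{
                        "localPortDetails": {"port": 22, "portName": "SSH"},
                        "remoteIpDetails": {"ipAddressV4": "198.51.100.7"},
                    }],
                },
            },
            "count": 3,   # raised each time the finding is updated (five-minute batches)
            "eventFirstSeen": "2019-06-25T16:50:12Z",
            "eventLastSeen": "2019-06-25T17:03:41Z",
        },
    },
}


def severity_label(severity):
    """Map GuardDuty's numeric severity to the High/Medium/Low labels of the console."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def is_guardduty_finding(event):
    """Defensive check: only GuardDuty finding events may reach the response logic."""
    return (event.get("source") == "aws.guardduty"
            and event.get("detail-type") == "GuardDuty Finding")


def source_ip(action):
    """Pull the remote IPv4 address from whichever action block the finding carries."""
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        return action["networkConnectionAction"]["remoteIpDetails"].get("ipAddressV4")
    if kind == "AWS_API_CALL":
        return action["awsApiCallAction"]["remoteIpDetails"].get("ipAddressV4")
    if kind == "PORT_PROBE":
        probes = action["portProbeAction"].get("portProbeDetails", [])
        return probes[0]["remoteIpDetails"].get("ipAddressV4") if probes else None
    return None   # DNS_REQUEST findings carry a domain, not a remote address


def normalize_finding(event):
    """Flatten the envelope into the fields a responder needs; raises on foreign events."""
    if not is_guardduty_finding(event):
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType")
    resource_id, tags = None, {}
    if rtype == "Instance":
        inst = resource.get("instanceDetails", {})
        resource_id = inst.get("instanceId")
        tags = {t["key"]: t["value"] for t in inst.get("tags", [])}
    elif rtype == "AccessKey":
        resource_id = resource.get("accessKeyDetails", {}).get("accessKeyId")
    service = detail.get("service", {})
    return {
        "id": detail["id"], "type": detail["type"],
        "severity": detail["severity"], "label": severity_label(detail["severity"]),
        "region": detail["region"], "account": detail["accountId"],
        "count": service.get("count", 1),
        "first_seen": service.get("eventFirstSeen"), "last_seen": service.get("eventLastSeen"),
        "resource_type": rtype, "resource_id": resource_id, "tags": tags,
        "source_ip": source_ip(service.get("action", {})),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_finding(SAMPLE_EVENT), indent=2))
```

Because GuardDuty batches updates to an existing finding, the same finding id will be delivered repeatedly with a rising count; keying any ticket or alert on `id` rather than on the event keeps the five-minute updates from turning into duplicate tickets.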
  14. Rich integration via Amazon CloudWatch and AWS Lambda. Amazon GuardDuty → Amazon CloudWatch Events → AWS Lambda function. Act on findings:
     • Integrate with SIEM or other security technologies
     • Remediate compromised instance or AWS credentials
     • Employ AWS Lambda to automate further
  15. Automating incident response
     • AWS Lambda: run code for virtually any kind of application or backend service, with zero administration
     • AWS Systems Manager: gain operational insights, and take action on AWS resources
     • Amazon Inspector: automate security assessments of Amazon EC2 instances
  16. Automating incident response. Amazon GuardDuty findings → Amazon CloudWatch Events → AWS Lambda function → automated response, partner solutions, or anything else.
  17. Incident response: Network ACL and AWS WAF rules. Amazon GuardDuty findings flow through Amazon CloudWatch to AWS Lambda functions, orchestrated by AWS Step Functions, which update the network access control list and the AWS WAF rules protecting application requests (static + dynamic) served through Amazon CloudFront, AWS Shield, and an Application Load Balancer.
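The network ACL and WAF updates on this slide have ordering and quota rules that a Lambda must respect before calling the API: a network ACL evaluates entries in ascending rule-number order and the first match wins, so a deny entry only works if it is numbered below every allow rule that could match; a network ACL has a small default entry quota; and a WAF classic IPv4 IP set only accepts /8, /16, /24 and /32 prefixes. The following is an added example, not code from the deck or from AWS, that prepares the arguments for `ec2.create_network_acl_entry` and `waf.update_ip_set` and refuses the cases the service would reject, without calling either API. EXISTING_ENTRIES is a constructed snapshot in the shape of DescribeNetworkAcls output, and all addresses are from RFC 5737 documentation ranges.

```python
"""Plan a network ACL deny entry and a WAF (classic) IP set insert for one source IP.

Added example, not code from the deck or from AWS. Nothing here calls AWS; the
dictionaries returned are the kwargs a Lambda would hand to boto3.
EXISTING_ENTRIES is constructed; addresses are RFC 5737 documentation ranges.
"""
import ipaddress

DEFAULT_RULE = 32767                  # EC2's fixed catch-all deny; cannot be edited or reused
ENTRY_QUOTA = 20                      # default inbound entries per network ACL (adjustable quota)
WAF_IPV4_PREFIXES = (8, 16, 24, 32)   # the only IPv4 prefix lengths a WAF classic IP set accepts

EXISTING_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 5, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "203.0.113.0/24"},
    {"RuleNumber": DEFAULT_RULE, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]


def inbound_entries(entries):
    """Editable inbound entries only: egress rules and the catch-all do not count."""
    return [e for e in entries if not e["Egress"] and e["RuleNumber"] != DEFAULT_RULE]


def already_denied(entries, addr):
    """True when an existing inbound deny (IPv4 CidrBlock) already covers the address."""
    return any(e["RuleAction"] == "deny" and e.get("CidrBlock")
               and addr in ipaddress.ip_network(e["CidrBlock"])
               for e in inbound_entries(entries))


def plan_nacl_deny(nacl_id, entries, ip, quota=ENTRY_QUOTA):
    """Return (kwargs for create_network_acl_entry, "ok") or (None, reason).

    Picks the lowest free rule number below the lowest inbound allow rule, so the
    deny is evaluated before any allow that could match the address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return None, "IPv6 not handled by this example"
    if already_denied(entries, addr):
        return None, "already denied"
    inbound = inbound_entries(entries)
    if len(inbound) >= quota:
        return None, "network ACL entry quota reached; expire old entries first"
    used = {e["RuleNumber"] for e in inbound}
    ceiling = min((e["RuleNumber"] for e in inbound if e["RuleAction"] == "allow"),
                  default=DEFAULT_RULE)
    rule = next((n for n in range(1, ceiling) if n not in used), None)
    if rule is None:
        return None, "no free rule number below the first allow rule"
    return {
        "NetworkAclId": nacl_id,
        "RuleNumber": rule,
        "Protocol": "-1",          # all protocols
        "RuleAction": "deny",
        "Egress": False,
        "CidrBlock": f"{addr}/32",
    }, "ok"


def plan_waf_ipset_insert(ip_set_id, change_token, cidr):
    """Return kwargs for waf.update_ip_set, rejecting prefixes the service would refuse."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in WAF_IPV4_PREFIXES:
        raise ValueError(f"WAF classic IPv4 sets accept only /8, /16, /24, /32: {cidr}")
    return {
        "IPSetId": ip_set_id,
        "ChangeToken": change_token,   # from waf.get_change_token, fetched just before the call
        "Updates": [{"Action": "INSERT",
                     "IPSetDescriptor": {"Type": "IPV4", "Value": str(net)}}],
    }


if __name__ == "__main__":
    print(plan_nacl_deny("acl-0123456789abcdef0", EXISTING_ENTRIES, "198.51.100.7"))
    print(plan_waf_ipset_insert("ipset-example", "token-example", "198.51.100.7/32"))
```

The quota check is the part most often missed in practice: a blocklist that grows one entry per finding fills a default network ACL in an afternoon, after which the Lambda fails and the response pipeline silently stops, so the `None` reasons returned here are exactly the conditions that should page a human.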
  18. Automating data collection: AWS Lambda + AWS Systems Manager. An Amazon CloudWatch rule on an Amazon GuardDuty finding invokes an AWS Lambda function, which runs Systems Manager documents on the Amazon EC2 instance to capture instance contents (Instance:~ ec2-user$ top; Instance:~ ec2-user$ pcap; Instance:~ ec2-user$ lime) and takes an Amazon EBS snapshot of the Amazon EBS volume for forensics.
  19. Automatic remediation examples. An Amazon CloudWatch rule on an Amazon GuardDuty finding triggers an AWS Lambda function that either isolates the instance:
     1. Detach instance from Auto Scaling group and Elastic Load Balancing
     2. Remove IAM role
     3. Snapshot volume
     4. Replace security group on elastic network interface(s) to disallow all traffic
     5. Attach forensics network interface
     or takes the simpler path:
     1. Terminate instance
  20. Enabling automated remediation
     • Pick the right action based on the affected resource; one size does not fit all: notify/ticket, isolate, terminate/replace
     • A well-defined and consistently enforced tagging strategy is key to enabling remediation
     • Security needs to work with application owners (we should be doing this anyway!)
     • Start with notifications, move deliberately toward more assertive actions
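Slides 19 and 20 together describe a decision: the action depends on the affected resource, the owner's tags say how far security may go with that resource, and the organisation moves from notifications toward isolation and termination deliberately. The following is an added example, not code from the deck or from AWS, that encodes that decision as a planner. The tag key "IncidentResponse" and its values are an assumption of this example, not an AWS convention; the finding dict carries the fields a finding exposes (type, severity, resource type, resource id, tags). The plan is a list of steps in the deck's order that a Lambda function would carry out with the EC2, IAM and Auto Scaling APIs.

```python
"""Choose the response to a GuardDuty finding from the affected resource and its tags.

Added example, not code from the deck or from AWS. The "IncidentResponse" tag is an
assumption of this example; the finding dict and its values are constructed.
"""

LEVELS = ("notify", "isolate", "terminate")   # least to most assertive
TAG_KEY = "IncidentResponse"                  # assumed tag, set by the application owner

# Isolation playbook from the deck, in the deck's order.
ISOLATE_STEPS = (
    "detach instance from its Auto Scaling group and Elastic Load Balancing",
    "remove the IAM role from the instance",
    "snapshot the attached volumes",
    "replace the security group on each network interface with one that disallows all traffic",
    "attach the forensics network interface",
)

SAMPLE_FINDING = {                            # constructed finding, already flattened
    "id": "finding-example",
    "type": "Backdoor:EC2/C&CActivity.B!DNS",
    "severity": 8.0,
    "resource_type": "Instance",
    "resource_id": "i-0123456789abcdef0",
    "tags": {"IncidentResponse": "terminate", "Owner": "payments"},
}


def requested_level(finding):
    """Level the finding and the owner's tag ask for, before the organisation-wide cap."""
    if finding["resource_type"] != "Instance":
        return "notify"   # this planner only automates instance actions; credentials get a ticket
    if finding["type"].startswith("Recon:"):
        return "notify"   # probes and scans alone do not justify touching the workload
    tagged = finding["tags"].get(TAG_KEY, "notify")
    if tagged not in LEVELS:
        return "notify"   # a mistyped tag value must never escalate
    if tagged == "terminate" and finding["severity"] < 7.0:
        return "isolate"  # only High-severity findings earn a destructive action
    return tagged


def plan_response(finding, max_level="notify"):
    """Return {"level", "steps"}; max_level is the ceiling the security team has enabled.

    The default ceiling is "notify", matching the deck's advice to start there and
    raise it deliberately once the tagging strategy and owners are in place.
    """
    level = requested_level(finding)
    if LEVELS.index(level) > LEVELS.index(max_level):
        level = max_level
    owner = finding["tags"].get("Owner", "unknown owner")
    steps = [f"notify {owner} and open a ticket for finding {finding['id']} ({finding['type']})"]
    if level == "isolate":
        steps.extend(ISOLATE_STEPS)
    elif level == "terminate":
        steps.append(f"terminate instance {finding['resource_id']}")
    return {"level": level, "steps": steps}


if __name__ == "__main__":
    for ceiling in LEVELS:
        plan = plan_response(SAMPLE_FINDING, max_level=ceiling)
        print(f"ceiling={ceiling}: level={plan['level']}")
        for step in plan["steps"]:
            print("  -", step)
```

Every plan starts with the notification step, whatever the level, so raising the ceiling never removes the human from the loop; it only adds the actions the owner has consented to through the tag.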
  21. Thank you!
