© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Amazon GuardDuty Lab
Greg McConnel, Security Solutions Architect
Jesse Fuchs, Security Solutions Architect
Michael St.Onge, Global Cloud Security Architect
Amazon GuardDuty – Agenda
1. Intro to GuardDuty & Demo - 20 min – 1:50 – 2:10
2. Lab 1 – Discovery & Remediation – EC2 - 35 min – 2:10 - 2:45 (part 2 at 2:30)
3. Discussion - 10 min
4. Lab 2 – Discovery & Remediation – IAM - 35 min
5. Discussion - 10 min
6. Summary & Closing - 10 min
Amazon GuardDuty
Quick Intro – very quick, I promise…
Demo Start
Find the Needle, Skip the Haystack
GuardDuty helps security professionals quickly find the threats (needle) to their environments in the sea of log data (haystack) so they can focus on hardening their AWS environments and responding quickly to malicious or suspicious behavior.
Amazon GuardDuty: All Signal, No Noise
GuardDuty Threat Detection and Notification
GuardDuty Service Components: AWS Accounts | Threat Detection Types | Data Sources | Findings | Trusted & Threat IP Lists | Pricing
GuardDuty Account Relationships
• Adding accounts to the service is simple and done via the console or API.
• Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account.
Member Account 1 ……. Member Account 100 (max)
Master Account – can do the following to ALL accounts:
• Generate Sample Findings
• Configure and View/Manage Findings
• Suspend GuardDuty Service
• Upload and Manage Trusted IP and Threat IP Lists (coming soon!)
The Master account can only disable its own account; member accounts must all be removed first, and by the member account.
Member account actions and visibility are limited to the member account.
Each account is billed separately.
GuardDuty Threat Detection Type Details

RECONNAISSANCE
Instance Recon:
• Port Probe/Accepted Comm
• Port Scan (intra-VPC)
• Brute Force Attack (IP)
• Drop Point (IP)
• Tor Communications
Account Recon:
• Tor API Call (failed)

INSTANCE COMPROMISE
• C&C Activity
• Malicious Domain Request
• EC2 on Threat List
• Drop Point IP
• Malicious Comms (ASIS)
• Bitcoin Mining
• Outbound DDoS
• Spambot Activity
• Outbound SSH Brute Force
• Unusual Network Port
• Unusual Traffic Volume/Direction
• Unusual DNS Requests
• Domain Generated Algorithms

ACCOUNT COMPROMISE
• Malicious API Call (bad IP)
• Tor API Call (accepted)
• CloudTrail Disabled
• Password Policy Change
• Instance Launch Unusual
• Region Activity Unusual
• Suspicious Console Login
• Unusual ISP Caller
• Mutating API Calls (create, update, delete)
• High Volume of Describe calls
• Unusual IAM User Added

Legend spanning the three columns, left to right: Signature Based Stateless Findings → Behavioral Stateful Findings and Anomaly Detections
GuardDuty Data Sources
VPC Flow Logs
• Flow logs for VPCs do not need to be turned on to generate findings; the data is consumed through an independent duplicate stream.
• Turning on VPC Flow Logs is suggested to augment data analysis (charges apply).
DNS Logs
• DNS logs are based on queries made from EC2 instances to known questionable domains.
• DNS logs are in addition to Route 53 query logs; Route 53 is not required for GuardDuty to generate DNS-based findings.
CloudTrail Events
• CloudTrail history of AWS API calls used to access the Management Console, SDKs, CLI, etc., presented by GuardDuty.
• Identification of user and account activity, including the source IP address used to make the calls.
Capture and save all event data via CloudWatch Events (CWE) or API call for long-term retention. Additional charges apply.
Lists: Trusted and Threat IP Lists
GuardDuty uses AWS-developed threat intelligence and threat intelligence feeds from CrowdStrike & Proofpoint.
Expand findings with custom Trusted IP lists and known Threat lists:
• Trusted IP lists: IP addresses whitelisted for secure communication with infrastructure and applications.
• No findings will be presented for IP addresses on trusted lists (no false positives!).
• Threat lists consist of known malicious IP addresses.
• GuardDuty generates findings based on threat lists.
Limits: 1 Trusted and 6 Threat Lists per account.
Diagram: Trusted IP Lists + Known Threats (customer & partner provided)
GuardDuty Findings: Console / API
GuardDuty Finding: Details
Finding type format: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
Example: CryptoCurrency:EC2/BitcoinTool.B!DNS
Meaning: “An EC2 instance is communicating with a known Bitcoin IP address that is part of a known Bitcoin domain”
GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting source home
• Behavior: activity that differs from established baseline
• Crypto Currency: detected software associated with crypto currencies
• Pentest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• Unauthorized Access: suspicious activity / pattern by unauthorized user
GuardDuty Findings: Severity Levels
LOW – Suspicious or malicious activity blocked before it compromised a resource.
  Suggestion: No immediate recommended steps, but take note of the info as something to address in the future.
MEDIUM – Suspicious activity deviating from normally observed behavior.
  Suggestion: Investigate Further
  • Check new software that changed the behavior of a resource
  • Check changes to settings
  • AV scan on resource (detect unauthorized software)
  • Examine permissions attached to the IAM entity implicated
HIGH – Resource compromised and actively being used for an unauthorized purpose.
  Suggestion: Take Immediate Action(s)
  • Terminate instance(s)
  • Rotate IAM access keys
Responding to Findings: Remediation
• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Automatic Remediation pipeline: Amazon GuardDuty → Amazon CloudWatch (CloudWatch Event) → AWS Lambda (Lambda Function)
Responding to Findings: Automation Example
• Findings point to a compromised instance (e.g. Backdoor:EC2/XORDDOS, Backdoor:EC2/C&CActivity.B!DNS)
• CloudWatch Event rule triggers Lambda
• Instance tag can be checked to see if automatic action can be taken or if manual intervention is needed (e.g. critical production services)
• Lambda Function:
  • Removes instance from current Security Group(s) and adds it to one with all ingress and egress blocked
  • Snapshots EBS volume(s)
  • Alerts Security Team
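The finding-type format from the "Finding: Details" slide and the tag-check / isolate / snapshot / alert pipeline on this slide, as one added example written for this edit (not the lab's or AWS's own code). The remediation logic takes injected clients so it runs offline against the fake clients at the bottom; the tag name GuardDutyRemediation, the list of auto-isolated ThreatPurposes, the environment variable names and the sample event and instance are all constructed assumptions.

```python
import json, os, re

# Finding type grammar from the deck:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# Variant and Artifact are optional (Backdoor:EC2/XORDDOS has neither).
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[^.!]+)(?:\.(?P<variant>[^!]+))?(?:!(?P<artifact>.+))?$")
# Assumption: only these ThreatPurposes auto-isolate; Recon and Behavior stay manual.
AUTO_ISOLATE_PURPOSES = {"Backdoor", "CryptoCurrency", "Trojan"}
# Assumption: tag an instance GuardDutyRemediation=manual to opt it out of automation.
OPT_OUT_TAG = "GuardDutyRemediation"

def parse_finding_type(finding_type):
    """Split a GuardDuty finding type string into its named components."""
    match = FINDING_TYPE_RE.match(finding_type)
    if not match:
        raise ValueError("unrecognised finding type: %s" % finding_type)
    return match.groupdict()

def remediate(event, ec2, sns, isolation_sg, topic_arn):
    """Apply the deck's response to one finding delivered by CloudWatch Events.
    event["detail"] is the finding JSON; ec2 and sns are boto3-style clients."""
    finding = event["detail"]
    parts = parse_finding_type(finding["type"])
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    summary = "%s on %s (severity %s)" % (finding["type"], instance_id, finding["severity"])
    # Tag check: critical production instances get a human, not automation.
    if tags.get(OPT_OUT_TAG, "").lower() == "manual":
        sns.publish(TopicArn=topic_arn, Subject="GuardDuty: manual review needed", Message=summary)
        return {"action": "manual", "instance": instance_id}
    if parts["purpose"] not in AUTO_ISOLATE_PURPOSES:
        return {"action": "none", "instance": instance_id, "purpose": parts["purpose"]}
    # 1. Replace every security group with the deny-all isolation group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    # 2. Snapshot each attached EBS volume for later forensics.
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        if "Ebs" in mapping:
            resp = ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"],
                                       Description="GuardDuty isolation: " + summary)
            snapshots.append(resp["SnapshotId"])
    # 3. Alert the security team.
    sns.publish(TopicArn=topic_arn, Subject="GuardDuty: instance isolated",
                Message=json.dumps({"finding": summary, "snapshots": snapshots}))
    return {"action": "isolated", "instance": instance_id, "snapshots": snapshots}

def lambda_handler(event, context):
    """Real Lambda entry point; assumes ISOLATION_SG and ALERT_TOPIC_ARN env vars."""
    import boto3  # imported here so the offline demo below needs no boto3
    return remediate(event, boto3.client("ec2"), boto3.client("sns"),
                     os.environ["ISOLATION_SG"], os.environ["ALERT_TOPIC_ARN"])

# ---- Offline fakes and constructed sample data (not real AWS output) ----
class FakeEC2:
    def __init__(self, instance):
        self.instance, self.calls = instance, []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))
        return {}

    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId.split("-")[1]}

class FakeSNS:
    def __init__(self):
        self.messages = []

    def publish(self, TopicArn, Subject, Message):
        self.messages.append((Subject, Message))
        return {"MessageId": "msg-1"}

def sample_event(finding_type="Backdoor:EC2/C&CActivity.B!DNS", severity=8.0):
    """Constructed CloudWatch Events payload carrying a GuardDuty finding."""
    return {"detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "resource": {"resourceType": "Instance",
                                    "instanceDetails": {"instanceId": "i-0example1"}}}}

def demo(finding_type="Backdoor:EC2/C&CActivity.B!DNS", tags=()):
    """Run remediate() against the fakes; returns (result, ec2 calls, SNS messages)."""
    instance = {"InstanceId": "i-0example1",
                "Tags": [{"Key": k, "Value": v} for k, v in tags],
                "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-aaa111"}},
                                        {"Ebs": {"VolumeId": "vol-bbb222"}}]}
    ec2, sns = FakeEC2(instance), FakeSNS()
    result = remediate(sample_event(finding_type), ec2, sns, "sg-isolation0",
                       "arn:aws:sns:us-east-1:123456789012:sec-alerts")
    return result, ec2.calls, sns.messages
```

Call demo() for the isolate path and demo(tags=(("GuardDutyRemediation", "manual"),)) to see the opt-out path route to a human instead.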
Demo Finish
Amazon GuardDuty
http://loftlab.gregmcconnel.net/
Amazon GuardDuty Lab 1
The first lab will generate GuardDuty findings when an EC2 instance attempts to connect to an IP in a customer Threat List. We will assume this instance is compromised and isolate it using a Security Group. Here are the steps:
• Environment Setup – Create an Elastic IP and add it to a Custom Threat List. Run the CloudFormation Template.
• Attack Simulation – In the background the “Compromised” instance will connect with the “Malicious” instance, generating GuardDuty findings.
• Remediation – A Lambda function will be added that removes the “Compromised” instance from its current Security Group and adds it to one with no Ingress or Egress rules.
• Extra Credit – Enhance the Lambda function to take additional actions on the “Compromised” instance.
http://loftlab.gregmcconnel.net/
Amazon GuardDuty Lab 1 Part 1
Amazon GuardDuty Lab 1 – Part 2
Amazon GuardDuty Lab 1 – Discussion
Amazon GuardDuty Lab 2
For the second lab you will be focused on generating and remediating GuardDuty findings related to compromised IAM credentials. Below are the steps you’ll be walking through:
• Environment Setup – Run the CloudFormation template and create the additional resources.
• Attack Simulation – Set up a profile for stolen EC2 credentials and use the AWS CLI to see what you have access to.
• Remediation – Review the auto-remediation Lambda function and other recommended remediations. Answer questions related to how you would remediate these within your own company.
• Extra Credit – Enhance the Lambda function to output a more granular alert, process other GuardDuty findings, or rotate Instance Profiles to limit downtime of an application.
Amazon GuardDuty Lab 2
Amazon GuardDuty Lab 2 – Discussion
Amazon GuardDuty Call to Action
Enable GuardDuty – monitor the cost and findings during the 30 day free period – assess after 30 days where GuardDuty will sit in your overall security strategy.
https://aws.amazon.com/guardduty/
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS GuardDuty Lab Guide

GuardDuty Account Relationships
• Adding accounts to the service is simple and is done via the console or API.
• An account whose invite is accepted is designated a “Member” account; the requestor is the “Master” account.
• Member Account 1 … Member Account 100 (max)
Master Account can do the following to ALL accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend the GuardDuty service
• Upload and manage trusted IP and threat IP lists (coming soon!)
The master can only disable its own account; all member accounts must be removed first, and by the member account.
Member account actions and visibility are limited to the member account. Each account is billed separately.

GuardDuty Threat Detection Type Details

Reconnaissance
Instance recon:
• Port Probe / Accepted Comm
• Port Scan (intra-VPC)
• Brute Force Attack (IP)
• Drop Point (IP)
• Tor Communications
Account recon:
• Tor API Call (failed)

Instance Compromise
• C&C Activity
• Malicious Domain Request
• EC2 on Threat List
• Drop Point IP
• Malicious Comms (ASIS)
• Bitcoin Mining
• Outbound DDoS
• Spambot Activity
• Outbound SSH Brute Force
• Unusual Network Port
• Unusual Traffic Volume/Direction
• Unusual DNS Requests
• Domain Generated Algorithms

Account Compromise
• Malicious API Call (bad IP)
• Tor API Call (accepted)
• CloudTrail Disabled
• Password Policy Change
• Instance Launch Unusual
• Region Activity Unusual
• Suspicious Console Login
• Unusual ISP Caller
• Mutating API Calls (create, update, delete)
• High Volume of Describe Calls
• Unusual IAM User Added

The slide arranges these detections in two rows: signature-based stateless findings, and behavioral stateful findings and anomaly detections.

GuardDuty Data Sources

VPC Flow Logs
• Flow logs do not need to be turned on for a VPC to generate findings; GuardDuty consumes the data through an independent duplicate stream.
• Turning on VPC Flow Logs is suggested to augment your own data analysis (charges apply).

DNS Logs
• DNS findings are based on queries made from EC2 instances to known questionable domains.
• DNS logs are in addition to Route 53 query logs; Route 53 is not required for GuardDuty to generate DNS-based findings.

CloudTrail Events
• CloudTrail history of AWS API calls used to access the Management Console, SDKs, CLI, etc., presented by GuardDuty.
• Identification of user and account activity, including the source IP address used to make the calls.

Capture and save all event data via CloudWatch Events (CWE) or API call for long-term retention. Additional charges apply.

Lists: Trusted and Threat IP Lists
GuardDuty uses AWS-developed threat intelligence and threat intelligence feeds from CrowdStrike and Proofpoint.
Expand findings with custom trusted IP lists and known threat lists:
• Trusted IP lists are whitelisted for secure communication with your infrastructure and applications.
• No findings will be presented for IP addresses on trusted lists (no false positives!).
• Threat lists consist of known malicious IP addresses.
• GuardDuty generates findings based on threat lists.
Limits: 1 trusted list and 6 threat lists per account.
(Trusted IP lists; known threats, customer and partner provided.)

GuardDuty Findings: Console / API

GuardDuty Finding: Details
Finding types are named ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
Example: CryptoCurrency:EC2/BitcoinTool.B!DNS
Meaning: “An EC2 instance is communicating with a known Bitcoin IP address that is part of a known Bitcoin domain”

GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat.
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with cryptocurrencies
• PenTest: activity detected similar to that generated by known pen-testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide its actions/tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity/pattern by an unauthorized user
Available at launch, more coming!

GuardDuty Findings: Severity Levels

HIGH: Resource compromised and actively being used for an unauthorized purpose.
Suggestion: Take immediate action(s)
• Terminate instance(s)
• Rotate IAM access keys

MEDIUM: Suspicious activity deviating from normally observed behavior.
Suggestion: Investigate further
• Check new software that changed the behavior of a resource
• Check changes to settings
• AV scan on the resource (detect unauthorized software)
• Examine permissions attached to the IAM entity implicated

LOW: Suspicious or malicious activity blocked before it compromised a resource.
Suggestion: No immediate recommended steps, but take note of the information as something to address in the future.
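The finding-type grammar from the "GuardDuty Finding: Details" slide and the severity table above are easy to get wrong when wiring findings into a ticketing or alerting pipeline, so here is an added example (my own code, not part of the lab materials) that parses a finding type into its named components and returns the slide's suggested response for a finding. The numeric severity ranges used in severity_label (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9) are GuardDuty's documented ranges rather than something on the slide; the sample findings at the bottom are constructed, with severities chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Finding-type grammar from the "GuardDuty Finding: Details" slide:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# Variant and artifact are optional: Backdoor:EC2/XORDDOS has neither.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):"
    r"(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: str
    variant: Optional[str]
    artifact: Optional[str]


def parse_finding_type(type_string: str) -> FindingType:
    """Split a finding type such as CryptoCurrency:EC2/BitcoinTool.B!DNS into its parts."""
    match = FINDING_TYPE_RE.match(type_string)
    if match is None:
        raise ValueError(f"not a GuardDuty finding type: {type_string!r}")
    return FindingType(**match.groupdict())


def severity_label(severity: float) -> str:
    """Map the numeric severity carried in a finding to the slide's three labels.

    Ranges are GuardDuty's documented ones (not from the slide):
    Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
    """
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(finding: dict) -> dict:
    """Return the slide's suggested response for one finding.

    `finding` uses the "Type" and "Severity" keys of the GetFindings API output.
    """
    ftype = parse_finding_type(finding["Type"])
    label = severity_label(float(finding["Severity"]))
    if label == "HIGH":
        # Take immediate action; which action depends on what was compromised.
        if ftype.resource == "EC2":
            steps = ["take immediate action", "terminate or isolate the instance"]
        else:
            steps = ["take immediate action", "rotate the IAM access keys"]
    elif label == "MEDIUM":
        steps = [
            "investigate further",
            "check for new software or settings changes on the resource",
            "run an AV scan on the resource",
            "examine the permissions attached to the implicated IAM entity",
        ]
    else:
        steps = ["no immediate action", "note the finding as something to address later"]
    return {"type": ftype, "severity": label, "steps": steps}


if __name__ == "__main__":
    # Constructed sample findings; the severities are illustrative, not real data.
    for sample in (
        {"Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8},
        {"Type": "Backdoor:EC2/XORDDOS", "Severity": 5},
        {"Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 2},
    ):
        print(triage(sample))
```

Keying the automated response on the parsed resource component (EC2 versus an IAM principal) rather than on a string prefix is what keeps the "terminate instance" branch from ever firing on an account-compromise finding.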
Responding to Findings: Remediation
• Remediate a compromised instance
• Remediate compromised AWS credentials
Automatic remediation: Amazon GuardDuty finding → Amazon CloudWatch (CloudWatch Event) → AWS Lambda (Lambda function)

Responding to Findings: Automation Example
• Findings point to a compromised instance (e.g. Backdoor:EC2/XORDDOS, Backdoor:EC2/C&CActivity.B!DNS)
• The CloudWatch Event triggers Lambda
• An instance tag can be checked to see whether automatic action can be taken or manual intervention is needed (e.g. critical production services)
• Lambda function:
• Removes the instance from its current Security Group(s) and adds it to one with all ingress and egress blocked
• Snapshots the EBS volume(s)
• Alerts the security team
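The automation example above is described only as a bullet list, so here is an added Lambda function (my own example, not the lab's own function) that follows those steps: it reads the finding from the CloudWatch event, checks an opt-out tag, swaps the instance's security groups for an isolation group, snapshots the attached EBS volumes, and notifies the security team over SNS. The environment variable names ISOLATION_SG_ID, ALERT_TOPIC_ARN and OPT_OUT_TAG, the tag key AutoIsolate and the sample event are all my assumptions; the event layout (detail.type, detail.resource.instanceDetails with instanceId, tags and networkInterfaces[].securityGroups[]) is the shape GuardDuty findings have when delivered through CloudWatch Events.

```python
import json
import os
from datetime import datetime, timezone

# Hypothetical configuration, expected as Lambda environment variables:
#   ISOLATION_SG_ID - security group with no ingress rules and its default egress rule deleted
#   ALERT_TOPIC_ARN - SNS topic the security team subscribes to
#   OPT_OUT_TAG     - instance tag key; value "false" means "manual intervention only"
ISOLATION_SG_ID = os.environ.get("ISOLATION_SG_ID", "sg-PLACEHOLDER")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:security-alerts")
OPT_OUT_TAG = os.environ.get("OPT_OUT_TAG", "AutoIsolate")

# The finding types the slide names as pointing to a compromised instance.
COMPROMISED_INSTANCE_TYPES = {
    "Backdoor:EC2/XORDDOS",
    "Backdoor:EC2/C&CActivity.B!DNS",
}

# Constructed sample event in the CloudWatch Events shape (not a real finding).
SAMPLE_EVENT = {
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "tags": [{"key": "Name", "value": "web-1"}],
                "networkInterfaces": [
                    {"securityGroups": [{"groupId": "sg-0aaa", "groupName": "web"}]}
                ],
            },
        },
    }
}


def instance_tags(details: dict) -> dict:
    """GuardDuty reports tags as a list of {"key": ..., "value": ...} objects."""
    return {t["key"]: t["value"] for t in details.get("tags", [])}


def plan_remediation(event: dict) -> dict:
    """Decide what to do with one finding. Touches no AWS API, so it is unit-testable offline."""
    detail = event["detail"]
    finding_type = detail["type"]
    if finding_type not in COMPROMISED_INSTANCE_TYPES:
        return {"action": "ignore", "reason": f"{finding_type} is not an instance-compromise type"}
    details = detail["resource"]["instanceDetails"]
    instance_id = details["instanceId"]
    current_sgs = sorted({
        sg["groupId"]
        for eni in details.get("networkInterfaces", [])
        for sg in eni.get("securityGroups", [])
    })
    plan = {"instance_id": instance_id, "finding_type": finding_type, "current_sgs": current_sgs}
    # Tag check from the slide: critical production services are not isolated automatically.
    if instance_tags(details).get(OPT_OUT_TAG, "true").lower() == "false":
        return {"action": "manual", **plan}
    return {"action": "isolate", "isolation_sg": ISOLATION_SG_ID, **plan}


def apply_plan(plan: dict, ec2, sns) -> list:
    """Execute a plan with boto3 EC2 and SNS clients; returns the snapshot IDs created."""
    if plan["action"] == "ignore":
        return []
    iid = plan["instance_id"]
    stamp = datetime.now(timezone.utc).isoformat()
    snapshots = []
    if plan["action"] == "isolate":
        # Replacing the group list with only the isolation group both removes the instance
        # from its current groups and blocks all traffic. Instances with several ENIs need
        # modify_network_interface_attribute per interface instead.
        ec2.modify_instance_attribute(InstanceId=iid, Groups=[plan["isolation_sg"]])
        # Preserve evidence: snapshot every attached EBS volume before anyone logs in.
        for reservation in ec2.describe_instances(InstanceIds=[iid])["Reservations"]:
            for inst in reservation["Instances"]:
                for bdm in inst.get("BlockDeviceMappings", []):
                    volume_id = bdm.get("Ebs", {}).get("VolumeId")
                    if volume_id:
                        snap = ec2.create_snapshot(
                            VolumeId=volume_id,
                            Description=f"GuardDuty {plan['finding_type']} on {iid} at {stamp}",
                        )
                        snapshots.append(snap["SnapshotId"])
    # Alert the security team in every non-ignored case, including manual ones.
    sns.publish(
        TopicArn=ALERT_TOPIC_ARN,
        Subject=f"GuardDuty {plan['action']}: {iid}",
        Message=json.dumps({**plan, "snapshots": snapshots, "time": stamp}),
    )
    return snapshots


def lambda_handler(event, context):
    # boto3 is imported here so plan_remediation can be tested without the SDK installed.
    import boto3
    plan = plan_remediation(event)
    snapshots = apply_plan(plan, boto3.client("ec2"), boto3.client("sns"))
    return {**plan, "snapshots": snapshots}


if __name__ == "__main__":
    print(json.dumps(plan_remediation(SAMPLE_EVENT), indent=2))
```

Two details worth checking before deploying something like this: the isolation security group must have its default allow-all egress rule deleted, otherwise the instance keeps its outbound C&C channel; and the function's role needs only ec2:ModifyInstanceAttribute, ec2:DescribeInstances, ec2:CreateSnapshot and sns:Publish, not a broad EC2 policy.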
Demo Finish

Amazon GuardDuty
http://loftlab.gregmcconnel.net/

Amazon GuardDuty Lab 1
The first lab will generate GuardDuty findings when an EC2 instance attempts to connect to an IP in a custom threat list. We will assume this instance is compromised and isolate it using a Security Group. Here are the steps:
• Environment Setup – Create an Elastic IP and add it to a custom threat list. Run the CloudFormation template.
• Attack Simulation – In the background the “Compromised” instance will connect to the “Malicious” instance, generating GuardDuty findings.
• Remediation – A Lambda function will be added that removes the “Compromised” instance from its current Security Group and adds it to one with no ingress or egress rules.
• Extra Credit – Enhance the Lambda function to take additional actions on the “Compromised” instance.
http://loftlab.gregmcconnel.net/
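The environment-setup step of Lab 1 (put an IP on a custom threat list) is where most mistakes happen in practice, because a malformed list entry or a seventh list fails silently or late. As an added example, not the lab's own setup script, here is how that step looks in code: the list is rendered in the plain-text format GuardDuty accepts, every entry is validated, the per-account limit from the "Trusted and Threat IP Lists" slide is checked, and the list is uploaded and activated with the real boto3 calls create_threat_intel_set and list_threat_intel_sets. The bucket, key, detector ID and addresses in the usage are placeholders, and the clients are passed in so the logic can be exercised without AWS access.

```python
import ipaddress

# Per-account limits quoted on the "Trusted and Threat IP Lists" slide.
MAX_TRUSTED_LISTS = 1
MAX_THREAT_LISTS = 6


def build_ip_list(entries) -> str:
    """Render addresses/CIDRs as the plain-text list GuardDuty accepts (Format="TXT"),
    one entry per line. Blank lines and '#' comments are skipped; anything that is not a
    valid IPv4/IPv6 address or network raises ValueError, so a typo never silently drops
    coverage (or, for a trusted list, silently whitelists the wrong range)."""
    lines = []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            raise ValueError(f"rejected list entry {text!r}: {exc}") from None
        # Single hosts are written as bare addresses, everything else in CIDR form.
        if net.prefixlen == net.max_prefixlen:
            lines.append(str(net.network_address))
        else:
            lines.append(str(net))
    if not lines:
        raise ValueError("list has no entries")
    return "\n".join(lines) + "\n"


def register_threat_list(guardduty, s3, detector_id, name, bucket, key, entries):
    """Upload the rendered list to S3 and register it as an active threat intel set.

    `guardduty` and `s3` are boto3 clients. The slide's limit of 6 threat lists per
    account is checked first so the call fails early with a clear message."""
    existing = guardduty.list_threat_intel_sets(DetectorId=detector_id)["ThreatIntelSetIds"]
    if len(existing) >= MAX_THREAT_LISTS:
        raise RuntimeError(f"detector {detector_id} already has {len(existing)} threat lists")
    body = build_ip_list(entries)
    s3.put_object(Bucket=bucket, Key=key, Body=body.encode())
    resp = guardduty.create_threat_intel_set(
        DetectorId=detector_id,
        Name=name,
        Format="TXT",
        Location=f"https://s3.amazonaws.com/{bucket}/{key}",
        Activate=True,
    )
    return resp["ThreatIntelSetId"]


if __name__ == "__main__":
    import boto3
    # Placeholder values for the lab: replace with the Elastic IP you allocated,
    # your detector ID (boto3.client("guardduty").list_detectors()["DetectorIds"][0])
    # and a bucket GuardDuty is allowed to read from.
    print(register_threat_list(
        boto3.client("guardduty"), boto3.client("s3"),
        detector_id="DETECTOR_ID_PLACEHOLDER", name="loft-lab-threat-list",
        bucket="BUCKET_PLACEHOLDER", key="threat-list.txt",
        entries=["# Elastic IP of the 'Malicious' instance", "203.0.113.10"],
    ))
```

GuardDuty only starts matching against the list once it is active, and it must be able to read the object in S3; a list that is uploaded but never activated produces no findings, which is easy to mistake for "the attack simulation did not work".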
Amazon GuardDuty Lab 1 – Part 1

Amazon GuardDuty Lab 1 – Part 2

Amazon GuardDuty Lab 1 Discussion

Amazon GuardDuty Lab 2
For the second lab you will focus on generating and remediating GuardDuty findings related to compromised IAM credentials. Below are the steps you’ll walk through:
• Environment Setup – Run the CloudFormation template and create the additional resources.
• Attack Simulation – Set up a profile for stolen EC2 credentials and use the AWS CLI to see what you have access to.
• Remediation – Review the auto-remediation Lambda function and other recommended remediations. Answer questions about how you would remediate these within your own company.
• Extra Credit – Enhance the Lambda function to output a more granular alert, process other GuardDuty findings, or rotate instance profiles to limit downtime of an application.

Amazon GuardDuty Lab 2

Amazon GuardDuty Lab 2 Discussion

Amazon GuardDuty Call to Action
Enable GuardDuty, monitor the cost and findings during the 30-day free period, and assess after 30 days where GuardDuty will sit in your overall security strategy.
https://aws.amazon.com/guardduty/

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS