by Brad Dispensa, Sr. Solutions Architect, AWS
Operating a security practice on AWS brings many new challenges that haven't been faced in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session we will cover how you can use secure configuration and automation to monitor, audit, and enforce your security policies within an AWS environment. Level 200
18. GuardDuty Account Relationships
• Adding accounts to the service is simple and done via the console or API.
• An account whose invite is accepted is designated a "Member" account; the requestor is the "Master" account.
• A Master account can have up to 1000 Member accounts.
• The Master account can do the following for ALL accounts:
  • Generate sample findings
  • Configure and view/manage findings
  • Suspend the GuardDuty service
  • Upload and manage trusted IP and threat IP lists (coming soon!)
• The Master account can only disable its own account; all Member accounts must be removed first, and by the Member account.
• Member account actions and visibility are limited to the Member account.
• Each account is billed separately.
19. GuardDuty Findings: Console / API
AWS Management Console: quickly see threat information including:
• Severity
• Region
• Count/Frequency
• Threat Type
• Affected Resource
• Source Information
• Viewable via CloudWatch Events
API / JSON format: export finding data for further analysis including:
• Ingest into SIEM
• Data Enrichment
• Programmatic Response
• Additional Information
  • ARN
  • Span of Time
  • Resource Info
20. GuardDuty Finding: Details
Finding type format: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
Example: CryptoCurrency:EC2/BitcoinTool.B!DNS
Meaning: "An EC2 instance is communicating with a known Bitcoin IP address that is part of a known Bitcoin domain"
21. GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with cryptocurrencies
• Pentest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping for vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide its actions / tracks
• Trojan: program detected carrying out suspicious activity
• Unauthorized Access: suspicious activity / pattern by an unauthorized user
22. GuardDuty Findings: CloudWatch Events (CWE)
• GuardDuty aggregates all changes to findings that take place in five-minute intervals into a single event.
• CloudWatch Events can be graphed, stored, exported, and further analyzed.
(Slide figure: Example GuardDuty-related CloudWatch Event)
23. GuardDuty Findings: Severity Levels
LOW
Suspicious or malicious activity blocked before it compromised a resource.
Suggestion: No immediate recommended steps, but take note of the information as something to address in the future.
MEDIUM
Suspicious activity deviating from normally observed behavior.
Suggestion: Investigate further
• Check new software that changed the behavior of a resource
• Check changes to settings
• AV scan on resource (detect unauthorized software)
• Examine permissions attached to the IAM entity implicated
HIGH
Resource compromised and actively being used for an unauthorized purpose.
Suggestion: Take immediate action(s)
• Terminate instance(s)
• Rotate IAM access keys
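The following Python is an added example, not code from the deck or from AWS: it takes a GuardDuty finding as delivered in a CloudWatch Event envelope (slide 22), splits the finding type according to the format on slide 20, maps the numeric severity to the LOW / MEDIUM / HIGH bands of slide 23, and returns the slide's triage suggestion. The sample event is constructed (ids, times and account number are made up), and the numeric severity thresholds (7.0 and 4.0) come from AWS documentation, not from this slide.

```python
# Added example (not from the original deck): route a GuardDuty finding
# delivered as a CloudWatch Event to the slide 23 triage suggestion.
import json
import re
from typing import NamedTuple, Optional

# Finding type grammar from slide 20:
# ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# (variant and artifact are treated as optional, since not every type carries them)
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9]+)(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


class FindingType(NamedTuple):
    purpose: str
    resource: str
    family: str
    variant: Optional[str]
    artifact: Optional[str]


def parse_finding_type(finding_type: str) -> FindingType:
    """Split a finding type string into its named components."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised GuardDuty finding type: {finding_type!r}")
    return FindingType(**m.groupdict())


def severity_level(severity: float) -> str:
    """Severity bands as documented by AWS (thresholds are not on the slide)."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


# Triage suggestions from slide 23, keyed by level.
SUGGESTIONS = {
    "HIGH": "Take immediate action: terminate instance(s), rotate IAM access keys",
    "MEDIUM": "Investigate further: new software, settings changes, AV scan, IAM permissions",
    "LOW": "No immediate steps; note the finding as something to address later",
}


def triage(event: dict) -> dict:
    """Accept a CloudWatch Event envelope (source aws.guardduty, detail-type
    'GuardDuty Finding') and return a compact triage record."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    ft = parse_finding_type(detail["type"])
    level = severity_level(float(detail["severity"]))
    return {
        "finding_id": detail["id"],
        "account": detail["accountId"],
        "region": detail["region"],
        "purpose": ft.purpose,
        "resource_type": ft.resource,
        "level": level,
        "suggestion": SUGGESTIONS[level],
    }


# Constructed sample event (ids, time and account number are made up) in the
# envelope shape CloudWatch Events uses for GuardDuty findings.
SAMPLE_EVENT = json.loads("""{
  "version": "0",
  "id": "00000000-0000-0000-0000-000000000000",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "2018-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "id": "EXAMPLE-FINDING-ID",
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "severity": 8,
    "title": "EC2 instance is querying a domain associated with Bitcoin activity"
  }
}""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

A CloudWatch Events rule matching `source: aws.guardduty` can hand such envelopes to a Lambda function that calls `triage()`; the returned level is what you would use to pick a notification channel or an automated response.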
24. “I need to make a change, I’ll SSH in and…”
Things you don’t need to hear any more
35. Query CloudTrail data for the target user or role with Athena
SELECT
  useridentity.sessioncontext.sessionIssuer.userName AS uid,
  eventsource,
  eventname
FROM cloudtrail_logs
WHERE useridentity.sessioncontext.sessionIssuer.userName = 'target-name'
GROUP BY
  useridentity.sessioncontext.sessionIssuer.userName,
  eventsource,
  eventname
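As an added example (not from the deck), the Python below does two things around the slide 35 query: it builds the query string for a caller-supplied user or role name only after validating the name against IAM's permitted character set, so the value cannot break out of the SQL string literal, and it runs the same grouping offline over a few constructed CloudTrail records so the result shape of the query is visible without an Athena table. The table name `cloudtrail_logs` is the slide's; the CloudTrail records are constructed for this example.

```python
# Added example (not from the original deck): build the slide 35 Athena query
# safely and show the equivalent grouping over constructed CloudTrail records.
import re

# Characters IAM permits in user and role names (IAM naming rules), max 64 chars.
IAM_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")
TABLE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Field path used on the slide (Athena column names are case-insensitive).
ISSUER = "useridentity.sessioncontext.sessionIssuer.userName"


def build_activity_query(target_name: str, table: str = "cloudtrail_logs") -> str:
    """Return the slide 35 query for target_name. The name is validated before
    interpolation so an unexpected value raises instead of altering the query."""
    if not IAM_NAME_RE.match(target_name):
        raise ValueError(f"not a valid IAM user/role name: {target_name!r}")
    if not TABLE_NAME_RE.match(table):
        raise ValueError(f"not a valid table name: {table!r}")
    return (
        f"SELECT {ISSUER} AS uid, eventsource, eventname "
        f"FROM {table} "
        f"WHERE {ISSUER} = '{target_name}' "
        f"GROUP BY {ISSUER}, eventsource, eventname"
    )


def activity_profile(records, target_name):
    """Offline equivalent of the query: the distinct (uid, eventsource, eventname)
    triples for API calls made under a session issued by target_name."""
    seen = set()
    for r in records:
        issuer = (
            r.get("userIdentity", {})
            .get("sessionContext", {})
            .get("sessionIssuer", {})
            .get("userName")
        )
        if issuer == target_name:
            seen.add((issuer, r["eventSource"], r["eventName"]))
    return sorted(seen)


def _record(issuer, source, name):
    # Constructed CloudTrail record with only the fields the query touches.
    return {
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": issuer}},
        },
        "eventSource": source,
        "eventName": name,
    }


# Constructed sample records: two roles, one of which is the target.
SAMPLE_RECORDS = [
    _record("target-name", "ec2.amazonaws.com", "DescribeInstances"),
    _record("target-name", "ec2.amazonaws.com", "DescribeInstances"),
    _record("target-name", "s3.amazonaws.com", "GetObject"),
    _record("other-role", "iam.amazonaws.com", "ListUsers"),
]

if __name__ == "__main__":
    print(build_activity_query("target-name"))
    for row in activity_profile(SAMPLE_RECORDS, "target-name"):
        print(row)
```

The query groups without an aggregate, so its output is the set of distinct service/action pairs the role has used; `activity_profile()` returns exactly that. Adding `COUNT(*)` to the `SELECT` list would turn the same grouping into a frequency table.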