Amazon GuardDuty serves as a managed threat detection service that continuously scans for malicious or unauthorized activities, helping you secure your AWS accounts and workloads. With its ability to analyze various log types, including Amazon Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and DNS logs, GuardDuty can unearth potential threats in your AWS environment. After activating GuardDuty, you might either discover alarming threats in your account or, ideally, find your dashboard devoid of any alerts for weeks or even longer.
At a recent AWS Loft event, a customer enabled GuardDuty for a lab session. Shortly after, alerts emerged indicating that several Amazon Elastic Compute Cloud (EC2) instances were communicating with known command and control servers. This signaled that GuardDuty had detected behaviors indicative of a botnet takeover. The customer inquired if this was part of the lab, and we clarified that it wasn’t, prompting an immediate investigation by their security team, which fortunately resolved the issue quickly.
Conversely, we encountered another customer who had been using GuardDuty for several days without seeing any alerts on their dashboard. They expressed concerns about the service’s functionality. We reassured them that the absence of findings was actually a positive sign, and we discussed how to create sample findings to test GuardDuty and their remediation process.
In this blog post, along with the accompanying GitHub repository, we aim to prepare you for either experience by guiding you through a threat detection and remediation scenario. This scenario will illustrate how to enable GuardDuty, generate and review test findings, and examine automated remediation examples utilizing AWS Lambda.
Scenario Overview
The instructions and AWS CloudFormation template for setup are available in a GitHub repository. This template establishes a test environment in your AWS account, configures necessary components to navigate the scenario, generates GuardDuty findings, and provides automatic remediation for the simulated threats. Simply run the CloudFormation template from the GitHub repository and follow the guidelines to investigate the incidents.
In this scenario, you oversee an IT organization, and your security engineer, Bob, has activated GuardDuty in a production AWS account and set up several automated remediations. The standard workflow in threat detection and remediation begins with identifying a threat, followed by investigation and remediation. These remediations can be executed manually or through automation. Bob configured this on Thursday but is out of the office on Monday. Unfortunately, upon your arrival, GuardDuty alerts you to multiple detected threats (although the automated remediation has already addressed these, an investigation is still necessary). The documentation on GitHub will walk you through analyzing the findings and explain how the automatic remediation operates. You will also have the chance to manually trigger a GuardDuty finding and observe the automated response.
The generated GuardDuty findings in this scenario include:
- UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
- UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
- Recon:IAMUser/MaliciousIPCaller.Custom
- UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
You can review all GuardDuty findings here.
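To make the detect-then-remediate workflow concrete, here is an added example (not the Lambda code from the scenario's GitHub repository) of how a remediation Lambda can classify the four finding types above when they arrive as EventBridge / CloudWatch Events and pick a response. The mapping from finding type to remediation, the severity threshold, and the sample event are assumptions constructed for illustration; the event field names (`detail.type`, `detail.severity`, `detail.resource.resourceType`, `instanceDetails`, `accessKeyDetails`) follow the GuardDuty finding format.

```python
"""Classify a GuardDuty finding delivered by an EventBridge / CloudWatch Events
rule and choose an automated remediation. Hypothetical dispatcher, not the
scenario repository's own Lambda; the table below is an assumed policy."""
import json

# Finding type -> remediation name. Constructed for the four finding types this
# scenario generates; any other finding only raises a notification for a human.
REMEDIATIONS = {
    "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom": "isolate_instance",
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration": "revoke_role_sessions",
    "Recon:IAMUser/MaliciousIPCaller.Custom": "block_iam_principal",
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom": "block_iam_principal",
}

def plan_remediation(event, min_severity=4.0):
    """Return {'action', 'target', 'type'} for one event. Non-GuardDuty events are
    ignored; findings below min_severity are only reported, never auto-remediated."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "target": None, "type": None}
    detail = event["detail"]
    ftype = detail["type"]
    resource = detail.get("resource", {})
    action = REMEDIATIONS.get(ftype, "notify_only")
    if float(detail.get("severity", 0)) < min_severity:
        action = "notify_only"
    # The affected resource lives in the resource block GuardDuty attaches to the finding.
    if resource.get("resourceType") == "Instance":
        target = resource["instanceDetails"]["instanceId"]
    elif resource.get("resourceType") == "AccessKey":
        target = resource["accessKeyDetails"].get("userName")
    else:
        target = None
    return {"action": action, "target": target, "type": ftype}

# Constructed sample event in the shape EventBridge uses for GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def lambda_handler(event, context=None):
    """Lambda-shaped entry point: decide, log the decision, return it to the caller."""
    plan = plan_remediation(event)
    print(json.dumps(plan))  # lands in CloudWatch Logs when run inside Lambda
    return plan

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
```

The returned plan is what a real remediation step (for example, swapping the instance into a quarantine security group, or attaching a deny policy to the principal) would act on; keeping the decision separate from the AWS API calls makes the policy easy to test before Bob wires it to production.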
Start right away by visiting the GitHub repository for this scenario, where you will find the instructions and AWS CloudFormation template. This scenario demonstrates how straightforward it is to activate GuardDuty while showcasing some of the threats it can identify. For additional insights on Amazon GuardDuty, refer to the GuardDuty site and its documentation. If you have questions about this article, start a new thread on the Amazon GuardDuty forum or reach out to AWS Support.