    AWS GuardDuty

    • Posted by Shelly Yu
    • Categories: All Post, Security
    • Date: 11/08/2019

    With a few clicks in the AWS Management Console, Amazon GuardDuty can be enabled, giving customers a more intelligent and cost-effective option for threat detection in the AWS Cloud.

    Overview

    Amazon GuardDuty is a managed threat detection service that intelligently protects your AWS accounts and workloads. It continuously monitors for malicious or unauthorized behaviour, such as unusual API calls, that indicates a possible account compromise.

    GuardDuty detects unexpected activity in your AWS environment and generates notifications called Findings, each of which specifies the underlying security issue. GuardDuty collects its data from three log streams (VPC Flow Logs, DNS logs and CloudTrail logs) and identifies suspected attackers through integrated threat intelligence feeds. When a potential threat is detected, the service delivers an alert to the GuardDuty console and to Amazon CloudWatch Events.

    Because GuardDuty is a managed service there is nothing to deploy: once it is enabled, customers have a more intelligent and cost-effective option for threat detection in the AWS Cloud.

    Scenario

    In this lab, you will build a threat list for Amazon GuardDuty that contains your own public IP address, and use an AWS web server as the target. After setting up GuardDuty and activating your list, log in to your server and you will see GuardDuty detect the access.

    Step by Step

    Create an S3 bucket and store the threat list in S3

    Store your threat list in an S3 bucket so that GuardDuty can find it.

    1. Create a text file and add your public IP address to it in order to test GuardDuty (you can check your IP via whatismyipaddress, or you can use another IP). In your list, IP addresses must appear one per line:

      X.X.175.217
      X.X.12.210

    2. Create a bucket on S3 and upload the threat list you created.

    3. Copy the path of your threat list; GuardDuty will use this path to find it.
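    Before uploading, it is worth checking that the file really is in GuardDuty's Plaintext format, one IP address or CIDR range per line. The script below is an added example (not code from the original post): it rejects lines that carry more than one address, lines that are not addresses at all, and duplicates, and can write a cleaned copy for upload. The sample list is constructed from documentation address ranges.

```python
"""Check a GuardDuty plaintext threat list before uploading it to S3.

Added example, not code from the original post. GuardDuty's Plaintext list
format expects exactly one IP address or CIDR range per line, so a line
that holds two addresses (as in the post's sample) must be split first.
"""
import ipaddress
import sys

# Constructed sample using documentation ranges: line 2 repeats the post's
# mistake of putting two addresses on one line, line 4 is not an address,
# line 5 duplicates line 1.
SAMPLE_LIST = """\
203.0.113.217
198.51.100.210 198.51.100.211
192.0.2.0/24
not-an-ip
203.0.113.217
"""


def validate_threat_list(text):
    """Return (entries, errors) for a plaintext threat list.

    entries: canonical address/network strings, one per line, deduplicated.
    errors:  (line_number, original_line, reason) tuples for rejected lines.
    """
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if len(line.split()) != 1:
            errors.append((lineno, raw, "more than one entry on the line; use one IP per line"))
            continue
        try:
            # strict=False accepts a CIDR with host bits set, e.g. 10.0.0.1/24
            network = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append((lineno, raw, "not a valid IP address or CIDR range"))
            continue
        # Single hosts are written without the /32 (or /128) suffix
        if network.prefixlen == network.max_prefixlen:
            entry = str(network.network_address)
        else:
            entry = str(network)
        if entry in seen:
            errors.append((lineno, raw, "duplicate of an earlier entry"))
            continue
        seen.add(entry)
        entries.append(entry)
    return entries, errors


def render_threat_list(entries):
    """Serialise validated entries back to the one-per-line plaintext format."""
    return "".join(entry + "\n" for entry in entries)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LIST
    entries, errors = validate_threat_list(text)
    for lineno, raw, reason in errors:
        print("line %d: %s  <- %r" % (lineno, reason, raw))
    print("%d valid entries, %d rejected lines" % (len(entries), len(errors)))
    if not errors and len(argv) > 2:
        # write a cleaned copy that is safe to upload to the S3 bucket
        open(argv[2], "w").write(render_threat_list(entries))
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python check_list.py threatlist.txt cleaned.txt`; with no arguments it checks the built-in sample and reports the three bad lines. The exit code is non-zero whenever a line was rejected, so the check can sit in front of the S3 upload in a script.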

    Activate GuardDuty

    We will add a new threat list that points at the uploaded txt file, and GuardDuty will start detecting whether activity in your account is dangerous or not.

    1. On the Services menu, select GuardDuty.

    2. Choose Get started and enable GuardDuty.

    3. On the left panel, select Lists and add a threat list.

    4. In Add a threat list:

      • For List name, enter threatlist_yourname.

      • Paste the path (of your txt file) that you copied before.

      • Drop down the Format menu and click Plaintext.

    5. Click I agree and Add list, until you see a green check.

    6. On a Mac, log in to your server using ssh.
       On Windows, log in to your server with PuTTY.

    7. After a few minutes, click Findings on the left panel.

    8. Now you can see how AWS web console access is detected by GuardDuty.

    Subscribe to Notifications

    With Amazon SNS, every notification generated from GuardDuty's findings will be sent to your email.

    1. On the Services menu, select SNS.

    2. Choose Create topic, enter SNS-FromGuardDuty as both the Topic name and the Display name, and create it.

    3. Select the topic you created and choose Subscribe to topic under Actions:

      • Choose Email in the Protocol menu.

      • Enter your email address in Endpoint and click Create subscription.

    4. You will receive a verification email after a few minutes; click Confirm subscription.

    Create a role

    This IAM role connects Lambda and SNS: it gives the Lambda function its basic execution permissions plus permission to publish GuardDuty findings to the SNS topic you just created.

    1. On the Services menu, select IAM.

    2. On the left panel, choose Roles and then Create role.

    3. Choose AWS service, Lambda, and click Next: Permissions.

    4. Search for AWSLambdaBasicExecutionRole and select it.

    5. Click Next: Tags, then Next: Review, enter the role name GuardDuty-Finding-ToSNS-yourname and click Create role.

    6. Select the role you created, click Add inline policy, and paste the following policy on the JSON tab:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "sns:Publish",
                  "Resource": "<ARN-OF-YOUR-SNS-TOPIC>"
              }
          ]
      }

      Note: <ARN-OF-YOUR-SNS-TOPIC> is the ARN of the topic you just created. Scoping the Resource to that single topic means the function cannot publish anywhere else.

    7. Click Review policy, then Create policy:

      • Name: GuardDuty-Finding-ToSNS-Policy

    Use a Lambda Function to Deliver Notifications

    This function receives each finding from GuardDuty and publishes it to your SNS topic, so that you receive the notifications by email.

    1. On the Services menu, select Lambda.

    2. On the left panel, choose Functions and then Create function.

    3. Choose Author from scratch:

      • Enter GuardDuty-To-SNS-yourname in Name.

      • Select Python 3.6 as the Runtime.

      • Under Role, select Choose an existing role.

      • Select GuardDuty-Finding-ToSNS-yourname (the role you created) as the Existing role.

    4. Input the code.

      • Code reference: Serverless-GuardDuty-to-SNS (see Reference below).

    5. Under Environment variables:

      • Enter SNSTopicArn as the Key.
      • Enter the ARN of your SNS topic as the Value (the original shows this as arn:aws:iam::XXX19643XXXX:role/GuardDuty-finding-SNS; note that an SNS topic ARN begins with arn:aws:sns:, not arn:aws:iam:, so copy it from the SNS console).

    6. Click Save.

    Connect GuardDuty and Lambda

    A CloudWatch Events rule passes each GuardDuty finding to the Lambda function; the function publishes it to SNS, and SNS sends the notification to your email.

    1. On the Services menu, click CloudWatch.

    2. On the left panel, click Rules and then Create rule.

    3. Click Event Pattern:

      • Select GuardDuty as the Service Name.
      • Select GuardDuty Finding as the Event Type.
      • Click Add target.
      • Select the Lambda function GuardDuty-To-SNS-yourname.

    4. Click Configure details.

    5. Configure rule details:

      • Name: GuardDuty-to-SNS-Rule
      • State: make sure Enabled is checked.
      • Click Create rule.

    6. Log in to your email; you are going to receive notifications.

    Open the email and you will see more details about this notification.
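    To show what the Lambda function in the middle of this chain has to do, here is an added example of a handler written for this lab. It is not the code from the Serverless-GuardDuty-Findings-to-SNS repository the post refers to. It assumes the SNSTopicArn environment variable and the rule pattern (source aws.guardduty, detail-type "GuardDuty Finding") set up above, checks that the variable really holds an SNS topic ARN, and labels the numeric severity with the Low/Medium/High bands listed under Furthermore. SAMPLE_EVENT is constructed to mimic the shape of a finding as CloudWatch Events delivers it; only the fields the handler reads are filled in.

```python
"""Forward a GuardDuty finding delivered by CloudWatch Events to an SNS topic.

Added example; not the code from the Serverless-GuardDuty-Findings-to-SNS
repository that the post refers to. Assumes the SNSTopicArn environment
variable and the CloudWatch Events rule pattern used in the post.
"""
import json
import os

# The event pattern behind the CloudWatch Events rule created in the post
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Constructed sample finding for a hit on a custom threat list (not a real event)
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 5,
        "description": "EC2 instance is communicating with an IP address on a custom threat list.",
        "resource": {"resourceType": "Instance"},
        "service": {
            "eventFirstSeen": "2019-08-11T08:00:00Z",
            "eventLastSeen": "2019-08-11T08:05:00Z",
            "count": 3,
        },
    },
}


def matches_rule(event, pattern=EVENT_PATTERN):
    """True when the event satisfies the rule pattern: every listed key must
    hold one of the allowed values, as CloudWatch Events evaluates it."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def severity_label(severity):
    """Map GuardDuty's numeric severity onto its Low/Medium/High bands."""
    if 0.1 <= severity <= 3.9:
        return "Low"
    if 4.0 <= severity <= 6.9:
        return "Medium"
    if 7.0 <= severity <= 8.9:
        return "High"
    return "Reserved"  # 0 and 9.0 to 10.0 are reserved by AWS for future use


def format_finding(event):
    """Build the (subject, message) pair to publish for one finding."""
    d = event["detail"]
    sev = float(d.get("severity", 0))
    label = severity_label(sev)
    # SNS subjects are limited to 100 characters
    subject = ("[GuardDuty %s] %s" % (label, d.get("type", "unknown")))[:100]
    service = d.get("service", {})
    lines = [
        "Finding type : %s" % d.get("type", "unknown"),
        "Severity     : %s (%s)" % (sev, label),
        "Account      : %s" % d.get("accountId", "unknown"),
        "Region       : %s" % d.get("region", "unknown"),
        "Resource     : %s" % d.get("resource", {}).get("resourceType", "unknown"),
        "First seen   : %s" % service.get("eventFirstSeen", ""),
        "Last seen    : %s" % service.get("eventLastSeen", ""),
        "Count        : %s" % service.get("count", ""),
        "Description  : %s" % d.get("description", ""),
        "",
        "Full finding (JSON):",
        json.dumps(d, indent=2, sort_keys=True),
    ]
    return subject, "\n".join(lines)


def topic_arn(value=None):
    """Return the SNS topic ARN from SNSTopicArn, refusing anything that is not
    an SNS ARN (an IAM role ARN pasted by mistake would otherwise fail at publish time)."""
    arn = value if value is not None else os.environ.get("SNSTopicArn", "")
    if not arn.startswith("arn:aws:sns:"):
        raise ValueError("SNSTopicArn must be an SNS topic ARN (arn:aws:sns:...), got %r" % arn)
    return arn


def lambda_handler(event, context):
    """Lambda entry point wired to the CloudWatch Events rule."""
    if not matches_rule(event):
        return {"status": "ignored", "reason": "not a GuardDuty finding"}
    subject, message = format_finding(event)
    import boto3  # imported here so the formatting above can be tested without the SDK
    boto3.client("sns").publish(TopicArn=topic_arn(), Subject=subject, Message=message)
    return {"status": "published", "subject": subject}


if __name__ == "__main__":
    # Dry run: print what would be emailed for the constructed sample finding
    print("\n".join(format_finding(SAMPLE_EVENT)))
```

    The rule-pattern check is defensive: the CloudWatch Events rule already filters on source and detail-type, but if the function is later attached to a broader rule it will still ignore events it was not written for instead of publishing noise to the topic.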

    Furthermore

    Finding type: some examples of threat purpose

    • UnauthorizedAccess: indicates that GuardDuty is detecting suspicious activity, or a suspicious activity pattern, by an unauthorized individual.

    • Recon: indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.

    Severity levels for GuardDuty findings: the values 0 and 9.0 to 10.0 are currently reserved for future use.

    • Low: the severity value falls within the 0.1 to 3.9 range. It indicates suspicious or malicious activity that was blocked before it compromised your resource.

    • Medium: the severity value falls within the 4.0 to 6.9 range. It indicates suspicious activity, for example a large amount of traffic being returned to a remote host that is hiding behind the Tor network, or activity that deviates from normally observed behaviour.

    • High: the severity value falls within the 7.0 to 8.9 range. It indicates that the resource in question (an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.

    Conclusion

    We have configured AWS GuardDuty for threat detection and tested how it works. Now you can detect malicious behaviour using AWS GuardDuty and test it with your own IP address. You can create your own list and observe the activities by yourself.

    AWS GuardDuty is a managed service that performs threat detection intelligently: it collects different inputs, shows what it observes, and reports it to you.

    Security is now an important issue for everyone in the world; you should try it.

    Reference

    • Amazon GuardDuty: https://aws.amazon.com/tw/guardduty/

    • Amazon GuardDuty documentation: https://docs.aws.amazon.com/zh_tw/guardduty/latest/ug/what-is-guardduty.html

    • GuardDuty Findings to SNS: https://github.com/miztiik/Serverless-GuardDuty-Findings-to-SNS

    Tags: AWS GuardDuty, Security Detection
