
Purpose

An analyst wants to detect malicious behavior in AWS.  Using the GuardDuty SQS collector to send findings to Devo, the analyst will obtain preanalyzed threats.  As a result, the analyst will use GuardDuty’s threat intelligence to initiate investigations of CloudTrail logs in Devo.

GuardDuty and CloudTrail should be used together to get the highest quality information from AWS.

Example tables

Table                           Description
cloud.aws.guardduty.findings    Threats identified by GuardDuty.

Authorize It

  1. Authorize SQS Data Access.

  2. Enable GuardDuty following the AWS documentation. When you reach the step “Replace Amazon S3 bucket ARN with the Amazon Resource Name (ARN) of the Amazon S3 bucket.”, use the S3 bucket you already authorized in Step 1.

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameter template, replacing the values enclosed in < >.

{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_guard_duty": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

Privilege escalation

/*
GuardDuty has identified a threat where a malicious entity created a role.
*/
from cloud.aws.guardduty.findings
where eq(type,"PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated")

Unauthorized access

/*
GuardDuty has identified unauthorized access to AWS services.
Possible services include EC2 (compute), IAM (access management), and S3 (storage).
*/
from cloud.aws.guardduty.findings
where startswith(type,"UnauthorizedAccess:")

A typical result might be a credential exfiltration or an SSH brute force attack.

Reconnaissance

/*
GuardDuty has identified an entity that may be conducting
reconnaissance of your AWS environment.
*/
from cloud.aws.guardduty.findings
where startswith(type,"Recon:")

A typical result would be a port scan. If an entity conducts a port scan and also accesses resources, this may be an indication of malicious access.

Malicious IP address

/*
For each IPv4 address, identify all the GuardDuty
threat finding types.
*/
from cloud.aws.guardduty.findings
group by service_action_awsApiCallAction_remoteIpDetails_ipAddressV4
select collectDistinct(type)

For example, if an IP has been identified as accessing credentials, it may be important to know that it also exfiltrated data from S3 and escalated privileges in Kubernetes to determine which resources have been penetrated.

Credential with indicator of compromise

/*
For each access key with a finding, identify all the threat types.
*/
from cloud.aws.guardduty.findings
group by resource_accessKeyDetails_accessKeyId
select collectDistinct(type)

For example, if an access key is being used through Tor, you may wish to rotate the credential.
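As an added example that is not part of this page, Devo, or AWS code, the following Python mirrors the prefix filters and the two group-by pivots above on constructed raw GuardDuty findings: it flattens the nested finding JSON into the underscore-joined column names the cloud.aws.guardduty.findings table uses, then collects distinct finding types per remote IPv4 address and per access key. It also shows that a finding whose IP sits under a different action (networkConnectionAction rather than awsApiCallAction) falls outside the remote-IP pivot and must be pivoted separately.

```python
from collections import defaultdict

# Constructed sample findings in the raw GuardDuty JSON layout; all values are made up.
# The third finding stores its IP under networkConnectionAction, not awsApiCallAction.
SAMPLE_FINDINGS = [
    {"type": "UnauthorizedAccess:IAMUser/TorIPCaller",
     "resource": {"accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
     "service": {"action": {"awsApiCallAction": {
         "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
    {"type": "Recon:IAMUser/MaliciousIPCaller",
     "resource": {"accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
     "service": {"action": {"awsApiCallAction": {
         "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
     "service": {"action": {"networkConnectionAction": {
         "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}},
]

# Column names as they appear in cloud.aws.guardduty.findings (nested keys joined by "_").
IP_FIELD = "service_action_awsApiCallAction_remoteIpDetails_ipAddressV4"
KEY_FIELD = "resource_accessKeyDetails_accessKeyId"


def flatten(obj, prefix=""):
    """Join nested JSON keys with "_", producing the Devo column names."""
    out = {}
    for key, val in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(val, dict):
            out.update(flatten(val, name))
        else:
            out[name] = val
    return out


def findings_with_prefix(findings, prefix):
    """Equivalent of: where startswith(type, "<prefix>")."""
    return [f for f in findings if f["type"].startswith(prefix)]


def distinct_types_by(findings, field):
    """Equivalent of: group by <field> select collectDistinct(type).
    Findings that lack the field land in the None group, which is where the
    remote-IP pivot puts findings whose IP is stored under another action."""
    groups = defaultdict(set)
    for finding in findings:
        groups[flatten(finding).get(field)].add(finding["type"])
    return {key: sorted(types) for key, types in groups.items()}
```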

Monitor It

AWS Essential Alerts includes an alert that detects deletion of a GuardDuty detector. GuardDuty configuration changes can be monitored with the CloudTrail Devo service.

Create an inactivity alert that detects interruptions in the transfer of data from the source to the SQS queue, using the following query:

from cloud.aws.guardduty.findings
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id. It is not unusual to have inactivity because GuardDuty frequently has no findings.
