Security is an important priority for any company, and with increasing cloud adoption, companies need to take serious measures to secure and protect their data. This is where GuardDuty comes into the picture, allowing you to monitor your AWS account for any unusual and unexpected behavior.
In this article, we’ll go through an overview of GuardDuty and its capabilities, and discuss how to automatically remediate anomalies that GuardDuty detects.
GuardDuty: What Is It & Why Use It?
AWS offers GuardDuty as a managed service for threat detection, enabling continuous monitoring to protect your AWS accounts and data stored in S3. It does this by analyzing data (account and network activity) found in VPC Flow Logs, DNS Logs, and AWS CloudTrail Events. It also has a threat detection mechanism to detect anomalies and malicious IP addresses, plus it utilizes machine learning for more accurate threat detection.
One of the key benefits of using GuardDuty is that it continuously monitors your AWS accounts for any threats and anomalies. Another advantage is that it works completely independently from your resources; you don’t need to enable any service or install any software, and there’s no performance overhead on your workload. On top of that, alerts provided by GuardDuty are detailed and actionable and can be easily integrated with your existing event management and workflow systems.
Like other AWS services, GuardDuty works on a pay-as-you-go model, so you only need to pay for the events analyzed. Since it’s a fully managed service, you also don’t need to install any additional software or subscribe to any threat intelligence feed.
What Data Sources Does GuardDuty Analyze?
GuardDuty can analyze data from VPC Flow Logs, DNS logs, and AWS CloudTrail, pulling streams directly from each source. It manages permissions with the help of service-linked roles, which let you store and collect logs without having to manage S3 bucket policies or perform any modification.
GuardDuty provides near real-time security detection and is optimized for a large volume of data. Additionally, it gives you a built-in detection technique that’s continuously being improved by the AWS Security team.
What Can GuardDuty Detect?
GuardDuty can detect various kinds of security threats and malicious activities. Detection is primarily divided into the following categories, which we will further discuss in the sections below: reconnaissance, instance compromise, account compromise, and bucket compromise.
Reconnaissance
Activities indicating potential reconnaissance include:
- EC2 instance port probing from a malicious IP address or by a known malicious host: GuardDuty can alert you if a port opened on the listed EC2 instance is continuously being probed by scanners on the internet. This can occur when your environment’s port is not blocked by the security group, network access control list (NACL), or host-level firewall, such as iptables. Ports that are sometimes left exposed include port 22 (SSH access in Linux) or 3389 (RDP access in Windows), and you can limit exposure to these ports by restricting access to include only your corporate network.
- EC2 instance performing port scanning to an outbound remote host: This GuardDuty finding tells you that your EC2 instance is trying to connect to multiple ports on a remote host in a short period, which could indicate port scanning. If this activity is unexpected, you can investigate for possible malware and remove it from the compromised instance. You can also replace the compromised instance with a new instance by terminating the old one. Here are some other steps you can follow to remediate the compromised instance.
- IAM principal invoked the API to add, modify, or delete users, groups, or policies in your AWS account: This could indicate that your AWS credentials have been compromised and the attacker is trying to find out what permissions or capabilities these credentials have. To remediate this, you can change the root user password, rotate IAM keys, and delete unauthorized IAM users. Check out some additional steps you can follow here.
Instance Compromise
Activities that can indicate an instance compromise include:
- Denial of Service (DoS) attack: GuardDuty alerts you when an EC2 instance is generating a large volume of outbound traffic, whether over TCP, UDP, or a protocol not normally used. You can follow these steps to remediate.
- Cryptocurrency mining: This GuardDuty alert tells you that your EC2 instance is trying to query an IP address associated with Bitcoin and other cryptocurrency-related activity.
Account Compromise
Activities that can indicate an account compromise include:
- Disabling of a CloudTrail trail: Here, GuardDuty alerts you that the CloudTrail trail within your AWS environment is disabled. Hackers often disable trails to cover their tracks and eliminate traces of their activities. Deleting a trail or an S3 bucket storing trail logs, as well as a trail update, can trigger this alert.
- Infrastructure deployment in an unknown location: This GuardDuty finding will let you know about any unauthorized infrastructure deployment, such as an instance deployed in a region that has never been used.
Bucket Compromise
Activities that can indicate a bucket compromise include:
- Deletion of data in an S3 bucket: This GuardDuty finding tells you that an IAM entity in your AWS environment is deleting an S3 bucket in order to delete the data within it. If the given IAM entity doesn’t have any prior history of doing this, then this activity could be suspicious.
- The API call to retrieve S3 bucket data from an unknown location: Here, GuardDuty lets you know that an S3 API operation, such as PutObject, originated from an IP address included on a threat list.
If either of the above behaviors is unexpected, you can follow these steps to remediate.
GuardDuty continuously monitors S3 events, like List/Get and Delete Object, to detect any suspicious S3 bucket activity.
Automated Remediation to GuardDuty Findings: Using CloudWatch Events and Lambda
One of the most powerful capabilities of GuardDuty is that you can create automated responses to be executed when GuardDuty observes an anomaly. Here’s an example situation with an automated response:
The steps are as follows:
- An instance attempts to contact a malicious instance, which is in a custom threat list. This indicates that the first instance has probably been compromised.
- GuardDuty has been monitoring the VPC Flow Logs (along with CloudTrail and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc.
- GuardDuty generates a finding and sends this to the GuardDuty console and CloudWatch Events.
- The CloudWatch Event rule triggers a Simple Notification Service (SNS) topic and a Lambda function.
- SNS sends you an e-mail with the finding information.
- A Lambda function isolates the compromised instance.
Here’s how this works in practice. One day you receive this email, which indicates that your EC2 instance might be compromised:
When an event like this occurs, you can get more information by navigating to the GuardDuty console, which will display more detail about the finding, similar to what is shown below. The finding indicates the severity of the issue, the finding type, the resource affected, the last time the finding was detected, and how many times the event has occurred:
The finding, UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, indicates that the EC2 instance is communicating to an IP address (outbound) included in the threat list. Clicking on it shows a more detailed view:
Without automated remediation, you would have to investigate further and make a manual intervention. However, if automated remediation was set up, then AWS will have corrected this issue already.
To do this, you can use CloudWatch Event Rules. In a previous article (Getting More from AWS CloudWatch), we gave an overview of CloudWatch; Event Rules are one of its most powerful features. In the CloudWatch console, you can create an Event Rule.
Here’s an example remediation for the situation described above:
Notice that the Rule consists of two parts:
- An Event Source, which when it occurs…
- Triggers the action(s) listed under Targets.
In the example above, the “Event Source” is aws.guardduty, and the event is UnauthorizedAccess:EC2/MaliciousIPCaller.Custom. When this event occurs (as it did in the example situation above), the two actions defined under Targets will be triggered.
The two actions are:
- A Lambda function, which isolates the compromised instance from network access. (It removes the instance from its current security group and adds it to one with no ingress or egress rules.)
- An SNS action, which sends an email to notify you that the instance was isolated:
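As an added example (not code from this article or from the workshop it references), here is what the Lambda target could look like in Python: it filters on the same event pattern (source aws.guardduty, finding type UnauthorizedAccess:EC2/MaliciousIPCaller.Custom), pulls the instance ID out of the finding, and swaps the instance's security groups for a quarantine group with no ingress or egress rules. The quarantine group ID (QUARANTINE_SG), the constructed sample event and the injectable EC2 client are assumptions so it can be exercised offline.

```python
import os
# Pattern for the CloudWatch Events rule matching this finding type (the article
# sets it up in the console; here it is data so the handler can filter on it).
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"]},
}
# Constructed sample finding event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "severity": 5,
               "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """Simplified CloudWatch Events matching: every pattern key must be present and
    hold one of the listed values; nested dicts are matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not matches_pattern(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True

def isolate_instance(ec2, instance_id, quarantine_sg):
    """Replace all of the instance's security groups with the quarantine group (which
    has no ingress or egress rules). Returns what changed so SNS can report it."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    before = [g["GroupId"] for g in resp["Reservations"][0]["Instances"][0]["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instance": instance_id, "previous_groups": before, "groups": [quarantine_sg]}

def lambda_handler(event, context=None, ec2=None, quarantine_sg=None):
    """Lambda entry point. `ec2` and `quarantine_sg` are injectable for offline tests;
    inside Lambda they default to a boto3 client and the QUARANTINE_SG env variable."""
    if not matches_pattern(event):
        return {"action": "ignored", "reason": "not a matching GuardDuty finding"}
    if ec2 is None:
        import boto3  # only needed when running in AWS
        ec2 = boto3.client("ec2")
    detail = event["detail"]
    result = isolate_instance(ec2, detail["resource"]["instanceDetails"]["instanceId"],
                              quarantine_sg or os.environ["QUARANTINE_SG"])
    result.update(action="isolated", finding=detail["type"], severity=detail["severity"])
    return result
```

Keeping the previous security groups in the result is what lets the SNS notification (and a later rollback) show exactly what was changed.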
Learn More About Automated Remediation
The example above (the compromised EC2 instance) is explained in more detail in the “Getting Hands on with Amazon GuardDuty” workshop. The workshop also includes detailed walkthroughs for two other examples: Compromised IAM Credentials and IAM Role Credential Exfiltration.
Another good resource is the AWS Online Tech Talk, “Remediating Amazon GuardDuty and AWS Security Hub Findings.”
Is GuardDuty Enough?
For AWS users, GuardDuty is an essential tool to keep their accounts secure and be notified of malicious activity. Enabling GuardDuty is a single-click process, and it easily combines with other AWS services such as Lambda and CloudWatch Events, providing for automated event remediation.
However, GuardDuty is not a comprehensive web security suite, and it cannot protect against all forms of malicious activity. Internet-facing resources need more protection than what GuardDuty can offer.
For full protection, you need an additional solution: one that includes a next-gen WAF, multi-layer DDoS protection, advanced bot management, and other security technologies that provide capabilities which the native AWS services do not.
Reblaze includes all of these, and more, all in a fully managed web security solution that runs natively on Amazon Web Services. For a demo, contact us here.