AWS Guard Duty

#aws #ids #security

Guard Duty

First off, a simple definition:
GuardDuty is a guard that will stand in front of your workload and continuously let you know of any threats that are coming to your workload.

Now the real definition:
Amazon GuardDuty offers threat detection enabling you to continuously monitor and protect your AWS accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3). GuardDuty analyzes continuous metadata streams generated from your account and network activity found in AWS CloudTrail Events, Amazon Virtual Private Cloud (VPC) Flow Logs, and domain name system (DNS) Logs. GuardDuty also uses integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning (ML) to more accurately identify threats.

Features of Guard Duty

Amazon S3 protection - Monitor object-level suspicious activity
EKS Protection - Monitor suspicious activities on EKS clusters
Runtime Monitoring - Using an agent, monitor suspicious activities on ECS(Fargate), EKS, EC2
Malware Protection - Scan EBS volumes for malware
RDS Protection - scans login activity on Aurora RDS
Lambda Protection - scans network traffic from Lambda execution

Suppression Rules - Selectively suppress some findings to automatically archive findings which are low-value, false positive etc, to reduce the noise.

Threat list - This is a list of known malicious IPs. This could be in many formats including industry-standard formats like STIX, OTX or even plaintext. Lists could be stored at an accessible internet URI, including your own S3 bucket.

Trusted List - stores known trusted IPs with the same storage and format characteristics

Findings - You can drill down into the findings, and get more information about the incident including the target of the attack, the actor of the attack etc. It also provides a link to pivot to detective and investigate this incident.

Demo

1.Malicious IP access

We create a text file with a known IP in it, say 8.8.8.8 and upload it to an S3 bucket. Specify this file as a Threat List inside GuardDuty.

From an EC2 inside your account, ping this IP.

ping 8.8.8.8

Soon, GuardDuty finds this and you can see it in the console.

2.Instance Credential Exfiltration

We know an EC2 instance could have an IAM Role (Instance Profile) which gives it access to AWS API calls as per the role permissions. We can simulate the scenario where a hacker has got access to the EC2 and is using these credentials to call AWS APIs.

Login to the EC2 and get the IAM credentials.
This could depend on the Instance Metadata Service Version of the EC2.
See this page for details:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials

For me, I am on v2. My Ec2-instance has the role ec2-admin

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-admin

From the output of this command note the Access Key ID, Secret Access Key and Session Token.

Now replicate same session in any other system terminal where you have AWS CLI installed. Below commands can be used for that. It creates a profile called badbob (BAD BOB!) who is the hacker.


aws configure set profile.badbob.region us-east-1

aws configure set profile.badbob.aws_access_key_id <AccessKeyId>

aws configure set profile.badbob.aws_secret_access_key <SecretAccessKey>

aws configure set profile.badbob.aws_session_token <Token>

Now using the session, issue several AWS API Calls. An example is below. Remember the hacker does not know the permissions on the role, so he may try many commands across the spectrum, so try a whole lot of options.

aws s3 ls --profile badbob

You can see GuardDuty finds this suspicious activity and reports it.

Note that in both cases, GuardDuty gives a whole lot of background information about the finding that helps the security team investigate this finding.

This includes an overview, resources involved in the finding, IAM details, Network details, the action in the finding, actor involved in the finding etc.

If you have enabled another AWS tool, AWS Detective at least 48 hours before you enabled GuardDuty, you would also see the option to investigate this finding in Detective.