In practical use, AWS GuardDuty can produce too many false positives. As a SecOps user, you need insights that are prioritized toward the threats that matter. For example, did you know that 80% of the threat intel is reconnaissance, which is usually a preliminary step toward a further attack seeking to exploit a system? The whole idea behind Global Intelligence for AWS GuardDuty is to use global context to help SecOps users determine what they need to give attention to.
In this lab you will become familiar with the 12 threat purposes of AWS GuardDuty and their meanings. Then you will apply Global Intelligence threat intel to your data using our Global Intelligence for Amazon GuardDuty app: you will detect the threats we are experiencing, apply a baseline comparison using our company's threat intel, and evaluate the prioritized action plan for a response.
The threat purpose is the first part of a GuardDuty finding type and indicates the primary purpose of a threat or potential attack:

| # | Threat purpose | Meaning |
|---|---|---|
| 1 | Backdoor | Indicates that the attack has compromised an AWS resource and is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity. |
| 2 | Behavior | Indicates that GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource. |
| 3 | CryptoCurrency | Indicates that GuardDuty is detecting software that is associated with cryptocurrencies (for example, Bitcoin). |
| 4 | Pentest | Sometimes owners of AWS resources or their authorized representatives intentionally run tests against AWS applications to find vulnerabilities, like open security groups or access keys that are overly permissive. These pen tests are done in an attempt to identify and lock down vulnerable resources before they are discovered by attackers. However, some of the tools used by authorized pen testers are freely available, and therefore can be used by unauthorized users or attackers to run probing tests. Although GuardDuty can't identify the true purpose behind such activity, the Pentest value indicates that GuardDuty is detecting such activity and that it is similar to the activity generated by known pen testing tools. Therefore, it can be a potential attack. |
| 5 | Persistence | Indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. For example, this principal has no prior history of updating network configuration settings, or updating policies or permissions attached to AWS users or resources. |
| 6 | Policy | Indicates that your AWS account is exhibiting behavior that goes against recommended security best practices. |
| 7 | PrivilegeEscalation | Informs you that a specific principal in your AWS environment is exhibiting behavior that can be indicative of a privilege escalation attack. |
| 8 | Recon | Indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on. |
| 9 | ResourceConsumption | Indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. For example, this principal has no prior history of launching EC2 instances. |
| 10 | Stealth | Indicates that an attack is actively trying to hide its actions and its tracks. For example, an attack might use an anonymizing proxy server, making it virtually impossible to gauge the true nature of the activity. |
| 11 | Trojan | Indicates that an attack is using Trojan programs that silently carry out malicious activity. Sometimes this software takes on the appearance of a legitimate program. Sometimes users accidentally run this software. Other times this software might run automatically by exploiting a vulnerability. |
| 12 | UnauthorizedAccess | Indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual. |
What threats are we experiencing?
- In your personal folder, open Global Intelligence for Amazon GuardDuty and click Global Intelligence for Amazon GuardDuty. Then click the first dashboard listed, GI GuardDuty - 01 Global Baseline. The global baseline is a collection of stats averaged over Amazon GuardDuty findings for all Sumo Logic customers over the prior 7 days. The threat types detected are listed on the left.
- As we scroll down we can see Global Threat Share broken down by percentages for resource type and severity. As it turns out, most of our resource attacks happen to be on EC2 instances. The threat severities are shown on the right by high (red), medium (blue), and low (green).
- Scroll down to the Global Threat Map and, in the upper right corner of the panel, click to enlarge the panel to full screen. You can see the flow of attacks in GuardDuty happening worldwide. In the example below, you see many attacks focused on the US. You may also see attacks happening in Japan and Australia. Since our Global Intelligence is continuously updating, your results will possibly be different. If you hover over a line you can get details such as the source and destination locations.
- To see your Rare Threats compared to global intelligence, scroll down to the bottom panel. Rare threats are very important to early detection: they make up less than 0.2% of global intelligence findings. You will want to act on these very quickly.
How does your data compare with others?
- Open the second dashboard, GI GuardDuty - 02 Your Company v. Baseline. This dashboard compares your company's threat profile, based on Amazon GuardDuty findings, with the average threat profile of Sumo Logic customers. The GuardDuty threat score is between 0 (LOW RISK) and 100 (HIGH RISK). It is computed by combining factors including the severity, number and rarity of findings and their unusualness compared to the population of Sumo Logic customers. Due to the nature of our training environment we have a high risk score at 100%, mostly due to reconnaissance.
- If we continue to scroll down, the last 2 rows of panels for severity comparisons between Global Intelligence and your data appear, along with the Action Plan. The action plan prioritizes findings based on the greatest impact on GuardDuty threat posture when remediated. In any given time period, the contribution of each Threat Name to the Rel Score Impact is driven by its Severity, Findings Count, and Rarity and by the unusualness of findings compared to the population of Sumo Logic customers. This concept is quantified by the relative score impact in the Action Plan below.
- To see our own company's stats (training environment depicted) for Amazon GuardDuty findings, click GI GuardDuty - 03 Findings Analysis. Scroll down to the bottom and observe all the panels in this dashboard, which cover all 12 threat purposes of AWS GuardDuty threat intelligence. In the next lab, we will learn how to further investigate AWS GuardDuty threat intel.
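The two ideas the dashboards are built on, the threat purpose prefix of each GuardDuty finding type and the "rare threat" cut-off of 0.2% of global findings, can be reproduced on raw finding types. The following is an added example, not code from the Sumo Logic app; the finding-type format is GuardDuty's documented `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact`, and both the finding list and the global baseline counts are constructed sample data.

```python
import re
from collections import Counter

# The 12 threat purposes from the table above, compared case-insensitively
# because the AWS docs spell the pen-test purpose "PenTest".
THREAT_PURPOSES = {p.lower() for p in (
    "Backdoor", "Behavior", "CryptoCurrency", "PenTest", "Persistence", "Policy",
    "PrivilegeEscalation", "Recon", "ResourceConsumption", "Stealth", "Trojan",
    "UnauthorizedAccess")}

# GuardDuty finding-type format; the mechanism and artifact parts are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$")

RARE_SHARE = 0.002  # "rare" = under 0.2% of global findings, as defined above

def parse_finding_type(finding_type):
    """Split a finding type into its parts; reject unknown threat purposes."""
    m = FINDING_TYPE_RE.match(finding_type)
    if m is None or m["purpose"].lower() not in THREAT_PURPOSES:
        raise ValueError(f"not a recognised GuardDuty finding type: {finding_type}")
    return m.groupdict()

def tally_by_purpose(finding_types):
    """Count findings per threat purpose (the left-hand list on dashboard 01)."""
    return Counter(parse_finding_type(ft)["purpose"] for ft in finding_types)

def rare_threats(our_findings, global_baseline):
    """Finding types we saw whose share of the global baseline is below 0.2%."""
    total = sum(global_baseline.values())
    rare = {}
    for ft in set(our_findings):
        share = global_baseline.get(ft, 0) / total
        if share < RARE_SHARE:
            rare[ft] = share
    return rare

# Constructed sample data: real finding-type names, made-up counts.
OUR_FINDINGS = [
    "Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/PortProbeUnprotectedPort",
    "Recon:IAMUser/TorIPCaller", "UnauthorizedAccess:EC2/SSHBruteForce",
    "Backdoor:EC2/C&CActivity.B!DNS",
    "PrivilegeEscalation:IAMUser/AdministrativePermissions",
]
GLOBAL_BASELINE = Counter({           # totals 10,000 findings
    "Recon:EC2/PortProbeUnprotectedPort": 7600,
    "Recon:IAMUser/TorIPCaller": 400,
    "UnauthorizedAccess:EC2/SSHBruteForce": 1500,
    "Backdoor:EC2/C&CActivity.B!DNS": 12,
    "PrivilegeEscalation:IAMUser/AdministrativePermissions": 488,
})
```

With this sample the recon findings dominate, as on the training dashboards, while the single C&C backdoor finding is the one flagged rare (0.12% of the baseline) and therefore the one to act on first.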
To protect customer data, all unique identifiers are screened out of any benchmark results. For more information contact email@example.com.
Quiz (True or False?)
Three of the twelve AWS GuardDuty threats are recon, privilege escalation, and policy.
To baseline your company's data with Sumo Logic Global Intelligence, use the 03 dashboard.
In any given time period, the contribution of each Threat Name to the Rel Score Impact is driven by its Severity, Findings Count, and Rarity and by the unusualness of findings compared to the population of Sumo Logic customers.
Congratulations! You’ve completed these tasks:
Become familiar with the 12 threat purposes of AWS GuardDuty and their meanings.
Apply Global Intelligence threat intel to your data, using our Global Intelligence for Amazon GuardDuty app.
Apply a threat intel baseline comparison.
Evaluate the prioritized action plan for a response.