
Lab 9 - Threat Intel baseline with AWS GuardDuty Global Intelligence

In practical use of AWS GuardDuty we may get too many findings, many of them false positives. As SecOps users, we need insights that are prioritized toward the threats that matter. For example, did you know that 80% of the threat intel is reconnaissance, which is usually a preliminary step toward a further attack seeking to exploit a system? The whole idea behind Global Intelligence for AWS GuardDuty is to use global context to help SecOps users determine what they need to give attention to.

In this lab you will become familiar with the 12 threat purposes of AWS GuardDuty and their meanings. Then you will apply Global Intelligence threat intel to your data using our Global Intelligence for Amazon GuardDuty app: detect the threats we are experiencing, apply a baseline comparison against our company's threat intel, and evaluate the prioritized action plan for a response.

Threat purposes

Threats indicating the primary purpose of a threat or a potential attack:

  1. Backdoor: Indicates that the attack has compromised an AWS resource and is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.

  2. Behavior: Indicates that GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.

  3. Cryptocurrency: Indicates that GuardDuty is detecting software that is associated with cryptocurrencies (for example, Bitcoin).

  4. Pentest: Sometimes owners of AWS resources or their authorized representatives intentionally run tests against AWS applications to find vulnerabilities, like open security groups or access keys that are overly permissive. These pen tests are done in an attempt to identify and lock down vulnerable resources before they are discovered by attackers. However, some of the tools used by authorized pen testers are freely available, and therefore can be used by unauthorized users or attackers to run probing tests. Although GuardDuty can't identify the true purpose behind such activity, the Pentest value indicates that GuardDuty is detecting such activity and that it is similar to the activity generated by known pen testing tools. Therefore, it can be a potential attack.

  5. Persistence: Indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. For example, this principal has no prior history of updating network configuration settings, or updating policies or permissions attached to AWS users or resources.

  6. Policy: Indicates that your AWS account is exhibiting behavior that goes against recommended security best practices.

  7. PrivilegeEscalation: Informs you that a specific principal in your AWS environment is exhibiting behavior that can be indicative of a privilege escalation attack.

  8. Recon: Indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.

  9. ResourceConsumption: Indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. For example, this principal has no prior history of launching EC2 instances.

  10. Stealth: Indicates that an attack is actively trying to hide its actions and its tracks. For example, an attack might use an anonymizing proxy server, making it virtually impossible to gauge the true nature of the activity.

  11. Trojan: Indicates that an attack is using Trojan programs that silently carry out malicious activity. Sometimes this software takes on the appearance of a legitimate program. Sometimes users accidentally run this software. Other times this software might run automatically by exploiting a vulnerability.

  12. UnauthorizedAccess: Indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual.

Lab Activity

What threats are we experiencing?

  1. In your personal folder, open the Global Intelligence for Amazon GuardDuty app and click the first dashboard listed, GI GuardDuty - 01 Global Baseline. The global baseline is a collection of stats averaged over Amazon GuardDuty findings for all Sumo Logic customers over the prior 7 days. The threat types detected are listed on the left.

  2. As we scroll down we can see Global Threat Share broken down by percentage for resource type and severity. As it turns out, most of our resource attacks happen to be on EC2 instances. The threat severities are shown on the right as high (red), medium (blue), and low (green).

  3. Scroll down to the Global Threat Map and, in the upper right corner of the panel, click the expand icon to enlarge the panel to full screen. You can see the flow of attacks in GuardDuty happening worldwide. When this lab was written, many attacks were focused on the US, with others against Japan and Australia. Since Global Intelligence is continuously updating, your results will probably differ. If you hover over a line you can get details such as the source and destination locations.

  4. To see your Rare Threats compared to global intelligence, scroll down to the bottom panel. Rare threats are very important to early detection: they are the threat types that make up less than 0.2% of global intelligence findings. You will want to act on these very quickly.

How does your data compare with others?

  1. Open the second dashboard, GI GuardDuty - 02 Your Company v. Baseline. This dashboard compares your company's threat profile, based on Amazon GuardDuty findings, with the average threat profile of Sumo Logic customers. The GuardDuty threat score ranges from 0 (LOW RISK) to 100 (HIGH RISK). It is computed by combining factors including the severity, number and rarity of findings and their unusualness compared to the population of Sumo Logic customers. Due to the nature of our training environment we have a high risk score of 100, mostly due to reconnaissance.

  2. If we continue to scroll down, the last two rows of panels show severity comparisons between Global Intelligence and your data, along with the Action Plan. The action plan prioritizes findings by the greatest impact on GuardDuty threat posture when remediated. In any given time period, the contribution of each Threat Name to the Rel Score Impact is driven by its Severity, Findings Count and Rarity, and by the unusualness of its findings compared to the population of Sumo Logic customers. This is quantified as the relative score impact in the Action Plan.

  3. To see our own company's stats (the training environment is shown here) for Amazon GuardDuty findings, click GI GuardDuty - 03 Findings Analysis. Scroll down and observe the panels in this dashboard, which cover all 12 threat purposes of AWS GuardDuty. In the next lab, we will learn how to investigate AWS GuardDuty threat intel further.
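The two things these dashboards do, classifying findings by threat purpose and comparing the company's share of each purpose against a global baseline, can be reproduced in a few lines. The following is an added Python example, not Sumo Logic's or AWS's code. The finding-type format it parses (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact) is AWS's documented one, and the 0.2% rarity threshold is the one the lab states; the findings list, the severities, the baseline percentages and the company/global ratio used to rank "unusualness" are constructed or assumed for the example (the Action Plan's real Rel Score Impact formula is not on this page). It also handles the case the 12-purpose list does not cover: a purpose GuardDuty has added since, which is kept verbatim and flagged rather than silently dropped.

```python
import re
from collections import Counter

# AWS's documented finding-type format:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# DetectionMechanism and Artifact are optional; family names may contain '&'.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/]+):(?P<resource>[^/]+)/"
    r"(?P<family>[^.!]+)(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

# The 12 threat purposes covered in this lab, keyed lower-case because finding
# types spell some of them differently from the lab (CryptoCurrency, PenTest).
THREAT_PURPOSES = {
    "backdoor": "Backdoor", "behavior": "Behavior",
    "cryptocurrency": "Cryptocurrency", "pentest": "Pentest",
    "persistence": "Persistence", "policy": "Policy",
    "privilegeescalation": "PrivilegeEscalation", "recon": "Recon",
    "resourceconsumption": "ResourceConsumption", "stealth": "Stealth",
    "trojan": "Trojan", "unauthorizedaccess": "UnauthorizedAccess",
}
RARE_THRESHOLD = 0.002  # the lab's definition: under 0.2% of global findings

def parse_finding_type(finding_type):
    """Split a finding type into its parts. The purpose is normalized to the
    lab's spelling; a purpose outside the 12 is kept verbatim and flagged."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    parts = m.groupdict()
    key = parts["purpose"].lower()
    parts["known_purpose"] = key in THREAT_PURPOSES
    parts["purpose"] = THREAT_PURPOSES.get(key, parts["purpose"])
    return parts

def severity_label(severity):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "High"
    return "Medium" if severity >= 4.0 else "Low"

def share(values):
    """Fraction (0..1) of the total attributed to each distinct value."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: n / total for k, n in counts.items()}

def threat_profile(findings):
    """The breakdowns the dashboards show: by purpose, resource and severity."""
    parsed = [parse_finding_type(f["type"]) for f in findings]
    return {
        "by_purpose": share(p["purpose"] for p in parsed),
        "by_resource": share(p["resource"] for p in parsed),
        "by_severity": share(severity_label(f["severity"]) for f in findings),
    }

def compare_to_baseline(company_by_purpose, global_by_purpose):
    """One row per purpose in the company's findings, ranked by how far its
    share exceeds the global share. The ratio is an assumed stand-in for
    'unusualness', not Sumo Logic's Rel Score Impact. Rare: global < 0.2%."""
    rows = []
    for purpose, mine in company_by_purpose.items():
        theirs = global_by_purpose.get(purpose, 0.0)
        rows.append({
            "purpose": purpose, "company_share": mine, "global_share": theirs,
            "ratio": mine / theirs if theirs else float("inf"),
            "rare": theirs < RARE_THRESHOLD,
        })
    rows.sort(key=lambda r: r["ratio"], reverse=True)
    return rows

# Constructed sample findings (type strings follow AWS's format, severities are
# made up) and a constructed global baseline share per purpose.
CONSTRUCTED_FINDINGS = [
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0},
    {"type": "Recon:EC2/Portscan", "severity": 5.0},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0},
    {"type": "Recon:IAMUser/TorIPCaller", "severity": 5.0},
    {"type": "Recon:EC2/Portscan", "severity": 5.0},
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0},
    {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0},
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 5.0},
    {"type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2.0},
    {"type": "Trojan:EC2/DNSDataExfiltration", "severity": 8.0},
]
CONSTRUCTED_GLOBAL_BASELINE = {
    "Recon": 0.80, "UnauthorizedAccess": 0.10, "Behavior": 0.04,
    "Backdoor": 0.03, "Cryptocurrency": 0.015, "Policy": 0.01,
    "Stealth": 0.004, "Trojan": 0.001,
}

if __name__ == "__main__":
    profile = threat_profile(CONSTRUCTED_FINDINGS)
    for row in compare_to_baseline(profile["by_purpose"], CONSTRUCTED_GLOBAL_BASELINE):
        print(f"{row['purpose']:<19} {row['company_share']:6.1%} vs "
              f"{row['global_share']:6.1%}  x{row['ratio']:.1f}"
              f"{'  RARE' if row['rare'] else ''}")
```

With the constructed data, Recon is half of the company's findings but is ranked last because it is 80% of the baseline, while the single Trojan finding tops the list: it is both rare globally and far above its global share, which is the same reasoning the lab applies when it says rare threats deserve the fastest response.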


To protect customer data, all unique identifiers are screened out of any benchmark results. For more information contact support@sumologic.com.


Quiz (True or False?)

  1. Three of the twelve AWS GuardDuty threats are recon, privilege escalation, and policy.

  2. To baseline your company's data against Sumo Logic Global Intelligence, use the 03 dashboard.

  3. In any given time period, the contribution of each Threat Name to the Rel Score Impact is driven by its Severity, Findings Count, and Rarity and by the unusualness of findings compared to the population of Sumo Logic customers.

Summary

Congratulations! You’ve completed these tasks:

  1. Become familiar with the 12 threat purposes of AWS GuardDuty and their meanings.

  2. Apply Global Intelligence threat intel to your data, using our Global Intelligence for Amazon GuardDuty app.

  3. Detect threats.

  4. Apply a threat intel baseline comparison.

  5. Evaluate the prioritized action plan for a response.