Security Alerts

If you already had some findings, you should already have some logs. With that information, you are ready now to create security alerts, but you do not want to waste time and money responding to noisy false-positive alerts, so you can focus on high severity only.

According to a security research firm, FireEye, "Of the 17,000 malware alerts an organization receives each week, only 3,230 are considered reliable, and only 680 of the alerts are actually investigated" [5].

GuardDuty high-severity alerts include some of the following:

• Backdoor:EC2/C&CActivity.B!DNS
• Backdoor:EC2/DenialOfService.Tcp, Udp or DNS
• CryptoCurrency:EC2/BitcoinTool.B!DNS
• Trojan:EC2/DriveBySourceTraffic!DNS
• Trojan:EC2/DNSDataExfiltration

To simplify things, start by creating an alert that will trigger when one of those high-security alerts is found; from there, you can be more granular and selective by creating more complex alerts by target account or source IP. Just use your imagination and be creative.

To get familiar with the JSON data fields available, log in to the SIEM system and create a search for all GuardDuty data. Because high-severity alerts in GuardDuty fall within the numeric range 7 to 8.9, you must create the filter accordingly (Figure 8). The alert parses some JSON fields at search time, filters by severity (highlighted), and generates aggregated output by some specific fields, excluding the raw data.

Figure 8: Search with Sumo Logic for high-severity findings only.

If instead, you would prefer output showing the raw data, the results would look like Figure 9, with the severity highlighted. That specific finding is related to credentials misuse; the credentials were detected as having been used from an external IP address.

Figure 9: High-severity results for a possible credential exfiltration finding.

You can take things a step further and test your alerts by generating malicious traffic in your environment. Of the many tools out there for this purpose, one was specifically developed for this use case: the amazon-guardduty-tester script [6], which can be used as a proof-of-concept to generate several Amazon GuardDuty findings. Also from AWS is the amazon-guardduty-hands-on repo, which will instruct "by guiding you through enabling the detector, generating a variety of findings, and remediating those findings with Lambda functions" [7].

If you prefer something that is not vendor-specific, you can always use Network Flight Simulator [8], which is an open source utility used to generate malicious network traffic by performing several tests to simulate DNS tunneling, domain generation algorithm (DGA) traffic, requests to known active C2 destinations, and other suspicious traffic.

Bypass GuardDuty Detection

With some decent security alerts now in place, be aware that the tool does a good job detecting some issues, but it is not perfect and may miss some unknown malware, sources, and so on. However, there are still ways to bypass GuardDuty intentionally to evade detection on a network.

One example of detecting Kali Linux on the network is by identifying the user agent being used from the API call. The same happens if you are using Pentoo Linux or Parrot OS. By modifying the user agent, for example,

curl -H 'Boto/1.3.4 Python/3.7.0 MacOs/ Botocore/1.11.0'

GuardDuty will not identify those systems.

GuardDuty uses the default AWS DNS resolvers to find issues, so if someone changes the default configuration and adds a Google DNS (i.e., 8.8.8.8 or 8.8.4.4), the attacker can query any domain without being detected.

As you saw earlier, the alert in Figure 8 triggered because it detected compromised AWS instance credentials outside of its environment. The issue – and I'm not sure whether this has been fixed already by AWS – is that it must also be detected from an internal instance. Even so, a hacker can create a new instance inside the account and use those stolen credentials from there without being detected.

Conclusions

GuardDuty, like many tools, has some gaps. For the price of the service and its simplicity of use, I am confident that it will save you a great deal of time in implementation and deployment. You should definitely enable it in all regions and benefit from the free 30-day trial. Experience it, play with, get familiar, and do some investigations. I have not talked about integrations, but GuardDuty has a large variety of security vendors with which to integrate.