Control Blast Radius with Amazon GuardDuty and Dome9 Log.ic

In a previous blog we talked about our integration with GuardDuty for faster mean time to detection. In this blog we will explore how Dome9 Log.ic (our new security intelligence technology) and Amazon GuardDuty working together can help you identify, investigate and remediate threats in the cloud.

Imagine this scenario: due to a misconfiguration in your environment, a hacker has been able to gain access to your webserver. Now, with the intruder in your environment, you're getting alerts from GuardDuty about communication with malicious IPs and potential credential compromise.

You must identify the blast radius: exactly what activity the intruder has performed and how they did it so you can block the intruder’s access, remediate the vulnerabilities, and restore the configuration to its proper state.

 

Find the Needle in the Haystack using Amazon GuardDuty

Start with the GuardDuty findings for the account. GuardDuty (GD) findings are also a great source for triggering CloudWatch events and alerts, which can be used to invoke Lambda functions that carry out the necessary remediation activities.

You can specifically filter and drill down into the finding related to the compromised instance.


You can also navigate through the VPC flow logs and create search queries to find more information.


You can search to see whether an SSH brute-force attack was successful.

When GD findings pop up, key questions arise: which EC2 instance was affected, which VPC it was part of, which IAM user was affected, and over what time period. The manual process of searching through the AWS console (above) and other third-party services (SIEM tools) can be complicated and time-consuming. The most important question for you as a security admin to answer is whether you have spotted the attack in time or whether the intruder has already started performing malicious actions. To best answer this, you need a comprehensive threat detection and forensics investigation solution.
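The scoping questions above (which instance, which VPC, which IAM user, over what period) can be read straight from the finding that CloudWatch Events passes to a Lambda function. The following is an added example, not code from Dome9 or AWS; the function names and every identifier in the sample event are constructed.

```python
import json

# Constructed sample of a GuardDuty finding as delivered by CloudWatch Events.
# Every identifier and address below is made up for illustration.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail": {
        "accountId": "111122223333", "region": "us-east-1",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
        "resource": {"instanceDetails": {
            "instanceId": "i-0example0000000001",
            "networkInterfaces": [{"vpcId": "vpc-0example01"}],
        }},
        "service": {
            "eventFirstSeen": "2018-09-17T13:05:00Z",
            "eventLastSeen": "2018-09-17T14:43:00Z",
            "action": {"networkConnectionAction": {
                "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}},
        },
    },
}

def blast_radius_scope(event):
    """Extract who/what/where/when from one GuardDuty finding event."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    service = detail.get("service", {})
    instance = resource.get("instanceDetails") or {}
    key = resource.get("accessKeyDetails") or {}   # present on IAM findings
    net = service.get("action", {}).get("networkConnectionAction") or {}
    return {
        "finding_type": detail.get("type"),
        "severity": detail.get("severity"),
        "account": detail.get("accountId"),
        "instance_id": instance.get("instanceId"),
        "vpc_ids": sorted({ni["vpcId"] for ni in instance.get("networkInterfaces", [])
                           if ni.get("vpcId")}),
        "iam_user": key.get("userName"),
        "access_key_id": key.get("accessKeyId"),
        "remote_ip": (net.get("remoteIpDetails") or {}).get("ipAddressV4"),
        "first_seen": service.get("eventFirstSeen"),
        "last_seen": service.get("eventLastSeen"),
    }

def lambda_handler(event, context):
    # Hypothetical Lambda entry point: log the scope for the responder.
    scope = blast_radius_scope(event)
    print(json.dumps(scope))
    return scope
```

The first-seen and last-seen timestamps bound the window to search in flow logs and account activity.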

 

Investigate GuardDuty Findings using Dome9 Log.ic

Dome9 Log.ic is a security intelligence tool that enhances the Amazon GuardDuty service by providing incident investigation and custom policy alerting capabilities. SOC teams can look to Dome9 Log.ic to investigate GD findings in more detail.

1. Visualize Network Traffic

The explorer tool helps you interact with your network traffic/account activity and immediately assess the level of impact in your environment.


You can immediately see a complete visualization of your network traffic across a specific time period, which can instantly bring malicious activity to light.

2. Zoom Into the Compromise

Using Log.ic, you can dive deeper into a specific flow to investigate exactly what happened and identify the instance that was compromised.


3. Explore Various Views

You can visualize traffic at an instance level or at a VPC level to get an overall topology view.


You can also create custom queries to help answer the most important questions, such as whether:

– An SSH brute-force attack against an internet-accessible EC2 instance was successful


– Any instances communicated with a known malicious IP address (possibly indicating communication to C&C, scanners, spambot)


– The IAM credentials for the instance were stolen and used to perform reconnaissance against the account (feature will be released soon)
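The first two questions can be approximated from raw VPC flow logs. The following is an added Python example, not Log.ic query syntax; the thresholds, the threat-list entry and the sample records are constructed. The success check is a heuristic, because flow logs record bytes and packets rather than authentication results.

```python
from collections import defaultdict

# Constructed VPC Flow Log records, default (version 2) field order.
FIELDS = ("version account interface srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action status").split()
SAMPLE_FLOWS = """\
2 111122223333 eni-0web01 198.51.100.7 10.0.1.20 40001 22 6 14 2100 1537190000 1537190005 ACCEPT OK
2 111122223333 eni-0web01 198.51.100.7 10.0.1.20 40002 22 6 14 2100 1537190010 1537190015 ACCEPT OK
2 111122223333 eni-0web01 198.51.100.7 10.0.1.20 40003 22 6 14 2100 1537190020 1537190025 ACCEPT OK
2 111122223333 eni-0web01 198.51.100.7 10.0.1.20 40004 22 6 900 350000 1537190030 1537190600 ACCEPT OK
2 111122223333 eni-0web01 192.0.2.10 10.0.1.20 51000 22 6 700 250000 1537180000 1537180900 ACCEPT OK
2 111122223333 eni-0web01 10.0.1.20 203.0.113.66 44321 443 6 40 9000 1537190700 1537190760 ACCEPT OK
2 111122223333 eni-0db01 - - - - - - - 1537190000 1537190060 - NODATA
"""
KNOWN_BAD = {"203.0.113.66"}  # constructed stand-in for a threat-intel list

def parse(text):
    """Yield one dict per record, skipping NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            yield dict(zip(FIELDS, parts))

def ssh_bruteforce_suspects(flows, min_attempts=3, session_bytes=20000):
    """Flag sources with repeated small accepted TCP/22 flows. likely_success
    is a heuristic: a later flow large enough to be an interactive session."""
    by_src = defaultdict(list)
    for f in flows:
        if (f["dstport"], f["protocol"], f["action"]) == ("22", "6", "ACCEPT"):
            by_src[(f["srcaddr"], f["interface"])].append((int(f["start"]), int(f["bytes"])))
    suspects = {}
    for src, seen in by_src.items():
        small = sorted(t for t, b in seen if b < session_bytes)
        if len(small) >= min_attempts:
            later_big = any(b >= session_bytes and t > small[0] for t, b in seen)
            suspects[src] = {"attempts": len(small), "likely_success": later_big}
    return suspects

def bad_ip_contacts(flows, bad_ips):
    """Return (interface, bad IP) pairs seen in either direction."""
    return sorted({(f["interface"], ip) for f in flows
                   for ip in (f["srcaddr"], f["dstaddr"]) if ip in bad_ips})

FLOWS = list(parse(SAMPLE_FLOWS))
```

A source flagged with `likely_success` should be confirmed against the instance's own authentication logs before it is treated as a successful login.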

 

Remediate with Dome9 Arc Platform

1. Fix Compromised Security Groups

Once you have identified and investigated Patient Zero, you need to modify the Security Group associated with the instance to prevent the attacker, or anyone else, from connecting from a different IP. You can do that from Dome9 by navigating to the associated SG and limiting access, thereby restoring the configuration to a secure state. With full protection mode turned on, this corrected config is now the gold standard and any future config drift will be reversed.


2. Ensure Access Keys are Rotated after Incident

You also need to ensure your IAM keys are rotated, and to revoke any active IAM sessions for the role, to stop potential backdoor access into your environment. If you have multiple keys and credentials in your environment, you can run a quick scan with the Dome9 GSL to highlight compromised credentials.

IamUser where createDate before(-90, 'days') and firstAccessKey.isActive='true' should have (firstAccessKey.lastRotated after(-90, 'days') and firstAccessKey.lastUsedDate > firstAccessKey.lastRotated )
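The same condition can be checked against the IAM credential report. The following is an added Python example, not Dome9 code; it assumes the GSL rule flags users that match the `where` clause but fail the `should have` clause, and the report rows, user names and review date are constructed.

```python
import csv, io
from datetime import datetime, timedelta, timezone

# Constructed, column-trimmed sample in the layout of the IAM credential
# report (aws iam get-credential-report); user names and dates are made up.
SAMPLE_REPORT = """\
user,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
web-deploy,2017-03-01T09:00:00+00:00,true,2017-03-01T09:05:00+00:00,2018-09-17T13:40:00+00:00
ci-runner,2017-06-10T09:00:00+00:00,true,2018-09-18T08:00:00+00:00,2018-09-18T09:30:00+00:00
backup-job,2017-06-10T09:00:00+00:00,true,2018-09-18T08:00:00+00:00,N/A
new-hire,2018-09-01T09:00:00+00:00,true,2018-09-01T09:00:00+00:00,2018-09-02T09:00:00+00:00
old-svc,2016-01-01T09:00:00+00:00,false,2016-01-01T09:00:00+00:00,N/A
"""
REVIEW_TIME = datetime(2018, 9, 20, tzinfo=timezone.utc)  # constructed "now"

def _ts(value):
    """Report timestamps are ISO 8601; fields with no data hold 'N/A'."""
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)

def rotation_failures(report_csv, now, max_age_days=90):
    """Return (user, reason) for users that fail the rotation condition."""
    cutoff = now - timedelta(days=max_age_days)
    failures = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = _ts(row["user_creation_time"])
        # "where" clause: user older than 90 days with an active first key
        if created is None or created >= cutoff or row["access_key_1_active"] != "true":
            continue
        rotated = _ts(row["access_key_1_last_rotated"])
        used = _ts(row["access_key_1_last_used_date"])
        # "should have" clause: rotated recently AND used since that rotation
        if rotated is None or rotated <= cutoff:
            failures.append((row["user"], "key not rotated in the last %d days" % max_age_days))
        elif used is None or used <= rotated:
            failures.append((row["user"], "key not used since rotation"))
    return failures
```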

With GuardDuty and Log.ic, customers can now easily identify, investigate and remediate threats within the full context of their environment. For more information check out www.dome9.com/Magellan

 
