Amazon GuardDuty Security Review


Amazon GuardDutySecurity ReviewPrepared by:Andrew McKenna, Principal ConsultantDimitris Kamenopoulos, Information Security OfficerKeith Lee, Senior Penetration TesterForegenix Inc. 75 State St., 1st Floor, Boston, MA, 02109 USA 1 (877) 418 4774

AWS SecurityServices1Executive SummaryCloud Technologies are largely subject to the same attack vectors seen in moretraditional on-premise deployments, and therefore when it comes to cyber security,they require the same level of attention. However, Cloud Technologies like AmazonWeb Services (AWS) also introduce new opportunities for more effective defence,and the correct understanding of this is critical for a successful cyber security strategy.Cloud providers can sometimes struggle to provide a granular level of access tointernal security events and other interesting system behavior indicators, but whenthese are available, cyber security vendors can consume them and use them togenerate appropriate security responses. AWS provides a dedicated service for thistask, Amazon GuardDuty.Foregenix has been engaged by AWS to perform an independent cyber securityassessment of GuardDuty and produce an opinion in relation to how the servicecompares with other recognised industry solutions in relation to three specific areas:1. Ability to detect suspected intrusions and alert personnel to suspicious activity2. Ability to support PCI DSS compliance requirements3. Ability to deploy and activate without expert skillsThe Testing EnvironmentForegenix configured a lab environment to perform testing using extensive andcomplex attack playbooks. The lab environment simulated a real world deploymentcomposed of a web server, a bastion box and an internal server used for centralisedevent logging. The environment was left running under normal operating conditionsfor more than 45 days in order to allow all tested solutions to build up a baseline ofpatterns for standard environmental behaviour, from which to detect anomalies lateron.The test, initially focused on Amazon GuardDuty, also included Host-based IDSsolutions from other vendors available in the AWS marketplace.Amazon GuardDuty Review1

AWS SecurityServicesOur findings2Amazon GuardDuty demonstrated being a very effective tool in any organisation’sAWS Cloud defensive arsenal; it was found to be extremely simple to deploy andactivate, and required no specialised skills to operate. GuardDuty, by operating atthe AWS plane and analysing DNS requests, VPC traffic flow and CloudTrail events,was able to identify threats which could not be identified by other tools withoutextensive customisation. While the combination of these features make GuardDutya unique offering, there is still space for improvement and collaboration with othertools when it comes to threat detection for other layers of the attack plane. As a result,Foregenix believes that GuardDuty presents an ideal solution for AWS customersfacing compliance challenges, but that in order to achieve a comprehensive in-depthdefensive posture within the AWS Cloud, the use of GuardDuty should be lightlycomplemented by other threat detection technologies.An overview of currentIntrusion Detection SystemsIntrusion Detection and Prevention Systems (IDS & IPS) are tools which are used todetect malicious activity or threats within networks and/or systems. These solutionsare generally network-focused or host-based and each implementation addressesa subset of the threat landscape. That is to say, these implementations are notinterchangeable and act on different inputs and, therefore, will detect different threats.From a compliance perspective, the requirement is typically to ensure an IDS/IPS isin place. From a security perspective, one may favour one over the other for a giventhreat profile or both can be used to address different threats.To further develop on the above, implementations are generally signature-based orbehaviour-based. Signature based - the tool maintains an inventory of indicators of compromise orthreat vectors and generates alerts once such is identified.Behavior based - the tool learns what is normal behavior over time and considersthis to be a behavioral baseline for a given environment. Anomalous activity whichdeviates from the baseline is flagged as a potential threat.GuardDuty’s functionality is similar to that of a Network IDS and uses a hybrid approachto detection meaning it analyses traffic for signature matches as well as monitorsfor deviations from baseline activity (AWS recommends a 45 day behaviour learningphase). As GuardDuty spans the entire VPC, it monitors north/south traffic as well aseast/west.GuardDuty analyses events from multiple AWS data sources, such as AWS CloudTrail,Amazon GuardDuty Review2

AWS SecurityServicesAmazon VPC Flow Logs, and DNS logs and detects suspicious activity based on threatintelligence feeds received from AWS and other services such as CrowdStrike. AWSCloudTrail performs logging and monitoring of account activities related to actionsacross the AWS infrastructure. VPC Flow captures information about IP traffic goingto and from network interfaces. DNS logs DNS queries received by the AWS DNSservers.There is currently no single IDS implementation which addresses cloud, network andhost threat spaces for the AWS Cloud.Approach to testing and analysisForegenix set up a VPC with six subnets (three private and three public). Two of theprivate subnets were used exclusively for RDS (see below), while the third one wasused by EC2.The VPC layout is depicted below:Web/ SSH trafficand attacksInternetMalicious outgoing trafficPublic Subnet A(Internet Access)External jump boxSSH TrafficInternal IDS & SIEM EventsInternal jump boxOther IDS ConsolesSSH traffic/ internalIDS & SIEM EventsInternal IDS/SIEMserverPublic subnet B(Internal/External bridge)Private Subnet A(Internal IDS/SIEM server)Other IDS Agent Traffic(Events etc)Public Subnet C(Other IDS Installations)Other IDS DatabaseTrafficPrivate Subnet B/C(RDS instance used byother IDS)Events, licensing etcCollector & Dashboardservices for otherIDS solutionsAmazon GuardDuty Review3

AWS SecurityServicesPublic subnetsOn the first public subnet Foregenix deployed a Linux instance running both a webserver and an SSH server, and configured it to accept relevant traffic from the internet.This was deemed “the entry point” to our VPC, as no other instance was configured toaccept incoming traffic from the internet.On the second public subnet Foregenix deployed a bastion host, a Linux instancerunning an SSH server. It was configured to accept SSH traffic from the entry point(above), and all other instances were configured to only accept SSH traffic from thebastion. Although the bastion was deployed on a public subnet its security groupsblocked any traffic coming from the Internet; it was deployed in this way to allow foremergency connections from a white-listed public IP address.The third public subnet was used to deploy several instances of other IDS solutions(both commercial and open source), following their own AWS CloudFormationtemplates.Private subnetsThe first EC2 private subnet hosted a Linux instance, configured to accept SSH trafficonly from the bastion box. This instance was also used for event log collection on port1514/UDP.The other two private subnets were created to host an RDS instance.Four different IDS systems were deployed within the test environment and attackswere run to/from the two public instances.The inclusion of various IDS systems in testing was intended to provide a performancebaseline in order to identify if GuardDuty’s detection and alerting capabilities areconsistent with those of other solutions.Initial FindingsAmazon GuardDutyAmazon GuardDuty was unique in detecting DNS-based malicious activity such aslookups for bitcoin domains. It was also successful in detecting IAM-level activity suchas attempts at credential exfiltration. Interestingly, it did not report our brute forceSSH attacks (run as part of the tests) but did report genuine brute force SSH attackstargeting the same instances from several internet sources.Amazon GuardDuty Review4

AWS SecurityServicesAmazon GuardDuty specific findingsAmazon GuardDuty classifies threat families in the following “Active Finding Types”.These classes are well documented in the GuardDuty User Guide. Backdoor Finding TypesBehavior Finding TypesCryptoCurrency Finding TypesPenTest Finding TypesPersistence Finding TypesPolicy Finding TypesPrivilegeEscalation Finding TypesRecon Finding TypesResourceConsumption Finding TypesStealth Finding TypesTrojan Finding TypesUnauthorized Finding TypesAs mentioned above, during the analysis phase it was found that GuardDuty raisedalerts in response to both Foregenix’s controlled activity and also real world attacksagainst the services exposed to the Internet. Details and examples of the GuardDutyevents and alerts can be found in the Appendix.Amazon GuardDuty Review5

AWS SecurityServicesBelow is the breakdown of the specific threats groupedby each of the Active Finding Types.Active Finding TypesSub FindingsBackdoor Finding r:EC2/DenialOfService.UnusualProtocolBehavior Finding rafficVolumeUnusualCryptoCurrency Finding rency:EC2/BitcoinTool.BPenTest Finding otLinuxPenTest:IAMUser/PentooLinuxPersistence Finding ence:IAMUser/ResourcePermissionsPolicy Finding icy:IAMUser/RootCredentialUsagePrivilegeEscalation Finding missionsRecon Finding n ourcesStealth Finding ConfigurationModifiedAmazon GuardDuty Review6

AWS SecurityServicesActive Finding TypesSub FindingsTrojan Finding ingDomainRequest!DNSUnauthorized Finding rClientUnauthorizedAccess:EC2/TorRelayAmazon GuardDuty Review7

AWS SecurityServicesAmazon GuardDuty and PCI ComplianceThe PCI DSS is not prescriptive regarding the type of IDS deployed (i.e. network or host-based) norregarding the categories of events an IDS should be able to detect (we detailed above that there isa separation between what network and host-based deployments can detect). Rather, the PCI DSSrequires security controls are in place to detect intrusions at the perimeter and at critical points withinthe cardholder data environment. GuardDuty, working across the AWS network plane, performinginspection of various event sources and applying a blend of signature-based and behavior-basedanalytics and detection thereupon, proves to be a robust IDS service which can meet the relevantrequirements of PCI DSS, with minimal human support.The specific controls for IDS within the PCI Data Security Standard are enumerated withinRequirement 11.4. The following are the relevant PCI requirements and the results in relation to ourtesting of GuardDuty:Requirement11.4.a Examine system configurations andnetwork diagrams to verify that techniques(such as intrusion-detection systems and/orintrusion-prevention systems) are in place tomonitor all traffic: At the perimeter of the cardholder dataenvironment. At critical points in the cardholder dataenvironment.11.4.b Examine system configurations andinterview responsible personnel to confirmintrusion-detection and/or intrusion-preventiontechniques alert personnel of suspectedcompromises.11.4.c Examine IDS/IPS configurations andvendor documentation to verify intrusiondetection, and/or intrusion-preventiontechniques are configured, maintained, andupdated per vendor instructions to ensureoptimal protection.Amazon GuardDuty ReviewFindingIn PlaceAmazon GuardDuty monitors DNS, VPC Flowand CloudTrail logs - this includes all traffic atthe perimeter of, and critical points in, the AWSportion of an organisation’s cardholder dataenvironment.In PlaceAmazon GuardDuty can be configured to notifypersonnel of suspected compromises via emailor SMS message.In PlaceAn organisation leveraging the AmazonGuardDuty service can rely on AWS’ PCIAttestation of Compliance including theGuardDuty service. Once the service isenabled, no additional configuration is requiredby the customer to configure, maintain orupdate the service. Responsibility for thisrequirement is assessed within AWS’ owncompliance and responsibility does not lie withthe customer.8

AWS SecurityServices3CONCLUSIONS &RECOMMENDATIONSAfter testing a number of solutions available in the AWS marketplace using variousintrusion playbooks and technical tools, Foregenix found that no single solution providescomplete ‘out of the box’ coverage across all possible intrusion types. However, asa network or non-host-based IDS, Amazon GuardDuty was successful in detectingand alerting on all intrusion attempts with nocustomisationrequired. In this regard, GuardDuty scoredmuchhigherthan all other competing solutions and wascertainly the most successful option interms of detecting AWS-specific threats.This is not to suggest other solutionsdo not have significant or similarthreatdetectioncapabilities,however achieving comparableresults would require additionalcustomisation effort.From an optimal cyber security standpoint, in order to achieve the highest possiblethreat detection rate, Foregenix believes AWS customers should leverage the best ofboth worlds: deploy a Host-based IDS for protecting the instances from the “inside”, andGuardDuty to protect the surrounding “cloud” as well as the host’s external environmentalbehaviour. Testing demonstrated that such a configuration would provide the mosteffective cyber security alternative for an AWS Cloud environment running both EC2instances and serverless infrastructure.Amazon GuardDuty Review9

AWS SecurityServicesAppendixBelow is the list of tools that were used during the review ofAmazon iptionCrowbar is a brute force tool which supportsOpenVPN, Remote Desktop Protocol, SSHPrivate Keys and VNC Keys GoldenEye Layer 7 (KeepAlive NoCache)DoS Test Toolhttp://www.hping.orgHping is a command-line oriented TCP/IPpacket cLow Orbital Ion Cannon Load Tester Medusa is intended to be a speedy, masmedusa.htmlsively parallel, modular, login threaded CPU miner for niff-ng/Mausezahn is a fast traffic generator writtennetsniff-ngin C which allows you to send nearly everypossible and impossible packet is used to discover hosts and services on a computer network by sendingpackets and analyzing the responses. Nmapprovides a number of features for probingcomputer networks is a free non-caching web proxy withijbswa/filtering capabilities for enhancing privacy,manipulating cookies and modifying webpage data and HTTP headers before thepage is rendered by the browser Proxychains - a tool that forces any TCPconnection made by any given application to follow through proxy like TOR orany other SOCKS4, SOCKS5 or HTTP(S)proxy. Supported auth-types: “user/pass” forSOCKS4/5, “basic” for HTTP bandwidth DoS tool is a suite of free Open Sourceutilities for editing and replaying previouslycaptured network traffic is free and open-source software forload/enabling anonymous inia is a framework for performing layer2 attacksAmazon GuardDuty Review10

AWS SecurityServicesBelow is a list of threat intelligence feeds that were usedduring the testing. v azon GuardDuty Review11

Head QuartersMEALATAMForegenix Ltd.8-9 High Street, MarlboroughSN8 1AAUnited KingdomForegenix (Pty) Ltd.58 Peter Place, Sandton2060South AfricaForegenix do BrasilAv. Paulista 2064/2086, 14 andarEd. Paulista, São PauloBrasil 44 845 309 6232 27 860 44 4461 55 11 98781 4241North AmericaEuropeAPACForegenix Inc75 State Street, 1st FloorBoston, MA, 02109United StatesForegenix Germany GMbH.Betzelsstrabe 27, 55116MainzGermanyForegenix (Pty) Ltd.1 Market Street, SydneyNSW 2000Australia 1 877 418 4774 49 6131 2188747 61 420 904 914

The inclusion of various IDS systems in testing was intended to provide a performance baseline in order to identify if GuardDuty's detection and alerting capabilities are consistent with those of other solutions. Amazon GuardDuty Amazon GuardDuty was unique in detecting DNS-based malicious activity such as lookups for bitcoin domains.