SlideShare a Scribd company logo

Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks

Amazon Web Services
Amazon Web Services

Learning Objectives: - How to safely generate a number of Amazon GuardDuty findings - How to analyze Amazon GuardDuty findings - How to think about remediation of threats

1 of 29
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Greg McConnel, Senior Solutions Architect 4/30/18 Amazon GuardDuty - Let's Attack My Account! (0414-SID)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Webinar prerequisites To get the most out of this session, you must be comfortable with several building blocks: Amazon GuardDuty Amazon EC2 Amazon CloudWatch AWS Lambda IAM
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Quick and Easy Reproductions • Introduction to GuardDuty • Quick and Easy Automated Remediations • Introduction to GuardDuty Remediations • Advanced Reproductions • Additional GuardDuty Topics
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions • Just expose ports on an EC2 instance to the Internet • “port probe unprotected port” • Expose ports 22 or 3389 - “brute force attacks”
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions • Port scan (nmap –Pn) from “compromised instance” to “internal server” • “port scan” finding • Ping from “compromised instance” to “malicious host” • “EC2 (unauthorized access) malicious IP caller (custom)” finding • API calls from "malicious host” • “IAM (unauthorized access and recon) malicious IP caller (custom)” findings
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions Full Name Reproduction Threat Purpose Resource Type Threat Family Name Custom Recon:EC2/PortProbeUnprotectedPort Expose instance to the Internet - wait Recon EC2 Port Probe Unprotected Port Recon:EC2/Portscan nmap -Pn to private IP of another EC2 instance (same VPC) Recon EC2 Portscan UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Ping EC2 instance from another instance (destination EIP in custom threat list) Unauthorized Access EC2 Malicious IP Caller Custom Recon:IAMUser/MaliciousIPCaller.Custom API calls from EC2 (EIP in custom threat list) Recon IAMUser Malicious IP Caller Custom UnauthorizedAccess:IAMUser/MaliciousIPCaller.Cus tom API calls from EC2 (EIP in custom threat list) Unauthorized Access IAMUser Malicious IP Caller Custom UnauthorizedAccess:IAMUser/InstanceCredentialExf iltration API calls from external host using temp creds from IAM role for EC2 Unauthorized Access IAMUser Instance Credential Exfiltration Blogpost Pending https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions 1. The compromised instance connects to the malicious host and port scans internal server. The EIP on the malicious host is in a custom threat list. This traffic is logged in VPC Flow Logs. 2. GuardDuty is monitoring VPC Flow Logs (in addition to CloudTrail Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 3. GuardDuty generates two findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events. The findings are: Recon:EC2/Portscan & UnauthorizedAccess:EC2/MaliciousIPCaller.Custom 4. The CloudWatch Event rule triggers an SNS topic and Lambda function 5. SNS sends an e-mail with the finding information and/or delivers findings to a SIEM 6. Automated Remediation: Lambda performs an action on the compromised instance
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions 1. Malicious host makes API calls. EIP on the instance is in a custom threat list. 2. API calls are logged in CloudTrail. 3. GuardDuty is monitoring CloudTrail Logs (in addition to VPC Flow Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 4. GuardDuty generates two findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events. The findings are: Recon:IAMUser/MaliciousIPCaller.Custom & UnauthorizedAccess:IAMUser/MaliciousIPCaller.Cu stom 5. The CloudWatch Event rule triggers an SNS topic 6. SNS sends an e-mail with the finding information and/or delivers the finding to a SIEM
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Very Short GuardDuty Introduction
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Threat Detection and Notification
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Findings https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. View the Findings
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Automated Remediations
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions 1. The compromised instance connects to the malicious host and port scans internal server. The EIP on the malicious host is in a custom threat list. This traffic is logged in VPC Flow Logs. 2. GuardDuty is monitoring VPC Flow Logs (in addition to CloudTrail Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 3. GuardDuty generates two findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events. The findings are: Recon:EC2/Portscan & UnauthorizedAccess:EC2/MaliciousIPCaller.Custom 4. The CloudWatch Event rule triggers an SNS topic and Lambda function 5. SNS sends an e-mail with the finding information and/or delivers findings to a SIEM 6. Automated Remediation: Lambda performs an action on the compromised instance
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Responding to Findings: Remediation Automatic Remediation GuardDuty CloudWatch Events Lambda Amazon GuardDuty Amazon CloudWatch CloudWatch Event Lambda Function AWS Lambda
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. View the Remediation
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions • Run CloudFormation template • SSH to Tester instance, run the script
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions Full Name Reproduction Threat Purpose Resource Type Threat Family Name UnauthorizedAccess:EC2/SSHBruteForce https://github.com/awslabs/amazon- guardduty-tester Unauthorized Access EC2 SSH Brute Force UnauthorizedAccess:EC2/RDPBruteForce https://github.com/awslabs/amazon- guardduty-tester Unauthorized Access EC2 RDP Brute Force Recon:EC2/Portscan https://github.com/awslabs/amazon- guardduty-tester Recon EC2 Portscan CryptoCurrency:EC2/BitcoinTool.B!DNS https://github.com/awslabs/amazon- guardduty-tester Cryptocurrency EC2 Bitcoin Tool Trojan:EC2/DNSDataExfiltration https://github.com/awslabs/amazon- guardduty-tester Trojan EC2 DNS Data Exfiltration https://github.com/awslabs/amazon-guardduty-tester
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions 1. Script running on Red Team instance makes calls to both the Linux and Windows instances for Brute Force Attacks 2. Script also makes DNS queries for additional findings. 3. GuardDuty is monitoring VPC Flow Logs (in addition to CloudTrail Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 4. GuardDuty generates a number of findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Additional GuardDuty Topics
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Account Relationships • Adding accounts to the service is simple and done via the console or API. • Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account. Member Account …. . 1 Member Account 1000 (max) Master Account Can Do the Following to ALL accounts: • Generate Sample Findings • Configure and View/Manage Findings • Suspend GuardDuty Service • Upload and Manage Trusted IP and Threat IP List Can only disable own account. Member accounts must all be removed first and by the member account. Member Account Actions and Visibility is Limited to the Member Account. Each Account Billed Separately.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lists: Trusted and Threat IP Lists GuardDuty uses AWS developed threat intelligence and threat intelligence feeds from: • CrowdStrike • Proofpoint Expand Findings with Custom Trusted IP Lists and Known Threat Lists • Trusted IP lists whitelisted for secure communication with infrastructure and applications. • No Findings will be presented for IP Addresses on trusted lists (no false positives!) • Threat lists consist of known malicious IP addresses. • GuardDuty generates findings based on threat lists. Limits: 1 Trusted and 6 Threat Lists per Account TRUSTED IP LISTS KNOWN THREATS CUSTOMER and PARTNER PROVIDED +
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Pricing* US East (N. Virginia) US East (Ohio) US West (Oregon) Asia Pacific (Mumbai) EU (Ireland) EU (London) EU (Paris) US West (N. California) Canada (Central) EU (Frankfurt) Asia Pacific (Seoul) Asia Pacific (Singapore) Asia Pacific (Sydney) Asia Pacific (Tokyo) South America (Sao Paulo) VPC Flow Log and DNS Log Analysis First 500 GB / month $1.00 $1.10 $1.15 $1.18 $1.75 Next 2000 GB / month $0.50 $0.55 $0.58 $0.59 $0.88 Over 2500 GB / month $0.25 $0.28 $0.29 $0.29 $0.44 AWS CloudTrail Event Analysis Per 1,000,000 events / month $4.00 $4.40 $4.60 $4.72 $7.00 Free Trial: Any new account to Amazon GuardDuty can try the service for 30-days at no cost. Provides access to the full feature set and detections during the free trial. GuardDuty will display the volume of logs processed and estimated daily average service charges to provide a tailored price estimate for GuardDuty to protect all AWS accounts. Simple Low Cost Pricing Model. Enabled on a Regional Basis. *EDP pricing discounts apply to the Amazon GuardDuty service.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. View the Findings
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Reproductions Summary EC2 Instance Malicious Host Any Host Recon:EC2/PortProbeUnprotectedPort – Low Severity UnauthorizedAccess:EC2/SSHBruteForce – Low Severity UnauthorizedAccess:EC2/RDPBruteForce – Low Severity Recon:EC2/Portscan – Low Severity UnauthorizedAccess:EC2/SSHBruteForce – High Severity UnauthorizedAccess:EC2/RDPBruteForce – High Severity Any Host External to AWS (using temp creds from IAM Role for EC2) API Endpoints UnauthorizedAccess:EC2/MaliciousIPCaller.Custom – Medium Severity Malicious Host (custom) UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration – High Severity Malicious Host (custom) UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom – Medium Severity Recon:IAMUser/MaliciousIPCaller.Custom – Medium Severity
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get Started with Amazon GuardDuty Today 1. Log on to AWS Management Console 2. Enable GuardDuty in Master Account for Each Region to Monitor 3. Invite Member Accounts 4. Start Viewing Findings and Export 5. Set up CloudWatch Events to Log Findings 6. Respond to Findings GuardDuty to Slack integration: https://github.com/aws-samples/amazon-guardduty-to-slack Multi-account script: https://github.com/aws-samples/amazon-guardduty-multiaccount-scripts Testing scripts- https://github.com/awslabs/amazon-guardduty-tester
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!

More Related Content

Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Greg McConnel, Senior Solutions Architect 4/30/18 Amazon GuardDuty - Let's Attack My Account! (0414-SID)
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Webinar prerequisites To get the most out of this session, you must be comfortable with several building blocks: Amazon GuardDuty Amazon EC2 Amazon CloudWatch AWS Lambda IAM
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Quick and Easy Reproductions • Introduction to GuardDuty • Quick and Easy Automated Remediations • Introduction to GuardDuty Remediations • Advanced Reproductions • Additional GuardDuty Topics
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions • Just expose ports on an EC2 instance to the Internet • “port probe unprotected port” • Expose ports 22 or 3389 - “brute force attacks”
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions • Port scan (nmap –Pn) from “compromised instance” to “internal server” • “port scan” finding • Ping from “compromised instance” to “malicious host” • “EC2 (unauthorized access) malicious IP caller (custom)” finding • API calls from "malicious host” • “IAM (unauthorized access and recon) malicious IP caller (custom)” findings
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions Full Name Reproduction Threat Purpose Resource Type Threat Family Name Custom Recon:EC2/PortProbeUnprotectedPort Expose instance to the Internet - wait Recon EC2 Port Probe Unprotected Port Recon:EC2/Portscan nmap -Pn to private IP of another EC2 instance (same VPC) Recon EC2 Portscan UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Ping EC2 instance from another instance (destination EIP in custom threat list) Unauthorized Access EC2 Malicious IP Caller Custom Recon:IAMUser/MaliciousIPCaller.Custom API calls from EC2 (EIP in custom threat list) Recon IAMUser Malicious IP Caller Custom UnauthorizedAccess:IAMUser/MaliciousIPCaller.Cus tom API calls from EC2 (EIP in custom threat list) Unauthorized Access IAMUser Malicious IP Caller Custom UnauthorizedAccess:IAMUser/InstanceCredentialExf iltration API calls from external host using temp creds from IAM role for EC2 Unauthorized Access IAMUser Instance Credential Exfiltration Blogpost Pending https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions 1. The compromised instance connects to the malicious host and port scans internal server. The EIP on the malicious host is in a custom threat list. This traffic is logged in VPC Flow Logs. 2. GuardDuty is monitoring VPC Flow Logs (in addition to CloudTrail Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 3. GuardDuty generates two findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events. The findings are: Recon:EC2/Portscan & UnauthorizedAccess:EC2/MaliciousIPCaller.Custom 4. The CloudWatch Event rule triggers an SNS topic and Lambda function 5. SNS sends an e-mail with the finding information and/or delivers findings to a SIEM 6. Automated Remediation: Lambda performs an action on the compromised instance
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions 1. Malicious host makes API calls. EIP on the instance is in a custom threat list. 2. API calls are logged in CloudTrail. 3. GuardDuty is monitoring CloudTrail Logs (in addition to VPC Flow Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 4. GuardDuty generates two findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events. The findings are: Recon:IAMUser/MaliciousIPCaller.Custom & UnauthorizedAccess:IAMUser/MaliciousIPCaller.Cu stom 5. The CloudWatch Event rule triggers an SNS topic 6. SNS sends an e-mail with the finding information and/or delivers the finding to a SIEM
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Very Short GuardDuty Introduction
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Threat Detection and Notification
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Findings https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html
  • 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. View the Findings
  • 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Automated Remediations
  • 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quick and Easy Reproductions 1. The compromised instance connects to the malicious host and port scans internal server. The EIP on the malicious host is in a custom threat list. This traffic is logged in VPC Flow Logs. 2. GuardDuty is monitoring VPC Flow Logs (in addition to CloudTrail Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 3. GuardDuty generates two findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events. The findings are: Recon:EC2/Portscan & UnauthorizedAccess:EC2/MaliciousIPCaller.Custom 4. The CloudWatch Event rule triggers an SNS topic and Lambda function 5. SNS sends an e-mail with the finding information and/or delivers findings to a SIEM 6. Automated Remediation: Lambda performs an action on the compromised instance
  • 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Responding to Findings: Remediation Automatic Remediation GuardDuty CloudWatch Events Lambda Amazon GuardDuty Amazon CloudWatch CloudWatch Event Lambda Function AWS Lambda
  • 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. View the Remediation
  • 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions
  • 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions • Run CloudFormation template • SSH to Tester instance, run the script
  • 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions Full Name Reproduction Threat Purpose Resource Type Threat Family Name UnauthorizedAccess:EC2/SSHBruteForce https://github.com/awslabs/amazon- guardduty-tester Unauthorized Access EC2 SSH Brute Force UnauthorizedAccess:EC2/RDPBruteForce https://github.com/awslabs/amazon- guardduty-tester Unauthorized Access EC2 RDP Brute Force Recon:EC2/Portscan https://github.com/awslabs/amazon- guardduty-tester Recon EC2 Portscan CryptoCurrency:EC2/BitcoinTool.B!DNS https://github.com/awslabs/amazon- guardduty-tester Cryptocurrency EC2 Bitcoin Tool Trojan:EC2/DNSDataExfiltration https://github.com/awslabs/amazon- guardduty-tester Trojan EC2 DNS Data Exfiltration https://github.com/awslabs/amazon-guardduty-tester
  • 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Reproductions 1. Script running on Red Team instance makes calls to both the Linux and Windows instances for Brute Force Attacks 2. Script also makes DNS queries for additional findings. 3. GuardDuty is monitoring VPC Flow Logs (in addition to CloudTrail Logs and DNS Logs) and analyzing this based on threat lists, machine learning, baselines, etc. 4. GuardDuty generates a number of findings regarding this activity and sends these to the GuardDuty console and CloudWatch Events.
  • 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Additional GuardDuty Topics
  • 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Account Relationships • Adding accounts to the service is simple and done via the console or API. • Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account. Member Account …. . 1 Member Account 1000 (max) Master Account Can Do the Following to ALL accounts: • Generate Sample Findings • Configure and View/Manage Findings • Suspend GuardDuty Service • Upload and Manage Trusted IP and Threat IP List Can only disable own account. Member accounts must all be removed first and by the member account. Member Account Actions and Visibility is Limited to the Member Account. Each Account Billed Separately.
  • 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lists: Trusted and Threat IP Lists GuardDuty uses AWS developed threat intelligence and threat intelligence feeds from: • CrowdStrike • Proofpoint Expand Findings with Custom Trusted IP Lists and Known Threat Lists • Trusted IP lists whitelisted for secure communication with infrastructure and applications. • No Findings will be presented for IP Addresses on trusted lists (no false positives!) • Threat lists consist of known malicious IP addresses. • GuardDuty generates findings based on threat lists. Limits: 1 Trusted and 6 Threat Lists per Account TRUSTED IP LISTS KNOWN THREATS CUSTOMER and PARTNER PROVIDED +
  • 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GuardDuty Pricing* US East (N. Virginia) US East (Ohio) US West (Oregon) Asia Pacific (Mumbai) EU (Ireland) EU (London) EU (Paris) US West (N. California) Canada (Central) EU (Frankfurt) Asia Pacific (Seoul) Asia Pacific (Singapore) Asia Pacific (Sydney) Asia Pacific (Tokyo) South America (Sao Paulo) VPC Flow Log and DNS Log Analysis First 500 GB / month $1.00 $1.10 $1.15 $1.18 $1.75 Next 2000 GB / month $0.50 $0.55 $0.58 $0.59 $0.88 Over 2500 GB / month $0.25 $0.28 $0.29 $0.29 $0.44 AWS CloudTrail Event Analysis Per 1,000,000 events / month $4.00 $4.40 $4.60 $4.72 $7.00 Free Trial: Any new account to Amazon GuardDuty can try the service for 30-days at no cost. Provides access to the full feature set and detections during the free trial. GuardDuty will display the volume of logs processed and estimated daily average service charges to provide a tailored price estimate for GuardDuty to protect all AWS accounts. Simple Low Cost Pricing Model. Enabled on a Regional Basis. *EDP pricing discounts apply to the Amazon GuardDuty service.
  • 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. View the Findings
  • 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Reproductions Summary EC2 Instance Malicious Host Any Host Recon:EC2/PortProbeUnprotectedPort – Low Severity UnauthorizedAccess:EC2/SSHBruteForce – Low Severity UnauthorizedAccess:EC2/RDPBruteForce – Low Severity Recon:EC2/Portscan – Low Severity UnauthorizedAccess:EC2/SSHBruteForce – High Severity UnauthorizedAccess:EC2/RDPBruteForce – High Severity Any Host External to AWS (using temp creds from IAM Role for EC2) API Endpoints UnauthorizedAccess:EC2/MaliciousIPCaller.Custom – Medium Severity Malicious Host (custom) UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration – High Severity Malicious Host (custom) UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom – Medium Severity Recon:IAMUser/MaliciousIPCaller.Custom – Medium Severity
  • 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get Started with Amazon GuardDuty Today 1. Log on to AWS Management Console 2. Enable GuardDuty in Master Account for Each Region to Monitor 3. Invite Member Accounts 4. Start Viewing Findings and Export 5. Set up CloudWatch Events to Log Findings 6. Respond to Findings GuardDuty to Slack integration: https://github.com/aws-samples/amazon-guardduty-to-slack Multi-account script: https://github.com/aws-samples/amazon-guardduty-multiaccount-scripts Testing scripts- https://github.com/awslabs/amazon-guardduty-tester
  • 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!