GuardDuty in the real world
The following scenario illustrates how GuardDuty is applied in practice.
Scenario
A financial services company with a complex AWS environment, running workloads on both EC2 instances and Lambda functions, noticed an unusual surge in resource utilization. Traditional security measures were insufficient in identifying the root cause, leading the company to use GuardDuty for a more comprehensive analysis.
Solution
GuardDuty immediately began its analysis by examining VPC flow logs and scanning Amazon EBS volumes. The service quickly flagged unauthorized crypto-mining activity affecting both EC2 instances and Lambda functions, based on the following observations:
- EC2 instances: GuardDuty’s malware scanning feature for EBS volumes detected malware on an EBS volume attached to a compromised EC2 instance
- Lambda functions: The analysis of VPC flow logs by GuardDuty revealed unusual network patterns related to the Lambda functions, suggesting they were being manipulated for crypto mining
Outcome
Upon further investigation, it was discovered that the compromised EC2 instance was exfiltrating credentials that were then used from an external AWS account to manipulate the code of a Lambda function for crypto-mining purposes. GuardDuty’s EC2 instance credentials exfiltration detection feature played a crucial role in identifying this sophisticated attack vector.
The company took the following immediate action:
- Isolated the compromised EBS volume and initiated a malware removal process
- Terminated the affected Lambda functions and EC2 instances to stop the crypto-mining activities
- Conducted a forensic analysis using VPC flow logs to trace the source and nature of the Lambda function manipulation
It was also found that the IAM role assigned to the EC2 instance was overly permissive, allowing it to modify Lambda functions, which was not a required permission for its operational needs. This led to the following:
- A review and tightening of IAM policies to ensure that EC2 instances had only the permissions they needed, reducing the risk of future incidents
- Implementation of stricter network access controls and monitoring to safeguard against similar threats
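The forensic step and the IAM review above can be reproduced in a small triage script, added here as an illustration rather than as code from the book or from AWS. It starts from a GuardDuty instance-credential exfiltration finding, selects the CloudTrail calls made with the leaked key from outside the VPC, and reports which of the abused actions the instance role allowed without the workload needing them. All sample values (key IDs, instance and function names, IP addresses, the VPC prefix and the role policy) are constructed, and the record shapes are simplified approximations of the real GuardDuty, CloudTrail and IAM documents.

```python
import fnmatch

# Constructed sample data; simplified shapes, not the verbatim AWS schemas.
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "accessKeyId": "ASIAEXAMPLEKEY000001",  # temporary key issued to the instance role
    "roleName": "app-ec2-role",
    "instanceId": "i-0abc12345example",
}
TRAIL = [  # CloudTrail-like records
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "accessKeyId": "ASIAEXAMPLEKEY000001", "sourceIPAddress": "10.0.1.25"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode",
     "accessKeyId": "ASIAEXAMPLEKEY000001", "sourceIPAddress": "203.0.113.7",
     "functionName": "payments-worker"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode",
     "accessKeyId": "ASIAOTHERKEY00000002", "sourceIPAddress": "10.0.1.9",
     "functionName": "reports-cron"},  # different key: not part of this incident
]
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "lambda:*"], "Resource": "*"}]}
VPC_PREFIX = "10.0."  # assumed legitimate source addresses of the instance


def policy_allows(policy, action):
    """Minimal evaluator: True if any Allow statement's Action pattern matches."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            return True
    return False


def triage(finding, trail, policy, needed_actions):
    """Correlate the leaked key with external API calls and excess permissions."""
    abused = [e for e in trail if e["accessKeyId"] == finding["accessKeyId"]
              and not e["sourceIPAddress"].startswith(VPC_PREFIX)]
    # CloudTrail eventSource/eventName map to the IAM action "service:Operation"
    actions = {f'{e["eventSource"].split(".")[0]}:{e["eventName"]}' for e in abused}
    return {
        "external_sources": sorted({e["sourceIPAddress"] for e in abused}),
        "tampered_functions": sorted(e["functionName"] for e in abused
                                     if e["eventName"] == "UpdateFunctionCode"),
        # granted by the role policy but absent from the workload's needed list
        "excess_permissions": sorted(a for a in actions
                                     if a not in needed_actions and policy_allows(policy, a)),
    }
```

Running `triage(FINDING, TRAIL, ROLE_POLICY, {"s3:GetObject"})` names the external caller, the tampered function and `lambda:UpdateFunctionCode` as the permission to remove from the role.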
This incident underscored the importance of GuardDuty’s multi-layered detection capabilities, including its malware scanning for EBS volumes, VPC flow log analysis, and credential exfiltration detection, in identifying and mitigating complex threats such as crypto-mining malware.