Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

GuardDutyの深淵を覗いて、君もGuardDutyマスターになろう!

 GuardDutyの深淵を覗いて、君もGuardDutyマスターになろう!

DevelopersIO 2023で登壇した資料です。
解説は以下をご確認ください。

cm-usuda-keisuke

July 08, 2023
Tweet

More Decks by cm-usuda-keisuke

Other Decks in Technology

Transcript

  1. ⾃⼰紹介 ⾅⽥佳祐(うすだけいすけ) ・クラスメソッド株式会社 / AWS事業本部 シニアソリューションアーキテクト セキュリティチームリーダー AWS公認インストラクター 2021 APN

    Ambassador 2023 APN AWS Top Engineers (Security) ・CISSP ・Security-JAWS運営 ・好きなサービス: Amazon GuardDuty AWS Security Hub Amazon Detective みんなのAWS (技術評論社) Amazon GuardDuty AWS Security Hub Amazon Detective 3
  2. Amazon GuardDutyとは 14 • 脅威検知サービス • CloudTrail / VPC Flow

    Logs / DNS Logsを バックグラウンドで⾃動収集(利⽤者の⼿間な し) • ポチッと有効化するだけ • IAM / EC2 / S3に関するインシデントを検知 • 脅威インテリジェンスと連携 • 機械学習による異常識別
  3. 他のAWSサービスとの関連性 20 • Amazon Detective • GuardDutyで検知した内容の相関分析 • AWS Security

    Hub • 連携したりしなかったり、チェック強め • AWS Organizations • 連携してマルチアカウント展開
  4. 対応しているタイプ 22 • EC2 / IAM / S3: 2017/11(リリース時) •

    S3: 2020/07(追加ログでの検知) • EKS Audit Log: 2022/01 • https://dev.classmethod.jp/articles/guardduty-for-eks- protection/ • Malware Protection: 2022/07 • https://dev.classmethod.jp/articles/guardduty-support- malware-protection/
  5. 対応しているタイプ 23 • RDS: 2023/03 • https://dev.classmethod.jp/articles/amazon-guardduty- rds-protection-aurora-ga/ • EKS

    Runtime: 2023/03 • https://dev.classmethod.jp/articles/amazon-guardduty- runtime-monitoring-manual-setup-overview/ • Lambda: 2023/04 • https://dev.classmethod.jp/articles/update_guardduty_lambda_protection/
  6. まずはFindings⾃体への理解を深める 30 Discovery:S3/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller Exfiltration:S3/AnomalousBehavior Exfiltration:S3/MaliciousIPCaller Impact:S3/AnomalousBehavior.Delete Impact:S3/AnomalousBehavior.Permission

    Impact:S3/AnomalousBehavior.Write Impact:S3/MaliciousIPCaller PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/TorIPCaller UnauthorizedAccess:S3/MaliciousIPCaller.Custom CredentialAccess:IAMUser/AnomalousBehavior DefenseEvasion:IAMUser/AnomalousBehavior Discovery:IAMUser/AnomalousBehavior Exfiltration:IAMUser/AnomalousBehavior Impact:IAMUser/AnomalousBehavior InitialAccess:IAMUser/AnomalousBehavior PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux Persistence:IAMUser/AnomalousBehavior Stealth:IAMUser/PasswordPolicyChange UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. InsideAWS Policy:S3/AccountBlockPublicAccessDisabled Policy:S3/BucketAnonymousAccessGranted Policy:S3/BucketBlockPublicAccessDisabled Policy:S3/BucketPublicAccessGranted PrivilegeEscalation:IAMUser/AnomalousBehavior Recon:IAMUser/MaliciousIPCaller Recon:IAMUser/MaliciousIPCaller.Custom Recon:IAMUser/TorIPCaller Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B UnauthorizedAccess:IAMUser/MaliciousIPCaller UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom UnauthorizedAccess:IAMUser/TorIPCaller Policy:IAMUser/RootCredentialUsage UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. OutsideAWS Backdoor:EC2/C&CActivity.B!DNS CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/AbusedDomainRequest.Reputation Impact:EC2/BitcoinDomainRequest.Reputation Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS Trojan:EC2/DNSDataExfiltration Trojan:EC2/DriveBySourceTraffic!DNS Trojan:EC2/DropPoint!DNS Trojan:EC2/PhishingDomainRequest!DNS UnauthorizedAccess:EC2/MetadataDNSRebind Execution:Container/MaliciousFile Execution:Container/SuspiciousFile Execution:EC2/MaliciousFile Execution:EC2/SuspiciousFile Execution:ECS/MaliciousFile Execution:ECS/SuspiciousFile Execution:Kubernetes/MaliciousFile Execution:Kubernetes/SuspiciousFile CredentialAccess:Kubernetes/MaliciousIPCaller CredentialAccess:Kubernetes/MaliciousIPCaller.Custom CredentialAccess:Kubernetes/SuccessfulAnonymousAccess CredentialAccess:Kubernetes/TorIPCaller DefenseEvasion:Kubernetes/MaliciousIPCaller DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess DefenseEvasion:Kubernetes/TorIPCaller Discovery:Kubernetes/MaliciousIPCaller Discovery:Kubernetes/MaliciousIPCaller.Custom Discovery:Kubernetes/SuccessfulAnonymousAccess Discovery:Kubernetes/TorIPCaller Execution:Kubernetes/ExecInKubeSystemPod Impact:Kubernetes/MaliciousIPCaller Impact:Kubernetes/MaliciousIPCaller.Custom Impact:Kubernetes/SuccessfulAnonymousAccess Impact:Kubernetes/TorIPCaller Persistence:Kubernetes/ContainerWithSensitiveMount Persistence:Kubernetes/MaliciousIPCaller Persistence:Kubernetes/MaliciousIPCaller.Custom Persistence:Kubernetes/SuccessfulAnonymousAccess Persistence:Kubernetes/TorIPCaller Policy:Kubernetes/AdminAccessToDefaultServiceAccount Policy:Kubernetes/AnonymousAccessGranted Policy:Kubernetes/KubeflowDashboardExposed Policy:Kubernetes/ExposedDashboard PrivilegeEscalation:Kubernetes/PrivilegedContainer Backdoor:Lambda/C&CActivity.B CryptoCurrency:Lambda/BitcoinTool.B Trojan:Lambda/BlackholeTraffic Trojan:Lambda/DropPoint UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom UnauthorizedAccess:Lambda/TorClient UnauthorizedAccess:Lambda/TorRelay CredentialAccess:RDS/AnomalousBehavior.FailedLogin CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteF orce CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin CredentialAccess:RDS/MaliciousIPCaller.FailedLogin CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin CredentialAccess:RDS/TorIPCaller.FailedLogin CredentialAccess:RDS/TorIPCaller.SuccessfulLogin Discovery:RDS/MaliciousIPCaller Discovery:RDS/TorIPCaller Backdoor:Runtime/C&CActivity.B Backdoor:Runtime/C&CActivity.B!DNS CryptoCurrency:Runtime/BitcoinTool.B CryptoCurrency:Runtime/BitcoinTool.B!DNS DefenseEvasion:Runtime/FilelessExecution DefenseEvasion:Runtime/ProcessInjection.Proc DefenseEvasion:Runtime/ProcessInjection.Ptrace DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWri te Execution:Runtime/NewBinaryExecuted Execution:Runtime/NewLibraryLoaded Execution:Runtime/ReverseShell Impact:Runtime/AbusedDomainRequest.Reputation Impact:Runtime/BitcoinDomainRequest.Reputation Impact:Runtime/CryptoMinerExecuted Impact:Runtime/MaliciousDomainRequest.Reputation Impact:Runtime/SuspiciousDomainRequest.Reputation PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified PrivilegeEscalation:Runtime/ContainerMountsHostDirectory PrivilegeEscalation:Runtime/DockerSocketAccessed PrivilegeEscalation:Runtime/RuncContainerEscape PrivilegeEscalation:Runtime/UserfaultfdUsage Trojan:Runtime/BlackholeTraffic Trojan:Runtime/BlackholeTraffic!DNS Trojan:Runtime/DropPoint Trojan:Runtime/DGADomainRequest.C!DNS Trojan:Runtime/DriveBySourceTraffic!DNS Trojan:Runtime/DropPoint!DNS Trojan:Runtime/PhishingDomainRequest!DNS UnauthorizedAccess:Runtime/MetadataDNSRebind UnauthorizedAccess:Runtime/TorClient UnauthorizedAccess:Runtime/TorRelay Backdoor:EC2/C&CActivity.B Backdoor:EC2/DenialOfService.Dns Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/Spambot Behavior:EC2/NetworkPortUnusual Behavior:EC2/TrafficVolumeUnusual CryptoCurrency:EC2/BitcoinTool.B DefenseEvasion:EC2/UnusualDNSResolver DefenseEvasion:EC2/UnusualDoHActivity DefenseEvasion:EC2/UnusualDoTActivity Impact:EC2/PortSweep Impact:EC2/WinRMBruteForce Recon:EC2/PortProbeEMRUnprotectedPort Recon:EC2/PortProbeUnprotectedPort Recon:EC2/Portscan Trojan:EC2/BlackholeTraffic Trojan:EC2/DropPoint UnauthorizedAccess:EC2/MaliciousIPCaller.Custom UnauthorizedAccess:EC2/RDPBruteForce UnauthorizedAccess:EC2/SSHBruteForce UnauthorizedAccess:EC2/TorClient UnauthorizedAccess:EC2/TorRelay 現在アクティブなFinding types⼀覧(164個) https://docs.aws.amazon.com/ja_jp/guardduty/latest /ug/guardduty_finding-types-active.html
  7. アーカイブされたFinding types 31 Exfiltration:S3/ObjectRead.Unusual Impact:S3/PermissionsModification.Unusual Impact:S3/ObjectDelete.Unusual Discovery:S3/BucketEnumeration.Unusual Persistence:IAMUser/NetworkPermissions Persistence:IAMUser/ResourcePermissions Persistence:IAMUser/UserPermissions

    PrivilegeEscalation:IAMUser/Administrative Permissions Recon:IAMUser/NetworkPermissions Recon:IAMUser/ResourcePermissions Recon:IAMUser/UserPermissions ResourceConsumption:IAMUser/ComputeRe sources Stealth:IAMUser/LoggingConfigurationModif ied UnauthorizedAccess:IAMUser/ConsoleLogin UnauthorizedAccess:EC2/TorIPCaller Backdoor:EC2/XORDDOS Behavior:IAMUser/InstanceLaunchUnusual CryptoCurrency:EC2/BitcoinTool.A UnauthorizedAccess:IAMUser/UnusualASNC aller アーカイブされたFinding types(19個) https://docs.aws.amazon.com/ja_jp/guardduty/latest/ug/guardduty_finding-types-retired.html
  8. Finding typesのフォーマット 32 CryptoCurrency:EC2/BitcoinTool.B!DNS ThreatPurpose(必須) 攻撃の⽬的 18種類 ResourceTypeAffected(必須) 攻撃対象のリソース EC2、S3、IAM、EKSなど

    ThreatFamilyName(必須) 攻撃の種類 66種類 DetectionMechanism(オプション) 検知した⽅法 20種類 Artifact(オプション) 攻撃に利⽤したリソース DNSのみ https://docs.aws.amazon.com/ja_jp/guardduty/latest/ug/guardduty_finding-format.html
  9. Findingsの中⾝ 38 おおまかなFindingsの中⾝であるJSONの説明は 省略する(AccountId / Region / Titleとか) 処理していく上で⼤事なのは $.Resource.ResourceTypeや周辺リソースと

    $.Service.Action.ActionType周辺 これらについて詳細に⾒ていく 詳細はユーザーガイド: https://docs.aws.amazon.com/ja_jp/guardduty/latest/ug/guardduty_findings-summary.html
  10. ResourceType 49 脅威の影響を受けているリソースのタイプ “Resource”配下にあり、”ResourceType”でど れか1つが指定されている Instance / AccessKey / S3Bucket

    / EKSCluster / ECSCluster / Container / RDSDBInstance / Lambda 複数のリソースが“Resource”配下にある場合も ある
  11. "ResourceType": "ECSCluster" 54 ほんとに検知できるのかわからない Malware Protectionの2つだけ対象 • Execution:Container/MaliciousFile • Execution:Container/SuspiciousFile

    試してみるとEC2タイプで上がってくるので検知 させられなかった “ResourceType”: ”Container“も同じ
  12. 74