Profile Applicability:

  • Level 1

Description:

Amazon GuardDuty is a threat detection service that continuously monitors your AWS environment for malicious activity, unauthorized behavior, or security vulnerabilities. High-severity findings are the most critical alerts generated by GuardDuty, indicating significant security threats, such as unauthorized access attempts, compromised resources, or other activities that pose a major risk to your AWS environment.

When high-severity findings are generated, investigate, remediate, and mitigate them as quickly as possible to protect your AWS resources and data. This SOP defines the actions to take when GuardDuty raises high-severity findings so that the identified risks are addressed promptly.

Rationale:

Handling high severity findings is essential for:

  • Rapid Response: Quick action can prevent further damage from security incidents or unauthorized access.

  • Risk Mitigation: Addressing high-severity findings reduces the overall risk to your environment and minimizes the impact of potential attacks.

  • Compliance: By managing high-severity findings promptly, organizations can maintain compliance with industry security standards and regulations.

  • Continuous Security: Ensures that security is continuously monitored and improved through proactive mitigation of threats.

Impact:

Pros:

  • Reduced Security Risk: Addressing high-severity findings helps reduce the attack surface and mitigates potential security breaches.

  • Regulatory Compliance: Ensures compliance with security best practices and industry standards by addressing critical vulnerabilities promptly.

  • Improved Incident Response: Rapid action improves your security posture and the organization's ability to respond to potential incidents.

Cons:

  • Resource Intensive: Responding to high-severity findings may require additional resources, such as personnel or time, depending on the nature of the issue.

  • False Positives: GuardDuty may generate high-severity findings that are false positives, which may require additional investigation before taking action.

Default Value:

By default, GuardDuty generates findings based on detected threats, including high-severity findings. However, GuardDuty will not take corrective actions automatically; these findings must be manually reviewed and addressed by security teams.

Pre-requisite:

  • AWS IAM Permissions:

    • guardduty:ListDetectors (to obtain the detector ID the CLI commands require)

    • guardduty:ListFindings

    • guardduty:GetFindings

    • guardduty:UpdateFindingsFeedback

    • sns:Publish (for sending alerts)

    • ec2:TerminateInstances and iam:DeleteAccessKey (for the remediation commands below)

  • AWS CLI installed and configured.

  • Amazon GuardDuty should be enabled in your AWS account.

  • CloudWatch set up for finding alerts.

  • Basic understanding of GuardDuty findings and severity levels.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to GuardDuty under Services.

  3. In the GuardDuty Dashboard, go to the Findings section.

  4. Filter findings by severity to view the high-severity findings.

  5. Click on each finding to view the details, including:

    • Type of threat (e.g., unauthorized access, compromised instances).

    • Resource(s) affected (e.g., EC2 instance, S3 bucket).

    • Time of detection and finding description.

  6. Investigate the findings and confirm their legitimacy by analyzing the relevant logs (e.g., CloudTrail, VPC Flow Logs).

Using AWS CLI:

To list high-severity GuardDuty findings (severity 7.0 and above; obtain the detector ID with aws guardduty list-detectors), run the following command:

aws guardduty list-findings --detector-id <detector-id> --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'

To describe each finding in more detail, pass the finding IDs returned by the previous command:

aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id>

Review the findings and understand the type of threat (e.g., UnauthorizedAccess:EC2/SSHBruteForce).

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to GuardDuty.

  2. Under the Findings section, filter for high-severity findings.

  3. Investigate the findings by checking the affected resources, reviewing related logs (CloudTrail, VPC Flow Logs, etc.), and verifying the legitimacy of the threat.

  4. Remediate the findings by:

    • Terminating compromised EC2 instances.

    • Revoking access to unauthorized users or IP addresses.

    • Patching vulnerable resources.

    • Isolating affected resources to prevent further damage.

  5. Set up SNS notifications or CloudWatch Alarms to alert the team of critical findings in the future.

  6. Monitor the findings and confirm that corrective actions have resolved the issue.

Using AWS CLI:

List the high-severity findings (severity 7.0 and above) for the detector:

aws guardduty list-findings --detector-id <detector-id> --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'

Get the detailed information about the findings:

aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id>

Remediate any issues found, such as:

Terminating compromised instances:

aws ec2 terminate-instances --instance-ids <instance-id>

Revoke unauthorized access:

aws iam delete-access-key --user-name <username> --access-key-id <access-key-id>

Notify the team of the high-severity finding through SNS (the command below publishes a single message; for ongoing alerts on future findings, see the automation guidance in the Note section):

aws sns publish --topic-arn <sns-topic-arn> --message "High-severity GuardDuty finding detected."
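The CLI steps above return findings as JSON with a numeric Severity field, not the word "HIGH". The following triage helper, an added example that is not part of the SOP or of the AWS tooling, filters that output to the High band (7.0 and above), sorts the worst first, and pairs each finding with the containment command this SOP prescribes for its resource type. The three finding records at the bottom are constructed to mirror GuardDuty's layout; the instance IDs, user name and access key ID are placeholders.

```python
# Triage helper for the JSON that `aws guardduty get-findings` returns.
# Added example, not part of the SOP; the finding records at the bottom are
# constructed to mirror GuardDuty's layout (Severity is a number, not "HIGH").

def severity_label(score: float) -> str:
    """Name GuardDuty's numeric band: High is 7.0-8.9, Critical is 9.0+."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def containment(finding: dict) -> tuple[str, str]:
    """Return (affected resource, SOP containment command) for the finding."""
    res = finding.get("Resource", {})
    rtype = res.get("ResourceType", "Unknown")
    if rtype == "Instance":
        iid = res["InstanceDetails"]["InstanceId"]
        return f"Instance {iid}", f"aws ec2 terminate-instances --instance-ids {iid}"
    if rtype == "AccessKey":
        d = res["AccessKeyDetails"]
        return (f"AccessKey {d['UserName']}/{d['AccessKeyId']}",
                f"aws iam delete-access-key --user-name {d['UserName']} "
                f"--access-key-id {d['AccessKeyId']}")
    return f"{rtype} (unsupported)", "manual investigation: no scripted containment"

def triage(get_findings_output: dict, min_severity: float = 7.0) -> list[dict]:
    """Keep findings at or above min_severity, worst first, with a proposed action."""
    plan = []
    for f in get_findings_output["Findings"]:
        if f["Severity"] < min_severity:
            continue  # below the High band: out of scope for this SOP
        resource, command = containment(f)
        plan.append({"id": f["Id"], "type": f["Type"], "severity": f["Severity"],
                     "label": severity_label(f["Severity"]), "resource": resource,
                     "command": command})
    return sorted(plan, key=lambda p: -p["severity"])

# Constructed sample shaped like `aws guardduty get-findings` output (three findings).
SAMPLE = {"Findings": [
    {"Id": "f-1", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "f-2", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.5, "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails":
                  {"UserName": "analyst-bob", "AccessKeyId": "AKIAEXAMPLEKEY000001"}}},
    {"Id": "f-3", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}}},
]}
```

The returned plan is a proposal for the analyst to confirm against CloudTrail and VPC Flow Logs before any command is run, in line with step 3 of the console procedure.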

Backout Plan:

If addressing high-severity findings causes issues or further damage:

  1. Revert any changes made to affected resources (e.g., EC2 instances, IAM roles).

  2. Restore instances from backup or snapshot if necessary.

  3. Revert any access changes if valid users were mistakenly blocked.

  4. Ensure that GuardDuty is properly configured and adjust detection sensitivity if necessary.

  5. Revalidate the resources to ensure they are properly functioning and not impacted by remediation actions.

Note:

  • Automation: Automate remediation by integrating GuardDuty with AWS Lambda or CloudWatch to trigger responses such as instance isolation or automatic alerting when high-severity findings occur.

  • Incident Response Plan: Include GuardDuty findings in your incident response plan to ensure swift resolution of critical threats.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                            | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                           |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                       |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                |     |     |