GuardDutyを使ったサイバー攻撃の検出と分析.pdf

AWS GuardDutyΛ࢖ͬͨ
αΠόʔ߈ܸͷݕग़ɾ෼ੳ
2018/07/29 by @ken5scal
'SPN4PGUXBSF

View Slide

AWS࢖ͬͯΔਓ!

View Slide

GuardDuty࢖ͬͯΔਓ!

View Slide

·ͣͪ͜ΒΛޚཡ͍ͩ͘͞
IUUQTXXXTMJEFTIBSFOFU"NB[PO8FC4FSWJDFT+BQBOBXTCMBDLCFMUPOMJOF
TFNJOBSBNB[POHVBSEEVUZ

View Slide

׬

View Slide

1. GuardDuty in nutshell
2. Why GuardDuty?
3. GuardDuty in Folio
4. GuardDuty in Future
໨࣍

View Slide

GuardDuty in NutShell

View Slide

GuardDuty in nutshell
- 2017/11ʹϦϦʔε
- ڴҖͷݕ஌
- ػցֶशΛ࢖ͬͨݕ஌
- ΫΠοΫσϓϩΠ

View Slide

- 2017/11ʹϦϦʔε
- ڴҖͷݕ஌
- IAM΍EC2पΓʹಛԽ
- ΫΠοΫσϓϩΠ

View Slide

ڴҖͷݕ஌

View Slide

- 2017/11ʹϦϦʔε
- ڴҖͷݕ஌
- ΫΠοΫσϓϩΠ

View Slide

ػցֶश - σʔλ in AWS
- AWS಺ͷϦιʔε
- VPC Flow Logs
- DNS Logs
- CloudTrail Events Logs

View Slide

ػցֶश - σʔλ from ΠϯςϦδΣϯε
- ΦʔϓϯͳΠϯςϦδΣϯεσʔλ
- Taxii, STIX, OTX
- ΠϯςϦδΣϯεσʔλ from αʔϏε
- Alien Vault, Fire Eye, Proof Point

View Slide

- 2017/11ʹϦϦʔε
- ڴҖͷݕ஌
- ΫΠοΫσϓϩΠ

View Slide

ΫΠοΫσϓϩΠ
- σϓϩΠ in 30sec
- ःஅͳͲ͸ͳ͍ͷͰγεςϜతͳӨڹͳ͠
- ۚમతӨڹ͸ݕূՄ

View Slide

View Slide

ूத؅ཧ΋Մೳ
- ϦʔυλΠϜؚΊͯ30ඵʢ3εςοϓʣ

View Slide

ΫΠοΫσϓϩΠ
- γεςϜతͳӨڹͳ͠

View Slide

ΫΠοΫσϓϩΠ
- ःஅͳͲ͸ͳ͍ͷͰγεςϜతͳӨڹͳ͠
- 30೔ؒແྉ
- ͦͷޙ:
- CloudTrail: 1,000,000events/month
- VPC Flow Log, DNC Log: 1GB/month

View Slide

ֹۚྫ:
IUUQTBXTBNB[PODPNKQHVBSEEVUZQSJDJOH

View Slide

Why GuardDuty?

View Slide

Why GuardDuty?
- AWSͰ͸૝ఆ͢΂͖ڴҖͷछྨ͕૿͑Δ
- ैདྷͷݕ஌ϩδοΫͰ͸ෆ଍

View Slide

ࠓ·ͰͷڴҖݕ஌
in
αʔϏε؀ڥ

View Slide

ैདྷͷߏ੒
4*&.
8"' -#
8"' -#

'JSFXBMM 'JSFXBMM
*%4
1SPYZ
'JMF
*OUFHSJUZ
'JMF
*OUFHSJUZ
'JMF
*OUFHSJUZ

View Slide

Firewall
- Πϯλʔωοτͱͷڥք๷ޚ
- L3~4ϨΠϠʔͷstatefulͳηογϣϯपΓͷݕ஌
- ྫ: ωοτϫʔΫ੍ޚ
- ྫ: ϙʔτ੍ޚ
- ྫ: syn flood߈੍ܸޚ
- Untrust΍TrustͳκʔϯΛఆٛ
- Juniper Network, Cisco, Yamaha…
- ࠓͷ࣌୅ʮͰʁʯͱͳΓ͕ͪ

View Slide

IDS/IPS
- ௨৴಺༰ͷݕ஌ɾγάωνϟϕʔε
- ϛυϧ΢ΣΞܥγάωνϟଟΊ
- ྫ: σΟϨΫτϦτϥόʔαϧ
- ྫ: CVEεϖγϑΟοΫ
- SnortͳͲ
- νϡʔχϯά is େม

View Slide

WAF
- Πϯλʔωοτͱͷڥք๷ޚͦͷ2
- L7ͷHTTP(S)ʹಛԽͨ͠ݕ஌ɾγάωνϟϕʔε
- LBʢ࠷ۙ͸CDNʣͱ૊Έ߹ΘͤͰ࢖ΘΕ͕ͪ
- 2013೥Ҡߦʹ૿͑࢝Ίͨҹ৅ in Japan
- BigIP ASM, Imperva, AWS WAF, Fastly, Akamai Kona
- νϡʔχϯά is େม

View Slide

Proxy
- Πϯλʔωοτʹग़ΔHTTP(S), SSHͷFQDNݕ஌
- ϗϫΠτϦετ΍ϒϥοΫϦετͷ؅ཧ
- SquidͳͲ
- ϗϫΠτϦετͳͲͷ؅ཧ is େม͔΋

View Slide

File Integrity
- ϑΝΠϧͷෆਖ਼ͳվ͟Μ΍ઃஔΛݕ஌
- TripwireͳͲ
- ΤʔδΣϯτͷ؅ཧ is େม

View Slide

SIEM
- Security Information and Event Managementͷུ
- ઌड़ͷ੡඼܈ͷϩάΛू໿͠ɺΠϕϯτΛ؅ཧ͢Δ
- ྫ: ୹࣌ؒͰFirewallʹର͠ɺಉҰૹ৴ݩ͔ΒN݅ͷDeny௨৴͕͋ͬͨ
ΒΞϥʔτΛ্͛Δ
- ྫ: WAFͰSQL߈ܸγάωνϟʹͻ͔͔ͬΔϦΫΤετʹ200Λฦͨ͠
ΒΞϥʔτΛ্͛Δ
- ArchSight, Splunk, Sumo-logic, ELK, Graylog
- Eventͷઃఆ is େม

View Slide

ڴҖͷݕ஌
ͦΕͧΕͷιϦϡʔγϣϯ͕ͲͷΑ͏ͳηΩϡϦςΟϦεΫ

View Slide

ଟ૚๷ޚ(ݕ஌)
IUUQTXXXMPDLIFFENBSUJODPNFOVTDBQBCJMJUJFTDZCFSDZCFSLJMMDIBJOIUNM

View Slide

Applicable to AWSʁ
　　　　　　　_,,;' '" '' ゛''" ゛' ';;,,
　　　　　　（rヽ,;''"""''゛゛゛'';, ﾉｒ）
　　　　　　,;'゛ i ＿　　、＿ iヽ゛';,　　　　お前AWSでも同じことできんの？
　　　　　 ,;'" ''| ヽ・〉　〈・ノ |ﾞ゛ `';,
　　　　　 ,;''　"|　　 ▼　　 |ﾞ゛　`';,
　　　　　 ,;''　　ヽ＿人＿ /　　,;'_
　　　　／ｼ、　ヽ⌒⌒ /　　ﾘ　＼
　　　　|　　　"ｒ,,　｀"'''ﾞ´　　,,ﾐ゛　　 |
　　　　|　　　　ﾘ、　　　　,ﾘ　　　　|
　　　　|　　　i 　　゛ｒ、ﾉ,,ｒ"　i　　　_|
　　　　|　　　｀ー――----┴ ⌒´ ）
　　　　（ヽ　＿＿＿＿＿＿ ,, ＿´）
　　　　（_⌒ ＿＿＿＿＿＿ ,, ィ
　　　　　　丁　　　　　　　　　　 |
　　　　　　 |　　　　　　　　　　　|

View Slide

ҟͳΔύϥμΠϜ(AWSʹݶΒͣʣ
- ಛੑ্ɺैདྷͷߏ੒Ͱ͸ͳ͔ͬͨ੬ऑੑ͕͋Δ
- Ϋϥ΢υαʔϏεͱͯ͠ͷΞΧ΢ϯτ
- Ϧιʔεͱݖݶ
- ෺ཧతͳ੍໿͕؇͍Ϧιʔε
- ಈతʹεέʔϧΞ΢τ͢ΔϦιʔε
- Pay as you GoͳϦιʔε

View Slide

ڴҖݕ஌
in
GuardDuty

View Slide

ݕ஌Ͱ͖ΔڴҖ
&$
*".
#BDLEPPS
$SZQUP
$VSSFODIZ
1FOUFTU
1FSTJTUFODF
3FDPO
#FIBWJPSJBM
5SB⒏D
7PMVNF
4UFBMUI
5SPKBO
6OBVUIPSJ[FE
"DDFTT
$POTPMF-PHJO
*OTUBODF
$SFEFOUJBM
&YpMUSBUJPO
- Ϧιʔε
- ໨త
- ڴҖͷछྨ
- ୔ࢁ
IUUQTEPDTBXTBNB[[email protected][FE

View Slide

ݟग़͠
https://goo.gl/efpZeL

View Slide

&$
*".
#BDLEPPS
$SZQUP
$VSSFODIZ
1FOUFTU
1FSTJTUFODF
3FDPO
#FIBWJPSJBM
5SB⒏D
7PMVNF
4UFBMUI
5SPKBO
6OBVUIPSJ[FE
"DDFTT
$POTPMF-PHJO
*OTUBODF
$SFEFOUJBM
&YpMUSBUJPO
- Ϧιʔε
- ໨త
IUUQTEPDTBXTBNB[[email protected][FE
ݕ஌Ͱ͖ΔڴҖ

View Slide

શ͕ͯFʹͳΔGʹͳΒͳ͍
- ࠓ·ͰͷڴҖͱݕ஌ is not ϨΨγʔ
- ͳͷͰɺͱΓ͋͑ͣΦϯʹ͓ͯ͜͠͏ʂ

View Slide

Q & A
- part 1

View Slide


View Slide

GuardDuty in Folio

View Slide

GuardDuty in Folio
- ͍͘Β͔͔ͬͯΔʁ
- ޡݕ஌͋Δʁ
- Ϣʔεέʔεʁ

View Slide

GuardDuty in Folio
- ޡݕ஌͋Δʁ
- Ͳ͏͍͏෩ʹ࢖ͬͯΔʁ

View Slide

͍͘Β͔͔ͬͯΔʁ
- 11ΞΧ΢ϯτશ෦ͰonɻϝΠϯ͸ap-northeast1

View Slide

Ձ֨
EBZ

View Slide

GuardDuty in Folio
- ޡݕ஌͋Δʁ
- Ͳ͏͍͏෩ʹ࢖ͬͯΔʁ

View Slide

ࠓͷॴ
ʢগʣ
ͳ͍

View Slide

ࠓ·Ͱͷݕ஌
- Recon:EC2/PortProbeUnprotectedPort
- UnauthorizedAccess:IAMUser/UnusualASNCaller
- Behavior:EC2/NetworkPortUnusual
- Pentest:IAMUser/KaliLinux

View Slide

൑அϙΠϯτ࡟ݮ
- ࣗಈArchive
- ݕࡧϑΟϧλʔʹʮAuto-archiveΦϓγϣϯʯΛ͚ͭΕ͹͓̺

View Slide

GuardDuty in Folio
- ޡݕ஌͋Δʁ
- Ϣʔεέʔεʁ

View Slide

Ϣʔεέʔε
- ॏཁ౓ʹԠͨ͡Ξϥʔτ
- νέοτ؅ཧ։࢝
- ࣗಈForensic४උ

View Slide

جຊతʹ͸LambdaͰ֦ு
{
"version": "0",
"id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
"detail-type": "GuardDuty Finding",
"source": "aws.guardduty",
"account": "123456789012",
"time": "1970-01-01T00:00:00Z",
"region": "us-east-1",
"resources": [],
"detail": {
"schemaVersion": "2.0",
"accountId": "123456789012",
"region": "ap-northeast-1",
"type": "UnauthorizedAccess:EC2/RDPBruteForce",
"resource": {
"resourceType": "Instance",
"instanceDetails": {
"instanceId": "i-99999999",
"instanceType": "m3.xlarge",
"launchTime": "2016-08-02T02:05:06Z",
"platform": null,
"productCodes": [
{
"productCodeId": "GeneratedFindingProductCodeId",
"productCodeType": "GeneratedFindingProductCodeType
}
],
"iamInstanceProfile": {
"arn": "GeneratedFindingInstanceProfileArn",
"id": "GeneratedFindingInstanceProfileId"
},
"networkInterfaces": [
{
"ipv6Addresses": [],
"networkInterfaceId": "eni-bfcffe88",
"privateDnsName": "GeneratedFindingPrivateDnsName",

View Slide

Slack௨஌

View Slide

Slack௨஌
func main() {
lambda.Start(HandleRequest)
}
func HandleRequest(request CloudWatchEventForGuardDuty) {
if err := postOnSlack(request); err != nil {
log.Fatal().Err(err).Msg("failed.")
}
}
func mapSeverityToLevel(request CWEvent) (*Severity, error) {
severity := request.Detail.Severity
s := &Severity{}
s.AccountAlias = request.Detail.AccountID
if 0 <= severity && severity < 4 {
s.Level = "Low"
s.Color = "#707070"
return s, nil
} else if 4 <= severity && severity < 7 {
s.Level = "Medium"
s.Color = "warning"
return s, nil
} else if severity < 10 {
s.Level = "High"
s.Color = "danger"
s.Announce = true
return s, nil
}
return nil, errors.New("Severity was not in right range: 0~10.0")
}

View Slide

Slack௨஌
func postOnSlack(request CWevent) error {
severity, err := initializeSeverity(request.Detail.Severity)
if err != nil {
return err
}
pretext := "'" + request.Detail.Type + "' type found."
if severity.Announce {
pretext = " " + pretext
}
attachment := slack.Attachment{
Color: severity.Color,
Pretext: pretext,
Title: request.Detail.Title,
Fields: []slack.AttachmentField{
{
Title: "Severity",
Value: severity.Level,
Short: true,
},
{
Title: "Account",
Value: request.Detail.AccountID,
Short: true,
},
{
Title: "Description",
Value: request.Detail.Description,
Short: false,
},
},
}
payload := slack.PostMessageParameters{
Attachments: []slack.Attachment{attachment},
}
body, err := json.Marshal(payload)
if err != nil {
return errors.New("failed to encode payload")
}
if _, err := http.Post(slackURL, contentType, bytes.NewReader(body)
!= nil {
return errors.New(fmt.Sprintf("posting Slack failed: %v", err))
}
return nil
}

View Slide

JIRAνέοτ࡞੒

View Slide

ݟग़͠
func postOnJira(request CloudWatchEventForGuardDuty, c chan error) {
defer close(c)
body := &JiraIssueCreateRequest{
Fields: struct {
Project struct {
ID string `json:"id"`
} `json:"project"`
Summary string `json:"summary"`
Description string `json:"description"`
IssueType struct {
} `json:"issuetype"`
}{
Project: struct {
}{ID: jiraProjectId},
Summary: request.Detail.Title,
Description: request.Detail.Description + " in account: " + request.Detail.AccountI
IssueType: struct {
}{ID: jiraIssueTypeId},
},
}
payload, err := json.Marshal(body)
if err != nil {
c return
}
req, _ := http.NewRequest(http.MethodPost, jiraURL, bytes.NewBuffer(payload))
req.Header.Add("Authorization", jiraBasicAuthentication)
req.Header.Add("Content-Type", contentType)
log.Info().Str("status", "sending a posting a request Jira").Msg("ok")
// TODO Handle non 200 case
if _, err := http.DefaultClient.Do(req); err != nil {
c return
}
log.Info().Str("status", "finishing a request Jira").Msg("ok")
}
func HandleRequest(request CloudWatchEventForGuardDuty) (err error) {
errJIRAChan, errPDChan := make(chan error), make(chan error)
go postOnPagerDuty(request, errPDChan)
go postOnJira(request, errJIRAChan)
ok1, ok2:= true, true
for ok1 || ok2 {
select {
case err, ok1 = if err != nil && ok1 {
log.Info().Err(err).Str("app", "jira").Msg(err.Error())
}
log.Info().Err(err).Str("app",
"PagerDuty").Msg(err.Error())
}
}
}
return err
}
func getAccountAlias(accountId string) string {
if v, ok := accountMap[accountId]; ok {
return v
}
return accountId
}

View Slide

PagerDuty࿈ܞ

View Slide

ݟग़͠
func HandleRequest(request CloudWatchEventForGuardDuty) (err error) {
errJIRAChan, errPDChan := make(chan error), make(chan error)
go postOnPagerDuty(request, errPDChan)
go postOnJira(request, errJIRAChan)
ok1, ok2:= true, true
for ok1 || ok2 {
select {
log.Info().Err(err).Str("app", "jira").Msg(err.Error())
}
log.Info().Err(err).Str("app", "PagerDuty").Msg(err.Error())
}
}
}
return err
}
func getAccountAlias(accountId string) string {
if v, ok := accountMap[accountId]; ok {
return v
}
return accountId
}
func postOnPagerDuty(request CloudWatchEventForGuardDuty, c chan error) {
defer close(c)
client := pagerduty.NewClient(pagerDutyToken)
priorities, err := client.ListPriorities()
if err != nil {
c return
}
var priority string
severity := request.Detail.Severity
if 0 <= severity && severity < 4 {
priority = priorities.Priorities[2].ID
} else if 4 <= severity && severity < 7 {
} else if severity < 10 {
}
o := pagerduty.CreateIncidentOptions{
Title: request.Detail.Title,
Service: pagerduty.APIReference{
ID: pagerDutyServiceId,
Type: "service_reference",
},
Priority: pagerduty.APIReference{
ID: priority,
Type: "priority_reference",
},
Body: pagerduty.APIDetails{
Type: "incident_body",
Details: request.Detail.Description + " in account: " +
getAccountAlias(request.Detail.AccountID),
},
}
_, err = client.CreateIncident(pagerDutyEmail, &pagerduty.CreateIncident{o})
if err != nil {
c return
}
}

View Slide

ࣗಈִ཭(Forensic४උʣ
TOBQTIPU

ᶃ
ᶄ
ᶅ ᶆ
- "Digital Forensic Analysis of
Amazon Linux EC2 Instances”
by SANSͷҰ෦ΛίʔυԽ
AWS FIntech ϦϑΝϨϯεΨΠ
υ
IUUQTXXXTBOTPSHSFBEJOHSPPNXIJUFQBQFST
DMPVEEJHJUBMGPSFOTJDBOBMZTJTBNB[POMJOVYFD
JOTUBODFT

View Slide

Snapshotੜ੒
TOBQTIPU
ᶃ

View Slide

ݟग़͠
// Take SnapShot of suspected EC2 instance for taking evidence
func (e *EC2Forensic) CreateEvidenceSnapshot() (snapshotId string, err error) {
describeEc2AttributeInput := &ec2.DescribeInstanceAttributeInput{
Attribute: aws.String("blockDeviceMapping"),
InstanceId: aws.String(e.InstanceId),
}
createSnapshotInput := &ec2.CreateSnapshotInput{
Description: aws.String("Snapshot taken for forensic purpose"),
TagSpecifications: []*ec2.TagSpecification{
{
ResourceType: aws.String("snapshot"),
Tags: []*ec2.Tag{{Key: aws.String("Name"), Value: aws.String("forensic-snapshot")}},
},
},
}
output, err := e.svc.DescribeInstanceAttribute(describeEc2AttributeInput)
if err != nil {
return "", err
}
createSnapshotInput.VolumeId = output.BlockDeviceMappings[0].Ebs.VolumeId
snapShot, err := e.svc.CreateSnapshot(createSnapshotInput)
if err != nil {
return "", err
}
// Check State
var snapShotState string
for snapShotState != "completed" {
output, err := e.svc.DescribeSnapshots(&ec2.DescribeSnapshotsInput{SnapshotIds: []*string{snapShot.SnapshotId}})
if err != nil {
return "", nil
}
snapShotState = *output.Snapshots[0].State
}
return *snapShot.SnapshotId, nil
}

View Slide

EBSੜ੒
TOBQTIPU

ᶄ

View Slide

ݟग़͠
func (e *EC2Forensic) CreateEvidenceEBS(snapshotId string) (volumeId string, err error) {
input := &ec2.CreateVolumeInput{
//ToDO Dynamically retrieve AZ from subnet-id
AvailabilityZone: aws.String("ap-northeast-1a"),
SnapshotId: aws.String(snapshotId),
{
ResourceType: aws.String("volume"),
Tags: []*ec2.Tag{{Key: aws.String("Name"), Value: aws.String("forensic-ebs-volume")}},
},
},
}
output, err := e.svc.CreateVolume(input)
if err != nil {
return "", err
}
// Check State
var volumeState string
if volumeState != "ok" {
output, err := e.svc.DescribeVolumeStatus(&ec2.DescribeVolumeStatusInput{
VolumeIds: []*string{output.VolumeId},
})
if err != nil {
return "", err
}
volumeState = *output.VolumeStatuses[0].VolumeStatus.Status
}
return *output.VolumeId, nil
}

View Slide

Forensic༻EC2ੜ੒
TOBQTIPU

ᶅ

View Slide

ݟग़͠
func (e *EC2Forensic) StartForensicWorkstation() (workstationId string, err error) {
input := &ec2.RunInstancesInput{
{
ResourceType: aws.String("instance"),
Tags: []*ec2.Tag{
{Key: aws.String("Name"), Value: aws.String("forensic-workstation")},
{Key: aws.String("Target"), Value: aws.String(e.InstanceId)},
},
},
},
MaxCount: aws.Int64(1),
MinCount: aws.Int64(1),
SecurityGroupIds: []*string{aws.String(forensicSgId)},
SubnetId: aws.String(forensicSubnetId),
// Recommended in https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235?
InstanceType: aws.String("t2.large"),
// Latest(2018/07/15) ami id of Ubuntu Server 16.04 LTS (HVM), SSD Volume Type
// Recommended in https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235?
ImageId: aws.String("ami-940cdceb"),
}
output, err := e.svc.RunInstances(input)
if err != nil {
return "", err
}
var instanceState string
for instanceState != "running" {
output, err := e.svc.DescribeInstanceStatus(&ec2.DescribeInstanceStatusInput{
InstanceIds: []*string{output.Instances[0].InstanceId},
IncludeAllInstances: aws.Bool(true),
})
if err != nil {
return "", err
}
instanceState = *output.InstanceStatuses[0].InstanceState.Name
}
return *output.Instances[0].InstanceId, nil
}

View Slide

EBSΞλον
TOBQTIPU

ᶆ

View Slide

ݟग़͠
func (e *EC2Forensic) AttachEvidenceToWorkstation(workstationId, evidenceVolumeId string) (err error) {
_, err = e.svc.AttachVolume(&ec2.AttachVolumeInput{
InstanceId: aws.String(workstationId),
VolumeId: aws.String(evidenceVolumeId),
Device: aws.String("/dev/sdf"),
})
return
}
func notify(isFailed bool, isCompleted bool, message string) {
var color string
var status string
if isFailed {
color = "warning"
status = “failed"
} else if isCompleted {
color = "good"
status = "completed"
} else {
color = "#707070"
status = "completed"
}
log.Info().Str("duration", returnDuration()).Str("status", message).Msg(status)
payload := slack.PostMessageParameters{
Attachments: []slack.Attachment{{
Color: color,
Pretext: "Forensic Preparation Status",
Title: message,
}},
}
body, err := json.Marshal(payload)
if err != nil {
log.Info().Str("status", "failed").Msg("slack notification failed: failed to encode payload")
}
if _, err := http.Post(slackURL, "application/json", bytes.NewReader(body)); err != nil {
log.Info().Str("status", "failed").Msg("slack notification failed: http post failed")
}

View Slide

͓·͚

View Slide

݁࿦: GuadDuty͸͍͍ͧ!

View Slide

Future GuardDuty in Folio

View Slide

ಛఆͷૹ৴ݩIP or ѼઌPort΁ͷDeny௨৴ٸ૿ͷݕ஌
- ߈ܸͷ༧ஹͱͯ͠Α͋͘Δ
- ࢓૊Έ্Ͱ͖ͳ͍
- ಉ͡ݕ஌͸ॳճҎ߱ɺ6࣌ؒຖʹCloudWatchʹग़ྗ͞ΕΔ
- Ξϥʔτͱͯ͠͸্͍͛ͨ

View Slide

ର৅Ϧιʔεͷ֦ॆ
- ʮσʔλ࿙͍͑ʯϦεΫʹඥͮ͘ڴҖ
- ීஈͳ͍IP/EC2͔ΒͷRDB΁ͷΞΫηεɺΫΤϦ࣮ߦ
- ීஈͳ͍IP/EC2͔ΒͷS3΁ͷҎԼಉจ
- ීஈͷNഒͳOutbound VPC Flow logͷൃੜ
- Macieʹظ଴ʁ

View Slide

ΞϥʔτʹΑΔεΩʔϚͷ౷Ұ
- ݕ஌಺༰ʹΑͬͯJSONεΩʔϚ͕ҟͳΔ
- ͦͷࠩ෼ٵऩ
- ֤ݕ஌͝ͱͷJSONྫ΄͍͠…

View Slide

{
"version": "0",
"account": "123456789012",
"time": "1970-01-01T00:00:00Z",
"resources": [],
"detail": {
"accountId": "123456789012",
"type": "UnauthorizedAccess:EC2/RDPBruteForce",
"resource": {
"resourceType": "Instance",
"instanceDetails": {
"instanceId": "i-99999999",
"instanceType": "m3.xlarge",
"launchTime": "2016-08-02T02:05:06Z",
"platform": null,
"productCodes": [
{
"productCodeId":
"GeneratedFindingProductCodeId",
"productCodeType":
"GeneratedFindingProductCodeType"
}
],
{
"version": "0",
"account": "123456789012",
"time": "1970-01-01T00:00:00Z",
"resources": [],
"detail": {
"accountId": "123456789012",
"partition": "aws",
"id": "08b1830ad3896e10860152a387a36b00",
"arn": "arn:aws:guardduty:ap-northeast-1:123456789012:detector/e6b15a3c39d02cb9287
"type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
"resource": {
"resourceType": "AccessKey",
"accessKeyDetails": {
"accessKeyId": "GeneratedFindingAccessKey
"principalId": "GeneratedFindingPrincipal
"userType": "IAMUser",
"userName": "GeneratedFindingUserName"
}
},
"ipAddressV4": "198.51.100.1"
}
],
"sample": true
},
"eventFirstSeen": "2018-04-27T07:51:12.402Z",
"eventLastSeen": "2018-05-11T14:07:26.951Z",
"archived": true,
"count": 37
},
"severity": 8,
શવҧ͏
ʢݕ஌ର৅ͷϦιʔεʣ
&$PS*".

View Slide

"service": {
"serviceName": "guardduty",
"detectorId": "e6b15a3c39d02cb928758a13a65eb04e",
"action": {
"actionType": "AWS_API_CALL",
"awsApiCallAction": {
"api": "GeneratedFindingAPIName",
"serviceName":
"GeneratedFindingAPIServiceName",
"callerType": "Remote IP",
"remoteIpDetails": {
"ipAddressV4": "198.51.100.0",
"organization": {
"asn": "-1",
"asnOrg": "GeneratedFindingASNOrg",
"isp": "GeneratedFindingISP",
"org": "GeneratedFindingORG"
},
"country": {
"countryName":
"GeneratedFindingCountryName"
},
"city": {
"cityName": "GeneratedFindingCityName"
},
"geoLocation": {
"service": {
"serviceName": "guardduty",
"detectorId": "e6b15a3c39d02cb928758a13a65eb04e",
"action": {
"actionType": "NETWORK_CONNECTION",
"networkConnectionAction": {
"connectionDirection": "INBOUND",
"remoteIpDetails": {
"ipAddressV4": "198.51.100.0",
"organization": {
"asn": "-1",
"asnOrg": "GeneratedFindingASNO
"isp": "GeneratedFindingISP",
"org": "GeneratedFindingORG"
},
"country": {
"countryName": "GeneratedFindin
},
"city": {
"cityName": "GeneratedFindingCi
},
"geoLocation": {
"lat": 0,
"lon": 0
}
},
શવҧ͏
5ISFBEͷ"DUJPOʣ
&$PS*".

View Slide

Conﬁdence

View Slide

ϚελʔΞΧ΢ϯτ΁ͷ৘ใू໿
- Bill৘ใ΋ϚελʔΞΧ΢ϯτʹू໿͍ͨ͠
- Region·͍ͨͰ΋ू໿͍ͨ͠
- ֤ΠϕϯτͷCloudTrail΁ͷϦϯΫ΋΄͍͠

View Slide

ଞͷAWSηΩϡϦςΟϦιʔεͱͷ࿈ܞ
- ࣗಈతʹCloudTrailͱඥ෇͚Δ
- Config΁ͷઃఆ௥Ճਪ঑Λ͢Δ
- ͳͲ

View Slide


View Slide

Q & A
- part 2

View Slide

ಊʑͱͨ͠ݟग़͠

View Slide

Thank you!
@ken5scal

View Slide

GuardDutyを使ったサイバー攻撃の検出と分析.pdf

GuardDutyを使ったサイバー攻撃の検出と分析.pdf

Kengo Suzuki

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript