Security Alert Triage Runbook

Integrations

Shows which AWS tools are configured to provide security visibility. This also includes tools that are planned for implementation.

Implemented

  • AWS Guard Duty

Planned for Implementation

  • AWS Macie
  • AWS Inspector
  • AWS Detective

Summary

This document lists known false positives and the steps required to triage events generated by the AWS security tools.

AWS Guard Duty

A threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

Focused On: User and Entity Behavior Analytics (UEBA), Network Intrusion Detection Systems (IDS)

False Positives

  1. Connections to and from host 165.227.16.16 on any port.

Alerts

Behavior:EC2/NetworkPortUnusual

An EC2 instance is communicating with a remote host on an unusual port. See here for more details on this type of alert.

  1. Determine which EC2 instance is communicating and on what port. The alert provides this information.
  2. From the alert, determine the destination port and IP address of the communication.
  3. Is the destination port a standard port or an unusual port?
  4. Is the destination IP address a known host?
  5. For the system responsible for the communication, is this expected traffic, and has communication with this host happened before? Check ELK.
  6. If the traffic is expected, no further action is required.
  7. If questions 3-5 cannot be answered, find the system owner immediately to determine whether this is legitimate traffic. Track this in a GitHub issue.

Policy:IAMUser/RootCredentialUsage

  1. We acknowledge the need to move away from using root credentials and are tracking the work needed to do this in issue #210. For now these alerts can be ignored.

Recon:EC2/PortProbeUnprotectedPort

An EC2 instance has an unprotected port that is being probed by a known malicious host. See here for more details on this type of alert.

This alert should not occur often, since we typically do not expose systems directly to the Internet. If it does occur, look into it promptly.

Note that systems that are exposed to the Internet by design will be probed from time to time by malicious actors. This is life on the Internet. In the future we can discuss temporarily blocking these IPs with a Lambda function when such activity is alerted upon.

  1. Review the instance that is being probed. Is this system supposed to be exposed to the Internet? If not, escalate to the IGOR Team Leads immediately, as this is a potential security issue.
  2. If the system is designed to be exposed to the Internet, confirm that the service being accessed (based on the port number) is also supposed to be exposed to the Internet. If not, escalate to the IGOR Team Leads immediately, as this is a potential security issue.
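As an added worked example (not part of the original runbook), the following Python encodes the checks above for the NetworkPortUnusual, RootCredentialUsage and PortProbeUnprotectedPort findings as a single triage function that returns a verdict and the reasons behind it. The finding dicts are constructed samples whose field layout follows the GuardDuty finding JSON (Type, Resource.InstanceDetails, Service.Action); the standard-port list, the known-host and Internet-exposed inventories, the instance IDs and the `seen_before_in_elk` flag are placeholders standing in for the CMDB and ELK lookups the runbook refers to.

```python
"""Triage helper that applies this runbook's checks to GuardDuty findings (added example)."""
import json

# Runbook false positive: connections to/from this host on any port are expected.
FALSE_POSITIVE_HOSTS = {"165.227.16.16"}

# Finding types the runbook currently accepts, with the reason to record on the ticket.
ACCEPTED_TYPES = {
    "Policy:IAMUser/RootCredentialUsage": "root credential migration tracked in issue #210",
}

# Assumed "standard" destination ports; tune to what your workloads actually use.
STANDARD_PORTS = {22, 53, 80, 123, 443, 587, 993, 3306, 5432, 6379}

# Constructed inventories standing in for a CMDB lookup (not from the runbook).
KNOWN_HOSTS = {"10.20.30.40": "internal artifact mirror"}
INTERNET_EXPOSED = {"i-0fedcba9876543210": {443}}  # instance -> ports exposed by design


def _dig(obj, *path, default=None):
    """Walk nested dicts/lists safely; return default if any step is missing."""
    for key in path:
        if isinstance(obj, dict) and key in obj:
            obj = obj[key]
        elif isinstance(obj, list) and isinstance(key, int) and 0 <= key < len(obj):
            obj = obj[key]
        else:
            return default
    return obj


def connection_details(finding):
    """Return (instance_id, remote_ip, port) for a network-connection or port-probe finding."""
    instance = _dig(finding, "Resource", "InstanceDetails", "InstanceId")
    action = _dig(finding, "Service", "Action", default={})
    if action.get("ActionType") == "NETWORK_CONNECTION":
        net = action.get("NetworkConnectionAction", {})
        return (instance, _dig(net, "RemoteIpDetails", "IpAddressV4"),
                _dig(net, "RemotePortDetails", "Port"))
    if action.get("ActionType") == "PORT_PROBE":
        # A probe finding lists the probed local port(s); take the first entry.
        probe = _dig(action, "PortProbeAction", "PortProbeDetails", 0, default={})
        return (instance, _dig(probe, "RemoteIpDetails", "IpAddressV4"),
                _dig(probe, "LocalPortDetails", "Port"))
    return instance, None, None


def triage(finding, seen_before_in_elk=False):
    """Apply the runbook checks in order; seen_before_in_elk stands in for the ELK lookup."""
    ftype = finding.get("Type", "")
    if ftype in ACCEPTED_TYPES:
        return {"verdict": "accepted", "reasons": [ACCEPTED_TYPES[ftype]]}
    instance, remote_ip, port = connection_details(finding)
    if remote_ip in FALSE_POSITIVE_HOSTS:
        return {"verdict": "suppress", "reasons": [f"{remote_ip} is a documented false positive"]}
    reasons = []
    if ftype == "Behavior:EC2/NetworkPortUnusual":
        reasons.append(f"port {port} is {'standard' if port in STANDARD_PORTS else 'unusual'}")
        if remote_ip in KNOWN_HOSTS:
            reasons.append(f"{remote_ip} is a known host ({KNOWN_HOSTS[remote_ip]})")
            if seen_before_in_elk:
                reasons.append("prior communication confirmed in ELK; expected traffic")
                return {"verdict": "no_action", "reasons": reasons}
        else:
            reasons.append(f"{remote_ip} is not a known host")
        reasons.append(f"contact the owner of {instance} and track in a GitHub issue")
        return {"verdict": "investigate", "reasons": reasons}
    if ftype == "Recon:EC2/PortProbeUnprotectedPort":
        exposed_ports = INTERNET_EXPOSED.get(instance)
        if exposed_ports is None:
            reasons.append(f"{instance} is not meant to be Internet-exposed; escalate to team leads")
            return {"verdict": "escalate", "reasons": reasons}
        if port not in exposed_ports:
            reasons.append(f"port {port} on {instance} is not meant to be exposed; escalate")
            return {"verdict": "escalate", "reasons": reasons}
        reasons.append(f"{instance}:{port} is exposed by design; probes are expected")
        return {"verdict": "no_action", "reasons": reasons}
    return {"verdict": "investigate", "reasons": [f"no runbook entry for {ftype}"]}


# Constructed sample findings; the shape follows GuardDuty finding JSON, the values are made up.
SAMPLE_UNUSUAL_PORT = {
    "Type": "Behavior:EC2/NetworkPortUnusual",
    "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
        "ConnectionDirection": "OUTBOUND",
        "RemoteIpDetails": {"IpAddressV4": "10.20.30.40"},
        "RemotePortDetails": {"Port": 8443}}}},
}
SAMPLE_PORT_PROBE = {
    "Type": "Recon:EC2/PortProbeUnprotectedPort",
    "Resource": {"InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}},
    "Service": {"Action": {"ActionType": "PORT_PROBE", "PortProbeAction": {"PortProbeDetails": [
        {"LocalPortDetails": {"Port": 22}, "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}]}}},
}
SAMPLE_FALSE_POSITIVE = {
    "Type": "Behavior:EC2/NetworkPortUnusual",
    "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
        "RemoteIpDetails": {"IpAddressV4": "165.227.16.16"}, "RemotePortDetails": {"Port": 9999}}}},
}
SAMPLE_ROOT = {"Type": "Policy:IAMUser/RootCredentialUsage"}

if __name__ == "__main__":
    for f in (SAMPLE_UNUSUAL_PORT, SAMPLE_PORT_PROBE, SAMPLE_FALSE_POSITIVE, SAMPLE_ROOT):
        print(f["Type"], "->", json.dumps(triage(f, seen_before_in_elk=True)))
```

The order of checks mirrors the runbook: accepted finding types and the documented false-positive host are handled before any per-type logic, so a suppressed finding never reaches the port or host inventory checks, and anything without a runbook entry falls through to "investigate" rather than being silently closed. In production the inventories would be replaced by CMDB and ELK queries, and the returned reasons list is what you would paste into the GitHub issue.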

UnauthorizedAccess:EC2/TorIPCaller

IP address 91.109.29.81 on the Tor Anonymizing Proxy network is communicating with an EC2 instance. See here for more details on this type of alert.