关于前端:Amazon-GuardDuty-的新增功能-–-Amazon-EBS-卷的恶意软件检测

50次阅读

共计 13130 个字符,预计需要花费 33 分钟才能阅读完成。

亚马逊云科技开发者社区为开发者们提供寰球的开发技术资源。这里有技术文档、开发案例、技术专栏、培训视频、流动与比赛等。帮忙中国开发者对接世界最前沿技术,观点,和我的项目,并将中国优良开发者或技术举荐给寰球云社区。如果你还没有关注 / 珍藏,看到这里请肯定不要匆匆划过,点这里让它成为你的技术宝库!

借助 Amazon GuardDuty,您能够监控本人的 AWS 账户和工作负载以检测歹意流动。咱们于近日在 GuardDuty 中减少了检测恶意软件的性能。恶意软件用于危害工作负载、从新调整资源用处或未经受权拜访数据。启用 GuardDuty 恶意软件爱护 之后,当 GuardDuty 检测到您在 EC2 上运行的 EC2 实例或容器工作负载之一正在执行可疑操作时,就会启动恶意软件扫描。例如,当 EC2 实例与已知歹意的命令和管制服务器进行通信时,或者正在对其余 EC2 实例执行拒绝服务 (DoS) 或蛮力破解攻打时,就会触发恶意软件扫描。

GuardDuty 反对许多文件系统类型,该工具会扫描已知用于流传或蕴含恶意软件的文件格式,包含 Windows 和 Linux 可执行文件、PDF 文件、存档、二进制文件、脚本、安装程序、电子邮件数据库和一般电子邮件。

辨认出潜在的恶意软件后,将生成可操作的平安调查结果,其中蕴含威逼和文件名、文件门路、EC2 实例 ID、资源标签以及(如果是容器)容器 ID 和应用的容器映像等信息。GuardDuty 反对在 EC2 上运行的容器工作负载,包含客户治理的 Kubernetes 集群或个别 Docker 容器。如果容器由 Amazon Elastic Kubernetes Service (EKS) or Amazon Elastic Container Service (Amazon ECS) 治理,则调查结果还包含集群名称和工作或 pod ID,因而应用程序平安团队能够疾速找到受影响的容器资源。

与所有其余 GuardDuty 调查结果一样,恶意软件检测将发送到 GuardDuty 控制台,通过 Amazon EventBridge 推送,路由到 AWS Security Hub,而后在 Amazon Detective 中提供以发展事件调查。

++GuardDuty 恶意软件爱护的工作原理 ++

启用恶意软件爱护后,您将设置一个 Amazon Identity and Access Management (IAM) 服务相干角色,该角色授予 GuardDuty 执行恶意软件扫描的权限。对 EC2 实例启动恶意软件扫描时,GuardDuty 恶意软件爱护应用这些权限拍摄小于 1 TB 的附加 Amazon Elastic Block Store (EBS) 卷快照,而后在同一 Amazon 区域内的 Amazon 服务账户中复原 EBS 卷,以对它们进行恶意软件扫描。您能够应用标记,从这些权限和扫描中包含或排除 EC2 实例。这样,您无需部署安全软件或代理来监控恶意软件,扫描卷的操作也不会影响正在运行的工作负载。扫描实现后,将删除服务账户中的 EBS 卷和您账户中的快照。或者,您能够在检测到恶意软件时保留快照。

服务相干角色授予 GuardDuty 拜访用于加密 EBS 卷的 Amazon Key Management Service (Amazon KMS) 密钥的权限。如果对附加到可能受到入侵的 EC2 实例的 EBS 卷应用客户托管式密钥进行加密,则 GuardDuty 恶意软件爱护也会应用雷同的密钥来加密正本 EBS 卷。如果这些卷未加密,GuardDuty 将应用本人的密钥来加密正本 EBS 卷并确保隐衷。不反对应用 EBS 托管式密钥加密的卷。

云中的平安是您与 Amazon 独特承当的责任。作为防护机制,GuardDuty 恶意软件爱护应用的服务相干角色如果具备 GuardDutyExcluded 标签,则无奈对您的资源(例如 EBS 快照和卷、EC2 实例和 KMS 密钥)执行任何操作。在将 GuardDutyExcluded 设置为 true 的状况下标记快照后,GuardDuty 服务将无法访问这些快照。GuardDutyExclud 标签将取代任何蕴含标记。权限还会限度 GuardDuty 批改快照的形式,以便在与 GuardDuty 服务账户共享时无奈将其公开。

由 GuardDuty 创立的 EBS 卷始终是加密的。GuardDuty 只能在具备 GuardDuty 扫描 ID 标签的 EBS 快照上应用 KMS 密钥。在取得 EC2 检测后果后创立快照时,GuardDuty 会增加扫描 ID 标签。无奈从除 Amazon EBS 服务之外的任何其余上下文调用与 GuardDuty 服务账户共享的 KMS 密钥。扫描胜利实现后,将撤销 KMS 密钥授予并删除 GuardDuty 服务账户中的卷正本,从而确保 GuardDuty 服务在实现扫描操作后无法访问您的数据。

++ 为 Amazon 账户启用恶意软件爱护 ++

如果您尚未应用 GuardDuty,则在为本人的账户激活 GuardDuty 时,默认状况下会启用恶意软件爱护。我曾经在应用 GuardDuty,因而须要从控制台启用恶意软件爱护。如果您正在应用 Amazon Organizations,您的代理管理员账户能够为现有成员账户启用此性能,并配置是否应主动注册组织中的新 Amazon 账户。

在 GuardDuty 控制台中,我抉择导航窗格中 Settings(设置)下的 Malware Protection(恶意软件爱护)。在其中,我抉择 Enable(启用),而后抉择 Enable Malware Protection(启用恶意软件爱护)。

屏幕截图在扫描后会主动删除。在 General settings(惯例设置)中,我能够抉择将检测到恶意软件的屏幕截图保留在我的 Amazon 账户中,并将其用于进一步剖析。

Scan options(扫描选项)中,我能够配置蕴含标签的列表,以便只扫描带有这些标签的 EC2 实例;或者排除标签,以便跳过列表中蕴含标签的 EC2 实例。

++ 测试恶意软件爱护 GuardDuty 检测后果 ++

为了生成几个 Amazon GuardDuty 检测后果,包含新的恶意软件爱护检测后果,我克隆了 Amazon GuardDuty Tester 存储库:

$ git clone https://github.com/awslabs/amazon-guardduty-tester

首先,我应用 guardduty-tester.template 文件创建一个 Amazon CloudFormation 堆栈。堆栈准备就绪后,我会依照阐明将 SSH 客户端配置为通过堡垒主机登录到测试器实例。而后,我连贯到测试器实例:

$ ssh tester

从测试器实例中,我启动 guardduty_tester.sh 脚本来生成检测后果:

$ ./guardduty_tester.sh 

*********************************************************************
* Test #1 - Internal port scanning                                    *
* This simulates internal reconaissance by an internal actor or an   *
* external actor after an initial compromise.This is considered a    *
* low priority finding for GuardDuty because its not a clear indicator*
* of malicious intent on its own.                                     *
*********************************************************************


Starting Nmap 6.40 (http://nmap.org) at 2022-05-19 09:36 UTC
Nmap scan report for ip-172-16-0-20.us-west-2.compute.internal (172.16.0.20)
Host is up (0.00032s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
5050/tcp closed mmcc
MAC Address: 06:25:CB:F4:E0:51 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

-----------------------------------------------------------------------

*********************************************************************
* Test #2 - SSH Brute Force with Compromised Keys                     *
* This simulates an SSH brute force attack on an SSH port that we    *
* can access from this instance.It uses (phony) compromised keys in  *
* many subsequent attempts to see if one works.This is a common      *
* techique where the bad actors will harvest keys from the web in     *
* places like source code repositories where people accidentally leave*
* keys and credentials (This attempt will not actually succeed in     *
* obtaining access to the target linux instance in this subnet)       *
*********************************************************************

2022-05-19 09:36:29 START
2022-05-19 09:36:29 Crowbar v0.4.3-dev
2022-05-19 09:36:29 Trying 172.16.0.20:22
2022-05-19 09:36:33 STOP
2022-05-19 09:36:33 No results found...
2022-05-19 09:36:33 START
2022-05-19 09:36:33 Crowbar v0.4.3-dev
2022-05-19 09:36:33 Trying 172.16.0.20:22
2022-05-19 09:36:37 STOP
2022-05-19 09:36:37 No results found...
2022-05-19 09:36:37 START
2022-05-19 09:36:37 Crowbar v0.4.3-dev
2022-05-19 09:36:37 Trying 172.16.0.20:22
2022-05-19 09:36:41 STOP
2022-05-19 09:36:41 No results found...
2022-05-19 09:36:41 START
2022-05-19 09:36:41 Crowbar v0.4.3-dev
2022-05-19 09:36:41 Trying 172.16.0.20:22
2022-05-19 09:36:45 STOP
2022-05-19 09:36:45 No results found...
2022-05-19 09:36:45 START
2022-05-19 09:36:45 Crowbar v0.4.3-dev
2022-05-19 09:36:45 Trying 172.16.0.20:22
2022-05-19 09:36:48 STOP
2022-05-19 09:36:48 No results found...
2022-05-19 09:36:49 START
2022-05-19 09:36:49 Crowbar v0.4.3-dev
2022-05-19 09:36:49 Trying 172.16.0.20:22
2022-05-19 09:36:52 STOP
2022-05-19 09:36:52 No results found...
2022-05-19 09:36:52 START
2022-05-19 09:36:52 Crowbar v0.4.3-dev
2022-05-19 09:36:52 Trying 172.16.0.20:22
2022-05-19 09:36:56 STOP
2022-05-19 09:36:56 No results found...
2022-05-19 09:36:56 START
2022-05-19 09:36:56 Crowbar v0.4.3-dev
2022-05-19 09:36:56 Trying 172.16.0.20:22
2022-05-19 09:37:00 STOP
2022-05-19 09:37:00 No results found...
2022-05-19 09:37:00 START
2022-05-19 09:37:00 Crowbar v0.4.3-dev
2022-05-19 09:37:00 Trying 172.16.0.20:22
2022-05-19 09:37:04 STOP
2022-05-19 09:37:04 No results found...
2022-05-19 09:37:04 START
2022-05-19 09:37:04 Crowbar v0.4.3-dev
2022-05-19 09:37:04 Trying 172.16.0.20:22
2022-05-19 09:37:08 STOP
2022-05-19 09:37:08 No results found...
2022-05-19 09:37:08 START
2022-05-19 09:37:08 Crowbar v0.4.3-dev
2022-05-19 09:37:08 Trying 172.16.0.20:22
2022-05-19 09:37:12 STOP
2022-05-19 09:37:12 No results found...
2022-05-19 09:37:12 START
2022-05-19 09:37:12 Crowbar v0.4.3-dev
2022-05-19 09:37:12 Trying 172.16.0.20:22
2022-05-19 09:37:16 STOP
2022-05-19 09:37:16 No results found...
2022-05-19 09:37:16 START
2022-05-19 09:37:16 Crowbar v0.4.3-dev
2022-05-19 09:37:16 Trying 172.16.0.20:22
2022-05-19 09:37:20 STOP
2022-05-19 09:37:20 No results found...
2022-05-19 09:37:20 START
2022-05-19 09:37:20 Crowbar v0.4.3-dev
2022-05-19 09:37:20 Trying 172.16.0.20:22
2022-05-19 09:37:23 STOP
2022-05-19 09:37:23 No results found...
2022-05-19 09:37:23 START
2022-05-19 09:37:23 Crowbar v0.4.3-dev
2022-05-19 09:37:23 Trying 172.16.0.20:22
2022-05-19 09:37:27 STOP
2022-05-19 09:37:27 No results found...
2022-05-19 09:37:27 START
2022-05-19 09:37:27 Crowbar v0.4.3-dev
2022-05-19 09:37:27 Trying 172.16.0.20:22
2022-05-19 09:37:31 STOP
2022-05-19 09:37:31 No results found...
2022-05-19 09:37:31 START
2022-05-19 09:37:31 Crowbar v0.4.3-dev
2022-05-19 09:37:31 Trying 172.16.0.20:22
2022-05-19 09:37:34 STOP
2022-05-19 09:37:34 No results found...
2022-05-19 09:37:35 START
2022-05-19 09:37:35 Crowbar v0.4.3-dev
2022-05-19 09:37:35 Trying 172.16.0.20:22
2022-05-19 09:37:38 STOP
2022-05-19 09:37:38 No results found...
2022-05-19 09:37:38 START
2022-05-19 09:37:38 Crowbar v0.4.3-dev
2022-05-19 09:37:38 Trying 172.16.0.20:22
2022-05-19 09:37:42 STOP
2022-05-19 09:37:42 No results found...
2022-05-19 09:37:42 START
2022-05-19 09:37:42 Crowbar v0.4.3-dev
2022-05-19 09:37:42 Trying 172.16.0.20:22
2022-05-19 09:37:46 STOP
2022-05-19 09:37:46 No results found...

-----------------------------------------------------------------------

*********************************************************************
* Test #3 - RDP Brute Force with Password List                        *
* This simulates an RDP brute force attack on the internal RDP port  *
* of the windows server that we installed in the environment. It uses*
* a list of common passwords that can be found on the web.This test  *
* will trigger a detection, but will fail to get into the target      *
* windows instance.                                                   *
*********************************************************************

Sending 250 password attempts at the windows server...
Hydra v9.4-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-19 09:37:46
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental.Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1792 login tries (l:7/p:256), ~448 tries per task
[DATA] attacking rdp://172.16.0.24:3389/
[STATUS] 1099.00 tries/min, 1099 tries in 00:01h, 693 to do in 00:01h, 4 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-19 09:39:23

-----------------------------------------------------------------------

*********************************************************************
* Test #4 - CryptoCurrency Mining Activity                            *
* This simulates interaction with a cryptocurrency mining pool which *
* can be an indication of an instance compromise.In this case, we are*
* only interacting with the URL of the pool, but not downloading      *
* any files.This will trigger a threat intel based detection.        *
*********************************************************************

Calling bitcoin wallets to download mining toolkits

-----------------------------------------------------------------------

*********************************************************************
* Test #5 - DNS Exfiltration                                          *
* A common exfiltration technique is to tunnel data out over DNS      *
* to a fake domain. Its an effective technique because most hosts    *
* have outbound DNS ports open. This test wont exfiltrate any data,  *
* but it will generate enough unusual DNS activity to trigger the     *
* detection.                                                          *
*********************************************************************

Calling large numbers of large domains to simulate tunneling via DNS

*********************************************************************
* Test #6 - Fake domain to prove that GuardDuty is working            *
* This is a permanent fake domain that customers can use to prove that*
* GuardDuty is working. Calling this domain will always generate the *
* Backdoor:EC2/C&CActivity.B!DNS finding type                         *
*********************************************************************

Calling a well known fake domain that is used to generate a known finding

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> GuardDutyC2ActivityB.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11495
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;GuardDutyC2ActivityB.com.    IN    ANY

;; ANSWER SECTION:
GuardDutyC2ActivityB.com.6943    IN    SOA    ns1.markmonitor.com. hostmaster.markmonitor.com.2018091906 86400 3600 2592000 172800
GuardDutyC2ActivityB.com.6943    IN    NS    ns3.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns5.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns7.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns2.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns4.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns6.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns1.markmonitor.com.

;; Query time: 27 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu May 19 09:39:23 UTC 2022
;; MSG SIZE  rcvd: 238


*****************************************************************************************************
预期的 GuardDuty 检测后果

测试 1:外部端口扫描
预期的检测后果:EC2 实例 i-011e73af27562827b 正在对近程主机执行出站端口扫描。172.16.0.20
检测后果类型:Recon:EC2/Portscan

测试 2:应用泄露密钥的 SSH 蛮力攻打
预期有两个检测后果 - 一个用于出站检测,另一个用于入站检测
出站:i-011e73af27562827b 正在对 172.16.0.20 进行 SSH 蛮力攻打
入站:172.16.0.25 正在对 i-0bada13e0aa12d383 进行 SSH 蛮力攻打
检测后果类型:UnauthorizedAccess:EC2/SSHBruteForce

测试 3:应用明码列表的 RDP 蛮力攻打
预期有两个检测后果 - 一个用于出站检测,另一个用于入站检测
出站:i-011e73af27562827b 正在对 172.16.0.24 进行 RDP 蛮力攻打
入站:172.16.0.25 正在对 i-0191573dec3b66924 进行 RDP 蛮力攻打
检测后果类型:UnauthorizedAccess:EC2/RDPBruteForce

测试 4:加密货币流动
预期的检测后果:EC2 实例 i-011e73af27562827b 正在查问与比特币流动相干的域名
检测后果类型:CryptoCurrency:EC2/BitcoinTool.B!DNS

测试 5:DNS 浸透
预期的检测后果:EC2 实例 i-011e73af27562827b 正在尝试查问与泄露数据类似的域名
检测后果类型:Trojan:EC2/DNSDataExfiltration

测试 6:C&C 流动
预期检测后果:EC2 实例 i-011e73af27562827b 正在查问与已知命令与管制服务器关联的域名。检测后果类型:Backdoor:EC2/C&CActivity.B!DNS

几分钟后,检测后果将显示在 GuardDuty 控制台中。在顶部,我看到了新的恶意软件爱护性能发现的歹意文件。其中一个检测后果与 EC2 实例相干,另一个与 ECS 集群相干。

首先,我抉择与 EC2 实例相干的检测后果。在面板中,我看到无关实例和歹意文件的信息,例如文件名和门路。在 Malware scan details(恶意软件扫描详细信息)局部中,Trigger finding ID(触发检测后果 ID)指向触发恶意软件扫描的原始 GuardDuty 检测后果。就我而言,最后的检测后果是此 EC2 实例正在对另一个 EC2 实例执行 RDP 蛮力攻打。

在此处,我抉择 Investigate with Detective(应用 Detective 考察),而后间接从 GuardDuty 控制台转到 Detective 控制台,从中可视化 EC2 实例、Amazon 账户和受检测后果影响的 IP 地址的 Amazon CloudTrail 和 Amazon Virtual Private Cloud (Amazon VPC) 流数据。应用 Detective,我能够剖析、考察和确定 GuardDuty 发现的可疑流动的根本原因。

抉择与 ECS 群集相干的检测后果时,我将取得无关受影响资源的更多信息,例如 ECS 集群、工作、容器和容器映像的详细信息。

应用 GuardDuty 测试器脚本能够更轻松地测试 GuardDuty 与您应用的其余平安框架的整体集成,以便在检测到真正的威逼时做好筹备。

++ 将 GuardDuty 恶意软件防护爱护与 Amazon Inspector 进行比拟 ++

此时,您可能会问本人 GuardDuty 恶意软件爱护与 Amazon Inspector 有何关系,Amazon Inspector 是一项扫描 AWS 工作负载的软件破绽和意外网络裸露的服务。这两种服务相辅相成,提供不同的保护层:

  • Amazon Inspector 通过辨认和修复已知软件和应用程序破绽提供被动防护,这些破绽是攻击者入侵资源和装置恶意软件的入口点。
  • GuardDuty 恶意软件爱护可检测到沉闷运行的工作负载中存在的恶意软件。此时,零碎曾经受损,然而 GuardDuty 能够限度感化的工夫,并在零碎受损导致影响业务的事件之前采取措施。

++ 可用性和定价 ++

Amazon GuardDuty 恶意软件爱护现已在所有提供 GuardDuty 的 Amazon 区域推出,不包含 AWS 中国(北京)、Amazon 中国(宁夏)、Amazon GovCloud(美国东部)和 Amazon GovCloud(美国西部)区域。

在公布时,GuardDuty 恶意软件爱护已与以下合作伙伴产品集成:

  • BitDefender
  • CloudHesive
  • Crowdstrike
  • Fortinet
  • Palo Alto Networks
  • Rapid7
  • Sophos
  • Sysdig
  • Trellix

应用 GuardDuty,您无需部署安全软件或代理来监控恶意软件。您只需为文件系统中扫描的 GB 量(而不是 EBS 卷的大小)和 EBS 快照保留在您账户中的工夫付费。除非您在发现恶意软件时启用快照保留性能,否则 GuardDuty 创立的所有 EBS 快照都会在扫描后主动删除。无关更多信息,请参阅 GuardDuty 定价和 EBS 定价。请留神,GuardDuty 仅扫描小于 1 TB 的 EBS 卷。为了帮忙您管制老本并防止反复警报,同一卷的扫描频率不会超过每 24 小时一次。

应用 Amazon GuardDuty 检测歹意流动并爱护您的应用程序免受恶意软件侵害。
— Danilo

正文完
 0