Extend AWS GuardDuty to Shield Your Cloud Deployment from Attacks

August 28, 2019

In this blog, I will explain how you can leverage AWS GuardDuty findings to prevent malicious IPs and domains from accessing your AWS-hosted applications by using Illumio Shield (AWS lambda function).


About AWS GuardDuty

Amazon GuardDuty, a threat detection service, protects AWS accounts and workloads by continuously monitoring for malicious and unauthorized behavior to identify escalation of privileges, use of exposed credentials, or communication with malicious IPs, URLs, or domains. It utilizes several sources of network and endpoint telemetry, including CloudTrail event logs, DNS logs, and VPC Flow Logs. GuardDuty findings use integrated threat intelligence feeds and machine learning algorithms to detect anomalies in AWS accounts and workload activity, which helps customers continuously monitor their AWS cloud environments for imminent attacks.


Benefits of Integration

Illumio Adaptive Security Platform (ASP) easily integrates with Amazon GuardDuty to shield your AWS environments dynamically and prevent imminent attacks. Key benefits include:

  • Incorporating threat intel from external threat feeds in real time with Illumio segmentation policy
  • Automated response action using AWS Lambda which utilizes GuardDuty findings dynamically
  • Enhanced threat protection by integrating threat intelligence with Illumio ASP


Illumio ASP and GuardDuty Integration

Illumio ASP uses the threat intel or information received from GuardDuty findings to extract malicious IPs and domains and to update the threat list on the Illumio Policy Compute Engine (PCE) using an AWS Lambda function. The following example describes how the integration between Illumio ASP and GuardDuty works:

Consider a three-tier application that is deployed in an AWS cloud environment. The applications instances (see figure 1) are secured by Illumio segmentation policies, which whitelists known allowed network connections, thereby preventing any attacks from unknown entities. The SOC operator has opened public access to the website, which can cause malicious domains and IPs to try and exploit the web instances. In Illumio ASP's real-time application dependency map (Illumination), the green lines indicate allowed policy flows and the red lines indicate blocked flows (or no policy).


Guardduty Illumination

Figure 1: Production Web Application Instances shown in Illumination


The SOC operator is alerted of these malicious IPs and domains by GuardDuty findings with integrated threat intelligence. This information will be automatically utilized by Illumio ASP to update the threat list in order to secure the production workloads against external bad actors or malicious IPs, URLs, and domains. The following workflow shows where Illumio ASP will utilize the GuardDuty findings to take preventive action for imminent attacks:



Figure 2: Illumio GuardDuty Shield Workflow


Integration Demo

Let me quickly demonstrate how GuardDuty threat information is utilized by Illumio ASP to secure web application instances deployed in a production environment.


Screencast: Demo of Illumio GuardDuty Shield


As seen in the screencast:

  1. AWS GuardDuty utilizes multiple input sources including VPC flow logs, DNS logs, and AWS CloudTrail event logs, in addition to external threat intel feeds.
  2. It generates findings alerting the customers about SSH brute force attacks, port probes, and port scans performed by malicious domains or IP addresses.
  3. These findings trigger generation of a CloudWatch event, which will be a trigger for the Illumio GuardDuty Shield Lambda function.
  4. This Lambda function will examine the alert and extract the malicious IPs.
  5. It invokes the Illumio PCE API to update the threat list that will narrow down the scope of the rule so that malicious IPs are specifically blocked by the Illumio policy and cannot reach the web instance.

To learn more about Illumio, go to www.illumio.com/what-we-do.