New! GuardDuty Malware Protection
Introduction to GuardDuty Malware Protection
In today’s landscape of escalating frequency, scale and complexity of attacks it’s important to use every tool at your disposal to increase your defenses and decrease your attack footprint. AWS has stepped up previously with services such as GuardDuty, Security Hub, and Inspector. GuardDuty provides intelligent threat detection by monitoring your accounts for malicious activity. Now we have a powerful new addition to GuardDuty’s functionality: GuardDuty Malware Protection!
This service automatically triggers on detection of possibly compromised EC2 instances based on leading indicators identified by GuardDuty. Upon triggering, GuardDuty’s compute then scans the affected resource for malware. The service detects malware on both EC2 Instances and containers. No additional software installation is required, and system performance is not affected by this service. There are also protections available for ECS and Kubernetes. In order to use it, the feature must be enabled in GuardDuty (and can be enabled across your AWS Organization!).
In order for GuardDuty to scan for malware and not affect performance, GuardDuty creates a snapshot of the EBS volumes attached to the instance and replica EBS volumes are created in the GuardDuty account to scan. The replica volumes are automatically deleted once the scan is done. If GuardDuty detects malware on the instance, a new finding is generated with details and location.
Features
- No additional software installation is required
- Does not affect system performance
- You can enable or disable malware protection for any account, or region, at any time
- Works for EBS-backed EC2 instances, ECS, and Kubernetes
Setup of the Service
Setting up the service is as simple as checking some boxes. The service can be setup in a single account or via AWS Organizations. If taking this approach, single or multiple accounts can be added. When working with AWS Organizations, the administrator can configure malware scanning for all member accounts. The member accounts will then follow the parent account settings. Member accounts cannot modify settings for this feature from their console.
You can choose to have malware scanning turned on for all existing and new accounts in the organization. Alternatively, selective accounts can be turned on for this feature.
Additionally, inclusion or exclusion tags can be used to further refine what gets scanned. If using inclusion tags, only the instances with the inclusion tag will be scanned. For exclusion tags, only the instances without exclusion tags will be scanned.
How it Works
The flow goes as follows: GuardDuty findings trigger a scan, then the scan reports the findings and results via GuardDuty, which you can process manually or via EventBridge.
When GuardDuty detects an instance exhibiting suspicious behavior, this finding will trigger a malware scan of the instance or container. Before beginning the scan, GuardDuty will take a snapshot of the affected EBS volume, create a new volume from the snapshot, and then scan it utilizing GuardDuty’s compute. The snapshot is tagged with a key of GuardDutyCreated and a value of true. Once the scan is completed, the findings are published and the replica volume and snapshot are deleted. This ensures isolation and not impacting the performance of the affected instance.
Aside from the details available in the GuardDuty console, a CloudWatch log is also added under the log group: /aws/guardduty/malware-scan-events. This contains the triggering findings and scan details.
Important notes:
- The EBS volume must be 1TB or smaller
- GuardDuty will scan volumes that are unencrypted with its own key
- If you are using a customer managed KMS key, the same key will be used for the replica volumes
- If EBS encryption is used, the volume will not be scanned
- A service-linked role is used for EBS access and metadata retrieval
Testing and Validation
The new findings in GuardDuty Malware Protection are of the category ‘Execution’ and value of Malicious or Suspicious File. These findings occur for EC2, ECS, Container, and Kubernetes.
- MaliciousFile: Malware was found on the instance. Remediation should follow either manually or via integration automation through your SIEM.
- SuspiciousFile: While malware may not have been found, files which contain adware, spyware, or dual use tools have been found. Review the findings and determine whether those files or tools are legitimate (e.g., network scanning tools can be used for legitimate purposes or for attack scanning).
Service Value
GuardDuty Malware Protection provides additional value to organizations and coexists with other anti-malware solutions, increasing an organization’s security posture through defense in depth. This defense in depth provides protection where:
- The installation of a software agent may be infeasible, or there may be performance concerns
- There may be unintended gaps of your agent-based antimalware solution — due to gaps in configuration management, change management automation, or even cases of more aggressive malware actively seeking and disabling software-based solutions
- Consumption-based pricing scales with your organization
Extensibility
For those familiar with GuardDuty, findings are emitted via EventBridge, which creates immense capabilities for integration with other systems and organizational processes. GuardDuty Malware Protection also emits events via EventBridge, allowing sending of findings to:
- Service Management (ticketing) systems
- Escalation systems
- SIEMs
- Automated response and recovery playbooks
Extensibility and automation is crucial to ensuring consistently applied response to a finding, measurement of response to findings and, by leveraging automation, an instance can be isolated/destroyed and its memory and storage can be captured for forensic purposes without the need for human intervention.
Conclusion
GuardDuty Malware Protection is a natural extension to GuardDuty as a common step upon identification of leading indicators of malware is to positively identify the presence of malware stored or running in associated compute environments. Its integration with other AWS services, and extensibility via EventBridge serve to make implementation and integration a straightforward exercise with measurable value to your organization’s security posture.
— Jorge Rodriguez, Senior Lead Cloud Engineer, CloudHesive and Patrick Hannah, CTO, CloudHesive