Automated Incident Response with SOAR and AWS

Pierre Noujeim, published in System Weakness, Sep 25, 2023


D3 Smart SOAR offers 12 out-of-the-box integrations with Amazon Web Services (AWS) products. These include:

  • AWS CloudTrail
  • AWS CloudWatch
  • AWS EC2
  • AWS ECS
  • AWS EKS
  • AWS S3
  • AWS SQS
  • AWS SSM
  • AWS ECR
  • AWS IAM
  • AWS Security Hub
  • AWS GuardDuty

In this integration spotlight, we will focus on AWS GuardDuty and AWS Elastic Compute Cloud (EC2) to demonstrate how you can use automated playbooks to assist with asset management and incident response.

Manage GuardDuty Findings

With the AWS GuardDuty integration, users can create new detection policies, update watchlists, and archive findings when incidents are resolved. The following is a playbook that updates IOC watchlists based on findings created by active detections:

  1. Fetch Event: The workflow commences by retrieving specific event data that has triggered a GuardDuty alert. This provides detailed information on the nature of the security incident, such as the affected resources and the behaviors that were flagged as suspicious.
  2. Get Detector Details: Next, the workflow queries for details about the GuardDuty detector overseeing the environment where the event occurred. This includes configurations and status, helping analysts to understand the detection capabilities in place at the time of the event.
  3. Update IP Set: The IP Set — essentially a list of known or suspicious IP addresses — is then updated. If the event involves an IP address that needs to be flagged for future monitoring or excluded, it will be added to or removed from the IP Set.
  4. Update Threat Intel Set: Similar to the IP Set, the Threat Intelligence Set is also updated. This is a list of known malicious domains, hashes, and other indicators of compromise (IoCs). Any new IoCs associated with the event are added to improve future threat detection capabilities.
  5. Archive Findings: Finally, the findings that led to the event are archived. This could be because they have been remediated, are false positives, or are non-actionable but need to be stored for compliance or forensic purposes.
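The playbook above, as an added example written against the boto3 call shapes for GuardDuty and S3; it is not D3 Smart SOAR's or AWS's own code. Two points it makes explicit: a GuardDuty threat intel set is a text object in S3, so "updating" it means rewriting that object and then calling the update API so GuardDuty re-reads it, and a watchlist playbook needs guard rails (a severity floor and an internal-address filter) so a finding whose source is a private address never lands on the list. Step 3, the IP set, follows the same pattern with the IP-set calls; note that in GuardDuty an IP set is the trusted-IP list, so adding a finding's source there suppresses findings from it rather than flagging it. The two clients are constructed in-memory fakes so the block runs offline; the severity threshold, finding contents, bucket and set names are assumptions.

```python
# Added example: GuardDuty watchlist playbook (not D3 Smart SOAR's or AWS's code).
# Assumption: gd/s3 stand in for boto3.client("guardduty") / boto3.client("s3").
import io
import ipaddress

MIN_SEVERITY = 4.0  # assumption: tunable; findings below it are archived but not listed

# Addresses that must never go on a threat list; internal ranges would poison it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _finding(fid, severity, ip):
    """Constructed finding in the (trimmed) shape GuardDuty GetFindings returns."""
    return {"Id": fid, "Severity": severity, "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
            "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                                   "NetworkConnectionAction": {"RemoteIpDetails": {"IpAddressV4": ip}}}}}


class FakeS3:
    """Constructed stand-in for the S3 client: one object holding the current threat list."""
    def __init__(self):
        self.objects = {("sec-lists", "threat.txt"): b"198.51.100.9\n"}

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body
        return {}


class FakeGuardDuty:
    """Constructed stand-in for the GuardDuty client with only the calls the playbook uses."""
    def __init__(self):
        self.findings = {"f-001": _finding("f-001", 5.0, "203.0.113.7"),
                         "f-002": _finding("f-002", 2.0, "198.51.100.23"),  # below threshold
                         "f-003": _finding("f-003", 8.0, "10.0.0.5")}       # internal source
        self.threat_sets = {"tiset-1": {"Name": "blocklist", "Status": "ACTIVE",
                                        "Location": "s3://sec-lists/threat.txt"}}
        self.archived = []

    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [self.findings[i] for i in FindingIds]}

    def get_detector(self, DetectorId):
        return {"Status": "ENABLED", "FindingPublishingFrequency": "FIFTEEN_MINUTES"}

    def list_threat_intel_sets(self, DetectorId):
        return {"ThreatIntelSetIds": list(self.threat_sets)}

    def get_threat_intel_set(self, DetectorId, ThreatIntelSetId):
        return dict(self.threat_sets[ThreatIntelSetId], Format="TXT")

    def update_threat_intel_set(self, DetectorId, ThreatIntelSetId, Location, Activate):
        self.threat_sets[ThreatIntelSetId]["Location"] = Location
        return {}

    def archive_findings(self, DetectorId, FindingIds):
        self.archived.extend(FindingIds)
        return {}


def remote_ip(finding):
    """Remote IPv4 of a finding, for the two action types that carry one."""
    action = finding.get("Service", {}).get("Action", {})
    for key in ("NetworkConnectionAction", "AwsApiCallAction"):
        ip = action.get(key, {}).get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    return None


def is_listable(ip):
    """Public addresses only; internal ranges never reach the threat list."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def append_to_list(s3, location, values):
    """Rewrite the S3 list object with new indicators; return the merged, de-duplicated list."""
    bucket, _, key = location[len("s3://"):].partition("/")
    body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode()
    current = [line.strip() for line in body.splitlines() if line.strip()]
    merged = current + [v for v in values if v not in current]
    s3.put_object(Bucket=bucket, Key=key, Body=("\n".join(merged) + "\n").encode())
    return merged


def run_playbook(gd, s3, detector_id, finding_ids):
    """Steps 1, 2, 4 and 5 of the playbook; step 3 (IP set) uses the same pattern."""
    findings = gd.get_findings(DetectorId=detector_id, FindingIds=finding_ids)["Findings"]  # 1
    if gd.get_detector(DetectorId=detector_id)["Status"] != "ENABLED":                        # 2
        raise RuntimeError("detector is not enabled; findings may be stale")
    new_iocs = sorted({ip for f in findings for ip in [remote_ip(f)]
                       if ip and f["Severity"] >= MIN_SEVERITY and is_listable(ip)})
    set_id = gd.list_threat_intel_sets(DetectorId=detector_id)["ThreatIntelSetIds"][0]      # 4
    location = gd.get_threat_intel_set(DetectorId=detector_id, ThreatIntelSetId=set_id)["Location"]
    merged = append_to_list(s3, location, new_iocs)
    # GuardDuty re-reads the object only when the set is updated, so this call is required.
    gd.update_threat_intel_set(DetectorId=detector_id, ThreatIntelSetId=set_id,
                               Location=location, Activate=True)
    archived = [f["Id"] for f in findings]
    gd.archive_findings(DetectorId=detector_id, FindingIds=archived)                          # 5
    return {"added": new_iocs, "list": merged, "archived": archived}


if __name__ == "__main__":
    print(run_playbook(FakeGuardDuty(), FakeS3(), "det-1", ["f-001", "f-002", "f-003"]))
```

Of the three constructed findings only the first reaches the list: the second is below the severity floor and the third originates from an internal address, yet all three are archived, which is the behaviour the fifth step describes.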

Isolate a Compromised EC2 Instance

This workflow aims to secure AWS EC2 instances that may be compromised or under investigation. The playbook works as follows:

  1. Retrieve Instance Details: The playbook collects detailed information about the instance, such as network interface IDs, security group IDs, and more.
  2. Acquire Security Group Information: This step uses the security group IDs from the previous task to fetch details of the Security Group associated with the EC2 instance. This data will include inbound and outbound traffic rules, thereby revealing the network access permissions for the instance.
  3. Initiate Snapshot: Prior to the isolation, a snapshot of the EC2 instance is captured. This serves dual purposes: facilitating forensic analysis and providing a recovery point in case of unintended consequences.
  4. Quarantine Instance: Finally, the EC2 instance is transferred into the “Quarantine” Security Group. This Security Group has been configured with restrictive network rules designed to isolate the instance.
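The four steps above, as an added example against the boto3 EC2 call shapes; it is not D3 Smart SOAR's or AWS's own code. Beyond the steps themselves it adds the checks a responder wants before the swap: the quarantine group is verified to carry no inbound and no outbound rule (a freshly created group gets an allow-all egress rule by default), every network interface is moved rather than only the primary one, the original group assignment and any internet-exposed ports are kept in the returned case record, and a second run on an already isolated instance is a no-op. The EC2 client is a constructed in-memory fake so the block runs offline; the instance, interface, volume and group identifiers are assumptions.

```python
# Added example: EC2 isolation playbook (not D3 Smart SOAR's or AWS's code).
# Assumption: ec2 stands in for boto3.client("ec2"); the fake below is constructed.

OPEN = "0.0.0.0/0"


def _rule(proto, port, cidr):
    """Constructed security-group rule in the shape DescribeSecurityGroups returns."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}


class FakeEC2:
    """Constructed stand-in for the EC2 client with only the calls the playbook uses."""
    def __init__(self):
        self.instance = {
            "InstanceId": "i-0abc", "State": {"Name": "running"},
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-web"}]},
                {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-db"}]}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-1"}}]}
        self.groups = {
            "sg-web": {"GroupId": "sg-web", "IpPermissions": [_rule("tcp", 443, OPEN)],
                       "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": OPEN}]}]},
            "sg-db": {"GroupId": "sg-db", "IpPermissions": [_rule("tcp", 5432, "10.0.0.0/16")],
                      "IpPermissionsEgress": []},
            # a proper quarantine group: no inbound rule and, crucially, no egress rule
            "sg-quarantine": {"GroupId": "sg-quarantine", "IpPermissions": [], "IpPermissionsEgress": []}}
        self.snapshots = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds]}

    def create_snapshots(self, InstanceSpecification, Description, TagSpecifications):
        snaps = [{"SnapshotId": "snap-" + m["Ebs"]["VolumeId"], "VolumeId": m["Ebs"]["VolumeId"]}
                 for m in self.instance["BlockDeviceMappings"]]
        self.snapshots.extend(snaps)
        return {"Snapshots": snaps}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        for eni in self.instance["NetworkInterfaces"]:
            if eni["NetworkInterfaceId"] == NetworkInterfaceId:
                eni["Groups"] = [{"GroupId": g} for g in Groups]
        return {}


def is_isolating(group):
    """A quarantine group must have no inbound and no outbound rules at all."""
    return not group["IpPermissions"] and not group["IpPermissionsEgress"]


def internet_exposed_ports(group):
    """Ports that any inbound rule opens to 0.0.0.0/0, for the case record."""
    return sorted(r["FromPort"] for r in group["IpPermissions"]
                  if any(ipr["CidrIp"] == OPEN for ipr in r["IpRanges"]))


def isolate_instance(ec2, instance_id, quarantine_sg, case_id):
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]  # 1
    original = {e["NetworkInterfaceId"]: [g["GroupId"] for g in e["Groups"]]
                for e in inst["NetworkInterfaces"]}
    sg_ids = sorted({g for gs in original.values() for g in gs} | {quarantine_sg})
    groups = {g["GroupId"]: g
              for g in ec2.describe_security_groups(GroupIds=sg_ids)["SecurityGroups"]}  # 2
    if not is_isolating(groups[quarantine_sg]):
        raise ValueError(f"{quarantine_sg} carries rules; refusing to use it as quarantine")
    if all(gs == [quarantine_sg] for gs in original.values()):
        return {"instance": instance_id, "already_isolated": True}
    snaps = ec2.create_snapshots(  # 3: capture evidence before changing anything
        InstanceSpecification={"InstanceId": instance_id, "ExcludeBootVolume": False},
        Description=f"forensic capture for {case_id}",
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "case", "Value": case_id}]}])["Snapshots"]
    for eni_id in original:  # 4: every interface, not only the primary one
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[quarantine_sg])
    return {"instance": instance_id, "already_isolated": False,
            "original_groups": original,  # kept so the instance can be restored later
            "exposed_ports": {g: internet_exposed_ports(groups[g]) for g in sg_ids if g != quarantine_sg},
            "snapshots": [s["SnapshotId"] for s in snaps]}


if __name__ == "__main__":
    print(isolate_instance(FakeEC2(), "i-0abc", "sg-quarantine", "CASE-1"))
```

The snapshot is taken with the multi-volume call so that every attached EBS volume, boot volume included, is captured in one consistent set before any network change is made; the returned record is what a SOAR case would store so that the analyst can both review what the instance exposed and put the original groups back when the investigation closes.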

Takeaway

D3 Smart SOAR offers a robust suite of AWS integrations, allowing for seamless and automated security operations across a range of AWS services. Specifically focusing on AWS GuardDuty and AWS EC2, we’ve illustrated how automated playbooks can significantly enhance asset management and incident response. Connecting AWS technology with other security tools is where Smart SOAR shines. When used in playbooks along with email, network, and endpoint security tools that are not owned by AWS, security teams can create an integrated technology environment and save crucial time moving between tools to review alerts, retrieve contextual information, and isolate threats.
