Automating Incident Response in AWS with Guard Duty & Lambda


I had a quick play today automating investigations in response to AWS GuardDuty detections.

Malware > Guard Duty > Lambda Function > Auto Capture and Investigation

Walk-through and sample code below! If you want to test this out yourself, you can now deploy a free trial straight from https://www.cadosecurity.com/free-investigation/

In Guard Duty you can increase how often “repeat alarms” are sent - this is useful for testing (GuardDuty > Settings).


To trigger the Guard Duty alarms, either click “Generate Sample Findings” (GuardDuty > Settings) or run our tool at https://github.com/cado-security/CloudAndContainerCompromiseSimulator


Create a Lambda function that is triggered by GuardDuty in EventBridge. I was pleasantly surprised to find it’s just a couple of clicks to hook it up - no need to mess around with SNS or WebHooks!


For the Lambda function, just get the AWS Instance ID from the event and call the Cado Response API with it:
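The original post showed the Lambda code as an image. The handler below is an added example, not Cado's own sample code: it takes the GuardDuty finding as EventBridge delivers it, pulls `detail.resource.instanceDetails.instanceId`, skips findings that have no EC2 instance behind them (IAM access-key, S3 or EKS findings carry no `instanceDetails`) or fall below a severity threshold, and then POSTs a capture request. The `CADO_URL`, `CADO_TOKEN`, `/api/v2/acquisitions` path, bearer-token header and `MIN_SEVERITY` are placeholders and assumptions, not the documented Cado Response API; the sample event is constructed, not a real finding.

```python
"""Added example: Lambda handler for GuardDuty -> EventBridge -> forensic capture.

The capture endpoint path and auth scheme are placeholders (assumptions), not
the vendor's documented API. Swap in the real call for your forensics tool.
"""
import json
import os
import urllib.request

# Assumed configuration, read from Lambda environment variables (placeholders).
CADO_URL = os.environ.get("CADO_URL", "https://cado.example.invalid")
CADO_TOKEN = os.environ.get("CADO_TOKEN", "REPLACE_ME")
# GuardDuty severities run 0.1-8.9; 4.0 and up is "Medium". Assumed default.
MIN_SEVERITY = float(os.environ.get("MIN_SEVERITY", "4.0"))


def extract_instance_id(event):
    """Return the EC2 instance ID from a GuardDuty EventBridge event, or None.

    Only findings whose resource is an EC2 instance carry instanceDetails;
    access-key, S3-bucket or Kubernetes findings do not, so return None
    instead of letting a KeyError kill the Lambda invocation.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def should_capture(event, min_severity=MIN_SEVERITY):
    """Only acquire for findings at or above the configured severity."""
    sev = event.get("detail", {}).get("severity")
    return sev is not None and float(sev) >= min_severity


def build_capture_request(event):
    """Build the JSON body for the (assumed) capture endpoint, or None to skip."""
    instance_id = extract_instance_id(event)
    if instance_id is None or not should_capture(event):
        return None
    detail = event["detail"]
    return {
        "instance_id": instance_id,
        "region": event.get("region") or detail.get("region"),
        "finding_id": detail.get("id"),
        "finding_type": detail.get("type"),
        "severity": detail.get("severity"),
    }


def post_json(url, token, body):
    """Default HTTP sender; injected so tests and dry runs never touch the network."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context=None, send=post_json):
    """Entry point wired to the EventBridge rule for GuardDuty findings."""
    body = build_capture_request(event)
    if body is None:
        print("GuardDuty finding skipped (no EC2 instance, or below severity threshold)")
        return {"captured": False}
    status = send(f"{CADO_URL}/api/v2/acquisitions", CADO_TOKEN, body)  # placeholder path
    print(f"Capture requested for {body['instance_id']}, HTTP {status}")
    return {"captured": True, "instance_id": body["instance_id"], "status": status}


# Constructed sample event (not a real finding) so the handler can run offline.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "eu-west-1",
    "detail": {
        "schemaVersion": "2.0",
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    # Dry run: print the request instead of sending it.
    dry = lambda url, token, body: print(url, json.dumps(body)) or 202
    print(lambda_handler(SAMPLE_EVENT, send=dry))
```

Keeping the HTTP call behind the `send` parameter lets you exercise the handler with sample findings before pointing it at a live forensics tool, and the `resourceType` check matters in practice: a rule that matches every GuardDuty finding will also deliver IAM and S3 findings, which have nothing to image.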


For ECS Fargate you’ll need the task name, more on that to come…

This took me about 15 minutes to set up. And what you get from that is… about 10 minutes after the GuardDuty alarm fires, Cado goes and collects a full copy of the system before it’s destroyed and hunts through it for logs, malware etc:


You can also enable exporting the GuardDuty logs and the Cado output into an S3 bucket, which you can then e.g. import into Splunk through the Splunk AWS app. We can push out tons of logs for a compromised system if you want them all.


What that means is you now get in your SIEM the original Guard Duty alert from AWS detections on the API & network side of the house, sitting side by side with the on-disk detections, logs, even full file string contents if you want it.

More on this @ https://www.cadosecurity.com/how-to-add-forensics-to-your-siem-and-start-automating-investigations/



Adam Orton

Head of Cyber Threat Intelligence and Threat Hunting

3y

Chanaka Seekkuge LLM MSc CEng MIET CISSP EnCE
