Introduction
This document describes the out-of-the-box use cases supported by integrating Recorded Future as a threat intelligence detection source in Amazon GuardDuty. With this integration, Amazon GuardDuty users can incorporate Recorded Future to:
- Detect potential threats and malicious traffic in the network before impact by correlating against telemetry data.
- Reduce time to verdict and risk to the organization.
- Increase efficiency by passing generated findings through Amazon CloudWatch Events and AWS Lambda to set up automated preventative actions.
For detailed information on how to install and configure the integration, please refer to the installation guide found here. Click here to get the Recorded Future CloudFormation template, which is needed to complete the Recorded Future for GuardDuty installation (see page 3 of the installation guide). To see the integration with Recorded Future data, click here; the link opens in Recorded Future University.
Threat Detection Use Cases
COVID-19
To identify IPs in your AWS environment that have been identified as being leveraged in COVID-19 related lures, please enable the following Risk List within Amazon GuardDuty:
- covid_resolved_ips
The set of IPs is derived from the COVID-19 Related Domain Lure: Malicious Risk Rule. Our Security Intelligence Platform automatically checks these domains against allowlists, evaluates the domains for technical evidence of maliciousness, and isolates the small fraction of these domains that are convicted as lures. The IPs are generated by cross-referencing the IPs the malicious domains resolve to with the Risk Lists categorized as Very Malicious, Malicious, and Suspicious. Detections of these IPs indicate potential malicious activity associated with COVID-19.
High Fidelity Malicious IPs
To identify high fidelity malicious IPs in your AWS environment, please enable the following Risk Lists within Amazon GuardDuty:
- recent_insikt_group_riskrule
- recent_intrusion_method_riskrule
- c2_communicating_scf_ips
The three Risk Lists above all contain high fidelity indicators associated with confirmed attacks, each from a different perspective. The Recent Insikt Group Risk Rule provides human-validated indicators that have been associated with Analyst Notes published by Insikt Group, the Recorded Future research team. The Recent Intrusion Method Risk Rule provides IPs determined to be associated with execution; this can include being directly associated with malware families, vulnerabilities, or attack vectors. Lastly, the Recently Active C&C Server Security Control Feed provides IPs with recently confirmed C2 communications with infected machines or adversary control, as observed by Recorded Future Network Traffic Analysis. These three lists are highly vetted and considered high risk in any environment.
Phishing
To identify connections to known phishing hosts in your AWS environment, please enable the following Risk List within Amazon GuardDuty:
- phishing_host_riskrule
This list contains IPs that have been confirmed to host known phishing sites. Alerting on these IPs enables proactive detection of phishing activity.
Insider Threat / Policy Violations / Advanced Adversary
To identify connections to known TOR nodes, open proxies, and APT-linked infrastructure in your AWS environment, please enable the following Risk Lists within Amazon GuardDuty:
- tor_node_riskrule
- open_proxy_riskrule
- linked_to_apt_riskrule
These lists can be used to identify three primary types of activity: policy violations, insider threats, and advanced adversaries. The most common type of activity identified with these Risk Lists is policy violations by employees. If a malicious insider is attempting to exfiltrate data, they may try to cover their tracks by moving the data through the TOR network, and an advanced adversary may use the same logic to hide their activities. If policy violations are not of interest, the TOR list may have a higher false positive rate.
Connecting to open proxies is not common practice in an enterprise environment. Open proxies are commonly used in post-compromise situations by malicious actors as a way to move laterally in your environment or to get out of the environment without detection, since this evades the existing proxy infrastructure.
Another way to identify advanced adversaries in your environment is via the Linked to APT Risk List, which contains IPs that have recently been linked to a nation-state sponsored threat actor. An Advanced Persistent Threat group is likely to use the same infrastructure for an extended period of time. Instead of changing their core infrastructure, APT groups will usually change techniques to evade detection, as this is usually the cheaper alternative for the group.
Score-based detection
To identify connections to IPs that have a high Risk Score, please enable the following Risk Lists within Amazon GuardDuty:
- ip_risklist_gte_90
- ip_risklist_gt_65
This approach is less tailored to specific use cases and is a great starting point for those new to threat intelligence. We support two different score-based Risk Lists within the GuardDuty integration, which allows for flexibility in approach.
The ip_risklist_gt_65 list includes all IPs that have been identified as malicious or very malicious with a Risk Score over 65. Enabling this Risk List provides more coverage over a greater variety of threats but may have a higher false positive rate. As you respond to alerts over time, you may find that some types of indicators are more likely to be false positives in your environment, depending on the Risk Lists that produced them. We recommend keeping track of the Risk Rules associated with the incidents in your environment, as it may be advantageous to evolve into a more use-case-based approach in the long term.
The ip_risklist_gte_90 list includes all IPs that have been identified as very malicious with a Risk Score of 90 or higher. These indicators are typically confirmed to be associated with command and control activity and are therefore considered very high risk to your organization. This Risk List gives you coverage against the worst of the worst in threat intelligence. The natural progression is to advance your GuardDuty integration by adding more Risk Lists over time to achieve specific use cases at a lower Risk Score threshold.
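As an added example (not code from Recorded Future or the integration itself), the Lambda-side triage logic the introduction alludes to: it maps the Risk List that matched a GuardDuty finding to the use case and action described in this guide, and keeps the per-Risk-List tally recommended above for spotting lists that generate false positives in your environment. The finding field paths (detail.service.additionalInfo.threatListName) are assumed from the GuardDuty finding format as delivered through CloudWatch Events; the sample events are constructed.

```python
"""Triage GuardDuty findings by the Recorded Future Risk List that matched (example code)."""
from collections import Counter

# Use case and suggested response per Risk List, following this guide's descriptions.
# The gt_65 list is flagged "review" only, because the guide notes its higher false positive rate.
USE_CASES = {
    "recent_insikt_group_riskrule": ("high-fidelity", "quarantine-candidate"),
    "recent_intrusion_method_riskrule": ("high-fidelity", "quarantine-candidate"),
    "c2_communicating_scf_ips": ("high-fidelity", "quarantine-candidate"),
    "phishing_host_riskrule": ("phishing", "block-and-review"),
    "tor_node_riskrule": ("policy/insider", "review"),
    "open_proxy_riskrule": ("policy/insider", "review"),
    "linked_to_apt_riskrule": ("advanced-adversary", "quarantine-candidate"),
    "covid_resolved_ips": ("covid-lure", "block-and-review"),
    "ip_risklist_gte_90": ("score>=90", "quarantine-candidate"),
    "ip_risklist_gt_65": ("score>65", "review"),
}


def triage(event):
    """Return (risk_list, use_case, action) for one CloudWatch Events GuardDuty event.

    Findings that did not come from one of the Risk Lists above are ignored here;
    they are still GuardDuty findings, just not Recorded Future matches.
    """
    # Assumed field path: detail.service.additionalInfo.threatListName holds the custom list name.
    info = event.get("detail", {}).get("service", {}).get("additionalInfo", {})
    risk_list = info.get("threatListName", "")
    if risk_list not in USE_CASES:
        return (risk_list, "unknown", "ignore")
    use_case, action = USE_CASES[risk_list]
    return (risk_list, use_case, action)


def risk_list_tally(events):
    """Count Recorded Future findings per Risk List; a list that keeps firing on traffic you
    later judge benign is a candidate to disable or replace with a use-case list."""
    return Counter(triage(e)[0] for e in events if triage(e)[2] != "ignore")


def make_event(finding_type, threat_list):
    """Constructed sample event in the CloudWatch Events envelope (not a real finding)."""
    return {"detail": {"type": finding_type, "severity": 8,
                       "service": {"additionalInfo": {"threatListName": threat_list}}}}


SAMPLE_EVENTS = [
    make_event("UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "c2_communicating_scf_ips"),
    make_event("UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "tor_node_riskrule"),
    make_event("UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "tor_node_riskrule"),
    make_event("Recon:EC2/PortProbeUnprotectedPort", ""),  # built-in GuardDuty finding, no list
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
    print(risk_list_tally(SAMPLE_EVENTS))
```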
*Details on the Risk Rules that ultimately populate the Risk Lists can be found here.