Act on Critical Security Findings

Alarms for Critical Security Findings

It is recommended to configure alerts for critical findings: e-mail messages sent via Amazon SNS, or integrations built with AWS Lambda that post to instant messaging services such as Slack.

Centralization of findings and acting on those alarms

Ensure someone in your organization is acting on critical security findings as they are detected. Detective controls such as Amazon GuardDuty only improve your security posture when someone analyzes the findings (at least the critical/high severity findings, as a quick win) and takes action to remediate.

A simple way to centrally visualize the critical security findings, and to simplify the configuration of these alarms for multiple services, is to enable AWS Security Hub to centralize the security findings and configure automatic notifications. There is no cost for the first 10,000 events/account/region/month, and the cost over that free tier is only $0.00003 per event (see pricing below).

If you already have a Security Information and Event Management (SIEM) solution in your organization, you can also send the security findings from Amazon GuardDuty and other sources to the SIEM, and raise alerts from there.
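The Lambda-to-Slack integration and the Security Hub centralization described above, as an added example (not code from the original page or from AWS): a handler that receives the EventBridge "Security Hub Findings - Imported" event, keeps only CRITICAL/HIGH findings still in workflow status NEW, formats a Slack incoming-webhook message per finding, and posts it when a webhook URL is configured. The environment variable name `SLACK_WEBHOOK_URL` and the sample event values are assumptions.

```python
import json
import os
import urllib.request

# ASFF Severity.Label values that should page a human (the page's "critical/high" quick win).
ALERT_SEVERITIES = {"CRITICAL", "HIGH"}


def select_actionable(event):
    """Findings in a 'Security Hub Findings - Imported' event that are CRITICAL/HIGH and still NEW."""
    findings = event.get("detail", {}).get("findings", [])
    return [
        f for f in findings
        if f.get("Severity", {}).get("Label") in ALERT_SEVERITIES
        and f.get("Workflow", {}).get("Status", "NEW") == "NEW"
    ]


def format_slack_message(finding):
    """Build a Slack incoming-webhook payload (plain 'text' field) for one ASFF finding."""
    resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", [])) or "none"
    text = (f"[{finding['Severity']['Label']}] {finding.get('Title', 'untitled')}\n"
            f"Account: {finding.get('AwsAccountId')}  Region: {finding.get('Region')}\n"
            f"Source: {finding.get('ProductName', 'unknown')}  Resources: {resources}\n"
            f"Finding ID: {finding.get('Id')}")
    return {"text": text}


def post_to_slack(payload, webhook_url):
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context=None):
    """Lambda entry point: filter, format, forward. Returns the number of alerts produced."""
    webhook = os.environ.get("SLACK_WEBHOOK_URL")  # assumed variable name; unset -> dry run
    sent = 0
    for finding in select_actionable(event):
        payload = format_slack_message(finding)
        if webhook:
            post_to_slack(payload, webhook)
        sent += 1
    return {"alerts": sent}


# Constructed sample event (shape follows the EventBridge event; all values are made up).
SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "example-finding-1", "Title": "Constructed: instance contacting a command and control server",
         "Severity": {"Label": "HIGH"}, "AwsAccountId": "111122223333", "Region": "us-east-1",
         "ProductName": "GuardDuty", "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"}]},
        {"Id": "example-finding-2", "Title": "Constructed: low severity configuration check",
         "Severity": {"Label": "LOW"}, "AwsAccountId": "111122223333", "Region": "us-east-1",
         "ProductName": "Security Hub", "Workflow": {"Status": "NEW"}, "Resources": []}]}}
```

Wire the function to an EventBridge rule on source `aws.securityhub` so that every imported finding passes through the severity filter before anyone is paged.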

How to react

If you don’t know how to act on these critical findings and you believe your account may be compromised, open a support ticket and engage with the AWS Customer Incident Response Team (AWS CIRT). The CIRT provides free incident response assistance to customers with an active security incident. If you have AWS Enterprise Support, also contact your AWS Technical Account Manager.

Examples of critical findings you should act on immediately

  • Receiving an abuse notification from AWS (which means your account is attacking another AWS customer, and is therefore probably compromised)
  • An exposed access key (via notification or Trusted Advisor)
  • An Amazon GuardDuty critical finding such as connections to a Command & Control server, or a Tor client (which indicates an outgoing connection through the anonymization network, a common indicator of malware presence). More information is available in the GuardDuty documentation.

Risk Mitigation

  • Security controls that identify risks, and detective controls, do not provide additional security unless someone (a human) or something (an automation) takes action to investigate and contain the threats.

Guidance for assessments

  • Is the person or team responsible for this task defined?
  • Are they trained to do the job?
  • Are alarms configured that reach more than one person?
  • Are you centralizing security findings in AWS Security Hub for your whole organization and all your regions?
  • Were you aware of the existence of the AWS CIRT?
  • Can your team differentiate a risk from an active security incident?

Pricing

https://aws.amazon.com/security-hub/pricing
The service has a 30-day free trial period.
The service has a page to verify current usage and estimate future usage.

The AWS Customer Incident Response Team (AWS CIRT) provides FREE support for active security incidents.