Automating threat detection and blocking suspicious hosts

aws Aug 04, 2020

Overview

At Halodoc, security is of paramount importance. There's no such thing as "being too careful" when it comes to safeguarding resources and data. Though there is no foolproof way to keep attackers out of our network, safeguarding our digital assets, especially if attackers do get in, is our prime responsibility.

Amazon GuardDuty is one of the security services provided by AWS to protect AWS accounts and workloads. It is an intrusion detection tool that combines threat intelligence and machine learning to detect unusual behaviour, such as a site being attacked or compromised, or malicious software getting onto a server.

AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits. It lets us create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns we define.

Integrating Amazon GuardDuty with AWS Web Application Firewall lets us create an automated workflow that monitors suspicious activity in our AWS environment and takes the necessary actions. With this solution, whenever GuardDuty detects suspicious activity, it automatically updates the AWS WAF Web Access Control Lists (WebACLs) and VPC Network Access Control Lists (NACLs) to block communication from the suspicious host and sends a notification to Slack. Since Halodoc's infrastructure is hosted on AWS, this has turned out to be one of the best-suited solutions provided by AWS for automating threat detection and remediation in our AWS environment.

The diagram below explains the workflow in Halodoc once the above solution is successfully deployed.

Workflow

Security findings are generated by GuardDuty. At Halodoc, the frequency of exporting the updated Active findings is set to 6 hours.

A CloudWatch Event is triggered to filter the finding type as mentioned in the template:

  1. If the finding type matches the conditions mentioned in the template, a Lambda function is triggered and the finding is passed to it.
  2. Two Lambda functions are invoked by the CloudWatch Event:

     One checks for an existing host entry in our database (we use Amazon DynamoDB to store the state data for the blocked hosts). If it exists, it makes no change; otherwise it creates a rule inside AWS WAF and in the VPC NACL.

     The second Lambda function runs every hour to remove entries from the WAF IPSets, VPC NACLs, and the DynamoDB table that have crossed the retention period.

  3. It then sends an alert to Slack once the IP is blocked.
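The two Lambda functions described above, as an added Python example that is neither Halodoc's nor AWS's code: it extracts the remote IP from a GuardDuty finding, blocks it once against an in-memory store standing in for DynamoDB, the WAF IPSets and the NACL, and prunes entries that have passed the retention period. The retention value, the never-block ranges and the sample finding are assumptions; the finding field paths follow the GuardDuty finding schema.

```python
import ipaddress
RETENTION_SECONDS = 12 * 3600  # assumed retention; the post does not give Halodoc's value
# Assumption: internal and loopback ranges are never pushed into a public block list
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def remote_ip_from_finding(finding):
    """Remote IP of a GuardDuty finding (the EventBridge 'detail' object), or None."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        nc = action["networkConnectionAction"]
        if nc.get("connectionDirection") == "OUTBOUND":
            return None  # our instance connected out: the remote host is a victim, not an attacker
        ip = nc["remoteIpDetails"]["ipAddress"]
    elif kind == "PORT_PROBE":
        ip = action["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddress"]
    elif kind == "AWS_API_CALL":
        ip = action["awsApiCallAction"]["remoteIpDetails"]["ipAddress"]
    else:
        return None
    addr = ipaddress.ip_address(ip)
    return None if any(addr in net for net in NEVER_BLOCK) else str(addr)

class BlockList:
    """In-memory stand-in for the DynamoDB table plus the WAF IPSet / NACL entries."""
    def __init__(self):
        self.entries = {}  # ip -> timestamp at which it was blocked

    def block(self, finding, now):
        """First Lambda: block the host once, idempotently; returns what happened."""
        ip = remote_ip_from_finding(finding)
        if ip is None:
            return "ignored"
        if ip in self.entries:  # already in DynamoDB: leave WAF and NACL untouched
            return "exists"
        self.entries[ip] = now  # the real function adds the WAF IPSet and NACL DENY rules here
        return "blocked"

    def prune(self, now):
        """Second (hourly) Lambda: drop entries that have crossed the retention period."""
        expired = [ip for ip, t in self.entries.items() if now - t > RETENTION_SECONDS]
        for ip in expired:
            del self.entries[ip]  # and remove the matching WAF IPSet / NACL rules
        return expired

# Constructed sample finding, shaped like an inbound SSH brute-force finding
SAMPLE_FINDING = {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "service": {"action": {
    "actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "INBOUND", "remoteIpDetails": {"ipAddress": "198.51.100.23"}}}}}
```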

Here is a brief overview of the solution implemented at Halodoc for integration with Slack:

  1. Create a CloudFormation stack with the template provided on the AWS official website to enable Slack notifications of the GuardDuty findings.

     Enter the incoming webhook URL, the Slack channel name and the severity level matching your environment as shown below:

  2. Use CloudFormation to create a deployment that integrates Amazon GuardDuty and AWS Web Application Firewall. The template and the Lambda scripts for this deployment are available on the AWS official website.

     • Upload the deployment Lambda scripts to an S3 bucket in the region where the deployment has to be done.
     • Download the template and update the GuardDuty finding types suitable for your environment. The event is triggered based on the GuardDuty findings mentioned here.
     • In the CloudFormation console choose the Select Template option and pick the template that was created in the above step.
     • Provide the following input parameters with the details matching your environment on the Specify Stack Details page.

  3. Once the Lambda function is created, test it by running a test event using the below script:

     The Subnet ID should be the one matching your environment.

     When the test event is run, the output should be as shown below:

  4. Once the test event is executed, the DENY host entry is created in the NACL and also added to the CloudFront WAF IPSet and the ALB WAF IPSet as shown below. Hence we can confirm that the solution is working as designed.

     From the console go to VPC → Subnets → select the subnet that was added in the test script mentioned above and verify that the new entry generated from the test event is created there.

     From the console go to WAF & Shield, click on AWS WAF Classic view and select IP addresses. Select the region in which this solution is deployed and then select the IPSet named GD2ACL ALB IPSet for blacklisted IP addresses. We can see the IP address added to the ALB IPSet as shown below.

Conclusion

We have benefited from Amazon GuardDuty automatically updating AWS Web Application Firewall (AWS WAF) and VPC Network Access Control Lists (NACLs) in response to GuardDuty findings. With just a few steps, you can use this sample solution to help mitigate threats by blocking communication with suspicious hosts.

References

https://aws.amazon.com/blogs/security/how-to-use-amazon-guardduty-and-aws-web-application-firewall-to-automatically-block-suspicious-hosts/
