
Response to malware events

Response to malware events - AMS Advanced User Guide

Amazon EC2 instances are used to host a variety of workloads including third-party software and custom-developed software deployed by application teams within organizations. AMS provides and encourages you to deploy your workloads on images that are patched and maintained on an ongoing basis by AMS.

During the operation of instances, AMS monitors for anomalies in behavior or activity through a variety of security detection controls, including Amazon GuardDuty, Endpoint Protection, Network Traffic, and Amazon internal Threat Intelligence feeds.

AMS customers with the AMS Advanced operating model automatically have the endpoint security (EPS) monitoring client installed on provisioned resources. This makes sure that the resources are monitored and supported 24x7, including the creation of a security incident when an event is detected.

AMS also monitors GuardDuty Malware Findings. These are available on both AMS Advanced and AMS Accelerate, if enabled. See Malware Protection in Amazon GuardDuty for more information.

Note

If you opted for Bring Your Own EPS, then the process for incident response differs from what's outlined on this page. For more information, see the referenced documentation.

When malware is detected, an incident is created and you are notified of the event, followed by updates on any remediation activities performed. AMS Operations investigates; performs data collection, triage, and analysis; then performs containment activities at your direction, followed by post-event analysis.

Phase A: Detect

AMS monitors for events on instances with GuardDuty and the endpoint security (EPS) monitoring client. AMS determines the appropriate enrichment and triage activities to help you make containment or risk acceptance decisions based on the finding or alert type.

Data collection is performed based on the finding type. Data collection involves querying multiple data sources both inside and outside of the affected account to build a picture of the activity observed or the configurations of concern.

AMS performs correlation of the finding with any other alarms and alerts or telemetry from any impacted accounts or AMS threat intelligence platforms.

Phase B: Analyze

After data is collected, it's analyzed to identify any activity or indicators of concern. During this phase of the investigation, AMS partners with you to integrate business and domain knowledge of the instances and workloads to help understand what's expected and what's out of the ordinary.

Some examples of the information provided during the investigation to support internal checks include:

  • Account Information: What account was the malware activity observed on?

  • Instance Details: What instance(s) are implicated with the malware events?

  • Event timestamp: When did the alert trigger?

  • Workload Information: What is running on the instance?

  • Malware details, if relevant: Families of malware and Open Source information about the malware.

  • Users or Role Details: What users or roles are affected by and involved in the activity?

  • Activity Records: What activities are recorded on the instance? These are in the form of CloudWatch events and system events from the instance. Understanding how to read these logs will aid you in the investigation.

  • Network Activity: What endpoints are connecting to the instance, what is the instance connecting to, and what does the traffic analysis show?
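The checklist above maps closely onto the fields of a GuardDuty EC2 malware finding. The following added example (not AMS code or part of this guide) pulls those fields out of a finding so they can be pasted into an incident record: account, instance, first-seen time, IAM role, workload tag, malware families and detected file paths. The finding follows the GuardDuty `Execution:EC2/MaliciousFile` JSON layout, but every value in it (account number, instance, volume, hashes, paths) is a constructed placeholder, and the `severity_label` bands are the Low/Medium/High ranges GuardDuty documents for its numeric severity.

```python
"""Triage helper for a GuardDuty EC2 malware finding (added example, not AMS code)."""
import json
from datetime import datetime, timezone

# Constructed sample in the GuardDuty finding layout; all identifiers are placeholders.
SAMPLE_FINDING = json.dumps({
    "schemaVersion": "2.0",
    "accountId": "111122223333",
    "region": "us-east-1",
    "type": "Execution:EC2/MaliciousFile",
    "severity": 8,
    "resource": {
        "resourceType": "Instance",
        "instanceDetails": {
            "instanceId": "i-0123456789abcdef0",
            "iamInstanceProfile": {"arn": "arn:aws:iam::111122223333:instance-profile/app-role"},
            "networkInterfaces": [{"privateIpAddress": "10.0.1.25", "vpcId": "vpc-0example"}],
            "tags": [{"key": "Workload", "value": "payments-api"}],
        },
    },
    "service": {
        "eventFirstSeen": "2025-01-15T10:03:21.000Z",
        "eventLastSeen": "2025-01-15T10:03:21.000Z",
        "ebsVolumeScanDetails": {
            "scanId": "scan-example",
            "scanDetections": {
                "threatsDetectedItemCount": {"files": 2},
                "highestSeverityThreatDetails": {"severity": "HIGH", "threatName": "Trojan.Linux.Generic", "count": 2},
                "threatDetectedByName": {
                    "itemCount": 2, "uniqueThreatNameCount": 1, "shortened": False,
                    "threatNames": [{
                        "name": "Trojan.Linux.Generic", "severity": "HIGH", "itemCount": 2,
                        "filePaths": [
                            {"filePath": "/tmp/.cache/updater", "fileName": "updater", "hash": "PLACEHOLDER_SHA256_1",
                             "volumeArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0example"},
                            {"filePath": "/var/tmp/loader.sh", "fileName": "loader.sh", "hash": "PLACEHOLDER_SHA256_2",
                             "volumeArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0example"},
                        ],
                    }],
                },
            },
        },
    },
})


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its console band (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9)."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def triage_malware_finding(raw: str) -> dict:
    """Extract the investigation checklist fields from one GuardDuty finding JSON document."""
    finding = json.loads(raw)
    details = finding.get("resource", {}).get("instanceDetails", {})
    detections = finding.get("service", {}).get("ebsVolumeScanDetails", {}).get("scanDetections", {})
    by_name = detections.get("threatDetectedByName", {})
    threats = by_name.get("threatNames", [])
    tags = {t["key"]: t["value"] for t in details.get("tags", [])}
    # GuardDuty timestamps end in "Z"; parse explicitly so this works on Python < 3.11 too.
    first_seen = datetime.strptime(finding["service"]["eventFirstSeen"],
                                   "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "account_id": finding["accountId"],                      # Account Information
        "region": finding["region"],
        "finding_type": finding["type"],
        "severity": severity_label(float(finding["severity"])),
        "instance_id": details.get("instanceId"),                # Instance Details
        "instance_role": details.get("iamInstanceProfile", {}).get("arn"),  # Role Details
        "workload": tags.get("Workload"),                         # Workload Information
        "event_first_seen": first_seen,                           # Event timestamp
        "malware_families": sorted({t["name"] for t in threats}), # Malware details
        "detected_files": [(p["filePath"], p.get("hash")) for t in threats for p in t.get("filePaths", [])],
        "threat_file_count": detections.get("threatsDetectedItemCount", {}).get("files", 0),
        # "shortened" means GuardDuty truncated the list; the full set then needs the scan report.
        "threat_list_truncated": bool(by_name.get("shortened", False)),
    }


if __name__ == "__main__":
    for key, value in triage_malware_finding(SAMPLE_FINDING).items():
        print(f"{key:22} {value}")
```

The `threat_list_truncated` flag is worth surfacing in the ticket: when GuardDuty shortens the threat list, the file paths in the finding are a subset, and the containment scope should not be decided from them alone.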

It's a best practice to be prepared to receive investigation information, and to have a plan for how to contact the appropriate points of contact for accounts, instances, and workloads within your organization. Understanding your network topology and expected connections can help accelerate impact analysis. Knowledge of planned penetration testing in the environment and of recent deployments performed by application owners can also speed up the investigation.

If you determine that the activity is planned and authorized, then the incident is updated and the investigation ends. If compromise is confirmed, then you and AMS determine the appropriate containment plan.

Phase C: Contain and Eradicate

AMS partners with you to determine appropriate containment activities based on the data collected and information known. Containment options include but are not limited to:

  • Preserving data through snapshots

  • Modifying network rules to limit traffic in or out of instances

  • Modifying SCP, IAM user and role policies to limit access

  • Terminating, Suspending or Turning off Instances

  • Terminating any persistent connections

  • Rotating appropriate credentials/keys
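Three of the options above (preserving data through snapshots, modifying network rules, and turning off instances) are commonly carried out together as a single containment step. The following added example, which is not AMS code and not the procedure AMS runs, shows one defensible ordering: isolate network traffic first by swapping the instance into a quarantine security group, then snapshot every attached volume while the instance is still running, then stop (not terminate) it. `contain_instance` takes any object with the boto3 EC2 client methods it calls (`describe_instances`, `modify_instance_attribute`, `create_snapshot`, `stop_instances`), so a real `boto3.client("ec2")` can be passed in; the `FakeEC2` class is a stand-in so the example runs offline, and every instance, volume, security group and incident identifier is a constructed placeholder.

```python
"""EC2 containment step: isolate, snapshot, stop (added example, not AMS code)."""
from datetime import datetime, timezone


def contain_instance(ec2, instance_id: str, quarantine_sg: str, incident_id: str) -> dict:
    """Isolate, snapshot and stop one instance; return an evidence record for the incident."""
    # 1. Record attached volumes and current security groups before changing anything.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if len(instances) != 1:
        raise ValueError(f"expected exactly one instance for {instance_id}, found {len(instances)}")
    inst = instances[0]
    volumes = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
    original_sgs = [g["GroupId"] for g in inst.get("SecurityGroups", [])]

    # 2. Isolate first. Replacing the security groups with a quarantine group that
    #    permits no inbound or outbound traffic cuts persistent connections without
    #    rebooting, so memory-resident evidence survives for forensics.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])

    # 3. Preserve disk state with tagged snapshots while the instance still runs.
    tags = [{"Key": "IncidentId", "Value": incident_id},
            {"Key": "SourceInstance", "Value": instance_id},
            {"Key": "Evidence", "Value": "true"}]
    snapshots = {}
    for vol in volumes:
        snap = ec2.create_snapshot(VolumeId=vol,
                                   Description=f"Forensic snapshot for {incident_id}",
                                   TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
        snapshots[vol] = snap["SnapshotId"]

    # 4. Stop rather than terminate so the root volume and instance metadata remain
    #    available to the investigation; stopping after the snapshot requests keeps
    #    the disk state they capture consistent with what was running.
    ec2.stop_instances(InstanceIds=[instance_id])

    return {
        "incident_id": incident_id,
        "instance_id": instance_id,
        "original_security_groups": original_sgs,
        "quarantine_security_group": quarantine_sg,
        "snapshots": snapshots,
        "contained_at": datetime.now(timezone.utc).isoformat(),
    }


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client that records the calls it receives."""

    def __init__(self, instance_id, volume_ids, security_groups):
        self.calls = []
        self._instance = {
            "InstanceId": instance_id,
            "State": {"Name": "running"},
            "SecurityGroups": [{"GroupId": g, "GroupName": g} for g in security_groups],
            "BlockDeviceMappings": [
                {"DeviceName": f"/dev/sd{chr(ord('f') + n)}", "Ebs": {"VolumeId": v}}
                for n, v in enumerate(volume_ids)
            ],
        }

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        if InstanceIds != [self._instance["InstanceId"]]:
            return {"Reservations": []}
        return {"Reservations": [{"Instances": [dict(self._instance)]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, Groups))
        self._instance["SecurityGroups"] = [{"GroupId": g, "GroupName": g} for g in Groups]
        return {}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": f"snap-{VolumeId[4:]}", "VolumeId": VolumeId, "State": "pending"}

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop_instances", InstanceIds))
        self._instance["State"] = {"Name": "stopping"}
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


def demo():
    """Run the containment step against the fake client with constructed identifiers."""
    ec2 = FakeEC2("i-0123456789abcdef0", ["vol-0aaa", "vol-0bbb"], ["sg-0app", "sg-0ssh"])
    record = contain_instance(ec2, "i-0123456789abcdef0", "sg-0quarantine", "INC-EXAMPLE-001")
    return ec2, record


if __name__ == "__main__":
    _, record = demo()
    print(record)
```

The quarantine security group is assumed to exist already with no rules in either direction; creating it during an incident adds a step at the worst moment. The returned record (original groups, snapshot IDs) is what lets the instance be released or rebuilt later without guessing at its prior configuration.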

If you opt to perform eradication activity against the instance, then AMS supports you in achieving this. Options include, but are not limited to:

  • Removing any unwanted software

  • Rebuilding the instance from a clean fully patched image and redeploying applications and configuration

  • Restoring the instance from a previous backup

  • Deploying applications and services on to another instance within your account that might be suitable to host the workloads

It's important to determine how the malware was delivered and run on the instance before restoration of service to make sure that any additional controls are applied to prevent reoccurrence of the malware on the instance. AMS provides additional insights or information to your forensics partners or teams as necessary to support forensics.

At this point, you work with AMS Operations for the recovery activities. AMS works closely with you to minimize disruption to the workloads and secure the instances.

Post Incident Report

As required, AMS initiates the investigation review process to identify lessons learned. As part of completing a COE, AMS communicates relevant findings to you to help you improve your incident response process.

AMS documents the final details of the investigation, collects appropriate metrics, and reports the incident to AMS internal teams that require information, including your assigned CSDM and CA.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.