AWS re/Start Lab · Security

Malware Protection Using an AWS Network Firewall

This lab focuses on hardening a network perimeter against malware threats. Specifically, it updates an AWS Network Firewall policy with a stateful rule group that blocks attempts to download files from URLs known to host malware.

Lab Summary

Remediated the risk by changing the initial AWS Network Firewall configuration: created a stateful rule group of Suricata-compatible IPS rules that drop connections to known malicious URLs, so the downloads never complete.

Firewall Configuration

Changed the default stateless actions of the active firewall policy to Forward to stateful rule groups, so packets the stateless rules do not decide on are handed to the stateful engine for deeper inspection.

Malware Blocking Execution

Wrote Suricata-compatible rules that inspect outbound HTTP requests and drop any request whose URI contains one of the known malicious paths, so the malware file is never fetched.

Step-by-Step Walkthrough

Steps taken to establish a baseline, change the firewall configuration, and validate the result.

01

Confirm reachability baseline

  • Connected to the pre-configured TestInstance with Session Manager in AWS Systems Manager.
  • Acted as a typical client by running a series of wget commands against malware test files hosted on an external test site (e.g., wicar.org).
  • Confirmed the files downloaded into the instance's working directory, showing the firewall did not yet block this traffic.
02

Inspect the network firewall

  • Navigated to VPC > Network Firewalls and opened the LabFirewall resource.
  • Opened the attached LabFirewallPolicy and edited its Stateless default actions.
  • Set the default action to Forward to stateful rule groups, so packets not matched by a stateless rule are passed to the stateful engine for inspection instead of being allowed or dropped on header fields alone.
03

Create a firewall rule group

  • Created a new Network Firewall rule group of type Stateful, using the Suricata compatible rule string format.
  • Added IPS rules that match outbound HTTP requests whose URI contains one of the malicious paths (e.g., js_crypto_miner.html and java_jre17_exec.html) and drop them.
04

Attach a rule group to the network firewall

  • Opened the LabFirewallPolicy settings to attach the new rule group.
  • Added the created StatefulRuleGroup under the policy's unmanaged stateful rule groups.
05

Validate the solution

  • Reconnected to the TestInstance to repeat the test.
  • Ran the same wget commands as in the baseline.
  • Observed each wget stall at HTTP request sent, awaiting response... until it timed out. The TCP connection still completes, because the firewall cannot see the URI until the request is sent; the drop action then silently discards the matching packets, so the client never receives a response (a reject action would instead reset the connection and fail immediately).
  • Removed the files downloaded during the baseline with rm.
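The same procedure (steps 02 to 05) expressed as an added shell example, not the lab's own code: it builds the Suricata rule string, shows the AWS CLI calls that create the rule group and attach it to the policy, and interprets wget's exit status on the test instance. The rule group name, capacity, sid numbers, the wicar.org paths and the use of jq are assumptions; the AWS CLI functions need credentials and are not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own code: reproduce the lab's changes with the
# AWS CLI and check the result from the test instance. The rule group name,
# capacity, sid numbers, the wicar.org paths and the use of jq are assumptions.
set -eu

# One Suricata drop rule per malicious URI path. `http.uri` restricts the content
# match to the request URI, so the same string elsewhere in the stream does not
# fire the rule; `drop` discards matching packets silently, which is why the
# client hangs instead of seeing a refused connection.
build_rule() {  # usage: build_rule <uri-path> <sid>
  printf 'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Malware download blocked: %s"; flow:to_server,established; http.uri; content:"%s"; nocase; sid:%s; rev:1;)\n' \
    "$1" "$1" "$2"
}

# The full rule string for the lab's two test files (paths assumed from wicar.org).
rules_string() {
  build_rule "/data/js_crypto_miner.html" 1000001
  build_rule "/data/java_jre17_exec.html" 1000002
}

# Step 03: create the stateful rule group (needs AWS credentials; not run here).
create_rule_group() {  # usage: create_rule_group <name>
  aws network-firewall create-rule-group \
    --rule-group-name "$1" --type STATEFUL --capacity 100 \
    --rule-group "{\"RulesSource\":{\"RulesString\":$(rules_string | jq -Rs .)}}"
}

# Steps 02 and 04: forward undecided packets to the stateful engine and attach the
# rule group. update-firewall-policy needs the current update token and the whole
# policy document, so read it, edit it with jq and write it back.
attach_rule_group() {  # usage: attach_rule_group <policy-name> <rule-group-arn>
  local policy token
  policy=$(aws network-firewall describe-firewall-policy --firewall-policy-name "$1")
  token=$(printf '%s' "$policy" | jq -r .UpdateToken)
  aws network-firewall update-firewall-policy \
    --firewall-policy-name "$1" --update-token "$token" \
    --firewall-policy "$(printf '%s' "$policy" | jq -c --arg arn "$2" '.FirewallPolicy
      | .StatelessDefaultActions = ["aws:forward_to_sfe"]
      | .StatelessFragmentDefaultActions = ["aws:forward_to_sfe"]
      | .StatefulRuleGroupReferences += [{"ResourceArn": $arn}]')"
}

# Step 05: interpret wget's documented exit status. 0 means the file downloaded;
# 4 (network failure) is what a dropped request produces once --timeout expires.
classify_wget() {  # usage: classify_wget <exit-status>
  case "$1" in
    0) echo allowed ;;
    4) echo blocked ;;
    *) echo "error($1)" ;;
  esac
}

# Fetch a URL with a bounded wait so a dropped request fails instead of hanging
# forever (run on the TestInstance; not run here).
check_url() {  # usage: check_url <url>
  local rc=0
  wget -q --timeout=10 --tries=1 -O /dev/null "$1" || rc=$?
  classify_wget "$rc"
}
```

HOME_NET defaults to the VPC's CIDR in AWS Network Firewall, so the rule only matches requests leaving the VPC. Because `http.uri` reads the request line, it only works for plaintext HTTP (which is what the wicar.org test URLs use); for HTTPS the firewall sees only the TLS handshake, and the equivalent block would have to match the server name with `tls.sni` unless TLS inspection is configured.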

Command Reference

Quick reference of the Linux CLI commands executed in the terminal.


wget

A non-interactive network downloader used to fetch files from remote sources over HTTP, HTTPS, or FTP.

  • wget <url> : Downloads the specified URL file into the current working directory.

rm

Removes files (and, with -r, directories) from the file system.

  • rm <file1> <file2> : Deletes each listed file; several files can be given as separate arguments, and there is no confirmation prompt unless -i is used.

Key Learnings

What Was Actually Learned

Differences between stateless rules, which check packet headers quickly, and stateful rules, which reassemble flows and inspect packet contents.
How to forward packets not decided by stateless rules into a stateful rule group for targeted inspection.
How to use IPS capabilities through standard open-source Suricata rule syntax.
How dropped packets appear on the endpoint: commands stall waiting for a response instead of failing immediately.

Technical Conclusion

This lab showed that a security perimeter needs more than one layer. A firewall left at its defaults permits this malicious traffic because stateless rules only see packet headers (addresses, ports, protocol, flags) and are optimized for speed; they cannot read the HTTP request and therefore cannot tell a malware download from any other web request.

Extending AWS Network Firewall with Suricata-compatible IPS rules lets an organization identify and drop traffic based on the content of the request, such as a URL known to serve malware, whether the request originates outside the VPC or from a host inside it.