AWS GuardDuty: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom = probe/attempt OR breach?


I get this AWS GuardDuty warning:

UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

An EC2 instance is making connections to an IP address on a custom threat list.

Default severity: Medium

The above warning seems to imply that an attacker was successful in connecting to the EC2 machine, and started to make connections to an IP address in our configured GuardDuty "malicious IP list". But some places online say that the message means that an IP on the "malicious IP list" only TRIED to connect to it... Another possibility, to me, could be that we have a valid user coming from an IP address in our "naughty list" and getting valid HTTP responses (i.e. maybe some org/ISP/etc made it on the "Malicious IP list" because of some bad users but the actual client, in this case, was maybe just fine).

  • the default severity on this warning is medium... If someone from our denylist is actually connecting to our EC2, this feels like a CRITICAL to me...
  • the message says "An EC2 instance is making connections to an IP address on a custom threat list"; that's what's super concerning to me: present tense, plural!
  • but maybe our HTTP backend server is talking to a good/normal person? Is that one of the possibilities? Can an HTTP response be considered as "making connections"? To me, that would be "no", it's a response, not initiating a new connection... But we've all seen badly worded "warnings" which actually mean something else...

For sure, this alarm made us review and tighten our SecurityGroups, ACLs, etc. And we've shut down the EC2 machine. And I'm still searching in logs to determine exactly what happened. But there's a very important distinction between TRIED/PROBED and SUCCESS. Because if they were actually able to connect, we'll want to look closely at what they might've staged on/from that EC2 machine, and onto the rest of the AWS Account in which the EC2 machine runs... We might even consider rebuilding our AWS account from scratch (something we can't do easily right now, because this is an old account with some things set up pre-"InfrastructureAsCode").

NOTE: the MaliciousIPCaller.Custom IP address list is something we configured in GuardDuty (IP denylists are widely available). And now that the warning triggered, I'm not sure what it EXACTLY means. Anyone know what it EXACTLY means? Were we "probed"? Or did they breach our EC2 and take control of it (before we finally shut it down)? OR could this simply mean that our HTTP server installed on our EC2 machine was talking HTTP to some of our customers [~false positive]? Thanks!

1 Answer

I believe this GuardDuty alert is specifically for the EC2 initiating the outbound connection to a malicious IP rather than responding to an inbound one. I would operate on the assumption that the instance is compromised until you determine that it is not. Isolate the instance and investigate.
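The finding itself records which side opened the connection, so the probe-versus-breach question does not have to be settled from the one-line description. A GuardDuty network finding carries `service.action.networkConnectionAction.connectionDirection` (OUTBOUND or INBOUND), the remote IP and both ports, a `blocked` flag, and for the `.Custom` variants the matching list under `service.additionalInfo.threatListName`. The script below is an added example, not code from the question, the answer, or AWS: it reads a finding in the camelCase shape EventBridge delivers, classifies it, and builds a CloudWatch Logs filter for the default VPC Flow Logs format so the matching flows (and their ACCEPT/REJECT action) can be pulled. The two sample findings are constructed; every instance ID, IP, port and list name in them is made up.

```python
import json

# Constructed finding events in the EventBridge "GuardDuty Finding" shape.
# Field names follow the real finding schema; all values are invented.
OUTBOUND_EVENT = json.dumps({
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "OUTBOUND",
                    "blocked": False,
                    "protocol": "TCP",
                    "localPortDetails": {"port": 51372, "portName": "Unknown"},
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                    "remotePortDetails": {"port": 443, "portName": "HTTPS"},
                },
            },
            "additionalInfo": {"threatListName": "example-denylist"},
            "count": 7,
        },
    },
})

# Same instance, but the listed IP connected in to the web server on port 80.
INBOUND_EVENT = OUTBOUND_EVENT.replace('"OUTBOUND"', '"INBOUND"') \
    .replace('"port": 51372', '"port": 80') \
    .replace('"port": 443, "portName": "HTTPS"', '"port": 40231, "portName": "Unknown"')


def triage(event_json: str) -> dict:
    """Extract the direction/endpoints from a finding and say what it implies."""
    detail = json.loads(event_json)["detail"]
    service = detail["service"]
    action = service["action"]
    result = {
        "finding_type": detail["type"],
        "instance_id": detail["resource"]["instanceDetails"]["instanceId"],
        "threat_list": service.get("additionalInfo", {}).get("threatListName"),
        "count": service.get("count", 1),
    }
    # MaliciousIPCaller for IAM users is an AWS_API_CALL action, not a connection.
    if action.get("actionType") != "NETWORK_CONNECTION":
        result.update(direction="N/A",
                      verdict="not a network finding; inspect action.actionType")
        return result
    nca = action["networkConnectionAction"]
    result.update(
        direction=nca.get("connectionDirection", "UNKNOWN"),
        blocked=bool(nca.get("blocked", False)),
        protocol=nca.get("protocol"),
        remote_ip=nca["remoteIpDetails"].get("ipAddressV4"),
        remote_port=nca["remotePortDetails"]["port"],
        local_port=nca["localPortDetails"]["port"],
    )
    if result["direction"] == "OUTBOUND":
        result["verdict"] = ("instance initiated the connection to the listed IP; "
                             "treat the instance as compromised until proven otherwise")
    elif result["direction"] == "INBOUND" and result["blocked"]:
        result["verdict"] = "listed IP probed the instance and the connection was blocked"
    elif result["direction"] == "INBOUND":
        result["verdict"] = (f"listed IP connected in to local port {result['local_port']}; "
                             "if that is an exposed service this may be ordinary client traffic")
    else:
        result["verdict"] = "direction not recorded; correlate with VPC Flow Logs"
    return result


def flow_log_filter(t: dict) -> str:
    """CloudWatch Logs filter pattern for the default (version 2) flow log format.

    Assumes the default 14-field layout. REJECT rows mean a security group or
    NACL stopped it (a probe); ACCEPT rows mean packets actually flowed.
    """
    if t["direction"] == "OUTBOUND":
        cond = f'dst="{t["remote_ip"]}", srcport, dstport={t["remote_port"]}'
        return ("[version, account, eni, src, " + cond +
                ", protocol, packets, bytes, start, end, action, status]")
    cond = f'src="{t["remote_ip"]}", dst, srcport, dstport={t["local_port"]}'
    return ("[version, account, eni, " + cond +
            ", protocol, packets, bytes, start, end, action, status]")


if __name__ == "__main__":
    for ev in (OUTBOUND_EVENT, INBOUND_EVENT):
        t = triage(ev)
        print(t["direction"], "->", t["verdict"])
        print("  flow log filter:", flow_log_filter(t))
```

The finding's `count` tells you how many times the connection was seen in the aggregation window, which is what the plural "making connections" in the description refers to. The same fields are available from `aws guardduty get-findings` in PascalCase (`Service.Action.NetworkConnectionAction.ConnectionDirection`), so the logic transfers; only the key spelling changes.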