Leadline Inc.
Control Requirements

COM-08: Quarterly Internal Network Scans

Implementation of quarterly internal network vulnerability scanning and remediation tracking using AWS GuardDuty

Control Description

On a quarterly basis, internal network scans are performed to detect new and unknown vulnerabilities. Remediation of all critical/high vulnerabilities is tracked within a ticketing system and is completed within X business days.

Plain Meaning

This control requires conducting comprehensive vulnerability scans of the internal network every three months to identify security weaknesses. When critical or high-severity vulnerabilities are found, they must be documented in a ticketing system and fixed within a specified timeframe. The process should be systematic and trackable to ensure all identified issues are properly addressed.

Implementation with AWS GuardDuty

Primary Solution: AWS GuardDuty

We utilize AWS GuardDuty as our primary internal network scanning and threat detection solution. GuardDuty provides continuous monitoring and automated threat detection across our AWS infrastructure, including the VPC network components detailed in COM-06.

GuardDuty Capabilities for Network Scanning

1. VPC Flow Log Analysis

  • Continuous Monitoring: Analyzes VPC Flow Logs for suspicious network activity
  • Anomaly Detection: Identifies unusual traffic patterns and potential threats
  • Geographic Analysis: Detects traffic from suspicious geographic locations
  • Port Scanning Detection: Identifies potential reconnaissance activities

2. DNS Query Analysis

  • Malicious Domain Detection: Identifies communication with known malicious domains
  • Data Exfiltration: Detects potential data exfiltration attempts
  • Command & Control: Identifies C2 communication patterns
  • DNS Tunneling: Detects DNS-based data exfiltration

3. CloudTrail Analysis

  • API Anomalies: Detects unusual API calls and access patterns
  • Privilege Escalation: Identifies potential privilege escalation attempts
  • Resource Hijacking: Detects unauthorized resource access
  • Account Compromise: Identifies suspicious account activities

Quarterly Scanning Schedule

Q1 (January-March)

  • Week 1: Full network scan initiation
  • Week 2: Analysis and prioritization of findings
  • Week 3: Remediation planning and ticketing
  • Week 4: Progress review and escalation

Q2 (April-June)

  • Week 1: Full network scan initiation
  • Week 2: Analysis and prioritization of findings
  • Week 3: Remediation planning and ticketing
  • Week 4: Progress review and escalation

Q3 (July-September)

  • Week 1: Full network scan initiation
  • Week 2: Analysis and prioritization of findings
  • Week 3: Remediation planning and ticketing
  • Week 4: Progress review and escalation

Q4 (October-December)

  • Week 1: Full network scan initiation
  • Week 2: Analysis and prioritization of findings
  • Week 3: Remediation planning and ticketing
  • Week 4: Annual review and planning for next year

GuardDuty Configuration

Detection Settings

{
  "guardduty": {
    "enabled": true,
    "detectorId": "detector-1234567890",
    "findingsPublishingFrequency": "FIFTEEN_MINUTES",
    "dataSources": {
      "s3Logs": {
        "enable": true
      },
      "kubernetes": {
        "auditLogs": {
          "enable": true
        }
      },
      "malwareProtection": {
        "scanEc2InstanceWithFindings": {
          "ebsVolumes": {
            "enable": true
          }
        }
      }
    }
  }
}

VPC Flow Logs Integration

  • Enabled: All subnets have VPC Flow Logs enabled
  • Retention: 90 days for analysis and compliance
  • Destination: CloudWatch Logs for GuardDuty analysis
  • Filtering: Custom filters for specific traffic patterns
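The settings above are only evidence of the control if the live detector still matches them, so a configuration-drift check belongs with the quarterly evidence collection. The script below is an added example, not Leadline's own tooling: it compares a detector description against the baseline from the Detection Settings section. The input shape assumed is the response of boto3's guardduty `get_detector` call (field names such as FindingPublishingFrequency and the DataSources block are the SDK's, and should be verified against your SDK version); the sample response is constructed for offline use and deliberately drifts in two places.

```python
"""Check a GuardDuty detector description against the COM-08 baseline.

Added example (not Leadline's code). The baseline mirrors the Detection
Settings JSON in this control; the input shape is assumed to be the
boto3 guardduty.get_detector response. The sample below is constructed.
"""
from typing import Dict, List, Tuple

# Baseline derived from the Detection Settings section of this control.
EXPECTED_FREQUENCY = "FIFTEEN_MINUTES"
EXPECTED_SOURCES: Dict[str, Tuple[str, ...]] = {
    # label -> path into the get_detector response's DataSources block
    "VPC Flow Logs": ("FlowLogs",),
    "DNS logs": ("DNSLogs",),
    "CloudTrail": ("CloudTrail",),
    "S3 data events": ("S3Logs",),
    "EKS audit logs": ("Kubernetes", "AuditLogs"),
    "Malware Protection (EBS)": ("MalwareProtection", "ScanEc2InstanceWithFindings", "EbsVolumes"),
}


def _status_at(data_sources: Dict, path: Tuple[str, ...]) -> str:
    """Walk the nested DataSources block; a missing key reads as MISSING."""
    node = data_sources
    for key in path:
        node = node.get(key, {})
    return node.get("Status", "MISSING")


def audit_detector(detector: Dict) -> List[str]:
    """Return the deviations from the baseline (an empty list means compliant)."""
    issues: List[str] = []
    if detector.get("Status") != "ENABLED":
        issues.append("detector is not ENABLED")
    freq = detector.get("FindingPublishingFrequency")
    if freq != EXPECTED_FREQUENCY:
        issues.append(f"finding publishing frequency is {freq}, expected {EXPECTED_FREQUENCY}")
    sources = detector.get("DataSources", {})
    for label, path in EXPECTED_SOURCES.items():
        status = _status_at(sources, path)
        if status != "ENABLED":
            issues.append(f"{label} is {status}")
    return issues


def audit_live_detector(detector_id: str, region: str = "us-east-1") -> List[str]:
    """Fetch the real detector with boto3 and audit it (needs AWS credentials)."""
    import boto3  # imported here so the offline parts of this module need no SDK
    client = boto3.client("guardduty", region_name=region)
    return audit_detector(client.get_detector(DetectorId=detector_id))


# Constructed sample in the assumed get_detector response shape: S3 logging
# has been switched off and findings are published hourly, so it drifts.
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "FindingPublishingFrequency": "ONE_HOUR",
    "DataSources": {
        "CloudTrail": {"Status": "ENABLED"},
        "DNSLogs": {"Status": "ENABLED"},
        "FlowLogs": {"Status": "ENABLED"},
        "S3Logs": {"Status": "DISABLED"},
        "Kubernetes": {"AuditLogs": {"Status": "ENABLED"}},
        "MalwareProtection": {
            "ScanEc2InstanceWithFindings": {"EbsVolumes": {"Status": "ENABLED"}}
        },
    },
}

if __name__ == "__main__":
    for issue in audit_detector(SAMPLE_DETECTOR):
        print("DRIFT:", issue)
```

Run it against the live detector with `audit_live_detector("<detector id from the console>")` from a host that has read access to GuardDuty; an empty result is the configuration evidence for the quarter, a non-empty one is a Medium "configuration drift" finding under the classification that follows.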

Finding Severity Classification

Critical Findings (Remediation: 24 hours)

  • Active malware infections
  • Confirmed data exfiltration attempts
  • Privilege escalation activities
  • Unauthorized administrative access

High Severity Findings (Remediation: 72 hours)

  • Suspicious network connections
  • Unusual API activity patterns
  • Potential reconnaissance activities
  • Geographic anomalies

Medium Severity Findings (Remediation: 1 week)

  • Unusual traffic patterns
  • Suspicious DNS queries
  • Potential policy violations
  • Configuration drift

Low Severity Findings (Remediation: 2 weeks)

  • Informational alerts
  • Baseline deviations
  • Minor configuration issues
  • False positives

Ticketing System Integration

Jira Integration

  • Project: Security Operations
  • Issue Type: Vulnerability
  • Custom Fields:
    • Severity Level
    • AWS Resource ID
    • Finding Type
    • Remediation Deadline
    • Assigned Team

Automated Ticketing Workflow

  1. GuardDuty Finding: Detected by continuous monitoring
  2. Severity Assessment: Automated classification based on GuardDuty severity
  3. Ticket Creation: Automatic Jira ticket creation with findings details
  4. Assignment: Automatic assignment to appropriate team
  5. Tracking: Progress tracking and deadline monitoring
  6. Closure: Verification and ticket closure upon remediation
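The severity classification and the automated ticketing workflow above are the two steps a practitioner has to actually implement, so here is an added example of them in code; it is not Leadline's own automation. GuardDuty emits threat-detection findings carrying a numeric severity rather than vulnerability scan results, so the classification step maps that number onto the control's four levels. Assumptions: the numeric bands used are GuardDuty's documented ones (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), the team-routing table is hypothetical, and the finding is a constructed sample in the GuardDuty finding JSON layout. The `is_overdue` check also serves the deadline monitoring described under Remediation Tracking.

```python
"""Classify a GuardDuty finding and build the Jira ticket COM-08 calls for.

Added example, not Leadline's automation. Assumptions: GuardDuty's numeric
severity bands, the hypothetical team-routing table, and a constructed
sample finding laid out like GuardDuty's finding JSON.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict

# Remediation windows from the Finding Severity Classification section.
REMEDIATION_WINDOW = {
    "Critical": timedelta(hours=24),
    "High": timedelta(hours=72),
    "Medium": timedelta(weeks=1),
    "Low": timedelta(weeks=2),
}

# Hypothetical routing table: which team owns which resource type.
TEAM_FOR_RESOURCE = {
    "Instance": "Platform Engineering",
    "AccessKey": "Identity & Access",
}
DEFAULT_TEAM = "Security Operations"


def classify(severity: float) -> str:
    """Map GuardDuty's numeric severity onto the control's four levels."""
    if severity >= 9.0:
        return "Critical"
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def resource_id(finding: Dict) -> str:
    """Pull the most useful identifier out of the finding's Resource block."""
    res = finding.get("Resource", {})
    return (res.get("InstanceDetails", {}).get("InstanceId")
            or res.get("AccessKeyDetails", {}).get("UserName")
            or "unknown")


def build_ticket(finding: Dict, detected_at: datetime) -> Dict:
    """Produce the Jira issue fields listed under Jira Integration."""
    level = classify(float(finding["Severity"]))
    deadline = detected_at + REMEDIATION_WINDOW[level]
    resource_type = finding.get("Resource", {}).get("ResourceType")
    return {
        "project": "Security Operations",
        "issuetype": "Vulnerability",
        "summary": f"[{level}] {finding.get('Title', finding['Type'])}",
        # Jira's REST API keys custom fields as customfield_NNNNN; the
        # names are used here for readability and must be mapped per instance.
        "Severity Level": level,
        "AWS Resource ID": resource_id(finding),
        "Finding Type": finding["Type"],
        "Remediation Deadline": deadline.isoformat(),
        "Assigned Team": TEAM_FOR_RESOURCE.get(resource_type, DEFAULT_TEAM),
        "GuardDuty Finding ID": finding["Id"],
    }


def is_overdue(ticket: Dict, now: datetime) -> bool:
    """Deadline monitoring for the Remediation Tracking section."""
    return now > datetime.fromisoformat(ticket["Remediation Deadline"])


# Constructed sample finding: an instance talking to a known C2 domain.
SAMPLE_FINDING = {
    "Id": "EXAMPLE-FINDING-ID",
    "Type": "Backdoor:EC2/C&CActivity.B!DNS",
    "Title": "EC2 instance queried a domain associated with a C2 server.",
    "Severity": 8.0,
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {"InstanceId": "i-0example1234567890"},
    },
}
DETECTED_AT = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ticket = build_ticket(SAMPLE_FINDING, DETECTED_AT)
    for key, value in ticket.items():
        print(f"{key}: {value}")
    print("overdue now?", is_overdue(ticket, datetime.now(timezone.utc)))
```

Wire `build_ticket` behind the EventBridge rule that receives GuardDuty findings and the resulting dict becomes the body of the Jira issue-creation call; `is_overdue` run on a schedule over open tickets produces the escalation list.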

Remediation Tracking

Critical Vulnerabilities (24 hours)

  • Escalation: Immediate notification to security team
  • Status Updates: Hourly progress updates
  • Management Review: Daily management review until resolved
  • Post-Incident: Detailed post-incident analysis

High Vulnerabilities (72 hours)

  • Daily Updates: Daily progress updates
  • Team Coordination: Cross-team coordination as needed
  • Documentation: Detailed remediation documentation
  • Verification: Post-remediation verification

Medium/Low Vulnerabilities (1-2 weeks)

  • Weekly Reviews: Weekly progress reviews
  • Resource Allocation: Appropriate resource allocation
  • Documentation: Standard remediation documentation
  • Verification: Post-remediation verification

Reporting and Compliance

Quarterly Reports

  • Executive Summary: High-level findings and trends
  • Detailed Findings: Complete list of all findings
  • Remediation Status: Progress on vulnerability remediation
  • Risk Assessment: Updated risk assessment based on findings
  • Recommendations: Strategic recommendations for improvement

Compliance Evidence

  • GuardDuty Logs: Complete logs for audit purposes
  • Ticketing Records: Jira tickets with full remediation history
  • Remediation Documentation: Detailed remediation procedures
  • Verification Records: Post-remediation verification evidence
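The quarterly report and the compliance evidence both come down to one question per quarter: how many findings were raised, and did every critical/high one close inside its window. The script below is an added example, not Leadline's reporting code: it buckets tickets into the calendar quarters of the scanning schedule and computes the remediation-status figures. The ticket records are constructed samples carrying the Jira fields this control defines (severity, detection time, deadline, resolution time); a real run would pull them from Jira.

```python
"""Quarterly remediation summary for COM-08.

Added example, not Leadline's reporting code. Tickets are constructed
sample records shaped like the Jira fields this control defines.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List


def quarter_of(ts: datetime) -> str:
    """Q1 = Jan-Mar ... Q4 = Oct-Dec, matching the Quarterly Scanning Schedule."""
    return f"Q{(ts.month - 1) // 3 + 1} {ts.year}"


def quarterly_report(tickets: List[Dict], quarter: str, as_of: datetime) -> Dict:
    """Summarise one quarter's findings and critical/high SLA performance."""
    in_scope = [t for t in tickets if quarter_of(t["detected"]) == quarter]
    tracked = [t for t in in_scope if t["severity"] in ("Critical", "High")]
    met = [t for t in tracked
           if t["resolved"] is not None and t["resolved"] <= t["deadline"]]
    overdue = [t for t in tracked if t["resolved"] is None and as_of > t["deadline"]]
    # Only tickets with a determined outcome count toward the rate: resolved
    # ones, or open ones already past their deadline.
    decided = [t for t in tracked if t["resolved"] is not None or as_of > t["deadline"]]
    return {
        "quarter": quarter,
        "total_findings": len(in_scope),
        "by_severity": dict(Counter(t["severity"] for t in in_scope)),
        "open": sum(1 for t in in_scope if t["resolved"] is None),
        "critical_high_total": len(tracked),
        "critical_high_within_sla": len(met),
        "critical_high_sla_rate": len(met) / len(decided) if decided else 1.0,
        "overdue": [t["key"] for t in overdue],
    }


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample tickets; SEC-106 falls in Q2 and must be excluded from Q1.
SAMPLE_TICKETS = [
    {"key": "SEC-101", "severity": "Critical", "detected": _utc(2025, 1, 8, 9),
     "deadline": _utc(2025, 1, 9, 9), "resolved": _utc(2025, 1, 8, 20)},
    {"key": "SEC-102", "severity": "High", "detected": _utc(2025, 1, 15, 9),
     "deadline": _utc(2025, 1, 18, 9), "resolved": _utc(2025, 1, 20, 11)},
    {"key": "SEC-103", "severity": "High", "detected": _utc(2025, 3, 28, 9),
     "deadline": _utc(2025, 3, 31, 9), "resolved": None},
    {"key": "SEC-104", "severity": "Medium", "detected": _utc(2025, 2, 3, 9),
     "deadline": _utc(2025, 2, 10, 9), "resolved": _utc(2025, 2, 5, 15)},
    {"key": "SEC-105", "severity": "Low", "detected": _utc(2025, 3, 30, 9),
     "deadline": _utc(2025, 4, 13, 9), "resolved": None},
    {"key": "SEC-106", "severity": "High", "detected": _utc(2025, 4, 2, 9),
     "deadline": _utc(2025, 4, 5, 9), "resolved": None},
]
AS_OF = _utc(2025, 4, 1, 12)

if __name__ == "__main__":
    for field, value in quarterly_report(SAMPLE_TICKETS, "Q1 2025", AS_OF).items():
        print(f"{field}: {value}")
```

The SLA rate deliberately excludes open tickets that are still inside their window, so a report run in Week 4 of the quarter is not dragged down by work that is on track; the `overdue` list is what feeds the Week 4 escalation.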

Continuous Improvement

Process Optimization

  • False Positive Analysis: Regular review of false positives
  • Detection Tuning: Continuous tuning of detection rules
  • Automation Enhancement: Increasing automation of remediation
  • Team Training: Regular training on new threats and tools

Technology Updates

  • GuardDuty Features: Adoption of new GuardDuty capabilities
  • Integration Enhancement: Improved integration with other tools
  • Workflow Optimization: Streamlined remediation workflows
  • Reporting Enhancement: Improved reporting and analytics

Figures (images not included in this extract): Network Performance Monitoring; AWS Load Balancer Performance Monitoring; AWS GuardDuty Threat Detection; GuardDuty Security Dashboard

References (links not included in this extract): AWS Documentation; Internal Resources