Amazon GuardDuty: AI-Driven Cloud Security with Advanced Threat Detection

NewsAmazon GuardDuty: AI-Driven Cloud Security with Advanced Threat Detection

Enhanced AI/ML Threat Detection in Amazon GuardDuty: A Comprehensive Guide

Amazon has unveiled a significant upgrade to its cloud security offering, Amazon GuardDuty, introducing advanced AI/ML threat detection features. This development leverages the extensive cloud visibility and scalability of AWS, aiming to enhance threat detection for applications, workloads, and data. The newly introduced GuardDuty Extended Threat Detection utilizes sophisticated artificial intelligence and machine learning (AI/ML) techniques to identify both known and previously unrecognized attack sequences. This advancement is designed to provide a more comprehensive and proactive approach to cloud security, addressing the complexities of modern cloud environments and the constantly evolving landscape of security threats. It simplifies the process of threat detection and response for organizations.

The Challenges of Security Event Management

Organizations today face the daunting task of efficiently analyzing and responding to the vast number of security events generated across their cloud environments. As security threats become more frequent and sophisticated, it becomes increasingly challenging to detect and respond to attacks that unfold as sequences of events over time. Security teams often struggle to piece together related activities that may be part of a larger attack, potentially missing critical threats or responding too late to prevent substantial impact.

Addressing Security Challenges with GuardDuty Extended Threat Detection

To tackle these challenges, Amazon has expanded GuardDuty’s capabilities with new AI/ML features that correlate security signals to identify active attack sequences in AWS environments. These sequences may include multiple steps taken by an adversary, such as privilege discovery, API manipulation, persistence activities, and data exfiltration. The new feature introduces attack sequence findings, a novel type of GuardDuty finding with critical severity. This level of severity is reserved for findings with the highest confidence and urgency. The attack sequence findings come with a natural language summary explaining the threat’s nature and significance, observed activities mapped to tactics and techniques from the MITRE ATT&CK® framework, and prescriptive remediation recommendations based on AWS best practices.

Enhancements in Threat Detection and Actionability

GuardDuty Extended Threat Detection introduces new attack sequence findings, improving the actionability of existing detections in areas such as credential exfiltration, privilege escalation, and data exfiltration. This enhancement enables GuardDuty to offer composite detections that span multiple data sources, time periods, and resources within an account, providing a more comprehensive understanding of sophisticated cloud attacks.

How to Leverage the New AI/ML Threat Detection in Amazon GuardDuty

To explore the new AI/ML threat detection capabilities, users can access the Amazon GuardDuty console and explore the new widgets on the Summary page. The overview widget now enables users to view the number of attack sequences and delve into the details of these sequences. In cloud environments, multistage attacks are often revealed, but the sophisticated attack sequences are low in volume and account for a small fraction of the total findings. In larger cloud environments, while there may be hundreds or even thousands of findings, the number of attack sequences will likely remain relatively small in comparison.

Additionally, a new widget helps users view findings broken down by severity, making it easier to quickly pivot into and investigate specific findings of interest. The findings are now sorted by severity, providing a clear overview of the most critical issues, including a new critical severity category that ensures the most urgent detections are immediately brought to the user’s attention. Users can also filter out attack sequences by selecting "Top attack sequences only."

Automatic Enablement and Zero Additional Costs

This new capability is enabled by default, requiring no additional steps for activation. There are no extra costs for this feature beyond the underlying charges for GuardDuty and its associated protection plans. As additional GuardDuty protection plans are enabled, this capability will offer more integrated security value, helping users gain deeper insights into their security posture.

Types of Findings and Their Significance

The new feature allows users to observe two types of findings:

  1. Data Compromise: This indicates a potential data compromise, which can be a part of a larger ransomware attack. Data is often the most critical asset for organizations, making this an area of significant concern.
  2. Compromised Credential Type: This finding helps detect the misuse of compromised credentials, typically during the early stages of an attack in the cloud environment.

    Diving Into a Data Compromise Finding

    One example of a data compromise finding is a potential data compromise of one or more Amazon S3 buckets involving a sequence of actions over multiple signals associated with a user in the account. This finding indicates that data has been compromised across multiple Amazon S3 buckets with multiple associated signals.

    The summary associated with this finding provides key details, including the specific user (identified by their principal ID) who performed the actions, the account and resources affected, and the extended time period over which the activity occurred. This information helps users quickly understand the scope and severity of the potential compromise.

    The finding includes eight distinct signals observed over a nearly 24-hour period, indicating the use of multiple tactics and techniques mapped to the MITRE ATT&CK® framework. This broad coverage across the attack chain—from credential access, to discovery, evasion, persistence, and even impact and exfiltration—suggests this may indeed be a true positive incident. The finding also highlights a concerning technique of data destruction, which is particularly alarming.

    Additionally, GuardDuty provides further security context by highlighting sensitive API calls, such as the user deleting the AWS CloudTrail trail. This type of evasive behavior, coupled with the creation of new access keys and actions targeting Amazon S3 objects, further underscores the severity and potential scope of the incident. Based on the information presented in this finding, users would likely want to investigate the incident more thoroughly.

    Reviewing ATT&CK Tactics and Security Context

    Reviewing the ATT&CK tactics associated with the findings provides visibility into the specific tactics involved, whether it’s a single tactic or multiple. GuardDuty also offers security indicators that explain why the activity was flagged as suspicious and assigned a critical severity, including the high-risk APIs called and the tactics observed.

    Further investigation into the actor responsible provides additional context, including how the user connected to and carried out these actions, along with the network locations. This information is crucial for understanding the full scope and nature of the incident, aiding in investigation and response. Users can follow prescriptive remediation recommendations based on AWS best practices, offering actionable insights to swiftly address and resolve identified detections. These tailored recommendations help improve cloud security posture and ensure alignment with security guidelines.

    Sorting and Analyzing Signals

    The Signals tab can be sorted by newest or oldest first. When responding to an active attack, users should start with the latest signals to quickly understand and mitigate the situation. For post-incident review, users can trace back from the initial activities. Diving into each activity provides detailed information about the specific finding. A quick view through indicators, actors, and endpoints summarizes what occurred and who took action.

    Resources Tab for Detailed Investigation

    The Resources tab offers another way to access details, allowing users to check the different buckets involved and the access keys. For each resource, users can review the tactics and techniques that occurred. Selecting an open resource allows users to pivot directly to the relevant console for more details.

    Simplified Contextual Data View

    Amazon has introduced a full-page view for GuardDuty findings, making it easier to see all the contextual data in one place. However, the traditional findings page with a side panel is still available for those who prefer that layout, offering a quick view of the details for specific findings.

    Automatic Activation and Integration

    GuardDuty Extended Threat Detection is automatically enabled for all GuardDuty accounts in a Region, utilizing foundational data sources without requiring additional protection plans. Enabling additional protection plans expands the range of security signals analyzed, enhancing the service’s ability to identify complex attack sequences. GuardDuty recommends activating S3 Protection to detect potential data compromises in Amazon S3 buckets. Without S3 Protection enabled, GuardDuty cannot generate S3-specific findings or identify attack sequences involving S3 resources, limiting its capacity to detect data compromise scenarios in Amazon S3 environments.

    Integration with Existing Workflows

    GuardDuty Extended Threat Detection integrates with existing GuardDuty workflows, including the AWS Security Hub, Amazon EventBridge, and third-party security event management systems.

    Availability and Benefits

    Amazon GuardDuty Extended Threat Detection significantly enhances cloud security by automating the analysis of complex attack sequences and providing actionable insights. This helps users focus on addressing the most critical threats efficiently, reducing the time and effort required for manual analysis. These capabilities are automatically enabled for all new and existing GuardDuty customers at no additional cost in all commercial AWS Regions where GuardDuty is supported.

    For more information and to start benefiting from these new capabilities, users can visit the Amazon GuardDuty documentation.

    Original Source

For more Information, Refer to this article.

Neil S
Neil S
Neil is a highly qualified Technical Writer with an M.Sc(IT) degree and an impressive range of IT and Support certifications including MCSE, CCNA, ACA(Adobe Certified Associates), and PG Dip (IT). With over 10 years of hands-on experience as an IT support engineer across Windows, Mac, iOS, and Linux Server platforms, Neil possesses the expertise to create comprehensive and user-friendly documentation that simplifies complex technical concepts for a wide audience.
Watch & Subscribe Our YouTube Channel
YouTube Subscribe Button

Latest From Hawkdive

You May like these Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.