Friday, February 7, 2025

Enhanced AWS GuardDuty Threat Detection For Cloud Security

Introducing AWS GuardDuty Extended Threat Detection: Enhanced cloud security using AI/ML attack sequence identification.

AWS GuardDuty now offers new AI/ML threat detection capabilities. This capability improves threat detection for your applications, workloads, and data by drawing on the broad cloud visibility and scale that AWS has. GuardDuty Extended Threat Detection takes a more thorough and proactive approach to cloud security by using advanced AI/ML to recognize both known and novel attack sequences. By simplifying threat detection and response, this improvement addresses the growing complexity of modern cloud environments and an evolving threat landscape.

Many organizations struggle to analyze and respond to the large volume of security events generated by their cloud infrastructure. Because threats are both frequent and sophisticated, recognizing and responding to a series of related attacker actions has become harder. Security teams often struggle to piece together related activity that might be part of a broader attack, so they may overlook important threats or react too late to prevent a major impact.

To address these challenges, AWS has added new AI/ML capabilities to GuardDuty's threat detection that correlate security signals to identify ongoing attack sequences in your AWS environment. These sequences may involve several actions performed by an attacker, including data exfiltration, persistence attempts, privilege discovery, and API manipulation. These detections are surfaced as attack sequence findings, a new kind of GuardDuty finding with critical severity. GuardDuty had not used critical severity before; it is reserved for findings that are both highly urgent and high-confidence.

These new findings, which introduce the critical severity level, include a natural-language explanation of the threat's nature and relevance, the observed actions mapped to tactics and techniques from the MITRE ATT&CK framework, and prescriptive remediation recommendations based on AWS best practices.

Besides introducing the new attack sequence findings, AWS GuardDuty Extended Threat Detection makes existing detections in areas such as data exfiltration, privilege escalation, and credential exfiltration more actionable. GuardDuty can now produce composite detections that span several data sources, time periods, and resources within an account, giving you a more thorough understanding of complex cloud threats.

How to utilize Amazon GuardDuty’s new AI/ML threat detection feature

To see how AWS GuardDuty's AI/ML threat detection works, open the Amazon GuardDuty console and look at the new widgets on the Summary page. The overview widget shows how many attack sequences you have and lets you drill into the details of each one. Multistage attacks are common in cloud environments, but these complex attack sequences are rare and make up only a small portion of all findings.

For this particular account you may see a number of findings in the cloud environment, but very few actual attack sequences. In a larger cloud environment the number of attack sequences will likely stay small compared with the hundreds or even thousands of findings you may observe.

A new widget that shows findings by severity has also been introduced. This makes it easy to focus on and explore the findings that matter to you. Findings are now arranged by severity, giving you a clear picture of the most important problems, and the new Critical severity category ensures that the most urgent detections are brought to your attention right away. By selecting Top attack sequences, you can also filter for attack sequences only.


The new feature is enabled by default, so you don't need to do anything extra to use it. Beyond the base charges for GuardDuty and the related protection plans, there is no additional cost. As you enable more AWS GuardDuty protection plans, the feature delivers more integrated security value and deeper insights.

There are two kinds of findings you can see. The first is data compromise, which indicates that data may have been compromised as part of a broader ransomware operation. For most customers, data is the most essential organizational asset, so this is a significant concern. The second is compromised credentials, which helps identify the use of compromised credentials, usually in the early phases of an attack on your cloud environment.

Let's look at one of the data compromise findings: "Potential data compromise of one or more S3 buckets involving a sequence of actions over multiple signals associated with a user in your account". This finding shows that GuardDuty has observed a potential data compromise across several Amazon Simple Storage Service (Amazon S3) buckets, with several related signals.

The summary that accompanies this finding supplies the important facts: the particular user (identified by their principal ID) who carried out the actions, the account and resources affected, and the prolonged period (almost a full day) over which the activity took place. This information helps you quickly understand the extent and gravity of the possible compromise.

In this finding, eight different signals were detected over a roughly 24-hour period, indicating the use of many tactics and techniques from the MITRE ATT&CK framework. The extensive coverage of the attack chain, which includes credential access, discovery, evasion, persistence, impact, and exfiltration, suggests this is likely a true positive. The finding also reveals data deletion, which is especially troubling.

AWS GuardDuty also highlights important API actions, such as a user deleting the AWS CloudTrail trail, to add further security context. Together with the creation of new access keys and activity directed at Amazon S3 objects, this kind of evasive activity emphasizes the incident's seriousness and possible extent. Given the facts in this finding, you should investigate the incident carefully.

Examining the ATT&CK tactics associated with the finding sheds light on the particular techniques, one or more, that were used. AWS GuardDuty also provides security indicators, such as the high-risk APIs called and the techniques observed, that explain why the activity was deemed suspicious and assigned critical severity.

Drilling deeper, you can see specifics about the offending actor, including the network locations and the method the user used to connect and perform these actions. This extra context helps you understand the full extent and character of the incident, which is essential for both investigation and response. You can also follow prescriptive remediation recommendations, based on AWS best practices, that give you actionable steps to quickly address and resolve the findings. This tailored advice helps you strengthen your cloud security posture and maintain compliance with security requirements.

You can sort the Signals tab by oldest or newest first. To quickly understand and contain an active attack, start with the most recent signals; for a post-incident review, go back to the earliest actions. Examining each signal in depth yields comprehensive details on that particular detection, and the Indicators, Actors, and Endpoints sections give a brief overview of what happened and who was involved.

Another way to keep track of the details is the Resources tab, where you can view the buckets involved and the access keys. You can see which tactics and techniques were used against each resource.
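The triage steps described above (sorting signals newest first, reading off the tactics, the high-risk APIs, the affected buckets and the time span of the sequence) can be scripted over the finding JSON. The following is an added example, not code from the article or from AWS: the finding is constructed, its shape is a simplified approximation of the Service.Detection.Sequence block of a real attack-sequence finding (the field names used here are assumptions, not the exact GuardDuty schema), and the API watchlist is an illustrative one.

```python
"""Triage helpers for a GuardDuty attack-sequence finding.

Added example, not AWS code. SAMPLE_FINDING is CONSTRUCTED: its shape is a
simplified approximation of the Service.Detection.Sequence block of a real
finding, and the field names used here are assumptions rather than the exact
GuardDuty schema.
"""
from datetime import datetime, timezone

# Illustrative watchlist of CloudTrail API names worth flagging during triage
# (CloudTrail tampering, new credentials, destructive S3 actions). Assumption:
# this is not GuardDuty's own high-risk API list.
HIGH_RISK_API_WATCHLIST = {"DeleteTrail", "StopLogging", "CreateAccessKey",
                           "DeleteBucket", "PutBucketPolicy"}

BUCKET_A = "arn:aws:s3:::example-bucket-a"   # constructed
BUCKET_B = "arn:aws:s3:::example-bucket-b"   # constructed
KEY = "AKIAEXAMPLEKEY0000"                   # constructed access key id


def _sig(name, tactic, first, last, resources):
    """Build one constructed signal record (ISO 8601 UTC timestamps)."""
    return {"Name": name, "Tactics": [tactic], "FirstSeenAt": first,
            "LastSeenAt": last, "ResourceUids": resources}


# Eight signals over roughly 24 hours, mirroring the article's description.
SAMPLE_FINDING = {
    "Type": "AttackSequence:S3/CompromisedData",
    "Severity": 9.0,
    "Service": {"Detection": {"Sequence": {"Signals": [
        _sig("GetCallerIdentity", "Discovery", "2025-02-06T01:55:00Z", "2025-02-06T01:55:00Z", []),
        _sig("CreateAccessKey", "Persistence", "2025-02-06T02:10:00Z", "2025-02-06T02:10:00Z", [KEY]),
        _sig("GetSecretValue", "Credential Access", "2025-02-06T03:00:00Z", "2025-02-06T03:05:00Z", []),
        _sig("ListObjects", "Discovery", "2025-02-06T09:30:00Z", "2025-02-06T09:40:00Z", [BUCKET_A, BUCKET_B]),
        _sig("GetObject", "Exfiltration", "2025-02-06T14:00:00Z", "2025-02-06T15:20:00Z", [BUCKET_A, BUCKET_B]),
        _sig("DeleteTrail", "Defense Evasion", "2025-02-06T18:45:00Z", "2025-02-06T18:45:00Z", []),
        _sig("DeleteObject", "Impact", "2025-02-06T23:30:00Z", "2025-02-06T23:50:00Z", [BUCKET_A]),
        _sig("DeleteBucket", "Impact", "2025-02-07T01:40:00Z", "2025-02-07T01:40:00Z", [BUCKET_B]),
    ]}}},
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp ending in 'Z' (works on Python 3.8+)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def signals(finding: dict) -> list:
    return finding["Service"]["Detection"]["Sequence"]["Signals"]


def signals_newest_first(finding: dict) -> list:
    """Same ordering as the console's 'newest first' view: start here while
    an attack is still active."""
    return sorted(signals(finding), key=lambda s: parse_ts(s["LastSeenAt"]), reverse=True)


def sequence_span_hours(finding: dict) -> float:
    """Hours between the earliest FirstSeenAt and the latest LastSeenAt."""
    sigs = signals(finding)
    start = min(parse_ts(s["FirstSeenAt"]) for s in sigs)
    end = max(parse_ts(s["LastSeenAt"]) for s in sigs)
    return (end - start).total_seconds() / 3600


def tactics_covered(finding: dict) -> list:
    return sorted({t for s in signals(finding) for t in s["Tactics"]})


def high_risk_apis(finding: dict, watchlist=HIGH_RISK_API_WATCHLIST) -> list:
    return sorted({s["Name"] for s in signals(finding) if s["Name"] in watchlist})


def affected_buckets(finding: dict) -> list:
    return sorted({r for s in signals(finding) for r in s["ResourceUids"]
                   if r.startswith("arn:aws:s3:::")})


def is_critical(finding: dict) -> bool:
    """GuardDuty reserves the 9.0 to 10.0 severity band for critical findings."""
    return float(finding["Severity"]) >= 9.0


def triage(finding: dict) -> dict:
    """One-glance summary an analyst would want before opening the console."""
    return {
        "type": finding["Type"],
        "critical": is_critical(finding),
        "span_hours": round(sequence_span_hours(finding), 2),
        "tactics": tactics_covered(finding),
        "high_risk_apis": high_risk_apis(finding),
        "buckets": affected_buckets(finding),
        "latest_signal": signals_newest_first(finding)[0]["Name"],
        "destructive": any("Impact" in s["Tactics"] for s in signals(finding)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```

The `destructive` flag and the watchlist hit on `DeleteTrail` are the two items that would move this finding to the top of a queue: the first marks data loss, the second marks an attempt to blind CloudTrail, which is exactly the evasive activity the article calls out.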


To make it simpler to examine all the contextual data in one place, AWS has added a full-page view for GuardDuty findings. If you prefer the layout that gives you a quick overview of an individual finding, you can still open the classic findings page from the side panel.


GuardDuty Extended Threat Detection is enabled automatically for every GuardDuty account within a Region using the core data sources, so no extra protection plans are required. Enabling more protection plans broadens the range of security signals examined and improves the service's ability to recognize intricate attack sequences. In particular, AWS GuardDuty recommends turning on S3 Protection in order to identify data compromise in Amazon S3 buckets.

If S3 Protection is not enabled, GuardDuty's ability to detect data compromise in your Amazon S3 environment is limited, because it can neither produce S3-specific findings nor recognize attack sequences involving S3 resources.

GuardDuty Extended Threat Detection works with the existing GuardDuty integrations, including AWS Security Hub, Amazon EventBridge, and third-party security event management systems.
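Two practical follow-ups to the last two points, the S3 Protection caveat and the EventBridge integration, as an added example that is not part of the article or AWS's code. `s3_protection_enabled()` reads the `Features` list of a boto3 `get_detector()` response (the older `DataSources.S3Logs` field is checked as a fallback); `ATTACK_SEQUENCE_PATTERN` is an EventBridge event pattern that forwards critical-severity and attack-sequence findings; `event_matches()` is a small constructed matcher covering only the pattern operators used here, so the rule can be checked against constructed sample events offline without an AWS account. The attack-sequence finding type name is taken from the GuardDuty finding-type reference, not from the article.

```python
"""Operational checks around GuardDuty Extended Threat Detection.

Added example, not AWS code. The matcher implements only the subset of
EventBridge pattern semantics used by ATTACK_SEQUENCE_PATTERN (exact values,
"prefix", "numeric", "$or"); sample events and detector responses are constructed.
"""
import operator


def s3_protection_enabled(detector: dict) -> bool:
    """Return True when S3 Protection (feature S3_DATA_EVENTS) is ENABLED
    in a GuardDuty GetDetector response."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status") == "ENABLED"
    # Fallback for responses that only carry the legacy DataSources block.
    return detector.get("DataSources", {}).get("S3Logs", {}).get("Status") == "ENABLED"


# EventBridge rule pattern. GuardDuty publishes findings with source
# "aws.guardduty" and detail-type "GuardDuty Finding"; "prefix", "numeric"
# and "$or" are standard EventBridge content-filter operators.
ATTACK_SEQUENCE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"$or": [
        {"severity": [{"numeric": [">=", 9]}]},       # critical severity band
        {"type": [{"prefix": "AttackSequence:"}]},    # attack sequence findings
    ]},
}

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">=": operator.ge, ">": operator.gt}


def _leaf_matches(rule, value) -> bool:
    """Match one entry of a pattern leaf list against an event value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "numeric" in rule:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            ops = rule["numeric"]  # e.g. [">=", 9] or [">", 0, "<=", 5]
            return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1])
                       for i in range(0, len(ops), 2))
        raise ValueError(f"unsupported pattern operator: {rule}")
    return rule == value


def event_matches(pattern: dict, event: dict) -> bool:
    """True if every key of the pattern is satisfied by the event."""
    for key, rules in pattern.items():
        if key == "$or":
            if not any(event_matches(sub, event) for sub in rules):
                return False
        elif key not in event:
            return False
        elif isinstance(rules, dict):
            if not isinstance(event[key], dict) or not event_matches(rules, event[key]):
                return False
        elif not any(_leaf_matches(r, event[key]) for r in rules):
            return False
    return True


def _finding_event(finding_type: str, severity: float) -> dict:
    """Constructed EventBridge event in the (abridged) shape GuardDuty emits."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity}}


# Constructed sample events: one attack sequence, one low-severity recon
# finding, one high (not critical) S3 finding, and one non-GuardDuty event.
SAMPLE_EVENTS = [
    _finding_event("AttackSequence:S3/CompromisedData", 9.0),
    _finding_event("Recon:EC2/PortProbeUnprotectedPort", 2.0),
    _finding_event("Exfiltration:S3/MaliciousIPCaller", 8.0),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"severity": 10}},
]


def route_findings(events, pattern=ATTACK_SEQUENCE_PATTERN) -> list:
    """Return the finding types the rule would forward to its target."""
    return [e["detail"]["type"] for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    print(route_findings(SAMPLE_EVENTS))
```

The `$or` keeps the rule useful in both directions: a critical finding that is not an attack sequence is still forwarded, and an attack-sequence finding is forwarded regardless of how its severity is scored. The `s3_protection_enabled()` check belongs in whatever job audits detector configuration, since without S3 Protection the data-compromise sequence findings the article describes cannot be produced.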

Now available

By automating the analysis of intricate attack sequences and offering actionable insights, AWS GuardDuty Extended Threat Detection greatly improves cloud security, reducing the time and effort needed for manual analysis and letting you concentrate on the most important threats.

These features are enabled automatically for all new and existing GuardDuty customers in all commercial AWS Regions where GuardDuty is offered, at no extra cost.

Thota Nithya
Thota Nithya has been writing cloud computing articles for govindhtech since April 2023. She is a science graduate and a cloud computing enthusiast.