Introduction
I was lucky to get the opportunity to try out the new "Extended Threat Detection" feature for Amazon GuardDuty whilst in beta. With the announcement of this new feature, I wanted to share more about my experience and the value this new feature brings. Before jumping into this, let's start by providing some background on Amazon GuardDuty and the benefits it provides, for those who may not be familiar with the service.
Why Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors, analyses and processes AWS logs and other data sources for malicious and abnormal activity. It uses its own internal feeds, alongside other intelligence feeds from CrowdStrike and Proofpoint, to detect the latest threats and attack techniques. As someone who has worked for many years in heavily regulated industries processing sensitive data sets in areas of critical national infrastructure, I have been a huge advocate of Amazon GuardDuty.
In modern cloud environments, the quantity of logs and events that is captured is enormous. When it comes to threat detection, you require real-time and accurate visibility into this data. When your workloads reside on AWS, shipping this data externally to another cloud provider or back on-premises adds significant egress costs and latency. This is why I always look to use GuardDuty, so the data can be analysed at source, and threat detection can be consumed as a managed service.
GuardDuty uses a baseline of foundational data sources, and processes these logs using independent streams of data so it does not affect existing configurations. These foundational data sources are:
AWS CloudTrail - showing a history of AWS API calls and management events.
VPC Flow Logs - showing details of IP traffic going to and from network interfaces attached to your EC2 instances.
Route 53 Resolver DNS logs - showing a history of DNS queries.
On top of this baseline, you have the option to enable protection plans, which are specialised features within GuardDuty that provide enhanced threat detection for specific AWS services, such as:
S3 Protection - helps detect risks such as data exfiltration and destruction in your S3 buckets.
EKS Protection - monitors EKS audit logs to identify potential security issues such as unauthenticated actor attempts to collect secrets or AWS credentials, and suspicious container deployments with images not commonly used in the cluster.
Runtime Monitoring - observes and analyses operating-system level, networking, and file events to help detect potential threats for EC2 instances and container workloads in EKS and ECS including Fargate.
Malware Protection for EC2 - detect the potential presence of malware by scanning the EBS volumes attached to EC2 instances.
Malware Protection for S3 - detects the potential presence of malware by scanning newly uploaded objects in selected S3 buckets.
RDS Protection - profile and monitor access activity to Aurora databases in your AWS account without impacting database performance, to detect potential threats such as high severity brute force attacks, suspicious logins, and access by known threat actors.
Lambda Protection - identifies potential security threats when an AWS Lambda gets invoked in your AWS environment by monitoring Lambda network activity logs.
Integration with AWS Services
Amazon GuardDuty is tightly integrated with other AWS services to enable fast responses.
Amazon Detective
Amazon Detective ingests GuardDuty findings and allows you to quickly analyse and investigate these events.
AWS Security Hub
AWS Security Hub is a cloud security posture management (CSPM) service. It collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from GuardDuty, vulnerability scans from Inspector, and sensitive data identification findings from Macie. It runs continuous and automated account- and resource-level configuration checks against the controls in the AWS Foundational Security Best Practices standard and other supported industry best practices and standards such as NIST and PCI DSS. The screenshot below shows GuardDuty findings in Security Hub.
Amazon EventBridge
GuardDuty creates an event whenever a new finding occurs. These are routed to the default event bus in Amazon EventBridge. You can configure an EventBridge rule with a pattern that listens for GuardDuty findings in order to automatically respond to these events.
Common use cases include sending automatic alerts for high severity findings, or automating remediation (e.g. disabling a compromised access key).
Extended Threat Detection with Attack Sequences
GuardDuty Extended Threat Detection is a new feature of Amazon GuardDuty that uniquely identifies attack sequences spanning multiple AWS data sources and resources within a 24-hour time window within an AWS account.
This addresses the risk where an attack is composed of a number of related suspicious activities over a period of time. Each of these suspicious activities may generate its own individual finding. However, these may be of a lower severity and act only as a weak signal, and so are not seen as presenting a real threat. When these weak signals are considered together, and the sequence of these activities aligns with a more suspicious pattern, GuardDuty will generate an attack sequence finding.
In this case, we have triggered a finding of type AttackSequence:IAM/CompromisedCredentials. Looking at the summary of findings, we can see that this has been given a critical severity level.
Clicking into the finding and selecting "View details" brings up the overview page. This provides a compact view of the attack sequence details, including signals, MITRE tactics, and potentially impacted resources. In the screenshot below, (1) shows the signals, (2) shows the MITRE tactics, and (3) shows the indicators.
Signals displays a timeline of the events involved in the attack sequence. Each individual signal could be an API activity or a finding that GuardDuty used to detect the attack sequence. Each signal that is itself a GuardDuty finding has its own severity level and value assigned to it. In the GuardDuty console, you can select each signal to view the associated details.
One of my favourite aspects of the new feature is the mapping of the finding to both MITRE ATT&CK tactics and techniques. This "compromised credentials" attack sequence was comprised of the following 3 MITRE ATT&CK tactics. GuardDuty uses the MITRE ATT&CK framework to add context to the entire attack sequence. The colours GuardDuty uses to indicate the threat purposes pursued by the threat actor align with the colours used for the critical, high, medium and low finding severity levels.
The indicators section shows observed data that matches the pattern of a security issue, and is the reason why this collection of signals was identified as an attack sequence. For example, the "High risk API" indicator is flagged because the cloudtrail:DeleteTrail and iam:CreateUser API calls were made, which are actions commonly used by threat actors.
I set up a rule in EventBridge to capture an attack sequence finding. A small subset of the JSON event message is shown below. This message also provides details of the associated signals.
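To make the EventBridge rule described above and the attack sequence capture concrete, here is an added example (my own code, not from the post or from AWS). The rule pattern uses the documented GuardDuty event source and detail-type; the local matcher lets you unit-test the pattern offline before deploying it, and `triage` pulls out the fields a responder reads first. The `service.detection.sequence.signals` layout in the constructed sample event is an assumed shape for illustration, not the documented finding schema.

```python
import operator
# EventBridge rule pattern for attack sequence findings. Source and detail-type are the
# documented GuardDuty event values; "prefix"/"numeric" are standard EventBridge filters.
ATTACK_SEQUENCE_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "AttackSequence:"}],
               "severity": [{"numeric": [">=", 7]}]},  # high and critical only
}
_NUMERIC_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq}

def _match_value(value, matchers):
    # Offline re-implementation of the three matcher kinds used in the rule above.
    for m in matchers:
        if isinstance(m, dict):
            if "prefix" in m and isinstance(value, str) and value.startswith(m["prefix"]):
                return True
            if "numeric" in m and isinstance(value, (int, float)):
                op, bound = m["numeric"]
                if _NUMERIC_OPS[op](value, bound):
                    return True
        elif m == value:
            return True
    return False

def matches(pattern, event):
    # True when every key in the pattern exists in the event and its value matches.
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _match_value(event[key], expected):
            return False
    return True

def triage(event):
    # Fields a responder reads first; the signals layout is an ASSUMED shape, not the documented schema.
    detail = event["detail"]
    seq = detail.get("service", {}).get("detection", {}).get("sequence", {})
    api_calls = sorted({s["api"] for s in seq.get("signals", []) if "api" in s})
    return {"type": detail["type"], "severity": detail["severity"], "api_calls": api_calls}

# Constructed sample event (not a real finding); type and API names come from the post.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "type": "AttackSequence:IAM/CompromisedCredentials", "severity": 9.0,
    "service": {"detection": {"sequence": {"signals": [
        {"name": "High risk API", "api": "cloudtrail:DeleteTrail"},
        {"name": "High risk API", "api": "iam:CreateUser"}]}}}}}
```

The `ATTACK_SEQUENCE_RULE` dict can be passed as-is as the event pattern when creating the rule; `matches(ATTACK_SEQUENCE_RULE, SAMPLE_EVENT)` returns True, while a low-severity or non-sequence finding is filtered out.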
Overall, this is a fantastic new feature in GuardDuty and I am excited to see more attack sequence detections being added over time.