To help protect your AWS accounts and workloads, Amazon Web Services unveiled Amazon GuardDuty at re:Invent 2017. This managed threat detection service offers an accurate and straightforward way to continuously watch for malicious or unauthorised behaviour. AWS account owners can use Amazon GuardDuty to watch for unusual or unexpected activity in one or more AWS accounts. To do this, it continuously collects and analyses DNS logs, VPC flow logs, and CloudTrail event logs, along with data from other sources, with an emphasis on detecting threats by looking for anomalies and for known malicious IP addresses and URLs.
What Is Amazon GuardDuty?
Amazon GuardDuty analyses and processes several data sources: AWS CloudTrail data events for Amazon S3, CloudTrail management events, DNS logs, Amazon EBS volume data, Amazon EKS audit logs, and Amazon VPC flow logs. To find unexpected, potentially unauthorised, and malicious activity within your AWS environment, it uses machine learning and threat intelligence feeds such as lists of malicious IP addresses and domains. This covers issues such as privilege escalation, the use of exposed credentials, communication with malicious IP addresses and domains, and the presence of malware on your Amazon EC2 instances and container workloads.
For instance, GuardDuty can identify compromised EC2 instances and container workloads, including those serving malware or mining bitcoin. It also watches for suspicious AWS account access behaviour, such as unauthorised infrastructure deployments (instances launched in a Region that has never been used) or unusual API calls (a change to the password policy that weakens passwords).
Amazon GuardDuty was built and optimised specifically for the cloud. AWS Security, working with industry-leading third-party security partners, maintains an ever-growing library of potential vulnerabilities and the patterns each one exhibits. By applying machine learning, the service can proactively discover potential vulnerabilities across your whole infrastructure and categorise them by the appropriate severity level.
With this in mind, you can build a wide range of custom rules and your own database of known malicious IPs. To help you build your own automated responses to the threats it identifies, Amazon GuardDuty provides CloudWatch Events, CLI tools, and HTTPS APIs.
Three Levels Of Severity
GuardDuty has three levels of severity, which we examine in more detail below, to help you decide what action to take for each alert.
Low severity: denotes a threat that was removed or blocked before it could compromise any resource.
Medium severity: indicates suspicious activity, for example a surge in traffic directed at domains associated with bitcoin, which suggests cryptocurrency mining.
High severity: denotes a resource that is fully compromised and is actively being used for purposes other than its intended use.
Detecting Threats Accurately At The Account Level
If you are not continuously monitoring in near real time, it can be difficult to discover compromised accounts as soon as they are breached. GuardDuty gives you precise detection of compromised accounts. It can spot indications of account compromise, such as access to AWS resources from an unusual geolocation or at an odd hour of the day. For AWS accounts that are managed programmatically, GuardDuty scans for unusual application programming interface (API) calls, such as attempts to hide account activity by turning off CloudTrail logging, or taking database snapshots from a malicious IP address.
Continuous Monitoring Without Additional Costs Or Complexity Across All AWS Accounts
Amazon GuardDuty continuously monitors and analyses your AWS account and workload event data in AWS CloudTrail, VPC Flow Logs, and DNS Logs. There is no additional security infrastructure or software to set up and maintain. Instead of handling threat detection one account at a time, you can aggregate it across your AWS accounts, and you no longer need to gather, examine, and correlate large amounts of AWS data from several accounts. You can focus instead on responding quickly, keeping the company secure, and continuing to scale and innovate on AWS.
Built For The Cloud And Optimised Threat Detection
With Amazon GuardDuty you get built-in detection methods that were designed and optimised for the cloud. The detection algorithms used by AWS Security are regularly updated and enhanced. The main categories of detection include:
Reconnaissance: activity that may indicate reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known malicious IP address.
Instance compromise: activity that points to a compromised instance, such as cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high network traffic volume, unusual network protocols, outbound instance communication with a known malicious IP address, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
Account compromise: common patterns suggestive of an account breach, such as attempts to stop AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual Region, and API calls from known malicious IP addresses.
Bucket compromise: activity that suggests a compromised bucket, such as unexpected Amazon S3 API activity from a remote host, unauthorised S3 access from known malicious IP addresses, and API calls to retrieve data from S3 buckets by a user who has never accessed the bucket before or from an unusual location. Amazon GuardDuty continuously monitors and analyses AWS CloudTrail S3 data events, such as GetObject, ListObjects, and DeleteObject, to find suspicious activity across all of your Amazon S3 buckets.
How Does It Work?
GuardDuty's detections use machine learning and anomaly detection to spot threats that were previously hard to find, such as suspicious API call patterns or unusual AWS Identity and Access Management (IAM) user behaviour. GuardDuty also includes built-in threat intelligence: AWS Security's lists of malicious domains and IP addresses, and those from leading third-party security partners such as Proofpoint and CrowdStrike.
You can either use GuardDuty or build your own threat intelligence of known malicious IP addresses, maintain intricate custom rules, or construct in-house solutions. By monitoring and safeguarding your AWS accounts and workloads, GuardDuty eliminates that needless complexity and undifferentiated heavy lifting.
Levels Of Threat Severities For Effective Prioritising
Amazon GuardDuty offers three severity levels (Low, Medium, and High), which help you prioritise your response to possible attacks. A "Low" severity level denotes activity that was flagged as suspicious or malicious before it could affect your resource. A "Medium" severity level indicates suspicious activity, for instance a large volume of traffic sent to a remote host hidden behind the Tor network, or activity that deviated from expected behaviour. A "High" severity level means a resource, such as an Amazon EC2 instance or a set of IAM user credentials, has been compromised and is currently being used for illegal purposes.
Threat Response And Remediation Automation
Amazon GuardDuty provides CLI tools, HTTPS APIs, and Amazon CloudWatch Events to support automated security responses to findings. For instance, you can automate the response procedure by using CloudWatch Events as an event source to launch an AWS Lambda function.
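The severity bands and the CloudWatch Events to Lambda pattern just described, as an added example that is not code from the article or from AWS: a hypothetical Lambda handler that receives a GuardDuty finding event, maps GuardDuty's numeric severity onto the Low/Medium/High levels, and decides a response. The sample event, its ids and the response action names are constructed for illustration; the finding type used is a real GuardDuty finding type.

```python
"""Hypothetical Lambda handler (not AWS's or the article's code) that triages
GuardDuty findings delivered by CloudWatch Events. It maps GuardDuty's numeric
severity onto the article's Low/Medium/High bands and picks a response."""

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
def severity_label(score):
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(event):
    """Return a response decision (plain dict) for one finding event."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    instance_id = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    # resourceRole tells whether our resource was the ACTOR or the TARGET;
    # an instance acting as ACTOR is the one that has been compromised.
    is_actor = finding.get("service", {}).get("resourceRole") == "ACTOR"
    decision = {"id": finding["id"], "type": finding["type"],
                "severity": label, "actions": ["record"]}
    if label == "High" and instance_id and is_actor:
        # Contain first (e.g. swap to a quarantine security group), then page.
        decision["actions"] += ["isolate_instance", "page_oncall"]
        decision["instance_id"] = instance_id
    elif label in ("High", "Medium"):
        decision["actions"].append("notify_security")
    return decision


def lambda_handler(event, context=None):
    """Lambda entry point; CloudWatch Events passes the finding as `event`."""
    return triage(event)


# Constructed sample: our own EC2 instance seen brute-forcing SSH, matching the
# article's high-severity test. Ids are made up; the type is a real GuardDuty type.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "example-finding-id", "severity": 8,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
               "service": {"resourceRole": "ACTOR"}},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The action names are placeholders for the real containment and notification calls you would wire in; the CloudWatch Events rule that invokes the function matches on the "GuardDuty Finding" detail type.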
High-Quality Threat Detection
Using data from your AWS accounts, workloads, and Amazon S3 data, GuardDuty automatically manages its own resource usage. When capacity is no longer required, GuardDuty scales utilisation down rather than adding more detection capacity. The result is a cost-effective design that still provides the processing power security requires. You are charged only for the detection capacity that is used, so regardless of your size, GuardDuty gives you scalable security.
Single Click Deployment And No Need For Extra Infrastructure Or Software
You can enable Amazon GuardDuty on a single account with a single click in the AWS Management Console or a single API request. GuardDuty can be enabled across many accounts with a few more clicks. Amazon GuardDuty supports multiple accounts both natively and through its integration with AWS Organizations. Once enabled, GuardDuty immediately begins analysing continuous streams of account and network activity, at scale and in near real time. There is no need to deploy or administer any extra security software, sensors, or network appliances, and the threat intelligence the service uses is already included and regularly updated and maintained.
Testing Results
Low Severity
To keep things straightforward, we chose to trigger a low severity finding from Amazon GuardDuty for our initial test. To achieve this, we created an EC2 instance with SSH port 22, which is generally used to log in securely and transfer files, open to the public. After establishing the vulnerable environment, we probed the EC2 instance through a proxy server running ProxyChains on Kali Linux from an unusual source IP address.
Medium Severity
In the example below, we used Kali Linux, a popular distribution used by attackers, penetration testers, and security experts to find holes and gain unauthorised access to an environment. We made some API requests to our AWS account from Kali Linux.
High Severity
What if a harmful operation such as a port scan or brute force attack was carried out using one of your instances as a platform? The example below shows how we used one of our EC2 instances to launch an SSH brute force attack on one of our test servers.
Because your instance has already been compromised, this finding is rated as high severity. Attack types vary, and AWS and its security partners are always updating their knowledge of them.
Pricing
When the service is first activated, AWS offers a free 30-day trial with full access so you can decide whether it's a suitable fit for you. During the trial, Amazon GuardDuty shows an estimated cost based on what you would have paid without the free trial, so you can anticipate the subsequent expenditure.
Your cost is determined by the volume of AWS log data analysed. CloudTrail event logs are charged per 1,000,000 events per month, while VPC Flow Logs and DNS Logs are charged per GB per month.
Analysis Of DNS Logs And VPC Flow Logs
GuardDuty constantly examines your infrastructure and determines the precise amount of detection capacity needed at any given time, so no money is wasted on idle capacity. In other words, you only pay for the capacity that you use.
Starting Off
Enabling Amazon GuardDuty takes only a few clicks in the AWS Management Console. As soon as it is enabled, the service begins analysing billions of events from AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.
Enabling the service in your account is incredibly simple. Within the service dashboard of the AWS Management Console, simply click "Enable GuardDuty":
Once enabled, the service starts its analysis right away. Any findings are shown on the dashboard, categorised by severity level. The details of each finding give you the information you need to investigate the potential problem further.
Conclusion
After examining the new Amazon GuardDuty threat detection service, we're impressed by much of its capability. It's simple to use, easy to set up, deeply integrated with a variety of AWS services, uses machine learning to identify risks (which is fantastic), and allows people of any skill level to quickly identify security flaws.
Because this service is currently restricted to AWS environments, you cannot use its machine learning threat detection on any other cloud platform. AWS should expand this functionality outside of AWS. Nevertheless, we believe Amazon GuardDuty is a great complement to the AWS service offering, and we are eager to put it into use.