Amazon GuardDuty: Introduction to Intelligent Threat Detection for AWS


How do businesses collect and monitor large amounts of log data across their cloud accounts and workloads? How can they harden their cloud environment against cyber threats? For AWS users, Amazon GuardDuty is one easy, intelligent, and cost-effective solution. Let’s learn more about threat detection, continuous monitoring, and how GuardDuty enhances security. 

What is Threat Detection?

No matter the industry, employee count, or security posture, every business that holds sensitive information faces cyber threats. As threat actors become more sophisticated, ransomware threats rise, and attack vectors evolve, businesses must put continuous monitoring and intelligent threat detection measures into place. Threat detection tools raise alerts on potential or active malicious behavior. Without the proactive capabilities of threat detection tools, businesses lose the ability to identify and respond to threats before compromise. Early detection of anomalous behavior is the key to stopping threats and initiating incident response or remediation processes.

Threat detection across AWS log data is a tough task. There is an immense amount of data to review – it’s like finding a needle in a haystack. That’s where threat detection tools prove their value. Instead of manual review by an IT team, security services like Amazon GuardDuty can provide continuous monitoring of log data.

Why use Amazon GuardDuty? 

When AWS environments require a scalable way to monitor and protect all accounts and workloads, Amazon GuardDuty is a native solution.

What is Amazon GuardDuty?

GuardDuty, a feature of the AWS Security Hub, is an AWS threat detection service that collects and analyzes data from three sources to detect unexpected or unwanted behavior, then delivers findings. When businesses need to harden their environment and respond faster to instance compromise, account compromise, or bucket compromise, GuardDuty supports this at scale.

GuardDuty analyzes log data from AWS CloudTrail event logs, VPC Flow Logs, and DNS logs against security and threat intelligence feeds to find anomalies and known suspicious sources. This enables GuardDuty to detect attacker reconnaissance, compromised resources, or compromised accounts through behavior like unauthorized privilege escalation or communication with malicious IP addresses.

Understanding Findings from Amazon GuardDuty 

GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to discover potential security issues among log data and deliver findings in the Management Console. This information provides the context that businesses need to mitigate risk and take action on remediation. 

The finding summary provides the most basic information about each finding, including:

  • Finding type – Represents the type of activity that triggered the finding
  • Finding ID – A way of aggregating similar activity to one ID
  • Severity – Categorizes findings into low, medium, or high severity issues
  • Region – The location where the finding was generated, based on AWS Regions
  • Count – The number of times the same activity has been aggregated into this finding ID
  • Account ID – The AWS account where the activity took place 
  • Resource ID – The AWS resource that the activity took action against 
  • Created at – The time and date when this finding was created
  • Updated at – The time and date of the last update; repeated updates indicate an ongoing issue that occurs multiple times

In addition to the summary, the Management Console also provides details like: 

  • The role (TARGET or ACTOR) and type (AccessKey, S3 bucket, KubernetesCluster or Instance) of the affected resource 
  • The IP address, location, organization, port, and domain of the Target or Actor
  • The type of action taken (NETWORK_CONNECTION, PORT_PROBE, DNS_REQUEST, or AWS_API_CALL)
  • Additional information like the name of the threat list that the finding came from or an unusual protocol

Once AWS users have their GuardDuty findings, remediation can begin. HTTPS APIs, CLI tools, and Amazon CloudWatch Events elevate remediation by providing automated security responses to GuardDuty findings. For example, AWS users can use GuardDuty findings to trigger AWS Lambda functions and automate remediation tasks. When AppsFlyer leveraged GuardDuty and Lambda together, their Security Operations Team Leader said, “Amazon GuardDuty reduces the noise. We can fine-tune the alerts so that we only get the most precise detections. Then we can react to each alert with great confidence.”
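The finding-to-Lambda flow described above, as an added example that is not part of the article or of AWS's own code: the handler receives the finding from a CloudWatch Events/EventBridge rule, extracts the summary fields listed earlier, maps the numeric severity score to the low/medium/high bands, and picks a response. The playbook names, the `lambda_handler` shape with an optional context, and the sample event are assumptions constructed for this example.

```python
# Added example (not AWS code): triage a GuardDuty finding that an
# EventBridge/CloudWatch Events rule hands to Lambda as event["detail"].

def severity_label(score):
    """Map the numeric severity score to the console's Low/Medium/High bands."""
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def summarize_finding(finding):
    """Extract the summary fields the console lists for each finding."""
    service = finding.get("Service", {})
    return {
        "type": finding["Type"], "id": finding["Id"],
        "severity": severity_label(finding["Severity"]),
        "region": finding["Region"], "account_id": finding["AccountId"],
        "count": service.get("Count", 1),
        "resource_type": finding["Resource"]["ResourceType"],
        "resource_role": service.get("ResourceRole"),
        "action_type": service.get("Action", {}).get("ActionType"),
        "created_at": finding["CreatedAt"], "updated_at": finding["UpdatedAt"],
    }

# Hypothetical playbook names the Lambda would invoke for containment.
PLAYBOOKS = {"Instance": "isolate_instance", "AccessKey": "disable_access_key",
             "S3Bucket": "restrict_bucket_policy"}

def choose_response(summary):
    """Contain a resource that is acting maliciously (role ACTOR); when it is
    only being targeted, block the remote host instead of the resource."""
    if summary["severity"] == "low":
        return "notify_only"
    if summary["resource_role"] == "ACTOR":
        return PLAYBOOKS.get(summary["resource_type"], "notify_only")
    return "block_remote_host" if summary["severity"] == "high" else "notify_only"

def lambda_handler(event, context=None):
    summary = summarize_finding(event["detail"])
    summary["response"] = choose_response(summary)
    return summary

# Constructed sample event: an instance resolving a known command-and-control domain.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Id": "sample-finding-id",
    "Severity": 8.0, "Region": "us-east-1", "AccountId": "123456789012",
    "CreatedAt": "2021-01-01T00:00:00.000Z", "UpdatedAt": "2021-01-01T01:00:00.000Z",
    "Resource": {"ResourceType": "Instance"},
    "Service": {"Count": 3, "ResourceRole": "ACTOR",
                "Action": {"ActionType": "DNS_REQUEST"}}}}
```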

Integrating Amazon GuardDuty 

Is GuardDuty comparable to other AWS services? How can it be paired with services within AWS Security Hub? Using the right services and understanding their purpose is incredibly important for developing a robust security posture. Let’s look at the differences between Amazon GuardDuty vs. AWS WAF, as well as how Amazon Inspector and Macie differ from GuardDuty. 

Amazon GuardDuty vs. AWS WAF 

As part of your security posture, AWS Web Application Firewall (WAF) provides infrastructure protection by sitting in front of your Application Load Balancer and applying a web ACL to block malicious traffic. By controlling HTTP and HTTPS requests, web applications and APIs are protected.


Users can leverage Amazon GuardDuty and AWS WAF together to automate responses to GuardDuty findings. When GuardDuty detects suspicious activity, the automated response updates WAF web ACLs and VPC NACLs to block communication from that host. From there, you can focus on further investigation and remediation.
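The blocking step above, as an added example that is not part of the article or of AWS's own code: it pulls the remote hosts out of a finding's action details (both the single NETWORK_CONNECTION case and a PORT_PROBE with several probes), skips addresses inside the VPC's own ranges, and produces the CIDR entries a WAF IP set takes plus the deny rules a network ACL entry takes. The internal ranges, rule numbering and the sample finding are assumptions constructed for this example.

```python
# Added example (not AWS code): turn the remote hosts recorded in a GuardDuty
# finding into WAF IP-set entries and VPC network ACL deny rules.
import ipaddress

# Ranges assumed to belong to the VPC or the host itself; blocking them would
# cut off internal traffic rather than an external attacker.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def remote_ips(finding):
    """Collect remote IPv4 addresses from the finding's action, whether it is a
    single NETWORK_CONNECTION or a PORT_PROBE with several probe details."""
    action = finding.get("Service", {}).get("Action", {})
    details = []
    if "NetworkConnectionAction" in action:
        details.append(action["NetworkConnectionAction"].get("RemoteIpDetails", {}))
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        details.append(probe.get("RemoteIpDetails", {}))
    return [d["IpAddressV4"] for d in details if d.get("IpAddressV4")]

def block_entries(finding, nacl_rule_base=100, max_rules=20):
    """WAF IP sets take CIDR strings; NACL entries need a rule number, protocol
    (-1 = all), action and CIDR. A NACL holds only a limited number of rules
    (default quota 20 per direction), so the output is capped."""
    cidrs = []
    for ip in remote_ips(finding):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in INTERNAL_RANGES):
            continue
        cidr = f"{addr}/32"
        if cidr not in cidrs:
            cidrs.append(cidr)
    cidrs = cidrs[:max_rules]
    nacl_rules = [{"RuleNumber": nacl_rule_base + i, "Protocol": "-1",
                   "RuleAction": "deny", "Egress": False, "CidrBlock": cidr}
                  for i, cidr in enumerate(cidrs)]
    return {"waf_ipset_addresses": cidrs, "nacl_rules": nacl_rules}

# Constructed sample: a port probe from one external host (documentation
# address range) and one internal scanner that must not be blocked.
SAMPLE_FINDING = {"Type": "Recon:EC2/PortProbeUnprotectedPort",
    "Service": {"ResourceRole": "TARGET", "Action": {"ActionType": "PORT_PROBE",
        "PortProbeAction": {"PortProbeDetails": [
            {"LocalPortDetails": {"Port": 22}, "RemoteIpDetails": {"IpAddressV4": "203.0.113.45"}},
            {"LocalPortDetails": {"Port": 22}, "RemoteIpDetails": {"IpAddressV4": "10.0.1.20"}},
            {"LocalPortDetails": {"Port": 3389}, "RemoteIpDetails": {"IpAddressV4": "203.0.113.45"}}]}}}}
```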

Amazon GuardDuty vs. Amazon Inspector

Like GuardDuty, Amazon Inspector is a part of AWS Security Hub and provides detection services. But Inspector is more of a security assessment tool that scans your EC2 instances to find areas of exposure. Inspector measures and compares your EC2 instances and their configurations against industry standards like CIS Benchmarks or CVE information. This testing will determine how accessible your network and applications are to malicious actors. 

Although both GuardDuty and Inspector provide detection services, Inspector is focused on vulnerability management for EC2, while GuardDuty provides intelligent threat detection across AWS accounts. AWS users should use both services for an enhanced security posture.

Amazon GuardDuty vs. Amazon Macie 

Also a part of AWS Security Hub, Amazon Macie provides data protection and privacy services through machine learning and pattern matching. Macie gives businesses visibility into where sensitive data is stored – specifically, if sensitive data is stored in unencrypted, publicly accessible, or shared S3 buckets.

GuardDuty and Macie both use machine learning, but in different ways. GuardDuty identifies anomalous behavior with machine learning, while Macie uses it to classify objects and data. For an improved data protection strategy, AWS users should use both services.

Getting Started with Amazon GuardDuty

Because Amazon GuardDuty is a part of the AWS Security Hub, getting started is actually a fairly simple process that only requires a few clicks in the Management Console or an API call. The first step is signing up for the free 30-day trial, which gives users access to all its features. After the trial, pricing is based on the amount of log data that is analyzed. Once you’ve deployed GuardDuty, it immediately begins threat detection and continuous monitoring. 

Cloud Academy