[AWS re:Invent 2024] Uncovering sophisticated cloud threats with Amazon GuardDuty Session Report

re:Invent 2024

Cyber Security Cloud, Inc.

Posted on: 2025/03/13

We are pleased to present a report on the session "Uncovering sophisticated cloud threats with Amazon GuardDuty" held at AWS re:Invent 2024.

Session Overview

This session was a breakout session on the new GuardDuty features announced on December 1, 2024.
https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-guardduty-extended-threat-detection/

At the beginning of the session, one of the speakers, a senior security specialist, said that the features being introduced were GuardDuty's biggest launch in recent years; his enthusiasm made it clear how useful he considers them.

The first half of the session gave an overview of GuardDuty itself and its coverage; we do not cover that here.

Introducing GuardDuty Extended Threat Detection

Cyber attacks generally involve multiple stages (information gathering, intrusion, extraction of confidential data, destruction of evidence logs, and so on).
Until now, GuardDuty judged each activity as a threat individually and emitted a separate Finding for it, so security experts had to determine manually whether several Findings belonged to one multi-stage attack sequence.
With this update, GuardDuty correlates activity (a combination of multiple security signals) across multiple resources and data sources over a 24-hour time window to determine whether it forms an attack sequence.
This reduces the time spent analyzing individual Findings and lets teams focus on the highest-priority threats.

This feature is enabled by default and there is no additional cost.

The following three types of attack sequence were listed as detectable:

  • Attack sequences involving compromised credentials
  • Attack sequences involving data breaches
  • Attack sequences detected through runtime monitoring of EC2 instances
    (coming soon)

The GuardDuty management console displays a timeline of each individual activity in the attack sequence, along with related resources and metrics.

It also maps to the MITRE ATT&CK framework, making it easy to quickly determine what type of threat is currently occurring and what action to take next.

In the second half of the session, a senior principal scientist explained the mechanism used by this feature to detect threats.
Although I wasn't able to get the details, I was told that they use machine learning and representation learning to detect anomalies (for example, even when an activity is new, similar API call patterns or access from the same region do not necessarily indicate a threat).

In addition, the security expert's judgment process is implemented as a function called a marker. The extracted security signals are evaluated against the marker and scored, and that score ranks them by importance.
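A defender-side sketch of the correlation described above (grouping individual findings by acting principal within a 24-hour window, reading the MITRE-style tactic out of each finding type, and ranking the resulting sequence with a marker-like score), written as an added example for this report. It is not GuardDuty's implementation; the findings, principal names and the scoring rule are constructed placeholders.

```python
from datetime import datetime, timedelta
# Constructed sample findings shaped loosely like GuardDuty output ("Tactic:Resource/Name"
# type, acting principal, resource, time). Placeholders only; none are real events.
SAMPLE_FINDINGS = [
    {"type": "CredentialAccess:IAMUser/AnomalousBehavior", "principal": "principal-A",
     "resource": "iam-user/deploy-bot", "time": "2024-12-01T02:00:00"},
    {"type": "Discovery:S3/AnomalousBehavior", "principal": "principal-A",
     "resource": "s3/finance-bucket", "time": "2024-12-01T03:30:00"},
    {"type": "Exfiltration:S3/AnomalousBehavior", "principal": "principal-A",
     "resource": "s3/finance-bucket", "time": "2024-12-01T05:10:00"},
    # A different principal with a single finding: no sequence on its own.
    {"type": "Discovery:IAMUser/AnomalousBehavior", "principal": "principal-B",
     "resource": "iam-user/analyst", "time": "2024-12-01T04:00:00"},
    # Same principal as above but three days later: outside the 24-hour window.
    {"type": "DefenseEvasion:IAMUser/AnomalousBehavior", "principal": "principal-A",
     "resource": "cloudtrail/main", "time": "2024-12-04T09:00:00"},
]
def tactic(finding_type):
    # GuardDuty finding types put the MITRE-style tactic before the colon.
    return finding_type.split(":", 1)[0]

def score(tactics):
    # Hypothetical marker-style ranking: more distinct stages score higher and a
    # stage implying data loss adds weight. Not GuardDuty's real scoring logic.
    return len(tactics) + 2 * len(set(tactics) & {"Exfiltration", "Impact"})

def correlate_sequences(findings, window_hours=24, min_tactics=2):
    # Group by principal, bound each group by a window from its first finding, and
    # report groups that span at least min_tactics distinct tactics.
    window = timedelta(hours=window_hours)
    by_principal = {}
    for f in sorted(findings, key=lambda f: f["time"]):  # ISO strings sort by time
        by_principal.setdefault(f["principal"], []).append(f)
    sequences = []
    for principal, items in by_principal.items():
        groups, group = [], [items[0]]
        for cur in items[1:]:
            if datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(group[0]["time"]) <= window:
                group.append(cur)
            else:
                groups.append(group)
                group = [cur]
        groups.append(group)
        for g in groups:
            tactics = sorted({tactic(f["type"]) for f in g})
            if len(tactics) >= min_tactics:
                sequences.append({"principal": principal, "tactics": tactics, "score": score(tactics),
                                  "resources": sorted({f["resource"] for f in g}),
                                  "timeline": [(f["time"], f["type"]) for f in g]})
    return sequences
```

Running `correlate_sequences(SAMPLE_FINDINGS)` yields one sequence for principal-A spanning CredentialAccess, Discovery and Exfiltration across two resources, while the isolated finding and the one three days later are left out.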

Thoughts

Early detection of suspicious activity is essential to prevent cyber attacks, which have been increasing rapidly in recent years.
This GuardDuty update not only makes the threat situation in the systems you operate easier to understand; it also relieves security teams of much of the tedious first-pass analysis they previously performed, letting them focus on the highest-priority threats and respond more efficiently.
This feature is enabled by default and there is no additional cost, so this is a very welcome update for companies that already use GuardDuty!
For companies that aren't using GuardDuty yet, this is an opportunity worth considering.

Related pages

https://note.com/wise_auklet1484/n/ne28a64e92a4f
