Introducing Amazon GuardDuty Extended Threat Detection: AI/ML attack sequence identification for enhanced cloud security

Amazon GuardDuty Unveils Advanced AI/ML Threat Detection for Enhanced Cloud Security

Amazon Web Services (AWS) has taken a significant leap forward in cloud security with the introduction of advanced AI/ML threat detection capabilities in Amazon GuardDuty. This new feature, called GuardDuty Extended Threat Detection, leverages the vast scale and visibility of AWS to identify both known and previously unknown attack sequences. By employing sophisticated artificial intelligence and machine learning, this enhancement offers a more proactive and comprehensive approach to safeguarding applications, workloads, and data in the cloud. It addresses the increasing complexity of modern cloud environments and the ever-evolving landscape of security threats, simplifying the process of threat detection and response for organizations.

The Growing Challenge of Cloud Security

As cloud environments grow more complex, organizations face mounting challenges in analyzing and responding to the high volume of security events generated daily. The frequency and sophistication of cyberattacks have made it increasingly difficult for security teams to detect and respond to threats that unfold as sequences of events over time. Often, these teams struggle to connect the dots between related activities, potentially missing critical threats or responding too late to mitigate significant damage.

To address these challenges, AWS has expanded GuardDuty’s capabilities to include AI/ML-driven threat detection that correlates security signals to identify active attack sequences. These sequences may involve multiple steps taken by an adversary, such as privilege discovery, API manipulation, persistence activities, and data exfiltration. The new feature also introduces a critical severity level for findings, a first for GuardDuty; this level is reserved for the most urgent, high-confidence threats. Each critical finding includes a natural language summary of the threat, the observed activities mapped to the MITRE ATT&CK® framework, and prescriptive remediation recommendations based on AWS best practices.

What’s New in GuardDuty Extended Threat Detection?

GuardDuty Extended Threat Detection introduces several key enhancements:

  • Attack Sequence Findings: These findings provide a comprehensive view of multistage attacks, correlating data from multiple sources, time periods, and resources within an account.
  • Improved Actionability: Enhanced detections for credential exfiltration, privilege escalation, and data exfiltration make it easier for security teams to respond effectively.
  • Critical Severity Level: A new severity category ensures that the most urgent threats are immediately brought to attention.
  • Natural Language Summaries: Findings now include detailed summaries that explain the nature and significance of the threat, along with actionable remediation steps.

How to Use the New Capabilities

To explore the new AI/ML threat detection features, users can visit the Amazon GuardDuty console. The updated Summary page includes new widgets that provide an overview of attack sequences and findings broken down by severity. Users can filter findings to focus on the most critical issues or view only the top attack sequences.

One of the standout features is the ability to identify multistage attacks, which are relatively rare but highly significant. For example, in a large cloud environment, there may be thousands of findings, but only a handful of actual attack sequences. This capability helps security teams prioritize their efforts on the most impactful threats.

Real-World Example: Data Compromise Detection

One of the new findings introduced by GuardDuty is the detection of potential data compromise across multiple Amazon S3 buckets. For instance, a finding might indicate that data was compromised over a 24-hour period, involving multiple signals and tactics mapped to the MITRE ATT&CK® framework. This could include activities such as credential access, discovery, evasion, persistence, and data exfiltration.

In one example, GuardDuty flagged a series of suspicious activities, including the deletion of an AWS CloudTrail trail, the creation of new access keys, and actions targeting S3 objects. These activities were linked to a specific user, identified by their principal ID, and provided detailed information about the affected resources and time frame. The finding also highlighted sensitive API calls and tactics such as data destruction, underscoring the severity of the incident.

Enhanced Investigation and Response

GuardDuty’s new features make it easier for security teams to investigate and respond to threats. Key enhancements include:

  • ATT&CK Tactics: Findings are mapped to specific tactics, providing visibility into the methods used by attackers.
  • Security Indicators: Detailed explanations of why an activity was flagged as suspicious, including high-risk APIs and observed tactics.
  • Actor Details: Information about the user or entity responsible for the activity, including network locations and connection methods.
  • Prescriptive Recommendations: Actionable insights based on AWS best practices to help organizations swiftly address and resolve threats.

The new Signals tab allows users to sort findings by newest or oldest, making it easier to respond to active attacks or conduct post-incident reviews. Additional tabs, such as Indicators, Actors, and Endpoints, provide quick summaries of what occurred and who was involved. The Resources tab offers details about affected buckets and access keys, enabling users to pivot directly to the relevant console for further investigation.

Seamless Integration and Cost Efficiency

GuardDuty Extended Threat Detection is automatically enabled for all GuardDuty accounts in supported AWS Regions. There are no additional costs for this feature beyond the underlying charges for GuardDuty and its associated protection plans. Enabling additional protection plans, such as S3 Protection, expands the range of security signals analyzed, improving the service’s ability to detect complex attack sequences.

GuardDuty integrates seamlessly with existing workflows, including the AWS Security Hub, Amazon EventBridge, and third-party security event management systems. This ensures that organizations can incorporate the new capabilities into their existing security operations without disruption.
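The integration the article describes usually takes the form of an Amazon EventBridge rule that forwards GuardDuty findings to a ticketing or paging system, with the new critical severity level deciding what gets escalated. The following is an added example, not code from the article or from AWS: it holds an EventBridge event pattern that selects critical findings with numeric matching, a small local matcher that evaluates the same pattern offline so the routing logic can be unit-tested, and a router that escalates critical attack sequence findings ahead of everything else. It assumes the GuardDuty EventBridge event shape (the finding under `detail`, with numeric `severity` and string `type`), the severity thresholds as the example's author understands them from the GuardDuty documentation (Critical 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 1.0 to 3.9), and that attack sequence finding types begin with the `AttackSequence:` prefix; the sample events are constructed for the example.

```python
"""Route GuardDuty findings delivered through EventBridge by severity.

Added example, not from the article or from AWS. Assumptions are
marked in the comments; check thresholds and type names against the
current GuardDuty documentation before relying on them.
"""
from typing import Any, Dict, List, Tuple

# EventBridge rule pattern that selects only critical GuardDuty findings.
# "aws.guardduty" / "GuardDuty Finding" are the standard source and
# detail-type; the numeric operator keeps sub-critical noise out of the rule.
CRITICAL_EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 9.0]}]},
}

# Severity thresholds (assumption: GuardDuty's documented severity ranges).
SEVERITY_BANDS: List[Tuple[float, str]] = [
    (9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]

# Assumption: attack sequence finding types share this prefix.
ATTACK_SEQUENCE_PREFIX = "AttackSequence:"

_NUMERIC_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _leaf_matches(value: Any, alternatives: List[Any]) -> bool:
    """A pattern leaf is a list of alternatives: literals or numeric ranges."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            ops = alt["numeric"]  # e.g. [">=", 9.0] or [">=", 7, "<", 9]
            if isinstance(value, (int, float)) and all(
                    _NUMERIC_OPS[ops[i]](value, ops[i + 1])
                    for i in range(0, len(ops), 2)):
                return True
        elif value == alt:
            return True
    return False


def matches(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Evaluate the subset of EventBridge pattern semantics used above."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(event[key], spec):
                return False
        elif not _leaf_matches(event[key], spec):
            return False
    return True


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its label."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "UNKNOWN"


def is_attack_sequence(finding: Dict[str, Any]) -> bool:
    return str(finding.get("type", "")).startswith(ATTACK_SEQUENCE_PREFIX)


def route(event: Dict[str, Any]) -> str:
    """Decide where a finding goes: page the on-call, open a ticket, or log."""
    detail = event["detail"]
    label = severity_label(float(detail.get("severity", 0)))
    if label == "CRITICAL" and is_attack_sequence(detail):
        return "page-oncall"       # correlated multistage attack, act now
    if label in ("CRITICAL", "HIGH"):
        return "ticket"            # single high-impact finding
    return "log-only"              # keep for hunting and post-incident review


def _event(finding_type: str, severity: float, title: str) -> Dict[str, Any]:
    # Constructed sample event in the GuardDuty EventBridge shape (assumption).
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "title": title, "accountId": "111122223333"}}


SAMPLE_EVENTS = [  # constructed inputs, not real findings
    _event("AttackSequence:S3/CompromisedData", 9.5,
           "Data compromised across S3 buckets (constructed)"),
    _event("UnauthorizedAccess:IAMUser/MaliciousIPCaller", 7.2,
           "API call from a known malicious IP (constructed)"),
    _event("Recon:EC2/PortProbeUnprotectedPort", 2.0,
           "Port probe on an unprotected port (constructed)"),
]


def triage(events: List[Dict[str, Any]]) -> List[Tuple[str, str, bool, str]]:
    """Return (type, label, matched-critical-rule, destination) per event."""
    return [(e["detail"]["type"],
             severity_label(float(e["detail"]["severity"])),
             matches(e, CRITICAL_EVENT_PATTERN),
             route(e)) for e in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Running the block shows only the constructed attack sequence finding matching the critical rule and being routed to the on-call page; the high finding becomes a ticket and the low one is logged. Keeping the severity cut at the EventBridge rule means the downstream consumer never sees the bulk of low-severity findings, while the local `matches` function lets the rule and the routing logic be tested together without an AWS account.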

Now Available

Amazon GuardDuty Extended Threat Detection is now available at no additional cost for all new and existing GuardDuty customers in commercial AWS Regions where GuardDuty is supported. By automating the analysis of complex attack sequences and providing actionable insights, this enhancement helps organizations focus on addressing the most critical threats efficiently, reducing the time and effort required for manual analysis.

To learn more about these new capabilities, visit the Amazon GuardDuty documentation.

Original source article rewritten by our AI can be read here.
Originally Written by: Esra
