Today I'm excited to introduce the advanced AI/ML threat detection capabilities in Amazon GuardDuty. This new feature uses comprehensive cloud visibility and AWS scale to provide enhanced threat detection for your applications, workloads, and data. GuardDuty Extended Threat Detection uses cutting-edge AI/ML technology to identify both known and previously unknown attack sequences, providing a more comprehensive and proactive approach to cloud security. This enhancement addresses the increasing complexity of modern cloud environments and the evolving security threat landscape, simplifying threat detection and response.
Many organizations face challenges in efficiently analyzing and responding to the high volume of security events generated across their cloud environments. As security threats become more frequent and more sophisticated, it is becoming more difficult to detect and respond effectively to attacks that occur as a sequence of events over time. Security teams often struggle to piece together related activities that may be part of a larger attack, and so risk missing serious threats or responding too late to prevent a significant impact.
To address these challenges, we've expanded GuardDuty's threat detection capabilities to include new AI/ML capabilities that correlate security signals to identify active attack sequences in your AWS environment. These sequences can include multiple steps taken by the adversary, such as privilege discovery, API manipulation, persistence activities, and data exfiltration. These detections are surfaced as attack sequence findings, a new type of Critical-severity GuardDuty finding. Previously, GuardDuty never used the Critical severity level; it is reserved for findings with maximum confidence and urgency. These new findings carry Critical severity and include a natural language summary of the nature and significance of the threat, the observed activities mapped to tactics and techniques from the MITRE ATT&CK® framework, and guided remediation recommendations based on AWS best practices.
GuardDuty Extended Threat Detection delivers new attack sequence findings and improves the actionability of existing detections in areas such as credential exfiltration, privilege escalation, and data exfiltration. This enhancement enables GuardDuty to deliver composite detections that span multiple data sources, time periods, and resources within an account, providing you with a more comprehensive understanding of evolving cloud attacks.
Let me show you how the new capabilities work.
How to use the new AI/ML threat detection in Amazon GuardDuty
To experience the new AI/ML threat detection in GuardDuty, go to the Amazon GuardDuty console and explore the new widgets on the Summary page. The Overview widget now shows you the number of attack sequences you have and lets you look at the details of these attack sequences. Cloud findings often reveal multi-stage attacks, but these complex attack sequences are low in volume and represent a small fraction of the total number of findings. For this particular account, you can observe a variety of findings in the cloud environment, but only a few actual attack sequences. In a larger cloud environment, you may see hundreds or even thousands of findings, but the number of attack sequences will likely still be relatively small in comparison.
We've also added a new widget that helps you view findings broken down by severity. This makes it easier to quickly focus on and investigate the specific findings that matter to you. Findings are now sorted by severity, giving you a clear overview of the most important issues, including the additional Critical severity category, which ensures the most urgent detections are brought to your attention immediately. You can also filter the view down to attack sequences only by selecting the attack sequences entry at the top.
This new capability is enabled by default, so you don't need to take any additional steps to get started. There are no additional costs for this feature beyond the basic fees for GuardDuty and associated protection plans. When you enable additional GuardDuty protection plans, this capability will provide more integrated security value, helping you get deeper insights.
You'll notice two types of attack sequence findings. The first is compromised data, which refers to a potential data breach that could be part of a larger ransomware attack. Data is one of the most important organizational assets for most customers, making it an important area of interest. The second type is compromised credentials, which helps you detect misuse of compromised credentials, typically during the early stages of an attack in your cloud environment.
Let me dive into one of the compromised data findings. I'll focus on “a potential data breach of one or more S3 buckets that involves a series of actions across multiple signals associated with a user in your account.” This finding indicates that we observed data being compromised across multiple Amazon Simple Storage Service (Amazon S3) buckets, with multiple associated signals.
The summary provided with this finding gives you key details, including the specific user (identified by their principal ID) who performed the actions, the account and resources affected, and the extended time period (almost a full day) during which the activity occurred. This information can help you quickly understand the scope and severity of a potential compromise.
This finding contains eight distinct signals observed over approximately 24 hours, indicating the use of multiple tactics and techniques mapped to the MITRE ATT&CK® framework. This broad coverage across the attack chain, from credential access, discovery, defense evasion, and persistence through to impact and exfiltration, suggests that this may indeed be a true positive incident. The finding also reveals a data destruction pattern, which is particularly worrying.
Additionally, GuardDuty provides further security context by highlighting sensitive API calls, such as the user deleting an AWS CloudTrail trail. This type of evasive behavior, coupled with the creation of new access keys and actions targeting Amazon S3 objects, increases the severity and potential scope of the incident. Based on the information provided in this finding, you will likely want to investigate this incident more thoroughly.
Reviewing the ATT&CK tactics associated with the finding provides a clear view of the specific tactics involved, whether one or several. GuardDuty also provides security indicators that explain why the activity was flagged as suspicious and assigned a Critical severity, including the high-risk APIs called and the tactics observed.
Drilling down deeper, you can view details about the responsible actor. The information includes how the user connected to and performed these actions, including network locations. This additional context helps you better understand the full scope and nature of the incident, which is critical to investigation and response. You can follow guided remediation recommendations based on AWS best practices, giving you actionable insights to quickly address and resolve the specific detections. These tailored recommendations help you improve your cloud security posture and ensure compliance with security guidelines.
The Signals tab can be sorted by newest or oldest first. If you are responding to an active attack, you'll want to start with the latest signals to quickly understand and mitigate the situation. For post-incident review, you can trace the activity back to the earliest signals. Drilling into each signal provides detailed information about the specific finding behind it. We also provide a quick look at indicators, actors, and endpoints to summarize what happened and who took action.
Another way to keep track of the details is the Resources tab, where you can check the different resources involved, such as the S3 buckets and the access keys used. For each resource, you can check which tactics and techniques were applied. Select a resource's open link to go directly to the relevant console and find out more details.
We've provided a full-page view of GuardDuty findings, making it easier to see all the contextual data in one place. However, the traditional findings page with a side panel remains available if you prefer that layout, which provides a quick view of the details of specific findings.
GuardDuty Extended Threat Detection is automatically enabled for all GuardDuty accounts in a Region, using the foundational data sources without the need for additional protection plans. Enabling additional protection plans expands the range of security signals analyzed, improving the service's ability to identify complex attack sequences. GuardDuty specifically recommends activating S3 Protection to detect potential data breaches in Amazon S3 buckets. Without S3 Protection enabled, GuardDuty cannot generate S3-specific findings or identify attack sequences involving S3 resources, which limits its ability to detect data breach scenarios in your Amazon S3 environment.
GuardDuty Extended Threat Detection integrates with existing GuardDuty workflows, including AWS Security Hub, Amazon EventBridge, and third-party security event management systems.
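As an added example (not from this post or from AWS documentation), here is an Amazon EventBridge event pattern that routes only Critical-severity GuardDuty findings, which today means the attack sequence findings described above, to a dedicated target such as an on-call notification. It assumes the standard GuardDuty event envelope (source aws.guardduty, detail type GuardDuty Finding) and GuardDuty's Critical severity range of 9.0 and above; the region and account values are placeholders you would replace.

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "region": ["<your-region>"],
  "account": ["<your-account-id>"],
  "detail": {
    "severity": [{ "numeric": [">=", 9] }]
  }
}
```

Lower-severity findings continue to flow through your existing GuardDuty, Security Hub, or SIEM integration; this rule only separates the small number of Critical attack sequence findings so they are not lost among the high volume of individual findings.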
Available now
Amazon GuardDuty Extended Threat Detection dramatically enhances cloud security by automating the analysis of complex attack sequences and providing actionable insights, helping you focus on efficiently addressing the most critical threats, and reducing the time and effort required for manual analysis.
These capabilities are automatically enabled for all new and existing GuardDuty customers at no additional cost in all AWS Commercial Regions where GuardDuty is supported.
To learn more and start taking advantage of these new capabilities, visit the Amazon GuardDuty documentation.
– Israa