Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS re:Inforce 2019

Amazon Web Services
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat detection on AWS: An introduction to Amazon GuardDuty
Ryan Holland
Principal Industry Specialist, AWS
FND216
The AWS security services ecosystem
Diagram: AWS services arranged by function (Identify, Protect, Detect, Respond, Recover, plus Automate and Investigate). Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, AWS KMS, IAM, AWS Single Sign-On, snapshot and archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, AWS PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, AWS Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier.
Amazon GuardDuty: Threat detection and notification
GuardDuty is a managed threat detection service that continuously monitors for malicious or unusual behavior to help you protect your AWS accounts and workloads.
GuardDuty monitors for
• Unusual API calls
• Potentially unauthorized deployments that indicate a possible account compromise
• Potentially compromised instances, or reconnaissance by attackers
Amazon GuardDuty: Threat detection and notification
Diagram: data sources (VPC flow logs, DNS logs, AWS CloudTrail events) feed Amazon GuardDuty, which detects and then notifies by emitting findings rated High, Medium or Low.
Amazon GuardDuty data sources
VPC flow logs
• VPC flow logs do not need to be turned on in your account for GuardDuty to generate findings; GuardDuty consumes the flow data through its own independent, duplicate stream
• Provide information about network communications for threat-intel and behavioral detections
DNS logs
• DNS findings are based on queries made from Amazon EC2 instances to known and unknown questionable domains
• These DNS logs are separate from Amazon Route 53 query logs; Route 53 query logging is not required for GuardDuty to generate DNS-based findings. GuardDuty only sees queries that go through the VPC's default (AWS-provided) resolver, so instances configured to use a third-party resolver are not covered by DNS-based detections
AWS CloudTrail events
• The CloudTrail history of AWS API calls made through the AWS Management Console, SDKs, AWS CLI, etc.
• Identifies user and account activity, including the source IP address used to make the calls
Amazon GuardDuty service benefits
• Managed threat detection service
• Continuous monitoring of your AWS accounts and resources
• Detects unknown threats (behavior-based)
• Detects known threats (threat intel-based)
• Global coverage with regional results: GuardDuty is enabled, and reports findings, per region
• One-click activation with no architectural or performance impact
• Enterprise-wide consolidation and management across accounts
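Because GuardDuty is enabled per region, "global coverage" only holds if a detector exists and is ENABLED in every region the account can use. The following audit script is an added example, not code from the talk or from AWS; it assumes credentials from the default boto3 chain, and treats opt-in regions that are switched off for the account as "unreachable" rather than failing the run. The AWS calls are confined to audit_regions(), so the classification helpers run offline.

```python
"""Audit GuardDuty coverage across every region (added example, not from the talk)."""
from typing import Dict, List

# Assumptions: credentials come from the default boto3 chain; opt-in regions that are
# not enabled for the account are reported as "unreachable" rather than failing the run.


def classify_detector(detector: Dict) -> str:
    """Map a GetDetector response to a coverage status string."""
    return "enabled" if detector.get("Status") == "ENABLED" else "disabled"


def find_gaps(region_status: Dict[str, str]) -> List[str]:
    """Regions where findings would never be generated, sorted for stable reports."""
    return sorted(region for region, status in region_status.items() if status != "enabled")


def audit_regions(session=None) -> Dict[str, str]:
    """Query each GuardDuty region: 'enabled', 'disabled', 'missing' or 'unreachable'."""
    import boto3  # the only place real AWS calls are made
    from botocore.exceptions import BotoCoreError, ClientError

    session = session or boto3.session.Session()
    status: Dict[str, str] = {}
    for region in session.get_available_regions("guardduty"):
        client = session.client("guardduty", region_name=region)
        try:
            detector_ids = client.list_detectors().get("DetectorIds", [])
            if not detector_ids:  # GuardDuty was never enabled here
                status[region] = "missing"
                continue
            status[region] = classify_detector(client.get_detector(DetectorId=detector_ids[0]))
        except (ClientError, BotoCoreError):  # typically an opt-in region that is switched off
            status[region] = "unreachable"
    return status


if __name__ == "__main__":
    report = audit_regions()
    for region, state in sorted(report.items()):
        print(f"{region:16} {state}")
    print("regions without active GuardDuty:", ", ".join(find_gaps(report)) or "none")
```

"unreachable" regions are deliberately listed as gaps: an attacker can enable an opt-in region before you do, so a region you cannot query is a region you are not watching.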
What can Amazon GuardDuty detect?
Detecting known threats using threat intelligence
• Amazon GuardDuty leverages threat intelligence from various sources
  • AWS security intel
  • Open source and AWS partners
  • Customer-provided threat intel
• Threat intelligence enables Amazon GuardDuty to identify the following
  • Known malware-infected hosts
  • Anonymizing proxies
  • Sites hosting malware and hacker tools
  • Cryptocurrency mining pools and wallets
Detecting unknown threats using machine learning
Algorithms to detect unusual behavior:
• Inspecting signal patterns for heuristics
• Profiling normal behavior and looking for deviations
• Machine learning classifiers
Threat detection classes
Reconnaissance
• Unprotected port probed
• Port scan performed
• User permissions discovery
• Network permissions discovery
• Resource permissions discovery
• Inbound Tor traffic
Instance compromise
• Denial of service traffic
• Spam activity
• C&C activity
• Network port unusual
• Traffic volume unusual
• Bitcoin activity
• Black hole DNS address
• DGA domain
• DNS data exfiltration
• Drop point DNS
• Phishing domain
• Outbound brute force
• Outbound Tor traffic
Account compromise
• Unusual network permission change
• Unusual resource permission change
• Unusual compute resources launch
• AWS CloudTrail logging disabled
• Password policy change
• Unusual console login attempts
• Unusual console login successful
• Instance credentials exfiltration
Threat detection classification: threat purpose classes
Every finding type is named ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact (for example Recon:EC2/PortProbeUnprotectedPort or UnauthorizedAccess:IAMUser/TorIPCaller); the threat purpose is the first component.
• Backdoor: resource compromised and capable of contacting its command-and-control (source home)
• Behavior: activity that differs from the established baseline
• Cryptocurrency: detected software associated with cryptocurrencies
• Pentest: activity detected similar to that generated by known penetration testing tools
• Persistence: an established presence in the environment
• Recon: attacker scoping for vulnerabilities by probing ports, listening, enumerating database tables, etc.
• Resource consumption: resource usage that differs from the established baseline
• Stealth: attack trying to hide its actions and tracks
• Trojan: program detected carrying out suspicious activity
• Unauthorized access: suspicious activity or pattern by an unauthorized user
Reviewing findings: Amazon GuardDuty console
Reviewing findings: API/JSON findings details
The same threat information is available in the AWS Management Console and in API/JSON format:
• Severity
• Region
• Count/frequency
• Threat type
• Affected resource
• Source information
• Viewable via Amazon CloudWatch Events
Reviewing findings: Amazon CloudWatch Events
• GuardDuty publishes each new finding to CloudWatch Events within about five minutes of generating it; subsequent occurrences of an existing finding are aggregated into a single updated event at the detector's finding publishing frequency (default six hours), not one event per occurrence
• Amazon CloudWatch Events can be graphed, stored, exported, and further analyzed
Example GuardDuty-related CloudWatch event: the finding JSON appears under the "detail" key of an event whose source is "aws.guardduty" and whose detail-type is "GuardDuty Finding"
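The three preceding slides describe the finding fields (severity, type, affected resource, count) and the CloudWatch Events envelope that carries them. The parser below is an added example, not code from the talk or from AWS: it splits the documented finding-type grammar into its components, maps the numeric severity onto the Low/Medium/High bands shown on the slides, and pulls out the resource a responder has to act on. The sample event is constructed; the envelope and field names follow the documented CloudWatch Events format, but the IDs, domain and timestamps are placeholders.

```python
"""Parse a GuardDuty finding delivered through CloudWatch Events (added example, not from the talk)."""
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, Optional

# Documented grammar of a finding type string; only the first three parts are mandatory:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
FINDING_TYPE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[^.!]+)(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)


@dataclass
class FindingSummary:
    purpose: str
    resource_type: str
    family: str
    mechanism: Optional[str]
    artifact: Optional[str]
    severity_label: str
    resource_id: Optional[str]
    count: int


def severity_label(score: float) -> str:
    """Numeric severity to the Low/Medium/High bands the console used in 2019."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_finding_type(finding_type: str) -> Dict[str, Optional[str]]:
    match = FINDING_TYPE.match(finding_type)
    if not match:
        raise ValueError(f"unrecognised finding type: {finding_type!r}")
    return match.groupdict()


def affected_resource_id(resource: Dict) -> Optional[str]:
    """The identifier a responder acts on: the instance ID, or the IAM user behind an access key."""
    kind = resource.get("resourceType")
    if kind == "Instance":
        return resource.get("instanceDetails", {}).get("instanceId")
    if kind == "AccessKey":
        return resource.get("accessKeyDetails", {}).get("userName")
    return None


def summarize_event(event: Dict) -> FindingSummary:
    """Reject anything that is not a GuardDuty finding event, then flatten the finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    parts = parse_finding_type(finding["type"])
    return FindingSummary(
        purpose=parts["purpose"], resource_type=parts["resource"], family=parts["family"],
        mechanism=parts["mechanism"], artifact=parts["artifact"],
        severity_label=severity_label(float(finding["severity"])),
        resource_id=affected_resource_id(finding.get("resource", {})),
        count=int(finding.get("service", {}).get("count", 1)),
    )


# Constructed sample event: documented envelope shape, placeholder identifiers.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2019-06-25T17:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "id": "00000000000000000000000000000000",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0",
                                "tags": [{"key": "Environment", "value": "prod"}]},
        },
        "service": {
            "serviceName": "guardduty",
            "action": {"actionType": "DNS_REQUEST",
                       "dnsRequestAction": {"domain": "c2.example.invalid", "protocol": "UDP", "blocked": False}},
            "count": 3,
            "archived": False,
        },
        "severity": 8,
    },
}

if __name__ == "__main__":
    print(json.dumps(asdict(summarize_event(SAMPLE_EVENT)), indent=2))
```

Keying automation on the parsed purpose and resource type (for example "Backdoor" on an "EC2" resource) rather than on the full type string keeps a Lambda responder working when AWS adds new family variants or artifacts.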
Rich integration via Amazon CloudWatch and AWS Lambda
Diagram: Amazon GuardDuty publishes findings to Amazon CloudWatch Events, which invokes an AWS Lambda function.
Act on findings
• Integrate with a SIEM or other security technologies
• Remediate a compromised instance or AWS credentials
• Employ AWS Lambda to automate further
Automating incident response
• AWS Lambda: run code for virtually any kind of application or backend service, with zero administration
• AWS Systems Manager: gain operational insights, and take action on AWS resources
• Amazon Inspector: automate security assessments of Amazon EC2 instances
Automating incident response
Diagram: Amazon GuardDuty findings flow through Amazon CloudWatch Events to an AWS Lambda function, partner solutions, an automated response, or anything else.
Incident response: Network ACL and AWS WAF rules
Diagram components: Amazon GuardDuty, Amazon CloudWatch, AWS Step Functions, two AWS Lambda functions, a network access control list, AWS WAF, AWS Shield, Amazon CloudFront, and an Application Load Balancer receiving application requests (static + dynamic). The finding's source address is blocked both in the network ACL and in an AWS WAF rule.
Automating data collection: AWS Lambda + AWS Systems Manager
Diagram: a GuardDuty finding matches an Amazon CloudWatch rule that invokes an AWS Lambda function. The function runs Systems Manager documents on the Amazon EC2 instance to collect its contents, and snapshots the instance's Amazon EBS volume so the snapshot can be mounted on a forensics volume.
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
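The slide shows the collection step only as three prompts (top, pcap, lime). The following is an added example, not code from the talk or from AWS, of how a Lambda function would drive that collection through the AWS-RunShellScript document: it builds the command list, sends it with Systems Manager, and polls the invocation to a terminal state. It assumes the instance runs the SSM agent with an instance profile allowing Systems Manager and s3:PutObject to EVIDENCE_BUCKET (a placeholder name), and that tcpdump and the AWS CLI are installed. The LiME memory capture is left out because it needs a kernel module built for the exact running kernel.

```python
"""Collect volatile state from a suspect EC2 instance through Systems Manager (added example)."""
import time
from typing import Dict, List

# Assumptions (not from the talk): SSM agent present, instance profile allows Systems
# Manager and s3:PutObject to the bucket, tcpdump and the AWS CLI installed. Placeholder bucket.
EVIDENCE_BUCKET = "example-forensics-bucket"
TERMINAL_STATES = ("Success", "Failed", "Cancelled", "TimedOut")


def collection_commands(instance_id: str, capture_seconds: int = 60) -> List[str]:
    """Shell lines for AWS-RunShellScript: the slide's top / pcap pair plus process and socket tables."""
    workdir = f"/tmp/{instance_id}"
    return [
        f"mkdir -p {workdir}",
        f"date -u +%FT%TZ > {workdir}/collected_at",
        f"top -b -n 1 > {workdir}/top.txt",
        f"ps -eo pid,ppid,user,etime,cmd > {workdir}/ps.txt",
        f"ss -tunap > {workdir}/sockets.txt",
        # LiME memory capture omitted: it needs a kernel module built for this exact kernel.
        f"timeout {capture_seconds} tcpdump -i any -s 0 -w {workdir}/capture.pcap || true",
        f"tar -czf {workdir}.tgz -C /tmp {instance_id}",
        f"aws s3 cp {workdir}.tgz s3://{EVIDENCE_BUCKET}/{instance_id}/",
    ]


def run_collection(ssm, instance_id: str, poll_seconds: int = 5, timeout: int = 600) -> Dict:
    """Send the document, poll until the invocation reaches a terminal state, and return it."""
    response = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Comment=f"GuardDuty volatile data collection for {instance_id}",
        Parameters={"commands": collection_commands(instance_id),
                    "executionTimeout": [str(timeout)]},
    )
    command_id = response["Command"]["CommandId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            invocation = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:  # agent has not picked the command up yet
            time.sleep(poll_seconds)
            continue
        if invocation["Status"] in TERMINAL_STATES:
            return invocation
        time.sleep(poll_seconds)
    raise TimeoutError(f"command {command_id} on {instance_id} did not finish in {timeout}s")


if __name__ == "__main__":
    import sys
    import boto3  # real AWS calls only happen when run directly
    result = run_collection(boto3.client("ssm"), sys.argv[1])
    print(result["Status"], result.get("StandardErrorContent", "")[:500])
```

Run this before the isolation playbook changes the instance's security groups: once the quarantine group is attached, the upload to S3 fails and the capture stays on the (possibly compromised) host.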
Automatic remediation examples
A GuardDuty finding matches an Amazon CloudWatch rule that invokes an AWS Lambda function. Two example playbooks:
Isolate
1. Detach the instance from its Auto Scaling group and Elastic Load Balancing
2. Remove the IAM role
3. Snapshot the volume
4. Replace the security group on the elastic network interface(s) to disallow all traffic
5. Attach a forensics network interface
Terminate
1. Terminate the instance
Enabling automated remediation
• Pick the right action based on the affected resource; one size does not fit all: Notify/ticket, Isolate, or Terminate/replace
• A well-defined and consistently enforced tagging strategy is key to enabling remediation, because the tag is what tells the responder which of those actions the resource owner has agreed to
• Security needs to work with application owners (we should be doing this anyway!)
• Start with notifications, move deliberately toward more assertive actions
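The two preceding slides (the isolate/terminate playbooks and the tag-driven choice between notify, isolate and terminate) fit in one Lambda function. The following is an added example, not code from the talk or from AWS. It assumes a tagging convention the talk does not prescribe: application owners opt in with a SecurityResponse tag on the instance (notify, isolate or terminate), untagged or non-EC2 resources only get a notification, and QUARANTINE_SG is a placeholder for a security group from which every inbound and outbound rule has been deleted. The decision logic is pure Python; the AWS calls are confined to isolate_instance() and handler().

```python
"""Tag-driven GuardDuty responder for EC2 findings (added example, not from the talk or AWS)."""
from typing import Dict, List

# Assumed conventions (not from the talk): owners opt in with a "SecurityResponse" tag
# (notify | isolate | terminate); QUARANTINE_SG is a security group with no rules at all.
RESPONSE_TAG = "SecurityResponse"
ALLOWED_ACTIONS = ("notify", "isolate", "terminate")
QUARANTINE_SG = "sg-0quarantine000000000"  # placeholder ID

# CloudWatch Events rule pattern that routes every finding to this function.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


def tags_from_finding(finding: Dict) -> Dict[str, str]:
    """GuardDuty copies the instance's tags into the finding, so no extra API call is needed."""
    details = finding.get("resource", {}).get("instanceDetails", {})
    return {tag["key"]: tag["value"] for tag in details.get("tags", [])}


def decide_action(finding: Dict, tags: Dict[str, str]) -> str:
    """Least assertive action unless the owner opted in and the finding is severe enough."""
    if finding.get("resource", {}).get("resourceType") != "Instance":
        return "notify"  # credential and bucket findings get a ticket, never this playbook
    severity = float(finding.get("severity", 0))
    wanted = tags.get(RESPONSE_TAG, "notify").lower()
    if wanted not in ALLOWED_ACTIONS:
        wanted = "notify"
    if severity < 4.0:
        return "notify"  # Low findings never trigger automatic containment
    if wanted == "terminate" and severity < 7.0:
        return "isolate"  # only High findings justify destroying the evidence
    return wanted


def isolate_instance(ec2, autoscaling, instance_id: str, quarantine_sg: str) -> List[str]:
    """Steps 1-4 of the isolate playbook, ordered so evidence is captured before containment."""
    done: List[str] = []
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # 1. Detach from the Auto Scaling group so it replaces capacity instead of fighting us
    members = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])["AutoScalingInstances"]
    if members:
        autoscaling.detach_instances(InstanceIds=[instance_id],
                                     AutoScalingGroupName=members[0]["AutoScalingGroupName"],
                                     ShouldDecrementDesiredCapacity=False)
        done.append("detached-from-asg")
    # 2. Remove the instance profile so leaked instance credentials stop being renewed
    associations = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])["IamInstanceProfileAssociations"]
    for assoc in associations:
        ec2.disassociate_iam_instance_profile(AssociationId=assoc["AssociationId"])
        done.append("removed-iam-role")
    # 3. Snapshot every attached volume before changing anything on the host
    for mapping in instance.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        ec2.create_snapshot(VolumeId=volume_id, Description=f"forensics {instance_id}",
                            TagSpecifications=[{"ResourceType": "snapshot",
                                                "Tags": [{"Key": "SourceInstance", "Value": instance_id}]}])
        done.append(f"snapshot:{volume_id}")
    # 4. Move every ENI into the quarantine group. Flows already tracked by the security
    #    group can outlive this change; a network ACL deny is the hard cut if you need one.
    for eni in instance.get("NetworkInterfaces", []):
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni["NetworkInterfaceId"],
                                               Groups=[quarantine_sg])
        done.append(f"quarantined:{eni['NetworkInterfaceId']}")
    return done


def handler(event, context):
    """Lambda entry point; real AWS calls happen only from here."""
    import boto3
    finding = event["detail"]
    action = decide_action(finding, tags_from_finding(finding))
    instance_id = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    if action == "isolate":
        isolate_instance(boto3.client("ec2"), boto3.client("autoscaling"), instance_id, QUARANTINE_SG)
    elif action == "terminate":
        boto3.client("ec2").terminate_instances(InstanceIds=[instance_id])
    # "notify" falls through: hand the summary to your ticketing or SIEM path
    return {"action": action, "instanceId": instance_id, "type": finding.get("type")}
```

Load balancer deregistration (part of step 1 on the slide) and step 5, attaching the forensics interface, are left out; both need environment-specific target group and subnet identifiers. The Lambda execution role needs only the EC2, Auto Scaling and snapshot permissions used above; giving it ec2:TerminateInstances is itself a decision to make deliberately, in line with the slide's advice to start with notifications.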
Thank you!