Amazon GuardDuty’s extended threat detection capabilities were one of the highlights of AWS re:Invent 2024. By leveraging advanced AI and ML algorithms, GuardDuty now delivers comprehensive protection against sophisticated attack vectors, including threats targeting serverless applications, storage systems and containerised workloads.
What is Extended Threat Detection?
GuardDuty Extended Threat Detection automatically identifies multi-stage attacks by correlating events across different AWS resources and data sources over time. It tracks sequences of actions, such as unauthorised access, privilege escalation, and data exfiltration, and flags them as critical attack sequences, helping detect complex threats like AWS credential misuse and data compromise attempts.
What are the key features of Extended Threat Detection?
- Enabled by Default: When GuardDuty is activated in a region, Extended Threat Detection is automatically enabled with no additional cost, correlating events across all GuardDuty foundational data sources.
- Event Correlation and Signals: Extended Threat Detection analyses multiple events (called “Signals”), including weak signals and GuardDuty findings, to detect attack sequences. It identifies patterns that may not be immediately suspicious on their own but become concerning when combined.
- Attack Sequence Findings: GuardDuty generates attack sequence findings, which encompass multiple stages of an attack, such as unauthorised access, privilege escalation, and data exfiltration. These findings help detect sophisticated, multi-stage attacks.
- Real-Time Detection: It detects in-progress or recent attacks within a 24-hour rolling window, improving its ability to identify ongoing malicious activities.
- Integration with Protection Plans: Enabling additional protection plans, such as S3 Protection, expands the range of data sources and signals GuardDuty can analyse, leading to more comprehensive threat detection. For example, S3 Protection helps GuardDuty identify potential data exfiltration from permissive S3 bucket configurations.
- Findings Management: Attack sequence findings are displayed in the GuardDuty console and sent to Amazon EventBridge. These findings can be exported to an S3 bucket for further analysis and response.
- Security Coverage Expansion: GuardDuty recommends enabling additional protection plans (like S3 Protection) for broader security coverage, especially in scenarios involving data compromise or S3-related attack stages.
How GuardDuty’s extended features would handle a hypothetical real-time attack:
Scenario: A threat actor deploys a crypto mining script via a compromised Lambda function.
A threat actor exploits weak IAM policies to gain unauthorised access to an AWS Lambda function and deploys a crypto mining script, hijacking compute resources.
GuardDuty detects this using Lambda Malware Detection, identifying the malicious script, and flags unusual IAM activity, such as unauthorised API calls, through its IAM Anomaly Detection.
With Extended Threat Detection enabled (as it is by default), GuardDuty generates high-severity findings detailing the compromised resources (the Lambda function and its IAM role) and the associated indicators of compromise. Through EventBridge, an automated workflow isolates the function, revokes permissions and notifies the security team. Post-incident, GuardDuty preserves logs and snapshots for forensic analysis, ensuring a thorough investigation of the attack.
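As an added illustration of the EventBridge-driven workflow described above (example code written for this post, not AWS's own and not from the original article), the following Python triages a GuardDuty finding event, decides containment steps for a compromised Lambda function, and applies them through injected boto3 clients. The rule pattern, the sample event's field names and its finding type are assumptions; `put_function_concurrency`, `put_role_policy` and `publish` are real boto3 methods.

```python
import json, operator
# EventBridge rule pattern (standard syntax): route only GuardDuty findings
# with severity >= 7 (High) to the responder. Assumed, not taken from the post.
RULE_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                "detail": {"severity": [{"numeric": [">=", 7]}]}}
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}
# Constructed sample event: the detail field names and the finding type are
# illustrative assumptions, not copied from GuardDuty documentation.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "EXAMPLE-FINDING-ID", "severity": 8, "type": "Execution:Lambda/ExampleCryptoMiner",
    "resource": {"resourceType": "Lambda", "lambdaDetails": {
        "functionName": "billing-export",
        "role": "arn:aws:iam::123456789012:role/billing-export-role"}}}}

def matches_rule(event, pattern=RULE_PATTERN):
    """Local check mirroring RULE_PATTERN: exact values, nested dicts, numeric ops."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_rule(value, allowed):
                return False
        elif not any(OPS[a["numeric"][0]](value, a["numeric"][1])
                     if isinstance(a, dict) and isinstance(value, (int, float))
                     else value == a for a in allowed):
            return False
    return True

def plan_response(event):
    """Return (action, target) containment steps, or [] if the rule does not match."""
    if not matches_rule(event):
        return []
    detail, res = event["detail"], event["detail"].get("resource", {})
    steps = [("notify", detail["type"])]
    if res.get("resourceType") == "Lambda":
        fn, role_arn = res["lambdaDetails"]["functionName"], res["lambdaDetails"]["role"]
        # Reserved concurrency 0 blocks new invocations; an inline Deny-all policy
        # revokes the role's permissions without deleting it. Both are reversible.
        steps = [("throttle_function", fn), ("deny_role", role_arn.rsplit("/", 1)[-1])] + steps
    return steps

def execute(plan, lambda_client, iam_client, sns_client, topic_arn):
    """Apply a plan with injected boto3 clients (these method names are real)."""
    deny_all = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]})
    for action, target in plan:
        if action == "throttle_function":
            lambda_client.put_function_concurrency(FunctionName=target, ReservedConcurrentExecutions=0)
        elif action == "deny_role":
            iam_client.put_role_policy(RoleName=target, PolicyName="GuardDutyQuarantine", PolicyDocument=deny_all)
        else:
            sns_client.publish(TopicArn=topic_arn, Subject="GuardDuty containment", Message=f"Finding {target}: contained")
```

In a real deployment the Lambda responder would call `plan_response` on the incoming EventBridge event and pass `boto3.client("lambda")`, `boto3.client("iam")` and `boto3.client("sns")` to `execute`; keeping the planning step free of AWS calls is what makes it unit-testable.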
Here is a hypothetical cost breakdown for the scenario where a crypto mining script is deployed via a compromised AWS Lambda function:
| Component | Details | Hypothetical Costs |
|---|---|---|
| AWS Lambda | Charges based on execution time (memory and duration) | $0.20 per 1M requests + $0.00001667 per GB-second. If the Lambda function runs for 1 hour using 1 GB of memory: 1 GB × 3600 seconds × $0.00001667 = $0.06 |
| Data Transfer (S3 or other services) | Charges for data transfer between AWS services (e.g., to/from S3, EC2) | $0.09 per GB for data transfer out of AWS (e.g., if 10 GB of data is transferred externally: 10 GB × $0.09 = $0.90) |
| GuardDuty Detection | Charges based on volume of events analysed | $1.00 per million events. For 1 million events analysed due to the attack: 1M × $1 = $1.00 |
| S3 Storage for Logs/Forensics | Charges for storing logs for forensic analysis | $0.023 per GB per month. For 5 GB of logs stored: 5 GB × $0.023 = $0.115 |
| EventBridge (Automation) | Triggering automated workflows | EventBridge pricing is based on the number of events published (e.g., $1.00 per million events) |
Example Total for a 1-Hour Crypto Mining Attack:
- Lambda Execution (1 GB, 1 hour): $0.06
- Data Transfer (10 GB out): $0.90
- GuardDuty Detection (1 million events): $1.00
- S3 Storage (5 GB): $0.115
- EventBridge (1M events): $1.00
Estimated Total: $3.07 for the entire attack scenario, excluding human security response costs.
*This is a hypothetical example, and actual costs will vary based on usage, AWS region, and other factors like the specifics of the workload and response actions.
Conclusion
Overall, GuardDuty provides proactive detection through AI-driven insights that identify threats early; integrated automation with AWS services for swift containment and recovery; broad coverage that extends protection across serverless functions, containers and storage; and the scalability to manage complex multi-account, multi-region AWS environments efficiently.
For detailed technical guidance, explore the official GuardDuty documentation.