Advanced Threat Detection

Investigate most active threats

A key task among foundational detective controls is to review most Amazon GuardDuty findings (or those of whichever tool you use for detecting active threats). In other words, do not only act on critical findings: also evaluate why medium or low priority findings are being generated, so that early attempts at compromise and reconnaissance are detected, the adversary is blocked quickly, and the incident response plan is activated.

For example, an SSH Bruteforce finding indicates that an adversary is trying to access your exposed SSH services. Even if the adversary has not gained entry yet, it is a warning sign that should direct us towards closing that attack vector, for instance by using AWS Systems Manager Fleet Manager for administration and closing ingress administration ports in security groups.

Also review reconnaissance findings to identify attacks that attempt to expand laterally, the use of pentesting tools, and anomalies.
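The triage the section describes, as an added example that is not part of the original page: a hypothetical helper that takes a batch of findings in the shape GuardDuty returns (only the fields used are modelled), buckets them by severity, surfaces low- and medium-severity early-stage findings (reconnaissance and unauthorized access attempts such as SSH brute force), and flags instances that appear in several different finding types. The sample findings are constructed.

```python
"""Triage GuardDuty findings so low/medium early-stage activity is reviewed, not ignored."""
from collections import Counter, defaultdict

# Constructed sample findings; the shape follows GuardDuty's finding JSON, values are made up.
SAMPLE_FINDINGS = [
    {"Id": "f1", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0example1"}},
     "Service": {"Count": 41, "Action": {"NetworkConnectionAction": {
         "RemoteIpDetails": {"IpAddressV4": "203.0.113.7"}}}}},
    {"Id": "f2", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0example2"}},
     "Service": {"Count": 3, "Action": {"NetworkConnectionAction": {
         "RemoteIpDetails": {"IpAddressV4": "198.51.100.9"}}}}},
    {"Id": "f3", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0example1"}},
     "Service": {"Count": 1, "Action": {"DnsRequestAction": {"Domain": "c2.example"}}}},
]

# Finding-type prefixes that describe early stages of an intrusion (hypothetical selection).
EARLY_STAGE_PREFIXES = ("Recon:", "UnauthorizedAccess:")


def severity_band(severity: float) -> str:
    """GuardDuty severity scale: 1.0-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    if severity >= 7.0:
        return "high"
    if severity >= 4.0:
        return "medium"
    return "low"


def remote_ip(finding: dict):
    """Remote IPv4 address for network findings; None for DNS-only findings."""
    conn = finding.get("Service", {}).get("Action", {}).get("NetworkConnectionAction", {})
    return conn.get("RemoteIpDetails", {}).get("IpAddressV4")


def triage(findings: list) -> dict:
    by_band = Counter(severity_band(f["Severity"]) for f in findings)
    per_instance = defaultdict(list)
    early_stage = []
    for f in findings:
        instance = f["Resource"]["InstanceDetails"]["InstanceId"]
        per_instance[instance].append(f["Type"])
        if f["Type"].startswith(EARLY_STAGE_PREFIXES):  # review regardless of severity
            early_stage.append({"id": f["Id"], "type": f["Type"], "instance": instance,
                                "remote_ip": remote_ip(f), "attempts": f["Service"]["Count"]})
    # An instance with several distinct finding types suggests the intrusion is progressing.
    progressing = sorted(i for i, types in per_instance.items() if len(set(types)) > 1)
    return {"by_band": dict(by_band), "early_stage": early_stage, "progressing": progressing}
```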

Leverage GuardDuty Protection Plans for deeper visibility on threats

GuardDuty Protection Plans

GuardDuty Runtime Monitoring

This optional runtime monitoring agent is a component managed by the service that provides more visibility from inside the host: it indicates which process ID, in which task of which container, performed the suspicious action. It can detect some additional use cases and allows the security analyst to isolate the threat faster and more precisely. It is available for Amazon EC2, ECS and EKS.

GuardDuty Malware Protection

This optional feature scans snapshots of the EBS volumes of instances suspected to be infected because a GuardDuty finding originated from that instance (such as TOR Client, connections to command and control, or network sweeps). It requires no agent and has no impact on performance, as the scan is performed in a service account.

GuardDuty S3 Protection

This optional feature for customers using Amazon S3 provides additional visibility into potential adversarial use of your S3 buckets.

GuardDuty S3 Protection Findings

GuardDuty RDS Protection

This optional feature for RDS Aurora DB customers provides additional visibility into potential adversarial login attacks against your databases, such as password spraying, brute force or anomalous logins.

Workshops

Pricing

https://aws.amazon.com/guardduty/pricing
The service has a 30-day free trial period.
You can verify current usage and estimate future usage of this service. Each optional feature has its own independent free trial period.