Recently at its re:Invent 2017 conference, Amazon announced an interesting new security offering called “GuardDuty.”

GuardDuty uses threat intelligence, machine learning and anomaly detection to deliver agentless security findings across a variety of AWS services.

This blog will discuss a bit about GuardDuty and show one example of how to gather custom data within the Cloud Management Assessor.

GuardDuty gathers data from multiple streams, including threat intelligence feeds, and creates a data set that can be compared against DNS logs, VPC flow logs and CloudTrail events. This allows Amazon to report on numerous types of suspicious behavior.

Much of this suspicious behavior detection has previously only been found within complex network security products. For example, Amazon will determine if your EC2 host contacts known botnet command-and-control IP addresses or performs DNS lookups for domains produced by DGAs (Domain Generation Algorithms), alerting you to a possible machine compromise.

Amazon will also log findings in GuardDuty if you have hosts communicating with Bitcoin-related sites. This is useful since many attackers will attempt to mine cryptocurrency if they are able to compromise an AWS host or management account.

Other GuardDuty findings are more closely coupled with AWS itself: for instance, noting suspicious disabling of CloudTrail logs, or flagging when credentials generated specifically for an EC2 instance are used from external IP addresses.

Obviously, there are a lot of interesting things that can be found by GuardDuty, and the best part is that you get these advanced security findings without any third-party hardware or software: it's all built natively into AWS.

Now that we've learned a bit about GuardDuty, let's look at how to use the Cloud Management Assessor to alert you to the existence of high severity GuardDuty findings from within Tripwire Enterprise. You will need to know your GuardDuty detector ID,
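As an added illustration of the collection step described above (this is example code, not Tripwire's Cloud Management Assessor or Amazon's code), the script below pulls only the high severity findings for one detector ID using the GuardDuty `ListFindings`/`GetFindings` call shapes, pages through results, and reduces them to a summary an external tool could alert on. The `FakeGuardDuty` class and its sample findings are constructed so the script runs offline; the detector ID is a placeholder.

```python
from collections import Counter

HIGH_SEVERITY = 7.0  # AWS severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9
def severity_label(severity):
    """Map GuardDuty's numeric severity to its Low/Medium/High band."""
    if severity >= HIGH_SEVERITY:
        return "High"
    return "Medium" if severity >= 4.0 else "Low"

def list_high_severity_ids(client, detector_id):
    """IDs of findings with severity >= 7, following NextToken pagination."""
    kwargs = {"DetectorId": detector_id,
              "FindingCriteria": {"Criterion": {"severity": {"Gte": int(HIGH_SEVERITY)}}}}
    ids = []
    while True:
        page = client.list_findings(**kwargs)
        ids.extend(page.get("FindingIds", []))
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]

def high_severity_report(client, detector_id):
    """Fetch the high-severity findings (get_findings takes at most 50 IDs) and summarise."""
    ids = list_high_severity_ids(client, detector_id)
    findings = []
    for i in range(0, len(ids), 50):
        findings.extend(client.get_findings(DetectorId=detector_id,
                                            FindingIds=ids[i:i + 50])["Findings"])
    return {"high_count": len(findings),
            "by_type": dict(Counter(f["Type"] for f in findings)),
            "findings": [{"id": f["Id"], "type": f["Type"], "title": f.get("Title", ""),
                          "severity": severity_label(f["Severity"])} for f in findings]}

class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty') so this runs offline (same call shapes)."""
    FINDINGS = [  # constructed sample findings; the Type strings are real GuardDuty finding types
        {"Id": "f1", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0, "Title": "C&C DNS lookup"},
        {"Id": "f2", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0, "Title": "Bitcoin lookup"},
        {"Id": "f3", "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "Severity": 2.0, "Title": "Trail off"},
        {"Id": "f4", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0, "Title": "C&C DNS lookup"},
    ]
    def list_findings(self, DetectorId, FindingCriteria, NextToken=None):
        floor = FindingCriteria["Criterion"]["severity"]["Gte"]
        ids = [f["Id"] for f in self.FINDINGS if f["Severity"] >= floor]  # server-side filter
        return {"FindingIds": ids[:2], "NextToken": "p2"} if NextToken is None else {"FindingIds": ids[2:]}
    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [f for f in self.FINDINGS if f["Id"] in FindingIds]}
if __name__ == "__main__":  # swap FakeGuardDuty() for boto3.client("guardduty") and a real detector ID
    print(high_severity_report(FakeGuardDuty(), "detector-id-placeholder"))
```

Against a real account the same two calls work unchanged with a boto3 client; the Low severity CloudTrail finding in the sample is deliberately excluded by the `Gte` criterion so only the items worth paging into Tripwire Enterprise come back.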