Singapore – Aiming to advance cloud security, Amazon Web Services has recently announced new updates to Amazon GuardDuty, incorporating advanced AI/ML threat detection capabilities. The new feature draws on the extensive cloud visibility and scale of AWS to provide improved threat detection for applications, workloads, and data.
According to the firm, the platform now features new AI/ML capabilities that correlate security signals to identify active attack sequences in your AWS environment. These sequences may involve multiple steps taken by an adversary, including privilege discovery, API manipulation, persistence activities, and data exfiltration.
Moreover, it also introduces new attack sequence findings and improves actionability for existing detections in areas such as credential exfiltration, privilege escalation, and data exfiltration.
With this enhancement, GuardDuty provides composite detections that integrate data across various sources, timelines, and resources, offering a more holistic view of complex cloud attacks within one’s account.
In addition, the new capabilities further bring attack sequence findings to GuardDuty, classified as critical severity. These findings include a natural language summary describing the threat’s nature and impact, observed activities aligned with MITRE ATT&CK tactics and techniques, and prescriptive remediation steps based on AWS best practices.
In terms of functionality, GuardDuty includes new widgets on the summary page, such as (1) an overview widget showing the number of attack sequences; (2) a widget displaying findings broken down by severity; and (3) the ability to filter for top attack sequences.
The types of findings introduced include an indication of potential data compromise, possibly part of a larger ransomware attack, and detection of misuse of compromised credentials in the early stages of an attack.
These findings further provide extensive details such as specific user actions, affected accounts and resources, extended time periods of activity, multiple signals observed over time, and tactics and techniques mapped to the MITRE ATT&CK framework.
Additionally, extended capabilities include automatic activation for all accounts in a region, availability at no extra cost in all supported commercial AWS regions, and integration with existing GuardDuty workflows, such as AWS Security Hub and Amazon EventBridge.
The firm further stated that the enhancement improves cloud security by automating the detection of sophisticated attack patterns and providing actionable insights, helping security teams concentrate on mitigating critical threats effectively.