GuardDuty Extended Threat Detection

GuardDuty Extended Threat Detection automatically detects multi-stage attacks that span data sources, multiple types of AWS resources, and time, within an AWS account. With this capability, GuardDuty focuses on the sequence of multiple events that it observes by monitoring different types of data sources. Extended Threat Detection correlates these events to identify scenarios that present themselves as a potential threat to your AWS environment, and then generates an attack sequence finding.

A single finding can encompass an entire attack sequence. For example, it might detect a scenario such as:

  1. A threat actor gaining unauthorized access to a compute workload.

  2. The actor then performing a series of actions such as privilege escalation and establishing persistence.

  3. Finally, the actor exfiltrating data from an Amazon S3 resource.

Extended Threat Detection covers threat scenarios that involve compromise related to AWS credentials misuse, and data compromise attempts in your AWS accounts. For more information, see Attack sequence finding types.

Because of the nature of these threat scenarios, GuardDuty considers all attack sequence finding types as Critical.

The following list provides key information about Extended Threat Detection.

Enabled by default

When you enable Amazon GuardDuty in your account in a specific AWS Region, Extended Threat Detection is also enabled by default. There is no additional cost associated with the usage of Extended Threat Detection. By default, it correlates events across all Foundational data sources. However, when you enable more GuardDuty protection plans, such as S3 Protection, the range of event sources widens and additional types of attack sequence detections become possible. This potentially allows a more comprehensive threat analysis and better detection of attack sequences. For more information, see Enable related protection plans.

How Extended Threat Detection works

GuardDuty correlates multiple events, including API activities and GuardDuty findings. These events are called signals. Sometimes, there are events in your environment that, on their own, don't present themselves as a clear potential threat. GuardDuty calls these weak signals. With Extended Threat Detection, GuardDuty identifies when a sequence of multiple actions aligns with potentially suspicious activity, and generates an attack sequence finding in your account. These actions can include both weak signals and already identified GuardDuty findings in your account.

GuardDuty is also designed to identify potential in-progress or recent attack behaviors (within a 24-hour rolling time window) in your account. For example, an attack could start by an actor gaining unintended access to a compute workload. The actor would then perform a series of steps, including enumeration, escalation of privileges, and exfiltration of AWS credentials. These credentials could potentially be used for further compromise or malicious access to data.

Extended Threat Detection page in GuardDuty console

By default, the Extended Threat Detection page in the GuardDuty console displays the Status as Enabled. Use the following steps to access the Extended Threat Detection page in the GuardDuty console:

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the left navigation pane, choose Extended Threat Detection.

    This page provides details about the threat scenarios that Extended Threat Detection covers.

Understanding and managing attack sequence findings

Attack sequence findings are just like other GuardDuty findings in your account. You can view them on the Findings page in the GuardDuty console. For information about viewing findings, see Findings page in GuardDuty console.

Similar to other GuardDuty findings, attack sequence findings are also automatically sent to Amazon EventBridge. Based on your settings, attack sequence findings are also exported to a publishing destination (Amazon S3 bucket). To set a new publishing destination or update an existing one, see Exporting generated findings to Amazon S3.
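Because every attack sequence finding is Critical and arrives in Amazon EventBridge like any other GuardDuty finding, a natural next step is an EventBridge rule that routes only those findings to a high-priority target. The following is an added example, not code from the GuardDuty documentation: it builds such a rule pattern in real EventBridge syntax (exact, `prefix` and `numeric` matchers) and includes a small local matcher so the pattern can be tested against constructed events before it is deployed. The finding type prefix `AttackSequence:`, the severity cut-off of 9 for Critical, and the sample finding bodies are assumptions to verify against findings in your own account.

```python
# Added example: EventBridge rule pattern for GuardDuty attack sequence findings,
# plus a minimal local implementation of EventBridge matching semantics so the
# pattern can be validated offline against constructed events.

# Rule pattern in EventBridge syntax. "aws.guardduty" and "GuardDuty Finding"
# are the real source/detail-type values; the type prefix and severity
# threshold are assumptions about the attack sequence finding schema.
ATTACK_SEQUENCE_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "type": [{"prefix": "AttackSequence:"}],   # assumed type prefix
        "severity": [{"numeric": [">=", 9]}],       # assumed Critical threshold
    },
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def _match_value(value, matchers):
    """True if value satisfies any matcher in an EventBridge matcher list."""
    for m in matchers:
        if isinstance(m, dict):
            if "prefix" in m and isinstance(value, str) and value.startswith(m["prefix"]):
                return True
            if "numeric" in m and isinstance(value, (int, float)):
                ops = m["numeric"]  # e.g. [">=", 9] or [">", 7, "<", 9]
                if all(_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                    return True
        elif value == m:  # exact match
            return True
    return False


def matches(pattern, event):
    """Recursive EventBridge-style match: every key in the pattern must match."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not _match_value(event[key], spec):
            return False
    return True


# Constructed sample events (not real findings): one attack sequence, one ordinary finding.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "seq-1", "type": "AttackSequence:S3/CompromisedData", "severity": 9}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "single-1", "type": "Discovery:S3/AnomalousBehavior", "severity": 5}},
]


def critical_sequence_ids(events, pattern=ATTACK_SEQUENCE_RULE):
    """Return the finding ids the rule would forward to the high-priority target."""
    return [e["detail"]["id"] for e in events if matches(pattern, e)]
```

The `ATTACK_SEQUENCE_RULE` dictionary can be serialized with `json.dumps` and used directly as the event pattern of an EventBridge rule.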

For any GuardDuty account in a Region, the Extended Threat Detection capability is enabled automatically. By default, this capability correlates events across all Foundational data sources. To benefit from this capability, you don't need to enable all the use-case focused GuardDuty protection plans.

Extended Threat Detection is designed so that enabling more protection plans broadens the set of security signals available for comprehensive threat analysis and coverage of attack sequences. GuardDuty recommends enabling S3 Protection in your account for the following reasons:

Benefit of enabling S3 Protection with Extended Threat Detection

For GuardDuty to detect an attack sequence that potentially includes data compromise in your Amazon Simple Storage Service (Amazon S3) buckets, you must enable S3 Protection in your account. This helps GuardDuty correlate more diverse signals across multiple data sources. GuardDuty uses the dedicated S3 Protection plan to identify findings that could potentially be one of the multiple stages in an attack sequence. For example, with GuardDuty foundational threat detection alone, GuardDuty can identify a potential attack sequence starting from IAM privilege discovery activity on Amazon S3 APIs, and detect subsequent S3 control plane alterations, such as changes that make a bucket resource policy more permissive. When you enable S3 Protection, GuardDuty expands its threat detection scope and gains the ability to detect potential data exfiltration activities that may occur after S3 bucket access becomes more permissive.

If S3 Protection is not enabled, GuardDuty cannot generate the individual S3 Protection finding types, and therefore cannot detect multi-stage attack sequences that depend on those findings. As a result, GuardDuty will not generate attack sequence findings associated with compromise of data.

Additional resources

View the following sections to gain more understanding about attack sequences: