# AWS active threat defense for AWS Network Firewall
<a name="aws-managed-rule-groups-atd"></a>

The active threat defense managed rule group provides advanced network threat protection for your Network Firewall firewall policies. AWS continuously updates these rules based on Amazon threat intelligence to protect against active threats and cloud-specific attack patterns. Active threat defense complements the existing AWS managed rule groups, but it specifically uses Amazon threat intelligence from MadPot, an internal AWS threat intelligence and disruption service. For more information about MadPot, see [Meet MadPot, a threat intelligence tool Amazon uses to protect customers from cybercrime](https://www.aboutamazon.com/news/aws/amazon-madpot-stops-cybersecurity-crime).

AWS Network Firewall currently supports the `AttackInfrastructure` active threat defense rule group.

Each rule group name in the following table ends in either `StrictOrder` or `ActionOrder`. A firewall policy's *rule evaluation order* determines whether you can add `StrictOrder` or `ActionOrder` managed rule groups to the policy. For example, you can only add a rule group whose name ends in `StrictOrder` if the policy uses strict order as its rule evaluation order.

**Note**  
In the console, Network Firewall automatically filters the managed rule groups available for you to add to your policy. For information about rule evaluation order, see [Managing evaluation order for Suricata compatible rules in AWS Network Firewall](suricata-rule-evaluation-order.md).


| Rule group name | Maximum rule capacity per rule group | Description | 
| --- | --- | --- | 
|  `AttackInfrastructureStrictOrder`, `AttackInfrastructureActionOrder`  |  15,000  |  Protects against threat activity by blocking communication with known harmful infrastructure tracked by AWS. This includes: [See the AWS documentation website for more details](http://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-atd.html). Implements comprehensive filtering of both inbound and outbound traffic for multiple protocols, including TCP, TLS, HTTP, and outbound UDP. Uses verified threat indicators to ensure high accuracy and minimize false positives. AWS automatically removes threat indicators when there is no evidence of related threat activity.  | 

**Important**  
Network Firewall active threat defense managed rule groups have rule capacity limits that differ from the rule capacity limits that apply to other rule groups.

## Get started with active threat defense
<a name="atd-next-steps"></a>

To start using active threat defense, complete the following tasks:

1. Add the `AttackInfrastructure` rule group to your firewall policy. For instructions, see [Working with AWS managed rule groups in the Network Firewall console](nwfw-using-managed-rule-groups-console.md).
**Tip**  
After you add the rule group to your policy, you don't need to take any action to receive updates. AWS automatically updates the rules based on the latest threat intelligence.

1. Configure your firewall policy to use either strict order or action order evaluation. This determines which version of the rule group you can add. For more information, see [Managing evaluation order for Suricata compatible rules in AWS Network Firewall](suricata-rule-evaluation-order.md).

1. Optionally monitor your firewall's activity using CloudWatch Logs. For information about monitoring Network Firewall, see [AWS Network Firewall metrics in Amazon CloudWatch](monitoring-cloudwatch.md).
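Steps 1 and 2 above, together with the `StrictOrder`/`ActionOrder` naming rule described earlier, as an added example that is not AWS's code: it reads a firewall policy document in the shape returned by `DescribeFirewallPolicy`, picks the `AttackInfrastructure` variant that matches `StatefulEngineOptions.RuleOrder`, refuses a policy that already references the other variant, and adds the reference with a `Priority` only when the policy uses strict order. The managed rule group ARN layout and the sample policy are assumptions.

```python
# Added example, not AWS code: select the AttackInfrastructure variant that matches a
# firewall policy's stateful rule evaluation order and add it to the policy document.
import copy

# ARN layout assumed for AWS managed stateful rule groups; verify it in your account.
MANAGED_ARN = "arn:aws:network-firewall:{region}:aws-managed:stateful-rulegroup/{name}"
# StatefulEngineOptions.RuleOrder value -> suffix of the managed rule group name.
SUFFIX_FOR_ORDER = {"STRICT_ORDER": "StrictOrder", "DEFAULT_ACTION_ORDER": "ActionOrder"}

def rule_order(policy: dict) -> str:
    """Stateful rule evaluation order of a policy; the API default is action order."""
    return policy.get("StatefulEngineOptions", {}).get("RuleOrder", "DEFAULT_ACTION_ORDER")

def variant_for_policy(policy: dict) -> str:
    """Name of the only AttackInfrastructure variant this policy may reference."""
    return "AttackInfrastructure" + SUFFIX_FOR_ORDER[rule_order(policy)]

def mismatched_references(policy: dict) -> list:
    """Managed rule group ARNs whose order suffix conflicts with the policy's rule order."""
    wanted = SUFFIX_FOR_ORDER[rule_order(policy)]
    wrong = next(s for s in SUFFIX_FOR_ORDER.values() if s != wanted)
    return [r["ResourceArn"] for r in policy.get("StatefulRuleGroupReferences", [])
            if ":aws-managed:" in r["ResourceArn"] and r["ResourceArn"].endswith(wrong)]

def add_attack_infrastructure(policy: dict, region: str) -> dict:
    """Copy of the policy referencing the matching AttackInfrastructure variant.
    Strict order needs a unique Priority per reference (lowest runs first): the new group
    takes priority 1 and existing ones shift down. Action order must not set Priority."""
    if mismatched_references(policy):
        raise ValueError("policy references the variant for the other evaluation order")
    new = copy.deepcopy(policy)
    arn = MANAGED_ARN.format(region=region, name=variant_for_policy(policy))
    refs = new.setdefault("StatefulRuleGroupReferences", [])
    if any(r["ResourceArn"] == arn for r in refs):
        return new  # already present: nothing to change
    if rule_order(policy) == "STRICT_ORDER":
        for r in refs:
            r["Priority"] = r.get("Priority", 0) + 1
        refs.insert(0, {"ResourceArn": arn, "Priority": 1})
    else:
        refs.append({"ResourceArn": arn})
    return new

SAMPLE_POLICY = {  # constructed sample: strict-order policy with one customer rule group
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulRuleGroupReferences": [{"Priority": 1, "ResourceArn":
        "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/my-rules"}],
}
```

The returned document is what you would pass as `FirewallPolicy` to `UpdateFirewallPolicy`, together with the current `UpdateToken`.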

To learn more about active threat defense managed rule groups, review the topics in this guide:

**Topics**
+ [Get started with active threat defense](#atd-next-steps)
+ [Understanding active threat defense managed rule group indicators](atd-indicators.md)
+ [Deep threat inspection for active threat defense managed rule groups](atd-deep-threat-inspection.md)

# Understanding active threat defense managed rule group indicators
<a name="atd-indicators"></a>

A threat indicator is a unique identifier of potentially malicious infrastructure or threat activity. Active threat defense managed rule groups match traffic against IP address, domain name, and URL indicators that are associated with known threats.

**Tip**  
If you use Amazon GuardDuty, you can strengthen your security by using the active threat defense managed rule group to automatically block the threats that Amazon GuardDuty detects. For information, see [Working with active threat defense indicators in Amazon GuardDuty](nwfw-atd-guardduty-use-case.md).

AWS groups threat indicators into categories based on observed attack patterns. The following table describes each indicator group available in the active threat defense managed rule group:


| Indicator group and description | Traffic direction | Indicator types | 
| --- | --- | --- | 
|  **Command and control** Infrastructure that malicious actors use to remotely control compromised systems.  |  Egress  |  IPs, domains  | 
|  **Malware staging** Infrastructure that facilitates the distribution of malware and attack tooling.  |  Ingress/Egress  |  URLs  | 
|  **Sinkholes** Previously abused infrastructure used for malicious purposes.  |  Egress  |  Domains  | 
|  **Out-of-band application security testing** A technique where injected payloads make an outbound connection to external infrastructure that validates the existence of a vulnerability.  |  Egress  |  IPs, domains  | 
|  **Crypto-mining pool** Infrastructure used by crypto-miners.  |  Egress  |  IPs, domains  | 

# Working with active threat defense indicators in Amazon GuardDuty
<a name="nwfw-atd-guardduty-use-case"></a>

If you use Amazon GuardDuty, you can strengthen your security by using the active threat defense managed rule group to automatically block the threats that Amazon GuardDuty detects. Amazon GuardDuty can generate findings with the threat list name `Amazon Active Threat Defense`. You can block these threats by adding the `AttackInfrastructure` active threat defense rule group to your Network Firewall firewall policy.

**Note**  
The active threat defense managed rule group can block threats regardless of whether you use Amazon GuardDuty. This information is relevant only if you already use Amazon GuardDuty for threat detection.

The following Amazon GuardDuty finding types may indicate threats that the active threat defense managed rule group can block:

Command and control related findings  
+ `Backdoor:EC2/C&CActivity.B`
+ `Backdoor:EC2/C&CActivity.B!DNS`
+ `Backdoor:Lambda/C&CActivity.B`
+ `Backdoor:Runtime/C&CActivity.B`
+ `Backdoor:Runtime/C&CActivity.B!DNS`

Cryptocurrency related findings  
+ `CryptoCurrency:EC2/BitcoinTool.B`
+ `CryptoCurrency:EC2/BitcoinTool.B!DNS`
+ `CryptoCurrency:Lambda/BitcoinTool.B`
+ `CryptoCurrency:Runtime/BitcoinTool.B`
+ `CryptoCurrency:Runtime/BitcoinTool.B!DNS`
+ `Impact:EC2/BitcoinDomainRequest.Reputation`

Other threat findings  
+ `Trojan:EC2/BlackholeTraffic!DNS`
+ `Trojan:Runtime/BlackholeTraffic!DNS`
+ `UnauthorizedAccess:EC2/MaliciousIPCaller.Custom`

For more information about Amazon GuardDuty finding types, see [Active findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.

# Deep threat inspection for active threat defense managed rule groups
<a name="atd-deep-threat-inspection"></a>

AWS Network Firewall plans to augment the active threat defense managed rule group with an additional deep threat inspection capability. When this capability is released, AWS will analyze service logs of network traffic processed by these rule groups to identify threat indicators across customers. AWS will use these threat indicators to improve the active threat defense managed rule groups and protect the security of AWS customers and services.

**Note**  
Customers can opt out of deep threat inspection at any time through the AWS Network Firewall console or API. When customers opt out, AWS Network Firewall will not use the network traffic processed by those customers' active threat defense rule groups for rule group improvement.