Threat Detection in AWS

redhead0ntherun
Aug 8, 2021

As more companies adopt cloud services to enable remote work and reduce their dependence on on-prem solutions, more attackers are targeting cloud environments. Because cloud is still relatively new, many companies make simple mistakes that let attackers easily steal sensitive information or pivot from cloud infrastructure into internal applications and systems. As these attacks increased, cloud providers began offering native solutions for detecting possibly malicious activity within cloud environments. A reasonably good solution from AWS is GuardDuty.

“Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.” The service is not free; however, it's a great way to quickly increase threat detection capabilities within your AWS environments.

What does it detect?

GuardDuty, at the time of this writing (8/2021), has 74 unique signatures/detections, ranging from low-severity alerts, such as a CloudTrail logging policy being disabled, to more severe alerts that can flag backdoor behavior or C2 traffic. A full list of the detections can be found HERE. A useful GitHub repo conveniently maps these detections to MITRE ATT&CK (found HERE). An example of the MITRE Navigator output is seen below.
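As an added example that is not part of the original post, the Python below shows how the two finding types mentioned above would be handled by a small triage step: it splits a GuardDuty finding type into its taxonomy parts (ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact), maps the numeric severity onto GuardDuty's documented Low/Medium/High bands, and routes the finding. The escalation policy, the sample EventBridge events, and the finding ids are constructed assumptions for illustration.

```python
import re

# Finding types are ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact;
# the mechanism and artifact parts are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)

# Escalation policy is an assumption for this example, not a GuardDuty feature.
ESCALATE_PURPOSES = {"Backdoor"}


def parse_finding_type(finding_type):
    """Split a finding type into its taxonomy parts, or None if malformed."""
    m = FINDING_TYPE_RE.match(finding_type)
    return m.groupdict() if m else None


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if 7.0 <= score <= 8.9:
        return "High"
    if 4.0 <= score <= 6.9:
        return "Medium"
    if 1.0 <= score <= 3.9:
        return "Low"
    return "Unknown"


def triage(event):
    """Return the routing decision for one GuardDuty finding delivered via EventBridge."""
    detail = event["detail"]
    parts = parse_finding_type(detail["type"]) or {}
    label = severity_label(float(detail["severity"]))
    escalate = label == "High" or parts.get("purpose") in ESCALATE_PURPOSES
    return {"id": detail["id"], "severity": label, "purpose": parts.get("purpose"),
            "route": "page-oncall" if escalate else "ticket-queue"}


# Constructed sample events in the EventBridge "GuardDuty Finding" shape (not real findings).
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "example-1", "type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "example-2", "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```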
