Posted On: Mar 12, 2021

Amazon GuardDuty has incorporated new machine learning techniques that have proven highly effective at distinguishing potentially malicious user activity from anomalous but benign operational behavior within AWS accounts. This new capability continuously models API invocations within an account, incorporating probabilistic predictions to more accurately isolate and alert on highly suspicious user behavior. This new approach has been shown to identify malicious activity associated with known attack tactics, including discovery, initial access, persistence, privilege escalation, defense evasion, credential access, impact, and data exfiltration. The new threat detections are available to all existing Amazon GuardDuty customers with no action required and at no additional cost.

This latest enhancement upgrades GuardDuty’s existing AWS CloudTrail-based anomaly threat detections to improve accuracy, broaden AWS service coverage, and provide contextual data to assist in responding to alerts. This enhancement decreases alert volume for suspicious user behavior by over 50% compared to anomaly detection alone, while also tripling the AWS service coverage that GuardDuty provides. The contextual data produced in these new threat detections is viewable in the GuardDuty console and in the finding JSON pushed out through Amazon EventBridge. With this contextual data, you can quickly answer questions such as: Which AWS services may be impacted, and what attack tactics are associated with this suspicious behavior? What was anomalous about the activity? And what is the expected behavior for the individual user, as well as for all other users that operate in the same AWS account? This capability is now available in all Amazon GuardDuty supported regions, excluding the AWS GovCloud and China regions, which will be added at a later date. The eight new threat detections added are:

  1. Discovery:IAMUser/AnomalousBehavior 
  2. InitialAccess:IAMUser/AnomalousBehavior
  3. Persistence:IAMUser/AnomalousBehavior
  4. PrivilegeEscalation:IAMUser/AnomalousBehavior
  5. DefenseEvasion:IAMUser/AnomalousBehavior
  6. CredentialAccess:IAMUser/AnomalousBehavior
  7. Impact:IAMUser/AnomalousBehavior
  8. Exfiltration:IAMUser/AnomalousBehavior
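Since these findings are delivered through Amazon EventBridge, a response pipeline can key off the finding type `Tactic:IAMUser/AnomalousBehavior` to route them. The following is an added example, not code from the announcement or from AWS; it assumes the EventBridge envelope for GuardDuty findings carries the finding type at `detail.type` and the severity at `detail.severity`, and the sample event is constructed for illustration.

```python
"""Triage GuardDuty IAMUser/AnomalousBehavior findings received from EventBridge."""
import json

# The eight IAMUser/AnomalousBehavior finding types listed in the announcement,
# built from the attack-tactic prefix GuardDuty places before the colon.
ANOMALOUS_BEHAVIOR_TYPES = {
    f"{tactic}:IAMUser/AnomalousBehavior"
    for tactic in ("Discovery", "InitialAccess", "Persistence", "PrivilegeEscalation",
                   "DefenseEvasion", "CredentialAccess", "Impact", "Exfiltration")
}


def parse_finding_type(finding_type):
    """Split 'Tactic:ResourceType/Name' into its parts; return None if malformed."""
    tactic, sep, rest = finding_type.partition(":")
    resource, sep2, name = rest.partition("/")
    if not (sep and sep2 and tactic and resource and name):
        return None
    return tactic, resource, name


def triage(event):
    """Return a routing decision for one EventBridge event carrying a GuardDuty finding."""
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    parsed = parse_finding_type(finding_type)
    if parsed is None or finding_type not in ANOMALOUS_BEHAVIOR_TYPES:
        return {"route": "ignore", "reason": "not an IAMUser/AnomalousBehavior finding"}
    tactic, _, _ = parsed
    # Tactics that usually mean an identity is already being abused get paged
    # immediately; the remaining tactics are queued for analyst review.
    urgent = tactic in {"CredentialAccess", "PrivilegeEscalation", "Exfiltration"}
    return {
        "route": "page" if urgent else "queue",
        "tactic": tactic,
        "severity": detail.get("severity"),
        "account": detail.get("accountId"),
    }


# Constructed sample event in the EventBridge envelope shape (assumed, see lead-in).
SAMPLE_EVENT = json.loads("""{
  "source": "aws.guardduty",
  "detail-type": "GuardDuty Finding",
  "detail": {"type": "Exfiltration:IAMUser/AnomalousBehavior",
             "severity": 5, "accountId": "111122223333"}
}""")

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```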

Available globally, Amazon GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts, access keys, and EC2 instances. You can enable your 30-day free trial of Amazon GuardDuty with a single click in the AWS Management Console. To learn more, see Amazon GuardDuty Findings, and to receive programmatic updates on new Amazon GuardDuty features and threat detections, subscribe to the Amazon GuardDuty SNS topic.