Amazon GuardDuty Extended Threat Detection now supports Amazon EC2 and Amazon ECS

Posted on: Dec 2, 2025

AWS announces further enhancements to Amazon GuardDuty Extended Threat Detection with new capabilities to detect multistage attacks targeting Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Container Service (Amazon ECS) clusters running on AWS Fargate or Amazon EC2. GuardDuty Extended Threat Detection uses artificial intelligence and machine learning algorithms trained at AWS scale to automatically correlate security signals and detect critical threats. It analyzes multiple security signals across network activity, process runtime behavior, malware execution, and AWS API activity over extended periods to detect sophisticated attack patterns that might otherwise go unnoticed.

With this launch, GuardDuty introduces two new critical-severity findings: AttackSequence:EC2/CompromisedInstanceGroup and AttackSequence:ECS/CompromisedCluster. These findings provide attack sequence information, allowing you to spend less time on initial analysis and more time responding to critical threats, minimizing business impact. For example, GuardDuty can identify suspicious processes followed by persistence attempts, crypto-mining activities, and reverse shell creation, representing these related events as a single, critical-severity finding. Each finding includes a detailed summary, events timeline, mapping to MITRE ATT&CK® tactics and techniques, and remediation recommendations.

While GuardDuty Extended Threat Detection is automatically enabled for GuardDuty customers at no additional cost, its detection comprehensiveness depends on your enabled GuardDuty protection plans. To improve attack sequence coverage and threat analysis of Amazon EC2 instances, enable Runtime Monitoring for EC2. To enable detection of compromised ECS clusters, enable Runtime Monitoring for Fargate or EC2 depending on your infrastructure type.

To get started, enable GuardDuty protection plans via the Console or API. New GuardDuty customers can start with a 30-day free trial, and existing customers who haven't used Runtime Monitoring can also try it free for 30 days. For additional information, visit the blog post and the Amazon GuardDuty product page.
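Because both new findings are critical severity, a common follow-up is to route them to a response target with an EventBridge rule. The example below is added here and is not AWS or GuardDuty code: it builds the event pattern for the two finding types named above and checks constructed sample events against a simplified matcher (exact-value lists only, which is all this pattern needs); finding ids are placeholders.

```python
"""Route GuardDuty Extended Threat Detection findings for EC2 and ECS.
Added example; the matcher is a simplified re-implementation of EventBridge
pattern semantics (exact-value lists, nested keys) sufficient for this pattern."""
import json

# The two finding types introduced by this launch.
ATTACK_SEQUENCE_TYPES = [
    "AttackSequence:EC2/CompromisedInstanceGroup",
    "AttackSequence:ECS/CompromisedCluster",
]

# EventBridge pattern: GuardDuty publishes findings with this source/detail-type.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ATTACK_SEQUENCE_TYPES},
}

def matches(pattern, event):
    """True if every pattern key exists in the event and its value is one of
    the listed alternatives; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

# Constructed sample events shaped like EventBridge GuardDuty finding events.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "AttackSequence:ECS/CompromisedCluster",
                "severity": 9.0, "id": "PLACEHOLDER-FINDING-1"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort",
                "severity": 2.0, "id": "PLACEHOLDER-FINDING-2"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

def route(events, pattern=EVENT_PATTERN):
    """Return the finding types of events the rule would forward to its target."""
    return [e["detail"]["type"] for e in events if matches(pattern, e)]

if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))
    print(route(SAMPLE_EVENTS))
```

The `EVENT_PATTERN` dict can be serialized with `json.dumps` and used directly as the rule's event pattern.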