Study Guides/AWS Cybersecurity Notes/Security Hub & Guard Duty

From Cramsession
Jump to navigationJump to search
✍️ Verified Author: MflavellClick to view professional profile & credentials

Amazon Guard Duty

This is a managed threat detection service.

  • Uses machine learning
  • Can process millions of events, captured by:
  • CloudTrail
  • DNS (Route 53)
  • VPC Flow longs


This service learns what is normal in the account to find abnormal actions.

  • Can detect connections with unisal sources.
  • EG: data been exfiltrated to a remote FTP server


This is a always on service:

  • Issues can be found without incurring a performance hit.
  • No local agentds are requires - this is Security as a Service.
  • No upfront costs with GuardDuty.
  • Installs in One Click no configuration nightmares.


Additionally:

  • Coverage is global.
  • Can detect intel-based well known threats
  • Can find behaviour based threats
  • Can monitor security over different accounts


Guard Duty Data Sources

Once enabling guard duty, it will use these data sources...


  • VPC Flow logs
Provide details about network communication
VPC flow logs can be turned off - because of this Guard Duty uses its onwn flow log stream.


  • CloudTrail Events
Stores SDK / Command line use for future reference.
Helps build a profile of your account to understand norms.


  • DNS logs
Checks for queries of known and unknown instances.
Can look at domains queries and compre them to threat intelligence.
Can be done with or without route 53 enabled.


GuardDuty Alerts

All detections are ranked: High, Medium or Low

This lets you know what items to address first.


Findings are devliered to three places:

Your secutiy hub.
A designated s3 bucket.
CloudWarch Events or Eventbridge


  • For this setup you must have security hub up and running.


Why use these:

Security hub - lets you see everything in one place.
Cloudwatch / Eventbridge can provide near realtime alerts using SNS.
S3 Keeps an audutable log of alerts.


Where does infomaton come from

Guard duty uses these sources:

AWS security intelegence
AWS Partners such as CrowdString and Proofpoint
Customer provided infomration.


What can be detected

Using this intelgence GuardDuty can detect:

Hosts infected with known malware.
Proxies or TOR gateways
Crypto mining or wallets
Hosting of malware or hacking tools
Retrieved from "https://cramsession.net/index.php?title=Study_Guides/AWS_Cybersecurity_Notes/Security_Hub_%26_Guard_Duty&oldid=1625"