Cloud Detective Controls.md - Juan-bit94/Ops401D10 GitHub Wiki

Cloud Detective Controls

Why does this topic matter?

  • Cloud Detective Controls matter because they identify and alert on security events (compromised credentials, traffic to known-bad hosts, unusual API activity) after they occur, so that the organization can respond. They complement preventive controls such as IAM policies and security groups, which cannot stop everything, and without them a breach can go unnoticed for months.
  • These controls are essential for safeguarding sensitive data, meeting compliance requirements (most frameworks require continuous monitoring and log retention), and maintaining the integrity and availability of cloud services.

What are some of the IoCs that GuardDuty can detect?

  • Amazon GuardDuty uses threat intelligence feeds (AWS-sourced and third-party lists, plus any custom threat lists you upload) to detect indicators of compromise such as
    • Known malicious IP addresses, for example an EC2 instance making an outbound connection to a command-and-control server or a cryptocurrency mining pool
    • Known malicious domains, detected from the DNS queries a resource makes
  • Separately from the threat intel feeds, GuardDuty uses anomaly detection to spot unusual patterns of login events on supported Amazon RDS and Aurora databases (RDS Protection), such as a successful login from a location that has never been seen before or a burst of failed logins.
  • For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware or mining cryptocurrency.

What are some of the data sources which GuardDuty can use?

  • Amazon GuardDuty uses foundational data sources to detect communication with known malicious domains and IP addresses and to baseline API activity. GuardDuty reads these through its own independent streams, so you do not need to enable CloudTrail trails or VPC Flow Logs in your account for GuardDuty to analyze them, and turning them on for your own use does not change what GuardDuty sees. The foundational data sources are
    • AWS CloudTrail event logs
    • AWS CloudTrail management events
    • VPC Flow Logs
    • DNS logs (only for queries that go through the Route 53 Resolver; instances pointed at a third-party DNS resolver are not covered, which is a common blind spot)

How does GuardDuty use access behavior to spot potential malicious activity?

  • According to the AWS GuardDuty user guide, finding types that end in AnomalousBehavior (for example Discovery:IAMUser/AnomalousBehavior) indicate that GuardDuty's anomaly-detection machine learning model identified API activity that deviates from the account's established baseline and is associated with tactics used by adversaries. The model evaluates the API requests in the account and tracks factors such as the user or role that made the request, the location the request was made from, and the specific API and service that were requested. These findings are not threat-intel matches: a single one can be benign (a new engineer, a new CI runner in another region), so the finding details, which show how the activity differed from the account's historical profile, should be reviewed before escalating.
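The three sections above (IoCs, data sources, anomalous behavior) come together when you triage findings. Below is an added example, not code from this wiki or from AWS, that reads GuardDuty findings as JSON (the shape you get from the GetFindings API or an EventBridge rule), splits the finding type into its documented parts, pulls out the IoC each finding carries, records which foundational data source produced it, and separates threat-intel hits from ML AnomalousBehavior findings. The three sample findings are constructed and trimmed to the fields the script reads; the account id, instance id, user name, domain, threat list name and IP addresses (RFC 5737 test ranges) are made up.

```python
"""Triage GuardDuty findings: IoC, originating data source, and whether the
finding came from a threat-intel list or the anomaly-detection ML model.

Added example; not code from the Ops401 wiki or from AWS. The findings
below are constructed samples trimmed to the fields this script reads."""
import json
from dataclasses import dataclass

# Field names follow the GuardDuty finding format; all values are made up.
SAMPLE_FINDINGS = json.loads(r"""
[
  {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
   "accountId": "111122223333",
   "resource": {"resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
   "service": {"action": {"actionType": "DNS_REQUEST",
                          "dnsRequestAction": {"domain": "c2.example.test",
                                               "protocol": "UDP", "blocked": false}},
               "additionalInfo": {"threatListName": "constructed-threat-list"},
               "count": 3}},
  {"type": "CryptoCurrency:EC2/BitcoinTool.B", "severity": 5,
   "accountId": "111122223333",
   "resource": {"resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
   "service": {"action": {"actionType": "NETWORK_CONNECTION",
                          "networkConnectionAction": {
                              "connectionDirection": "OUTBOUND", "protocol": "TCP",
                              "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                              "remotePortDetails": {"port": 3333}, "blocked": false}},
               "additionalInfo": {"threatListName": "constructed-threat-list"},
               "count": 12}},
  {"type": "Discovery:IAMUser/AnomalousBehavior", "severity": 2,
   "accountId": "111122223333",
   "resource": {"resourceType": "AccessKey",
                "accessKeyDetails": {"userName": "deploy-bot", "userType": "IAMUser"}},
   "service": {"action": {"actionType": "AWS_API_CALL",
                          "awsApiCallAction": {"api": "ListBuckets",
                                               "serviceName": "s3.amazonaws.com",
                                               "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}},
               "additionalInfo": {},
               "count": 1}}
]
""")

# Which foundational data source each action type is derived from.
DATA_SOURCE_BY_ACTION = {
    "DNS_REQUEST": "DNS logs",
    "NETWORK_CONNECTION": "VPC Flow Logs",
    "PORT_PROBE": "VPC Flow Logs",
    "AWS_API_CALL": "CloudTrail management events",
}


@dataclass
class Triage:
    finding_type: str
    threat_purpose: str      # tactic, e.g. Backdoor, Discovery
    resource_type: str       # e.g. EC2, IAMUser
    family: str              # ThreatFamilyName, e.g. C&CActivity, AnomalousBehavior
    severity_label: str
    data_source: str
    ml_anomaly: bool         # produced by the anomaly-detection ML model
    threat_intel_hit: bool   # matched a threat intelligence list
    ioc_kind: str
    ioc: str


def parse_finding_type(finding_type: str):
    """Split ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.Mechanism!Artifact."""
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    family = rest.split(".", 1)[0].split("!", 1)[0]
    return purpose, resource, family


def severity_label(score: float) -> str:
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def extract_ioc(service: dict):
    """Return (kind, value) for the indicator carried in service.action."""
    action = service.get("action", {})
    kind = action.get("actionType")
    if kind == "DNS_REQUEST":
        return "domain", action["dnsRequestAction"]["domain"]
    if kind == "NETWORK_CONNECTION":
        return "remote-ip", action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
    if kind == "AWS_API_CALL":
        call = action["awsApiCallAction"]
        ip = call.get("remoteIpDetails", {}).get("ipAddressV4", "unknown")
        return "api-call", f"{call['api']} on {call['serviceName']} from {ip}"
    return "unknown", ""


def triage(findings):
    rows = []
    for f in findings:
        purpose, resource, family = parse_finding_type(f["type"])
        service = f.get("service", {})
        ioc_kind, ioc = extract_ioc(service)
        rows.append(Triage(
            finding_type=f["type"], threat_purpose=purpose, resource_type=resource,
            family=family, severity_label=severity_label(float(f["severity"])),
            data_source=DATA_SOURCE_BY_ACTION.get(service.get("action", {}).get("actionType"), "unknown"),
            # The user guide's rule: types ending in AnomalousBehavior are ML-model findings.
            ml_anomaly=(family == "AnomalousBehavior"),
            threat_intel_hit="threatListName" in service.get("additionalInfo", {}),
            ioc_kind=ioc_kind, ioc=ioc))
    return rows


def summarize(findings) -> dict:
    rows = triage(findings)
    return {"threat_intel": sum(r.threat_intel_hit for r in rows),
            "ml_anomaly": sum(r.ml_anomaly for r in rows),
            "high_or_worse": sum(r.severity_label in ("High", "Critical") for r in rows)}


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        tag = "ML" if row.ml_anomaly else ("TI" if row.threat_intel_hit else "--")
        print(f"[{row.severity_label:8}] {tag} {row.finding_type:40} "
              f"{row.data_source:28} {row.ioc_kind}={row.ioc}")
    print(summarize(SAMPLE_FINDINGS))
```

The split into threat-intel hits and ML findings matters for the response playbook: a threat-intel hit already names the bad IP or domain, so the next step is to pivot on it in VPC Flow Logs or DNS logs, while an AnomalousBehavior finding only says the activity was unusual for this account and has to be checked against the user's expected behaviour first.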

Things I want to learn more about

  • I would like to learn about various detection techniques used by GuardDuty.
  • It would be interesting to learn about anomaly detection, threat intelligence feeds, and machine learning algorithms.