401d8-read19 - carlosjorr/reading-notes GitHub Wiki

Cloud Detective Controls

What are some of the IoCs that GuardDuty can detect?

Unauthorized access to AWS resources: GuardDuty can detect suspicious login attempts, unusual API calls, and unauthorized access to AWS resources such as S3 buckets and EC2 instances.

Malware and Trojans: GuardDuty can detect known malware and Trojans based on threat intelligence data.

Cryptocurrency mining activity: GuardDuty can identify instances used for cryptocurrency mining activities, which might indicate unauthorized usage of computing resources.

Unauthorized port scanning and probing: GuardDuty can detect suspicious network activity like port scanning and probing, which might indicate attempts to discover vulnerable services.

Unusual data exfiltration: GuardDuty can identify large data transfers or unusual outbound traffic patterns, which might indicate data exfiltration.

What are some of the data sources that GuardDuty can use?

VPC Flow Logs: GuardDuty analyzes network flow logs to detect suspicious network activities and anomalies.

AWS CloudTrail: GuardDuty leverages CloudTrail logs to monitor API calls and detect unauthorized actions.

DNS logs: GuardDuty uses DNS query logs to identify malicious DNS activity.

AWS CloudWatch Events: GuardDuty integrates with CloudWatch Events to receive security-related alerts.

Threat intelligence feeds: GuardDuty uses third-party threat intelligence feeds to compare against observed activity and detect known malicious behavior.

How does GuardDuty use access behavior to spot potential malicious activity?

Anomalous IP addresses: GuardDuty looks for access from IP addresses that are not part of the usual access patterns.

Suspicious API calls: GuardDuty identifies unusual API call sequences or calls from unusual sources.

Resource access anomalies: GuardDuty looks for unusual access patterns to AWS resources, such as large data transfers, unauthorized access attempts, or privilege escalation.
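As an added illustration of the access-behaviour idea above (and of the CloudTrail data source listed earlier), here is a small baseline-and-deviation check over CloudTrail-style records. It is not GuardDuty's own logic and not code from these notes; the record fields kept, the account ID, the IP addresses and the PRIVILEGE_APIS list are constructed assumptions.

```python
from collections import defaultdict

def rec(user, ip, source, name, eid):
    # Minimal CloudTrail-style record: only the fields this check reads.
    return {"eventID": eid, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}

# Constructed sample data (not real account activity): a trusted baseline window, then new events.
BASELINE = [rec("alice", "203.0.113.10", "s3.amazonaws.com", "ListBuckets", "b1"),
            rec("alice", "203.0.113.10", "s3.amazonaws.com", "GetObject", "b2"),
            rec("alice", "203.0.113.10", "ec2.amazonaws.com", "DescribeInstances", "b3"),
            rec("bob", "198.51.100.7", "ec2.amazonaws.com", "DescribeInstances", "b4")]
NEW_EVENTS = [rec("alice", "203.0.113.10", "s3.amazonaws.com", "GetObject", "e1"),
              rec("alice", "192.0.2.55", "iam.amazonaws.com", "AttachUserPolicy", "e2"),
              rec("bob", "198.51.100.7", "ec2.amazonaws.com", "DescribeInstances", "e3"),
              rec("contractor", "192.0.2.55", "s3.amazonaws.com", "ListBuckets", "e4")]

# API calls that change who can do what: flagged even when they come from a known IP (assumed list).
PRIVILEGE_APIS = {"iam.amazonaws.com:AttachUserPolicy", "iam.amazonaws.com:CreateUser",
                  "iam.amazonaws.com:CreateAccessKey", "sts.amazonaws.com:AssumeRole"}

def build_profile(events):
    """Per principal, the source IPs and service:API pairs seen in the baseline window."""
    profile = defaultdict(lambda: {"ips": set(), "apis": set()})
    for e in events:
        p = profile[e["userIdentity"]["arn"]]
        p["ips"].add(e["sourceIPAddress"])
        p["apis"].add(f'{e["eventSource"]}:{e["eventName"]}')
    return profile

def score_event(event, profile):
    """Return the reasons an event deviates from its principal's baseline (empty = normal)."""
    arn, ip = event["userIdentity"]["arn"], event["sourceIPAddress"]
    api = f'{event["eventSource"]}:{event["eventName"]}'
    reasons, known = [], profile.get(arn)  # .get() does not create a default entry
    if known is None:
        reasons.append("principal never seen in baseline")
    else:
        if ip not in known["ips"]:
            reasons.append(f"new source IP {ip}")
        if api not in known["apis"]:
            reasons.append(f"first-seen API {api}")
    if api in PRIVILEGE_APIS:
        reasons.append("privilege-changing API")
    return reasons

def find_anomalies(events, profile):
    """Map eventID -> reasons for every event that deviates from the baseline."""
    scored = ((e["eventID"], score_event(e, profile)) for e in events)
    return {eid: reasons for eid, reasons in scored if reasons}
```

Running `find_anomalies(NEW_EVENTS, build_profile(BASELINE))` flags only e2 (new IP, first-seen and privilege-changing IAM call) and e4 (principal absent from the baseline), which is the shape of signal a baseline-driven detector produces.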