Key Features of GuardDuty – Event Management with Security Hub and GuardDuty – SCS-C02 Study Guide

Key Features of GuardDuty

As a managed threat detection service, GuardDuty provides the following key features:

  • One-click activation with no impact on either architecture or performance
  • Constant monitoring of your AWS resources and accounts, including users and roles
  • Global coverage with results categorized regionally
  • The ability to detect intel-based known threats
  • The ability to detect behavior-based unknown threats through machine learning
  • The ability to manage security across accounts, using a single security account through linking so that the security team can see all threats in a single place

Now that you have an idea of the key features that GuardDuty offers, the next sections will help you dive deeper into those features.

Data Sources for GuardDuty

The Amazon GuardDuty service derives most of its information from three primary sources of data: VPC Flow Logs, DNS logs, and AWS CloudTrail events. All three are log streams that GuardDuty ingests, parses, and correlates to look for suspicious events.

VPC Flow Logs

VPC Flow Logs provide details about network communications and are especially useful for behavioral detection of unknown threats. When GuardDuty analyses the flow logs, it gets information similar to NetFlow data: the IP address you are communicating with, the originating IP address, the amount of data transferred, and the direction in which the traffic flowed. Using this information, GuardDuty can detect whether an instance or service is communicating with the IP address of a known bad actor on a threat intelligence list. The same data also feeds the models that detect unknown, behavior-based threats. An example would be an EC2 instance that suddenly starts transferring an unusually large amount of data for its particular workload.

Although you must turn on VPC Flow Logs yourself in order to view and parse that data, GuardDuty does not depend on them: it gathers the same information from an independent, duplicate VPC flow log stream. Thus, the flow logs you are charged for can be turned off at any point without affecting GuardDuty findings.
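To make the two detection styles above concrete, here is an added example (not part of the study guide and not GuardDuty's own code) that parses constructed records in the default VPC Flow Log format and applies both checks: a destination on a threat-intelligence list (known threat) and a flow moving far more bytes than the workload's typical flow (behavioral anomaly). The threat list, the sample records and the 10× median threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample records in the default VPC Flow Log format (not real traffic):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 203.0.113.7 44321 443 6 120 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 203.0.113.8 44322 443 6 118 14200 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 198.51.100.23 44323 443 6 125 15800 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 203.0.113.9 44324 443 6 119 14900 1700000180 1700000240 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 192.0.2.250 44325 443 6 90000 950000000 1700000240 1700000300 ACCEPT OK
""".splitlines()

# Constructed threat-intelligence list (a TEST-NET range, not a real indicator).
THREAT_LIST = [ip_network("198.51.100.0/24")]

@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    dstport: int
    nbytes: int

def parse_flow(line: str) -> Flow:
    """Pull the fields these checks need out of one default-format (version 2) record."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        raise ValueError(f"unexpected flow log record: {line!r}")
    return Flow(srcaddr=f[3], dstaddr=f[4], dstport=int(f[6]), nbytes=int(f[9]))

def known_threat_flows(flows):
    """Intel-based detection: the destination address falls in a threat-intel range."""
    return [f for f in flows if any(ip_address(f.dstaddr) in net for net in THREAT_LIST)]

def volume_anomalies(flows, factor=10):
    """Behavior-based detection: a flow moving far more bytes than the median flow of this workload."""
    baseline = median(f.nbytes for f in flows)
    return [f for f in flows if f.nbytes > factor * baseline]

def analyze(lines):
    flows = [parse_flow(line) for line in lines]
    return {
        "known_threat": [f.dstaddr for f in known_threat_flows(flows)],
        "volume_anomaly": [f.dstaddr for f in volume_anomalies(flows)],
    }

if __name__ == "__main__":
    print(analyze(FLOW_LOG_LINES))
```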

AWS CloudTrail Events

With CloudTrail logs, all API calls made through the AWS Management Console, any SDK, or the AWS command line are recorded and stored for future reference. This allows user and account activity, including source IP addresses, to be captured and analyzed by GuardDuty. The data from the CloudTrail logs helps build a profile of your account that lets GuardDuty understand what normal activity looks like. As the model evolves, it learns the usage patterns and can more readily pick up on abnormal activity.

DNS logs

When an Amazon EC2 instance resolves the fully qualified domain name (FQDN) of a known or unknown host, that request generates a DNS log entry. DNS logs are obtained from the query resolver in your VPC, which listens on one of the VPC's reserved addresses, the .2 address.

Note

You will learn more about the different address spaces that are reserved when creating a VPC in Chapter 10, Configuring Infrastructure Security.

Using the DNS logs, GuardDuty can analyze all the domains that your instances query and then compare them against the threat intelligence lists that AWS has compiled.

You are not required to enable the Amazon Route 53 service or stand up any hosted zones to generate DNS logs. The Amazon GuardDuty service can generate DNS-based findings with or without Route 53 enabled.