AWS Threat Detection & IR

AWS Threat Detection & IR


Re:Inforce 2021 Presentation Notes

The “Auto-Enable” in Organizations from a root account enables services below if enabled on new and existing member accounts. A brief touchpoint on each AWS security related service for Threat Detection & IR is provided below.

GuardDuty - Uses ML to present security alerts for your account, you can define suppression rules to quiet down alert noise. Prioritize by severity, but do not simply ignore low or medium alerts as they can often lead to escalation of risk. Operation is key, utilize Event Bridge for notifications and/or automations. Work to define run-books and response actions for different situations or categories. Start small and expand your automation and response strategy. Alerts for the following are available once enabled:

  • Instance Credential Exfiltration
  • Command and Control
  • Tor Usage
  • Domain Name Reputation
  • Crypto Mining
  • EMR Port Probe
  • Denial of Service
  • Root Credential Usage

Detective - Useful for deeper dive on Root Cause Analysis for alerts that occur across your account. 12 months of historical data is kept here from across multiple AWS services to aide in investigation.

Example Scenarios:

  • Is the country or ASN somewhere unexpected for users?
  • Does the finding request or access sensitive APIs?

Security Hub - Aggregates findings across numerous AWS resources and services. This also displays best practice checks for resources within your account. Enables you to use automated remediation for high-severity configuration findings. For example, public S3 buckets or publicly available security groups. You can use security hub to write custom actions for operators to execute. This defines a response process and ensures it’s repeated for remediation the same way each time by operations that occur in the AWS account.