AWS Advanced Threat Intelligence
Introduction
AWS Advanced Threat Intelligence leverages a combination of real-time data analysis, machine learning, and global threat feeds to detect, analyze, and respond to security threats targeting AWS environments. This article provides a deeper look at the mechanisms, services, and practical examples that illustrate AWS’s approach to proactive and automated cloud security.
How AWS Collects and Uses Threat Intelligence
AWS gathers threat intelligence from a vast array of sources, including internet threat sensors, active network probes, and internal telemetry. For example, AWS’s MadPot system deploys honeypots and sensors globally to monitor and analyze threat actor behavior in real time. Within minutes of deploying a new sensor, AWS observes automated scanning and exploitation attempts, highlighting the speed and sophistication of modern threat actors. This intelligence is not only used to protect AWS infrastructure but is also shared with the broader security community to disrupt malicious activities at scale.
Core AWS Services for Threat Intelligence
Amazon GuardDuty
Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for signs of malicious activity and unauthorized behavior. It uses machine learning and integrated threat intelligence feeds to detect anomalies, such as unusual API calls, communication with known malicious IPs/domains, and signs of compromised credentials.
Key Features:
- Automated detection of threats like EC2 instance compromise, credential theft, and data exfiltration.
- Integration with AWS Lambda for automated remediation (e.g., isolating instances, revoking credentials).
- Customizable detection thresholds and suppression rules to fine-tune alerting and reduce noise.
Example Use Case: GuardDuty detects an SSH brute force attempt on an EC2 instance. An automated Lambda function updates a WAF IPSet to block the attacker’s IP, as shown below:
1
2
3
4
5
6
7
8
9
10
import boto3
def lambda_handler(event, context):
guardduty_findings = event['detail']['findings']
waf = boto3.client('wafv2')
for finding in guardduty_findings:
if finding['Type'] == 'UnauthorizedAccess:EC2/SSHBruteForce':
ip_set = waf.get_ip_set(Name='blocked_ips', Scope='REGIONAL')
new_ips = ip_set['IPSet']['Addresses'] + [finding['Resource']['InstanceDetails']['IpAddress']]
waf.update_ip_set(Name='blocked_ips', Addresses=new_ips, LockToken=ip_set['LockToken'])
This workflow demonstrates dynamic, intelligence-driven response to real threats.
AWS Security Hub
Security Hub aggregates and prioritizes findings from GuardDuty, AWS Inspector, and other sources, providing a unified view of security posture. It enables automation of incident response through custom rules, such as suppressing low-priority findings or escalating critical ones for immediate action.
Example Automation: Automatically update the status or severity of findings based on organizational policies, reducing manual workload and focusing attention on the most pressing alerts.
AWS WAF and Managed Rules
AWS WAF uses threat intelligence to block malicious web traffic. Managed rule groups incorporate real-time intelligence on DDoS, botnets, and malware, automatically updating to defend against emerging threats. Organizations can also automate the creation and updating of custom WAF rules based on GuardDuty findings or external threat feeds.
Example Use Case: Automatically add IPs associated with known botnets to a WAF IPSet, blocking them at the edge before they reach application resources.
Threat Intelligence Lifecycle in AWS
AWS supports the full threat intelligence lifecycle, from ingestion of cyber threat intelligence (CTI) feeds to automated enforcement and alerting:
- Collection: Ingest CTI from trusted communities and external sources.
- Processing: Analyze and correlate threats using machine learning and analytics.
- Action: Implement preventative controls (e.g., blocking IPs) and detective controls (e.g., alerting on suspicious activity).
- Sharing: Collaborate with ISPs, registrars, and CERTs to dismantle threat infrastructure.
Advanced Configurations and Best Practices
- Fine-tune detection thresholds in GuardDuty for your organization’s risk profile.
- Integrate GuardDuty findings with SIEM solutions (e.g., Splunk, Sumo Logic) for centralized visibility and advanced analytics.
- Automate incident response using AWS Step Functions, Lambda, and Security Hub automation rules.
- Continuously monitor and review post-incident findings to improve detection and response strategies.
Real-World Scenario
“Within approximately 90 seconds of launching a new sensor within our MadPot simulated workload, we can observe that the workload has been discovered by probes scanning the internet. From there, it takes only three minutes on average before attempts are made to penetrate and exploit it… This clearly demonstrates the voracity of scanning taking place and the high degree of automation that threat actors employ to find their next target.
This speed of attack underscores the necessity of automated, intelligence-driven defenses in cloud environments.
Conclusion
AWS Advanced Threat Intelligence is not just about detection—it’s a comprehensive, automated approach to identifying, analyzing, and responding to threats at cloud scale. By leveraging services like GuardDuty, Security Hub, and WAF, and by integrating real-time intelligence and automation, organizations can significantly reduce their risk and improve their security posture in the face of rapidly evolving threats.