Today, AWS announces further enhancements to Amazon GuardDuty Extended Threat Detection. This capability now includes coverage for multi-stage attacks targeting Amazon Elastic Kubernetes Service (EKS) clusters in your AWS environment. GuardDuty correlates multiple security signals across Amazon EKS audit logs, runtime behavior of processes, malware execution, and AWS API activity to detect sophisticated attack patterns that might otherwise go unnoticed. These new attack sequence findings cover multiple resources and data sources over an extensive time period, allowing you to spend less time on first-level analysis and more time responding to critical severity threats, thereby minimizing business impact.
GuardDuty Extended Threat Detection uses artificial intelligence and machine learning algorithms trained at AWS scale to automatically correlate security signals to detect critical threats. For example, it can identify an anomalous deployment of a privileged container followed by persistence attempts, crypto mining, and reverse shell creation, representing these related events as a single, critical-severity finding. You can then take action based on a new attack sequence finding type of critical severity. Each finding includes an incident summary, detailed events timeline, mapping to MITRE ATT&CK® tactics and techniques, and remediation recommendations.
This capability is automatically enabled for all GuardDuty customers at no additional cost in all Regions where GuardDuty is available. To detect attack sequences involving Amazon EKS clusters, you must enable GuardDuty EKS Protection, and GuardDuty also recommends enabling GuardDuty Runtime Monitoring for EKS for more comprehensive security coverage. Take action on findings directly from the GuardDuty console or via integrations with AWS Security Hub and Amazon EventBridge.
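One way to wire the EventBridge integration mentioned above to these critical-severity attack sequence findings, as an added example that is not AWS's own code: the event pattern a defender would attach to an EventBridge rule, plus a small local matcher for the pattern subset it uses (exact value, prefix, numeric), so the pattern can be checked against sample findings offline before the rule is deployed. It assumes the GuardDuty critical band is 9.0-10.0, that attack sequence finding types share the "AttackSequence:" prefix, and that the finding type name and the sample events are constructed for illustration.

```python
# EventBridge rule event pattern (standard EventBridge pattern syntax): only
# GuardDuty attack sequence findings in the critical band (9.0-10.0) match.
CRITICAL_ATTACK_SEQUENCE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "AttackSequence:"}],
               "severity": [{"numeric": [">=", 9]}]},
}
_NUMERIC_OPS = {">": lambda v, b: v > b, ">=": lambda v, b: v >= b,
                "<": lambda v, b: v < b, "<=": lambda v, b: v <= b}

def _value_matches(alternatives, value):
    """A field matches if ANY listed alternative does (exact, prefix, numeric)."""
    for alt in alternatives:
        if not isinstance(alt, dict):
            if alt == value:
                return True
        elif "prefix" in alt:
            if isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif "numeric" in alt and isinstance(value, (int, float)):
            conds = alt["numeric"]  # e.g. [">=", 9] or [">=", 9, "<", 10]
            if all(_NUMERIC_OPS[conds[i]](value, conds[i + 1])
                   for i in range(0, len(conds), 2)):
                return True
    return False

def pattern_matches(pattern, event):
    """Every key in the pattern must exist in the event and match (recursively)."""
    for key, rules in pattern.items():
        if key not in event:
            return False
        if isinstance(rules, dict):
            if not (isinstance(event[key], dict) and pattern_matches(rules, event[key])):
                return False
        elif not _value_matches(rules, event[key]):
            return False
    return True

def findings_to_escalate(events):
    """Finding ids the rule would forward to the critical-response target."""
    return [e["detail"]["id"] for e in events
            if pattern_matches(CRITICAL_ATTACK_SEQUENCE_PATTERN, e)]

# Constructed sample events (not real findings); ids are placeholders and the
# attack sequence finding type name is assumed for this example.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail":
     {"id": "seq-eks-1", "type": "AttackSequence:EKS/CompromisedCluster", "severity": 9.5}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail":
     {"id": "single-1", "type": "Policy:Kubernetes/AnonymousAccessGranted", "severity": 5.0}},
]
```

Only the attack sequence finding is selected; lower-severity single-signal EKS findings still reach Security Hub through the normal path but are not escalated by this rule.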
To get started, visit the Amazon GuardDuty product page or try GuardDuty free for 30 days on the AWS Free Tier.
Source: Amazon AWS