AWS re:Invent 2025 - Supercharge security investigations with custom detection & analytics (SEC350)
Overview of Amazon GuardDuty
Amazon GuardDuty is a native AWS threat detection service used by 95% of AWS's top 2,000 customers
It monitors millions of EC2 instances and S3 buckets to detect account and resource-level compromises
GuardDuty leverages internal threat intelligence and detection algorithms to identify sophisticated cloud threats
It automatically consumes IoCs (IPs, domains, file hashes) from various internal threat detection systems
Malware Protection Offerings in GuardDuty
EC2 and Container Workload Scanning
In 2022, GuardDuty launched an agentless malware scanning solution for EC2 and container workloads
This allows customers to get malware protection coverage for all accounts and workloads with a single click
It provides centralized monitoring of malware findings with contextual data on the malware family and source
There is no performance impact on live workloads as no agents are installed
S3 Bucket Scanning for Untrusted Uploads
GuardDuty offers a fully managed solution to scan S3 objects for malware upon upload
This helps establish trust in data uploaded by external vendors or internal users
Scanned objects are tagged, allowing bucket policies to quarantine or restrict access to infected files
The scanning engine is automatically updated to detect the latest malware threats
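The quarantine-by-tag pattern described above, as an added example that is not code from the talk or the service: a bucket policy that denies reads of any object not tagged clean (so unscanned uploads are blocked until the scan completes), plus a small local evaluator to check the policy's logic against constructed tag sets. It assumes the tag key GuardDuty writes is `GuardDutyMalwareScanStatus` (per the AWS documentation) and uses placeholder bucket and role names.

```python
"""Quarantine S3 objects by GuardDuty malware scan-status tag (added example)."""
import json

BUCKET = "example-upload-bucket"                                   # placeholder
SCANNER_ROLE = "arn:aws:iam::111122223333:role/GuardDutyScanRole"  # placeholder
TAG_KEY = "GuardDutyMalwareScanStatus"   # tag key per AWS docs; verify in your account
CLEAN = "NO_THREATS_FOUND"


def quarantine_policy(bucket: str, scanner_role: str) -> dict:
    """Deny s3:GetObject unless the object carries the clean tag.

    StringNotEquals also matches objects that have no tag yet, so a fresh
    upload stays unreadable until GuardDuty has scanned and tagged it.
    The scanner role is exempted so it can read and tag the object."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnscannedOrInfectedReads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {f"s3:ExistingObjectTag/{TAG_KEY}": CLEAN},
                "ArnNotEquals": {"aws:PrincipalArn": scanner_role},
            },
        }],
    }


def read_denied(policy: dict, principal_arn: str, tags: dict) -> bool:
    """Local check of the Deny statement for one GetObject request.

    Mirrors IAM semantics for the two negated operators used: a missing
    tag makes StringNotEquals true, and a different ARN makes ArnNotEquals
    true. An explicit Deny applies when every condition is satisfied."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        cond = st["Condition"]
        tag_cond = all(tags.get(key.split("/", 1)[1]) != want
                       for key, want in cond["StringNotEquals"].items())
        arn_cond = cond["ArnNotEquals"]["aws:PrincipalArn"] != principal_arn
        if tag_cond and arn_cond:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(quarantine_policy(BUCKET, SCANNER_ROLE), indent=2))
```

Attach the generated document to the bucket with the usual PutBucketPolicy call; the evaluator only exists to reason about the conditions offline.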
Backup Scanning for Malware
GuardDuty recently expanded to scan AWS Backup resources (EBS, EC2 AMIs, S3 recovery points) for malware
This addresses a blind spot where malware can slip into backups undetected by live workload scanning
Automatic scanning of backups upon completion provides assurance of a "clean" restore point
Incremental scanning is used for cost efficiency, with periodic full scans to rebaseline the security status
Technical Details of the GuardDuty Malware Scanning Engine
Hash-based Engine
Used primarily to suppress false positives by excluding specific files
Resilient to minor file changes by hashing around variable sections
Pattern Matching Engine
Supports traditional signature-based scanning as well as more advanced conditional evaluations
Can extract bit-level characteristics for fine-grained pattern matching
Enables generic detections that cover multiple malware variants
Machine Learning Engine
Focused on detecting cryptocurrency miners, which are a significant problem in the AWS environment
Complements the hash and pattern matching engines to provide comprehensive malware detection
Third-Party Engine
Integrates a vendor-provided SDK to leverage their historical detection knowledge
Runs in an isolated instance to minimize data exfiltration risks
Provides a baseline of heuristic and machine learning-based detections
Runtime Monitoring and Network-level Scanning
GuardDuty's runtime service provides system-wide visibility into file system and network events
It can detect indicators like newly downloaded files, reverse shells, and anomalous network connections
For customers without the runtime service, network-level scanning monitors for suspicious activities
Business Impact and Use Case
New Bank, a large multinational bank, implemented GuardDuty's malware protection offerings
This allowed them to streamline their malware analysis process and improve cloud security coverage
By enabling automated scanning of S3 uploads and backups, they achieved global compliance and reduced operational overhead
The seamless integration with their existing environment caused no disruption to production teams
Key Takeaways
GuardDuty's fully managed malware protection offerings reduce the cost of ownership for customers
The combination of live workload scanning and backup scanning provides comprehensive protection against malware threats
The multi-engine malware detection approach (hash, pattern matching, ML) ensures high efficacy and low false positives
Integrating GuardDuty's findings with other security signals provides valuable context for security investigations
Customers like New Bank have successfully implemented GuardDuty's malware protection to improve their cloud security posture