AWS re:Invent 2025 - Supercharge security investigations with custom detection & analytics (SEC350)

Overview of Amazon GuardDuty

  • Amazon GuardDuty is AWS's native threat detection service; the talk cites adoption by 95% of AWS's top 2,000 customers
  • It monitors millions of EC2 instances and S3 buckets to detect compromises at both the account and the resource level
  • GuardDuty combines internal threat intelligence with detection algorithms to identify sophisticated cloud threats
  • It automatically ingests IOCs (IP addresses, domains, file hashes) from a range of internal threat detection systems

Malware Protection Offerings in GuardDuty

EC2 and Container Workload Scanning

  • In 2022, GuardDuty launched agentless malware scanning for EC2 and container workloads
  • Customers can enable malware protection for all accounts and workloads with a single click
  • Malware findings are monitored centrally, with context on the malware family and its source
  • Because the scan runs against a snapshot of the instance's EBS volumes rather than on the instance itself, no agent is installed and live workloads see no performance impact

S3 Bucket Scanning for Untrusted Uploads

  • GuardDuty offers a fully managed scan of S3 objects for malware as they are uploaded
  • This establishes trust in data uploaded by external vendors or internal users before it is consumed downstream
  • Each scanned object is tagged with its scan result (tag key GuardDutyMalwareScanStatus), so bucket policies can quarantine infected objects or deny access until a clean result is present
  • The scanning engine is updated automatically to detect the latest malware threats
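The tag-based quarantine described above, as an added example that is not part of the talk. It spells out the bucket-policy shape AWS recommends for Malware Protection for S3 (deny reads unless the object's scan tag is NO_THREATS_FOUND, and deny anyone but the GuardDuty role the right to write that tag) and adds a minimal evaluator for the two IAM condition semantics the policy relies on, so the failure modes can be checked offline: an unscanned object has no tag and is denied, a tampered tag is blocked, and the scanner role itself is exempt. The account ID, role ARN, bucket name and analyst principal are assumptions.

```python
"""Tag-based quarantine for GuardDuty Malware Protection for S3 (added example)."""
import json

SCAN_STATUS_TAG = "GuardDutyMalwareScanStatus"   # tag key GuardDuty writes after a scan
TAG_CONDITION_KEY = f"s3:ExistingObjectTag/{SCAN_STATUS_TAG}"
GUARDDUTY_ROLE = "arn:aws:iam::111122223333:role/GuardDutyMalwareProtectionRole"  # assumed
BUCKET = "amzn-s3-demo-bucket"                                                      # assumed

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny reads unless the scan tag is NO_THREATS_FOUND. StringNotEquals on a
            # missing key evaluates to true, so objects GuardDuty has not tagged yet
            # (or tagged UNSUPPORTED / FAILED) are denied as well: fail closed.
            "Sid": "NoReadExceptForClean",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": [GUARDDUTY_ROLE]},
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {TAG_CONDITION_KEY: "NO_THREATS_FOUND"}},
        },
        {   # Only the GuardDuty role may set the scan tag; otherwise any principal with
            # PutObjectTagging could relabel a THREATS_FOUND object as clean.
            "Sid": "OnlyGuardDutyWritesScanTag",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": [GUARDDUTY_ROLE]},
            "Action": ["s3:PutObjectTagging"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"ForAnyValue:StringEquals": {"s3:RequestObjectTagKeys": [SCAN_STATUS_TAG]}},
        },
    ],
}


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the two IAM operators the policy uses against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False            # key present and equal: negated test fails
            elif operator == "ForAnyValue:StringEquals":
                if not any(v in expected for v in (actual or [])):
                    return False            # missing or empty set: ForAnyValue is false
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(principal: str, action: str, object_tags=None, request_tag_keys=None,
             policy=BUCKET_POLICY) -> str:
    """Return 'Deny' if a Deny statement matches the request, else 'Allow'.

    Simplification: only the explicit-Deny side of IAM is modelled; a real
    request additionally needs an Allow from an identity or resource policy.
    """
    context = {
        TAG_CONDITION_KEY: (object_tags or {}).get(SCAN_STATUS_TAG),
        "s3:RequestObjectTagKeys": list(request_tag_keys or []),
    }
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if principal in stmt["NotPrincipal"]["AWS"]:
            continue                        # NotPrincipal: the scanner itself is exempt
        if _condition_matches(stmt["Condition"], context):
            return "Deny"
    return "Allow"


def policy_json() -> str:
    """The policy as JSON, ready to paste into the bucket policy editor."""
    return json.dumps(BUCKET_POLICY, indent=2)


if __name__ == "__main__":
    analyst = "arn:aws:iam::111122223333:user/analyst"    # assumed principal
    print(evaluate(analyst, "s3:GetObject", {SCAN_STATUS_TAG: "NO_THREATS_FOUND"}))   # Allow
    print(evaluate(analyst, "s3:GetObject", {SCAN_STATUS_TAG: "THREATS_FOUND"}))      # Deny
    print(evaluate(analyst, "s3:GetObject", {}))                                       # Deny (not scanned yet)
    print(evaluate(analyst, "s3:PutObjectTagging", request_tag_keys=[SCAN_STATUS_TAG]))  # Deny
    print(policy_json())
```

The fail-closed behaviour is the point to notice: because StringNotEquals is true when the tag is absent, a consumer that reads objects the moment they land will be denied until GuardDuty has tagged them, so downstream pipelines should be driven by the scan-result event rather than by the upload itself. The second statement matters just as much as the first; without it, the quarantine is only as strong as the weakest principal holding s3:PutObjectTagging on the bucket.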

Backup Scanning for Malware

  • GuardDuty recently expanded to scan AWS Backup resources (EBS, EC2 AMIs, S3 recovery points) for malware
  • This closes a blind spot: malware can be captured in a backup without ever having been flagged by live workload scanning
  • Scanning each backup automatically on completion gives assurance that a restore point is clean
  • Incremental scanning keeps costs down, with periodic full scans to rebaseline the security status
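Why incremental scanning needs the periodic full rescan, as an added example that is not GuardDuty's implementation or API. Recovery points are modelled as block maps (block id to bytes; EBS snapshots are themselves block-incremental, which is what makes changed-block scanning natural), and the scanner state remembers the digest each block was last checked with. Incremental scans only touch changed blocks, so a block that was clean under an older signature set is never re-examined until a full scan is forced: on first sight, when the signature set changes, or after a fixed number of incremental scans. The signature sets and block contents are constructed.

```python
"""Incremental scanning of backup recovery points with periodic full rebaselines (added example)."""
from dataclasses import dataclass, field
import hashlib

# Constructed signature sets; version 2 knows a pattern that version 1 did not.
SIGNATURES = {
    1: [b"xmrig"],
    2: [b"xmrig", b"stratum+tcp://"],
}


@dataclass
class ScanState:
    signature_version: int = 0                      # signature set used at the last full scan
    scanned: dict = field(default_factory=dict)     # block_id -> sha256 hex digest when last scanned
    scans_since_full: int = 0


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def infected(data: bytes, sig_version: int) -> bool:
    return any(sig in data for sig in SIGNATURES[sig_version])


def plan_scan(blocks: dict, state: ScanState, sig_version: int, full_every: int = 7):
    """Decide the scan mode and which block ids to examine for this recovery point."""
    need_full = (
        not state.scanned                              # never scanned: no baseline yet
        or sig_version != state.signature_version      # new signatures: rebaseline everything
        or state.scans_since_full >= full_every        # periodic rebaseline
    )
    if need_full:
        return "full", set(blocks)
    changed = {b for b, data in blocks.items() if state.scanned.get(b) != digest(data)}
    return "incremental", changed


def scan_recovery_point(blocks: dict, state: ScanState, sig_version: int, full_every: int = 7):
    """Run the planned scan, update the state, and return (mode, sorted infected block ids)."""
    mode, ids = plan_scan(blocks, state, sig_version, full_every)
    findings = sorted(b for b in ids if infected(blocks[b], sig_version))
    for b in ids:
        state.scanned[b] = digest(blocks[b])
    if mode == "full":
        state.signature_version = sig_version
        state.scans_since_full = 0
    else:
        state.scans_since_full += 1
    return mode, findings


def demo():
    """Three recovery points of one volume; returns the (mode, findings) of each scan."""
    state = ScanState()
    # Constructed blocks: b1 already carries a miner pool URL that signature set 1 does not know.
    rp1 = {"b0": b"sshd_config PermitRootLogin no", "b1": b"cron: curl stratum+tcp://pool.example"}
    results = [scan_recovery_point(rp1, state, sig_version=1)]      # full, nothing found
    rp2 = dict(rp1, b0=b"sshd_config PermitRootLogin yes")           # only b0 changed
    results.append(scan_recovery_point(rp2, state, sig_version=1))  # incremental: b0 only, b1 skipped
    results.append(scan_recovery_point(rp2, state, sig_version=2))  # signatures changed: full, b1 found
    return results


if __name__ == "__main__":
    for mode, findings in demo():
        print(mode, findings)
```

The second scan is the case to watch: b1 is infected but unchanged, so an incremental pass never looks at it, and only the full rebaseline triggered by the new signature set catches it. A scheduler that rebaselines only on a timer would leave that window open for as long as the timer runs.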

Technical Details of the GuardDuty Malware Scanning Engine

Hash-based Engine

  • Used primarily to suppress false positives by allowlisting specific known-good files
  • Resilient to minor file changes because the hash skips the file's variable sections

Pattern Matching Engine

  • Supports traditional signature-based scanning as well as more advanced conditional evaluations
  • Can extract bit-level characteristics for fine-grained pattern matching
  • Enables generic detections that cover multiple malware variants
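The hash-based and pattern-matching techniques described in the two sections above, as a constructed illustration that is added here and is not GuardDuty's engine or rule format. Two builds of the same internal tool differ only in a 16-byte build id, so a whole-file hash would need one allowlist entry per build while a hash that zeroes the variable region needs one; a rule made of hex-with-wildcard and regex strings plus a "2 of them" condition then catches two miner-config variants that share no single string, while a README that merely mentions one flag stays clean. All samples, offsets and rule strings are constructed.

```python
"""Hash-around-variable-sections allowlisting and a conditional pattern rule (added example)."""
import hashlib
import re

HEADER = b"MZ\x90\x00\x03\x00\x00\x00"     # constructed fixed 8-byte header
BUILD_ID_REGION = (8, 24)                   # constructed: bytes 8..24 vary per build


def region_hash(data: bytes, skip) -> str:
    """SHA-256 of data with the byte ranges in `skip` zeroed, so they do not affect the hash."""
    buf = bytearray(data)
    for start, end in skip:
        end = min(end, len(buf))
        if start < end:
            buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()


def compile_hex(pattern: str):
    """Turn 'AA BB ?? CC' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed generic rule: any 2 of the 3 strings fire, whichever variant is at hand.
MINER_RULE = {
    "name": "generic_miner_config",
    "strings": {
        "$pool": compile_hex("73 74 72 61 74 75 6D 2B 74 63 70 3A 2F 2F"),   # "stratum+tcp://"
        "$wallet": re.compile(rb"--(?:user|wallet)=[0-9A-Za-z]{20,}"),
        "$donate": re.compile(rb"donate-level"),
    },
    "min_matches": 2,
}


def match_rule(rule, data: bytes):
    """Return the sorted names of matched strings if the N-of condition holds, else []."""
    hits = sorted(name for name, rx in rule["strings"].items() if rx.search(data))
    return hits if len(hits) >= rule["min_matches"] else []


def classify(data: bytes, allowlist: set, rule=MINER_RULE):
    """Allowlist by region hash first (false-positive suppression), then pattern match."""
    if region_hash(data, [BUILD_ID_REGION]) in allowlist:
        return "allowlisted", []
    hits = match_rule(rule, data)
    return ("malicious", hits) if hits else ("clean", [])


def make_build(build_id: bytes, body: bytes) -> bytes:
    assert len(build_id) == BUILD_ID_REGION[1] - BUILD_ID_REGION[0]
    return HEADER + build_id + body


# Constructed samples.
TOOL_BODY = b"miner-detection-smoketest stratum+tcp://pool.example:3333 donate-level=1"
TOOL_BUILD_1 = make_build(b"A" * 16, TOOL_BODY)     # reviewed and allowlisted
TOOL_BUILD_2 = make_build(b"B" * 16, TOOL_BODY)     # rebuilt; only the build id differs
VARIANT_A = b"\x00" * 24 + b"cfg: stratum+tcp://a.example:443 donate-level=0"
VARIANT_B = b"\x7fELF" + b"\x00" * 20 + b"--wallet=4ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef stratum+tcp://b.example:3333"
BENIGN_README = b"README: set donate-level to 0 to disable the fee"
ALLOWLIST = {region_hash(TOOL_BUILD_1, [BUILD_ID_REGION])}

if __name__ == "__main__":
    for name, sample in [("build2", TOOL_BUILD_2), ("variant_a", VARIANT_A),
                         ("variant_b", VARIANT_B), ("readme", BENIGN_README)]:
        print(name, classify(sample, ALLOWLIST))
```

The ordering in classify is deliberate: the allowlist is consulted before the rule, which is exactly the false-positive-suppression role the hash engine plays above, and the region hash is what lets one allowlist entry survive a rebuild. The single-string README shows why the condition is part of the rule rather than an afterthought; without the "2 of" threshold, "$donate" alone would flag documentation.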

Machine Learning Engine

  • Focused on detecting cryptocurrency miners, a prevalent threat in AWS environments
  • Complements the hash and pattern matching engines to provide comprehensive malware detection

Third-Party Engine

  • Integrates a vendor-provided SDK to leverage their historical detection knowledge
  • Runs in an isolated instance to minimize data exfiltration risks
  • Provides a baseline of heuristic and machine learning-based detections

Runtime Monitoring and Network-level Scanning

  • GuardDuty Runtime Monitoring provides system-wide visibility into file system and network events
  • It can detect indicators such as newly downloaded files, reverse shells, and anomalous network connections
  • For customers without Runtime Monitoring enabled, GuardDuty's network-level monitoring (VPC Flow Logs and DNS logs) still surfaces suspicious activity

Business Impact and Use Case

  • New Bank, a large multinational bank, implemented Guard Duty's malware protection offerings
  • This allowed them to streamline their malware analysis process and improve cloud security coverage
  • By enabling automated scanning of S3 uploads and backups, they achieved global compliance and reduced operational overhead
  • The seamless integration with their existing environment caused no disruption to production teams

Key Takeaways

  • GuardDuty's fully managed malware protection offerings reduce customers' total cost of ownership
  • The combination of live workload scanning and backup scanning provides comprehensive protection against malware threats
  • The multi-engine detection approach (hash, pattern matching, ML, and a third-party engine) delivers high efficacy with low false positives
  • Correlating GuardDuty findings with other security signals gives valuable context for security investigations
  • Customers like New Bank have used GuardDuty's malware protection to improve their cloud security posture
