AWS re:Invent 2025 - Testing GuardDuty's Runtime Detections: Hands-on with real world attack scenarios

Comprehensive Summary: AWS re:Invent 2025 - Testing GuardDuty's Runtime Detections

Overview of Amazon GuardDuty

  • Amazon GuardDuty is a threat detection service that monitors various log sources in AWS accounts
  • It applies machine learning and detection rules to identify threats in real-time
  • GuardDuty Runtime Monitoring is an optional solution that deploys an eBPF agent to compute workloads to gather OS-level events for monitoring and threat detection

Importance of Testing Runtime Monitoring

  • Testing runtime monitoring is crucial to:
    • Evaluate if it meets requirements
    • Test incident response capabilities
  • Many customers rely on simplistic tests that map to only a single MITRE ATT&CK technique
    • Such tests are not realistic and give no insight into how much noise the detections generate or how to manage it

How GuardDuty Gathers Real-World Threat Intelligence

  1. Customer incident data from the AWS CIRT (Customer Incident Response Team)
    • Learns about tactics, techniques, and top initial access methods used in attacks
    • Compromised credentials and public-facing application compromise are the top initial access techniques
  2. Threat intelligence from in-house and third-party sources
    • Indicators of compromise (IPs, domains, file hashes)
    • Tactics, techniques, and activity patterns used in real attacks
    • Context around threat targets and attack sequences

Example Real-World Attack Scenario

  • Web application compromise is a common attack vector
  • Typical steps:
    1. Attacker exploits a web application vulnerability to deploy a web shell
    2. Downloads and executes script-based malware
    3. Downloads and executes a second-stage malware (e.g., crypto miner, DDoS)
    4. Persists the malware execution via cron job or scheduled task
  • These actions map to specific MITRE tactics and techniques
  • GuardDuty learns about these patterns and uses them to develop detections

Testing GuardDuty Runtime Monitoring

  1. Set up the Amazon GuardDuty Tester environment
    • Deploys a locked-down VPC with EC2, ECS, and EKS resources
    • Ensures GuardDuty Runtime Monitoring is enabled
  2. Execute a realistic attack scenario
    • Deploy a vulnerable PHP web application on the EKS cluster
    • Execute an attack to compromise the web app, deploy a web shell, and execute malware
  3. Observe the GuardDuty findings
    • Suspicious command execution, suspicious tool usage, crypto miner detection
    • Attack sequence finding provides a comprehensive view of the detected tactics and techniques
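The three steps above end with findings that a defender has to evaluate against the scenario that was run. The script below is an added example, not code from the talk or from the Amazon GuardDuty Tester: it takes a list of findings exported from GuardDuty (here a constructed sample, shaped like the Type, Severity, Service.EventFirstSeen and Resource fields of a real finding, with a simplified Resource) and checks which steps of the web-application compromise scenario produced a finding and which did not. The finding Type strings follow GuardDuty's ThreatPurpose:ResourceType/ThreatFamily naming; the sample values, timestamps and resource id are assumptions for the example.

```python
import json

# Constructed sample findings for a scenario run (not real GuardDuty output).
# Resource is simplified to ResourceType and Id for the example.
SAMPLE_FINDINGS = json.loads("""
[
  {"Type": "Execution:Runtime/SuspiciousTool", "Severity": 5,
   "Service": {"EventFirstSeen": "2025-12-02T10:05:30Z"},
   "Resource": {"ResourceType": "EKSCluster", "Id": "webapp-pod-1"}},
  {"Type": "Execution:Runtime/SuspiciousCommand", "Severity": 5,
   "Service": {"EventFirstSeen": "2025-12-02T10:04:12Z"},
   "Resource": {"ResourceType": "EKSCluster", "Id": "webapp-pod-1"}},
  {"Type": "CryptoCurrency:Runtime/BitcoinTool.B!DNS", "Severity": 8,
   "Service": {"EventFirstSeen": "2025-12-02T10:07:45Z"},
   "Resource": {"ResourceType": "EKSCluster", "Id": "webapp-pod-1"}}
]
""")

# The scenario steps from the talk, each mapped to the GuardDuty threat
# purpose (the MITRE-style tactic prefix of a finding Type) that a finding
# for that step is expected to carry.
EXPECTED_STEPS = [
    ("web shell deployed via app vulnerability", {"Execution"}),
    ("script malware downloaded and executed", {"Execution"}),
    ("second-stage crypto miner executed", {"CryptoCurrency"}),
    ("persistence via cron job", {"Persistence"}),
]


def threat_purpose(finding_type):
    """'Execution:Runtime/SuspiciousCommand' -> 'Execution'."""
    return finding_type.split(":", 1)[0]


def timeline(findings):
    """Findings ordered by first-seen time as (time, tactic, type, resource id).

    ISO-8601 UTC timestamps sort chronologically as plain strings.
    """
    rows = [
        (f["Service"]["EventFirstSeen"], threat_purpose(f["Type"]),
         f["Type"], f["Resource"]["Id"])
        for f in findings
    ]
    return sorted(rows)


def observed_tactics(findings):
    """Distinct tactics in the order they were first seen (the attack sequence)."""
    seen = []
    for _, tactic, _, _ in timeline(findings):
        if tactic not in seen:
            seen.append(tactic)
    return seen


def step_coverage(findings, expected=EXPECTED_STEPS):
    """Map each scenario step to True if some finding carries one of its tactics."""
    observed = {threat_purpose(f["Type"]) for f in findings}
    return {step: bool(tactics & observed) for step, tactics in expected}


def missing_steps(findings, expected=EXPECTED_STEPS):
    """Scenario steps that produced no finding: the detection gaps to investigate."""
    return [step for step, hit in step_coverage(findings, expected).items() if not hit]


if __name__ == "__main__":
    for when, tactic, ftype, rid in timeline(SAMPLE_FINDINGS):
        print(f"{when}  {tactic:<15} {ftype:<45} {rid}")
    print("attack sequence:", " -> ".join(observed_tactics(SAMPLE_FINDINGS)))
    print("steps without a finding:", missing_steps(SAMPLE_FINDINGS))
```

In the constructed sample the persistence step (cron job) produced no finding, so `missing_steps` reports it; that is the result a tester wants surfaced, because a step with no finding is either a coverage gap in the detections or a sign that the scenario step did not actually run as intended.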

Key Takeaways

  • GuardDuty gathers real-world threat intelligence from customer incidents and threat intelligence sources
  • This information is used to prioritize and develop detections, including for runtime monitoring
  • Realistic attack scenarios can be used to effectively test GuardDuty's runtime monitoring capabilities
  • The Amazon GuardDuty Tester provides pre-built scenarios to simulate real-world attacks
