
Leveraging AI to Investigate AWS GuardDuty Findings

AWS GuardDuty is essential for any organization seeking to secure its Amazon Web Services (AWS) environment. As a threat detection service, it leverages anomaly detection, machine learning (ML), and integrated threat intelligence to continuously monitor for potentially malicious behaviors and activities within AWS workloads, accounts, and data.

However, as AWS adoption continues to increase, with its revenue growing 17% in the financial year 2023-24, so too has the number of alerts generated by tools like AWS GuardDuty. This growth, combined with the omnipresent cybersecurity skills shortage, has left many security teams struggling to keep pace with alerts and protect their AWS environments.

Security teams increasingly turn to artificial intelligence (AI) to overcome this challenge and investigate AWS GuardDuty findings. This blog will explain how.

Translating GuardDuty Findings

AWS GuardDuty alerts contain complex, technical information that more junior analysts may need help understanding. AI-powered large language models (LLMs) can help by translating alerts into natural language. All an analyst needs to do is input the alert into their LLM of choice, along with a prompt along the lines of “You're an AWS security expert explaining a GuardDuty finding to a junior analyst in a way that is easily understandable. How would you summarize this alert in 4 sentences or less?”, and the tool will explain the alert in terms the analyst can understand.

Translating GuardDuty findings into language a junior analyst can understand is important because while the cybersecurity sector saw a record number of entry-level staff in 2023, it suffers from a shortage of more skilled professionals. By translating findings, junior analysts can take on more work, freeing time for senior staff to handle more complex tasks.

Providing an Investigation Plan

LLMs can also provide a high-level investigation plan for AWS GuardDuty alerts. Suppose that, in translating the alert, the LLM suggests the analyst investigate it further. In that case, they can input a prompt like “What plan of action should I take as a more junior investigator to investigate this alert completely?”, and the LLM will provide an overview of a suggested investigation plan. Again, this allows more junior analysts to carry out more complex tasks, relieving some of the burden on senior staff.

Triaging and Prioritizing Alerts

AI can also help triage and prioritize AWS GuardDuty alerts. By evaluating factors such as threat type, impacted assets, historical incident data, and potential impacts, AI models can assign risk scores to AWS GuardDuty findings. This helps security teams prioritize alerts, allowing them to spend time on more critical alerts. These technologies improve the accuracy of prioritizations by incorporating context from recent security events and known vulnerabilities.  

Correlating Threats

Security teams may also use AI to correlate AWS GuardDuty alerts with other security data sources, such as AWS CloudTrail and VPC Flow Logs. This process provides further context for alerts and helps security teams detect and understand potential threats they would not spot when examining a single finding in isolation.

Automating Incident Response

AI is also capable of automating incident response actions. Security teams can develop predefined response playbooks that AI initiates when GuardDuty detects a specific threat. These playbooks typically include actions such as:

  • Instance Isolation: AI isolates the compromised instance to prevent further threat spread.
  • Credential Revocation: AI revokes credentials associated with the compromised instance.
  • Security Team Notification: AI alerts the security team with detailed incident information.
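The risk scoring described under “Triaging and Prioritizing Alerts” and the playbook selection above can be combined in one small decision function. The following is an added example, not code from the original post or from AWS: it reads the `detail` of an EventBridge “GuardDuty Finding” event (a constructed sample with placeholder identifiers), derives a priority score from the finding's severity, the asset's `Environment` tag and the repeat count (a hypothetical weighting scheme), and returns the playbook actions to run. Destructive steps are gated behind an explicit human-approval action, so an analyst confirms the finding before isolation or revocation happens.

```python
# Constructed sample: the `detail` of an EventBridge "GuardDuty Finding" event,
# trimmed to the fields this example reads. Identifiers are placeholders.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0placeholder0000001",
                "tags": [{"key": "Environment", "value": "prod"}],
            },
        },
        "service": {"count": 12, "archived": False},
    },
}

# Hypothetical weighting: production assets raise the score, dev assets lower it.
ASSET_WEIGHT = {"prod": 1.5, "staging": 1.0, "dev": 0.6}


def risk_score(finding: dict) -> float:
    """Map a GuardDuty finding to a 0-10 priority score (assumed scheme)."""
    tags = finding.get("resource", {}).get("instanceDetails", {}).get("tags", [])
    env = next((t["value"] for t in tags if t.get("key") == "Environment"), None)
    weight = ASSET_WEIGHT.get(env, 1.0)          # non-instance resources: neutral weight
    repeat = min(finding.get("service", {}).get("count", 1), 10) / 10  # 0.1 .. 1.0
    return round(min(finding["severity"] * weight + repeat, 10.0), 1)


def playbook(event: dict) -> list:
    """Return the response actions the playbook would run for this event, in order."""
    if event.get("detail-type") != "GuardDuty Finding":
        return []
    finding = event["detail"]
    if finding.get("service", {}).get("archived"):
        return []                                 # already handled in GuardDuty; nothing to do
    actions = ["notify_security_team"]            # every finding is reported to the team
    if risk_score(finding) < 7.0:
        return actions                            # low/medium: analyst review only
    resource = finding["resource"]
    actions.append("require_human_approval")      # destructive steps wait for an analyst
    if resource["resourceType"] == "Instance":
        actions.append("isolate_instance:" + resource["instanceDetails"]["instanceId"])
    elif resource["resourceType"] == "AccessKey":
        actions.append("revoke_credentials:" + resource["accessKeyDetails"]["accessKeyId"])
    return actions
```

Run `playbook(SAMPLE_EVENT)` to see the prod brute-force finding score 8.5 and queue isolation behind approval; the same finding tagged `dev` with a single hit scores 1.3 and only notifies.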

Additionally, AI continuously learns from incidents over time, improving its ability to recognize patterns and optimize response strategies. AI can adapt its actions based on what has been most effective for specific threats, making real-time adjustments during ongoing incidents if needed. AI can also update playbooks dynamically based on insights, ensuring that incident response processes evolve to meet emerging threats.

Challenges and Considerations

While using AI to investigate AWS GuardDuty findings can significantly reduce the burden on security teams, streamline incident response, and improve security posture overall, organizations must maintain human oversight when integrating AI into the investigation process.

AI models might generate false positives, flagging benign activities as threats. This can lead to unnecessary alerts and increase the workload for security teams. Conversely, AI might miss certain threats or anomalies, especially if they don't fit established patterns. As such, analysts must confirm that the results are legitimate and accurate.

It's also crucial to ensure the data fed into AI models is accurate. AI relies on high-quality, consistent data from various sources. Inaccurate or incomplete logs from AWS CloudTrail, VPC Flow Logs, or other sources can lead to erroneous conclusions or missed threats.

Conclusion

Overall, AI can be a powerful tool for investigating AWS GuardDuty findings, but only with adequate human oversight. Your cloud environment is probably complex already and will only grow more so, so why not experiment with investigating AWS GuardDuty findings with AI?


About the author:

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
