The THREAT HUNTER of your Cloud
DAY 25 – THE THREAT HUNTER OF CLOUD – Day Twenty Five
- Collect logs from AWS resources.
- Use machine learning, statistical analysis and graph theory.
- Detect and investigate threats.
Amazon Detective is a fast and effective way to identify the root cause of security issues. It can process terabytes of data and presents that vast amount of information through visualizations.
How to?
- Enable Amazon Detective from the console.
- The data is automatically organized into a graph model; investigate using findings from GuardDuty, AWS Security Hub and Amazon Macie.
- Find the cause using interactive visualizations.
Let's talk a bit about Amazon GuardDuty.
It's a threat detection service from AWS which continuously monitors for malicious activity, with the help of machine learning and anomaly detection.
Data from CloudTrail, VPC Flow Logs and DNS logs is used for the analysis that feeds the graph view.
GuardDuty has to be enabled, and you must wait 48 hours before Detective can be enabled.
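The enable order above (GuardDuty first, then Detective once GuardDuty has been running for 48 hours) as an added example that is not the post's own code. The method names and response shapes are boto3's real GuardDuty and Detective client calls; the clients are passed in, so the logic can also be exercised offline against the constructed stand-ins at the bottom. The account ids, e-mail address and graph ARN in the fakes are made up.

```python
"""Enable GuardDuty first, then Detective: an added example, not the post's
own code. The method names and response shapes are boto3's real GuardDuty
and Detective client calls; the clients are passed in so the logic can be
exercised offline against the constructed stand-ins below."""
from datetime import datetime, timedelta, timezone

GUARDDUTY_WARMUP = timedelta(hours=48)  # GuardDuty must be this old before Detective can be enabled


def ensure_guardduty(guardduty):
    """Return the detector id in this region, creating an enabled one if missing."""
    ids = guardduty.list_detectors().get("DetectorIds", [])
    return ids[0] if ids else guardduty.create_detector(Enable=True)["DetectorId"]


def guardduty_age(guardduty, detector_id, now=None):
    """How long the detector has existed, from GetDetector's CreatedAt field."""
    created = guardduty.get_detector(DetectorId=detector_id)["CreatedAt"]
    if isinstance(created, str):  # boto3 returns an ISO 8601 string here
        created = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return (now or datetime.now(timezone.utc)) - created


def ensure_detective_graph(detective):
    """Return the behavior graph ARN, creating the graph if the account has none."""
    graphs = detective.list_graphs().get("GraphList", [])
    return graphs[0]["Arn"] if graphs else detective.create_graph()["GraphArn"]


def invite_members(detective, graph_arn, accounts):
    """Invite secondary accounts ({account_id: email}) to contribute to the graph."""
    if not accounts:
        return []
    resp = detective.create_members(
        GraphArn=graph_arn,
        Message="Please accept the invitation to the Detective behavior graph.",
        Accounts=[{"AccountId": a, "EmailAddress": e} for a, e in accounts.items()],
    )
    return [m["AccountId"] for m in resp.get("Members", [])]


def enable_detective(guardduty, detective, member_accounts=None, now=None):
    """Idempotent end-to-end enable; returns what happened so a caller can act on it."""
    detector = ensure_guardduty(guardduty)
    age = guardduty_age(guardduty, detector, now)
    if age < GUARDDUTY_WARMUP:
        return {"status": "waiting", "detector_id": detector,
                "remaining": GUARDDUTY_WARMUP - age}
    graph = ensure_detective_graph(detective)
    invited = invite_members(detective, graph, member_accounts or {})
    return {"status": "enabled", "detector_id": detector,
            "graph_arn": graph, "members": invited}


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client (offline demo only)."""
    def __init__(self, age_hours=0):
        self.detectors = {}
        self.created_at = datetime.now(timezone.utc) - timedelta(hours=age_hours)

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def create_detector(self, Enable):
        did = "det-%d" % (len(self.detectors) + 1)
        self.detectors[did] = {"Status": "ENABLED" if Enable else "DISABLED",
                               "CreatedAt": self.created_at.isoformat().replace("+00:00", "Z")}
        return {"DetectorId": did}

    def get_detector(self, DetectorId):
        return self.detectors[DetectorId]


class FakeDetective:
    """Constructed stand-in for boto3's Detective client (offline demo only)."""
    def __init__(self):
        self.graphs = []

    def list_graphs(self):
        return {"GraphList": [{"Arn": a} for a in self.graphs]}

    def create_graph(self):
        arn = "arn:aws:detective:us-east-1:111111111111:graph:%d" % (len(self.graphs) + 1)
        self.graphs.append(arn)
        return {"GraphArn": arn}

    def create_members(self, GraphArn, Message, Accounts):
        return {"Members": [{"AccountId": a["AccountId"], "Status": "INVITED"} for a in Accounts],
                "UnprocessedAccounts": []}


if __name__ == "__main__":
    try:
        import boto3  # real run: needs credentials for the administrator account
        gd, det = boto3.client("guardduty"), boto3.client("detective")
    except ImportError:
        gd, det = FakeGuardDuty(age_hours=72), FakeDetective()
    print(enable_detective(gd, det, {"222222222222": "security@example.com"}))
```

Running it twice is safe: an existing detector and an existing graph are reused rather than re-created, and while GuardDuty is younger than 48 hours it reports how long is left instead of attempting to create the graph.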
Why should we use it?
- Investigate: determine the cause of incidents.
- Triage: determine who should look into it.
- Threat identification: a detailed understanding of the activity, to identify the threat.
- Free for 30 days.
- Check out this link to understand more about Detective pricing in each region.
Works with services
CloudTrail (AWS API calls), VPC Flow Logs (traffic on the VPC)
- Behavior graph – generated from the data coming in from the account.
- Detective source data – information from VPC Flow Logs, CloudTrail and GuardDuty findings.
- Entity – an item extracted from the source data.
- Finding – an issue found by GuardDuty.
- Investigation – finding the root cause of an issue.
- Profile – visualizations and supporting information.
- Profile panel – a visualization within a profile.
- Relationship – what is happening between two individual resources, or how they are related.
You can use a primary account to collect all the data and build the graph from secondary accounts. A secondary account's data is only contributed to the primary account's graph.
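The terms above (source data, entity, relationship, finding, investigation) and the primary/secondary account arrangement, as an added toy model that is not Amazon Detective's own code or graph model. The CloudTrail, VPC Flow Log and finding records are constructed; account 111111111111 plays the primary account and 222222222222 a secondary account whose records land in the primary's graph. The investigation pivots from the finding's IP address outwards, hop by hop, which is what lets it cross from one account's activity into the other's.

```python
"""Toy behavior graph: an added illustration of the terms above (source data,
entity, relationship, finding, investigation), not Amazon Detective's own
model or code. The CloudTrail, VPC Flow Log and finding records are
constructed; account 111111111111 plays the primary account and
222222222222 a secondary account whose data lands in the primary's graph."""
from collections import defaultdict, deque

PRIMARY, SECONDARY = "111111111111", "222222222222"  # constructed account ids

CLOUDTRAIL = [  # constructed: who called which API from which address
    {"account": PRIMARY, "principal": f"arn:aws:iam::{PRIMARY}:user/alice",
     "sourceIp": "198.51.100.7", "event": "DescribeInstances"},
    {"account": SECONDARY, "principal": f"arn:aws:iam::{SECONDARY}:role/deploy",
     "sourceIp": "198.51.100.7", "event": "CreateAccessKey"},
    {"account": SECONDARY, "principal": f"arn:aws:iam::{SECONDARY}:role/deploy",
     "sourceIp": "10.0.1.9", "event": "RunInstances"},
]
FLOW_LOGS = [  # constructed: (account, eni, srcaddr, dstaddr, dstport, action)
    (PRIMARY, "eni-aaa", "198.51.100.7", "10.0.0.5", 22, "ACCEPT"),
    (SECONDARY, "eni-bbb", "10.0.1.9", "203.0.113.44", 4444, "ACCEPT"),
]
FINDINGS = [  # constructed, shaped loosely like a GuardDuty finding
    {"id": "finding-1", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "account": SECONDARY, "ip": "198.51.100.7"},
]


class BehaviorGraph:
    """Entities are (kind, id) nodes; relationships are labelled undirected edges."""

    def __init__(self):
        self.accounts = {}                 # node -> set of accounts that reported it
        self.edges = defaultdict(set)      # node -> {(relationship, other node)}

    def entity(self, kind, ident, account):
        node = (kind, ident)
        self.accounts.setdefault(node, set()).add(account)
        return node

    def relate(self, a, rel, b):
        self.edges[a].add((rel, b))
        self.edges[b].add((rel, a))

    def relationship(self, a, b):
        """All relationship labels observed between two entities."""
        return sorted(rel for rel, other in self.edges[a] if other == b)

    def reach(self, start, max_hops):
        """Breadth-first: every entity within max_hops of start, with its distance."""
        hops, queue = {start: 0}, deque([start])
        while queue:
            node = queue.popleft()
            if hops[node] >= max_hops:
                continue
            for _rel, nxt in self.edges[node]:
                if nxt not in hops:
                    hops[nxt] = hops[node] + 1
                    queue.append(nxt)
        return hops


def build_graph(cloudtrail=CLOUDTRAIL, flow_logs=FLOW_LOGS):
    """Extract entities from the source data of both accounts and link them."""
    g = BehaviorGraph()
    for rec in cloudtrail:
        ip = g.entity("ip", rec["sourceIp"], rec["account"])
        who = g.entity("principal", rec["principal"], rec["account"])
        g.relate(ip, "api:" + rec["event"], who)
    for account, eni, src, dst, port, action in flow_logs:
        s, d = g.entity("ip", src, account), g.entity("ip", dst, account)
        e = g.entity("eni", eni, account)
        g.relate(s, f"{port}/{action}", d)
        g.relate(e, "saw_traffic", s)
        g.relate(e, "saw_traffic", d)
    return g


def investigate(graph, finding, max_hops=2):
    """Pivot from the finding's IP to everything within max_hops, across accounts."""
    start = ("ip", finding["ip"])
    reached = graph.reach(start, max_hops)
    return {
        "finding": finding["id"],
        "related": sorted((h, k, i) for (k, i), h in reached.items() if h > 0),
        "accounts": sorted({a for n in reached for a in graph.accounts.get(n, ())}),
    }


if __name__ == "__main__":
    g = build_graph()
    for hops, kind, ident in investigate(g, FINDINGS[0], max_hops=3)["related"]:
        print(hops, kind, ident)
```

With these constructed records, the finding's address is one hop from the secondary account's deploy role, two hops from the private address that role was later used from, and three hops from the outbound connection that address made; widening max_hops is the triage knob that trades a tighter picture for a broader one.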
- Amazon Detective User Guide
- Amazon Detective FAQs
- Amazon Detective Documentation
- GuardDuty finding types