Why did GuardDuty fail to alert to this behavior?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services.The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and- control server but failing.This alert does not show up in GuardDuty.

Why did GuardDuty fail to alert to this behavior?

GuardDuty did not have the appropriate alerts activated.

GuardDuty does not see these DNS requests.

GuardDuty only monitors active network traffic flow for command-and-control activity.

GuardDuty does not report on command-and-control activity.

Explanations:

GuardDuty has a range of built-in alerts for various types of suspicious activities, including command-and-control communications. The absence of an alert is not necessarily due to deactivated alerts.

GuardDuty relies on AWS flow logs and VPC flow logs to analyze traffic. If the EC2 instance is attempting to communicate using DNS requests that are not logged in the flow logs, GuardDuty would not detect this activity, leading to the lack of an alert.

GuardDuty does monitor network traffic flow for command-and-control activity, but it requires that the relevant traffic be captured in logs. The failure to alert in this scenario does not stem from GuardDuty’s monitoring capabilities but rather from the nature of the communication attempt.

GuardDuty is designed to report on command-and-control activity among other threats. Therefore, the statement that GuardDuty does not report on command-and-control activity is false.

Leave a Reply

Your email address will not be published. Required fields are marked *

10 + 20 =