Wiz leverages its leading Cloud Security Graph to help Cloud Defenders quickly understand, with the click of a button: what happened, where it happened, and how to respond.
# Tool/Technique: Amazon GuardDuty Integration with Wiz CDR
## Overview
The integration between Amazon GuardDuty and Wiz's Cloud Security Graph enables Cloud Security Defenders to achieve risk-oriented threat detection by correlating AWS threat findings with the contextual asset and configuration data maintained within the Wiz platform. The integration aims to significantly decrease alert fatigue and to prioritize remediation efforts based on the effective risk and potential blast radius of each detected threat.
## Technical Details
- Type: Tool Integration/Enhancement (GuardDuty findings consumption)
- Platform: AWS Cloud Environments
- Capabilities: Threat detection correlation, risk prioritization, accelerated investigation and response.
- First Seen: Mentioned in an article dated July 27, 2022.
## MITRE ATT&CK Mapping
*(Note: This summary focuses on the **detection and response** capabilities enabled by the integration, which relate primarily to defensive tactics rather than offensive TTPs. Directly mapping an integration correlation feature is difficult, but the underlying tactics observed are summarized below based on the example provided.)*
- **TA0005 - Defense Evasion** (Implied, as context helps understand evasion success)
- **T1027 - Obfuscated Files or Information** (Correlation might reveal subtle activity that bypasses simple AV/EDR)
- **TA0007 - Discovery** (GuardDuty detects reconnaissance activities)
- **T1595 - Active Scanning** (e.g., Brute Force examples mentioned)
- **TA0012 - Investigation** (The goal of the integration)
- **T1484 - Incident Response Management** (Improving triage procedures)
## Functionality
### Core Capabilities
- **Threat Ingestion:** Ingests threat detections generated by Amazon GuardDuty.
- **Contextualization:** Correlates GuardDuty findings with data from the Wiz Security Graph (cloud configurations, network exposure, identity data, running technologies).
- **Alert Prioritization:** Prioritizes threats based on "effective risk," factoring in asset exposure (e.g., externally exposed VM) and potential impact (e.g., lateral movement to an Admin user).
- **Investigation Speed:** Provides all correlated information in a single view, accelerating analysis and response time (claiming a 10x improvement).
### Advanced Features
- **Risk-Oriented Prioritization:** Moves beyond raw alert volume to focus remediation on threats targeting high-risk resources or those demonstrating immediate exploit pathways (e.g., prioritizing a Brute Force attempt on an exposed VM with weak credentials over a common, isolated finding).
- **Asset Insight:** Leverages the Wiz Security Graph to instantly provide insights on the resource associated with the GuardDuty finding (e.g., identifying weak SSH passwords or lateral movement paths).
## Indicators of Compromise
*(This section is not applicable, as the article describes a security product integration for **detection** rather than malware or specific malicious artifacts.)*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Not specified. The focus is on defensive capabilities against various threat actors targeting cloud environments detected by GuardDuty.
## Detection Methods
- **GuardDuty:** Native AWS threat detection service.
- **Wiz CDR:** Security Graph analysis used to enrich and prioritize the GuardDuty alerts.
- **Wiz Controls:** Specific, custom detection rules within Wiz (e.g., detecting an externally exposed VM with a weak credential) that are used for correlation.
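The correlation described under Functionality and the "exposed VM with weak credential" control listed under Detection Methods can be illustrated with a small ingestion-and-prioritization routine. The following is an added example written for this summary; it is not Wiz's or AWS's code, and it does not call either product's API. The GuardDuty findings are constructed samples that follow the public finding JSON layout (`type`, `severity`, `resource.instanceDetails.instanceId`); the asset-context fields (`externally_exposed`, `weak_ssh_credential`, `lateral_path_to_admin`) and the risk multipliers are assumptions standing in for what a security graph would supply, not Wiz's schema or scoring.

```python
"""
Added example: re-rank GuardDuty findings by "effective risk" using asset
context, instead of by raw GuardDuty severity alone. Sample data is constructed;
asset-context field names and multipliers are illustrative assumptions.
"""
import json

# Constructed GuardDuty-style findings (schemaVersion 2.0 field layout), as
# they might arrive from an EventBridge or S3 export. Values are made up.
SAMPLE_FINDINGS_JSON = """
[
  {"id": "finding-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
   "severity": 5.0,
   "resource": {"resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0aaa111"}}},
  {"id": "finding-0002", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
   "severity": 8.0,
   "resource": {"resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0bbb222"}}},
  {"id": "finding-0003", "type": "Recon:EC2/PortProbeUnprotectedPort",
   "severity": 2.0,
   "resource": {"resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0ccc333"}}},
  {"id": "finding-0004", "type": "Recon:IAMUser/MaliciousIPCaller",
   "severity": 5.0,
   "resource": {"resourceType": "AccessKey",
                "accessKeyDetails": {"userName": "ci-deploy"}}}
]
"""
SAMPLE_FINDINGS = json.loads(SAMPLE_FINDINGS_JSON)

# Constructed asset context, keyed by instance id. The field names are an
# assumption for this example, not a real security-graph schema.
ASSET_CONTEXT = {
    "i-0aaa111": {"externally_exposed": True, "weak_ssh_credential": True,
                  "lateral_path_to_admin": True},
    "i-0bbb222": {"externally_exposed": False, "weak_ssh_credential": False,
                  "lateral_path_to_admin": False},
    "i-0ccc333": {"externally_exposed": True, "weak_ssh_credential": False,
                  "lateral_path_to_admin": False},
}

# Illustrative multipliers: how much each posture factor amplifies a finding.
EXPOSED_FACTOR = 1.5
WEAK_CRED_FACTOR = 1.5
ADMIN_PATH_FACTOR = 2.0


def resource_id(finding):
    """Return the EC2 instance id a finding refers to, or None for other
    resource types (access keys, S3 buckets, ...)."""
    res = finding.get("resource", {})
    if res.get("resourceType") == "Instance":
        return res.get("instanceDetails", {}).get("instanceId")
    return None


def control_exposed_vm_weak_credential(ctx):
    """A posture control in the spirit of the one named above: an externally
    exposed VM that also carries a weak SSH credential."""
    return bool(ctx.get("externally_exposed")) and bool(ctx.get("weak_ssh_credential"))


def effective_risk(finding, context):
    """Score one finding: GuardDuty severity scaled by the asset's posture.
    Returns (score, reasons) so the analyst sees why it was promoted."""
    score = float(finding["severity"])
    reasons = []
    rid = resource_id(finding)
    ctx = context.get(rid) if rid else None
    if ctx is None:
        reasons.append("no asset context; raw GuardDuty severity kept")
        return score, reasons
    if ctx.get("externally_exposed"):
        score *= EXPOSED_FACTOR
        reasons.append("externally exposed")
    if ctx.get("weak_ssh_credential"):
        score *= WEAK_CRED_FACTOR
        reasons.append("weak SSH credential")
    if ctx.get("lateral_path_to_admin"):
        score *= ADMIN_PATH_FACTOR
        reasons.append("lateral movement path to admin")
    if control_exposed_vm_weak_credential(ctx):
        reasons.append("matches control: exposed VM with weak credential")
    return score, reasons


def prioritize(findings, context):
    """Return findings as (id, score, reasons) tuples, highest effective risk first."""
    scored = [(f["id"],) + effective_risk(f, context) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for fid, score, reasons in prioritize(SAMPLE_FINDINGS, ASSET_CONTEXT):
        print(f"{fid}  effective_risk={score:<5}  {'; '.join(reasons)}")
```

Run as-is, the brute-force finding (raw severity 5.0) comes out on top because its target is exposed, weakly authenticated and one hop from an admin identity, while the cryptomining finding with the higher raw severity 8.0 but no posture amplifiers drops to second. The finding on an access key keeps its raw severity because no asset context is available for it, which is the case a real pipeline must handle rather than silently scoring as zero.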
## Mitigation Strategies
- **Prioritized Remediation:** Focusing efforts first on threats correlated with high-risk security posture factors identified by Wiz (e.g., public exposure, weak authentication).
- **Configuration Hardening:** Addressing underlying weaknesses revealed by the context, such as patching exposed assets or enforcing stronger SSH credentials.
- **Leveraging CSP Native Tools:** Utilizing Amazon GuardDuty for baseline cloud workload protection.
## Related Tools/Techniques
- **Amazon GuardDuty:** The underlying AWS native threat detection service.
- **Cloud Detection and Response (CDR):** The operational paradigm enabled by this integration.
- **Wiz Security Graph:** The data layer providing the critical context for prioritization.