Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automating Threat Detection and Remediation at ZocDoc

150 views

Published on

by Brian Lozada, CISO, ZocDoc

Join Zocdoc CISO Brian Lozada to see how Zocdoc uses AWS security services to seamlessly automatically monitor, audit, and enforce their security policies within all their AWS environments. They'll share how they use AWS security services such as AWS Config, Amazon Guard Duty, and AWS Lambda functions to augment their Security team, all without slowing down their developers. This is Security as Code.

  • Be the first to comment

  • Be the first to like this

Automating Threat Detection and Remediation at ZocDoc

  1. 1. This document and its contents are proprietary and confidential of Zocdoc, Inc. and may not be reproduced or shared, in whole or in part, without the express written authorization of Zocdoc, Inc. Automating Threat Detection & Remediation June 2018 www.zocdoc.com
  2. 2. Zocdoc Brings Marketplace Efficiencies To HealthCare 24 Days 24 Hours For healthcare 30% unbooked, cancelled or rescheduled
  3. 3. 3 Building Our Supply of Care Since 2007 2017 ALL IN 2016 Zocdoc 2.0 2007 Private Medical Practices 2015 Larger Health Systems
  4. 4. 4 Zocdoc AWS Goals Scale Horizontally Diversify Tech Stack Open Source Data Liberation Elevate Security
  5. 5. 5 Certification Achievement
  6. 6. 6
  7. 7. 7 Zocdoc AWS Goals Scale Horizontally Diversify Tech Stack Open Source Data Liberation Elevate Security
  8. 8. 8 Security Controls Monitor Alert Investigate Prevent/ Block
  9. 9. 9 Amazon CloudWatch AWS Trusted Advisor Lambda Function AWS GuardDuty AWS CloudTrail
  10. 10. 10 Automation in AWS Today Automated Remediation Automated Alerting Automated Monitoring
  11. 11. 11 Security as Code: Automating with AWS Jay Ball, Head of Application Security
  12. 12. 12 Case 1: Unencrypted S3 Buckets Issue: How do we make sure S3 buckets are always encrypted? Decision: Automatic encryption upon detection where lacking.
  13. 13. 13 Scenarios
  14. 14. 14 Encryption Automation Process Lambda Function Unencrypted S3 detected, calls function Encrypts S3 bucket events logged S3 Bucket AWS CloudTrail Amazon CloudWatch Processed in CloudWatch
  15. 15. 15 Automated Detection in CloudTrail
  16. 16. CloudWatch Configuration { "source": [ "aws.s3" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "s3.amazonaws.com" ], "eventName": [ "CreateBucket", "PutBucketAcl", "PutBucketPolicy" ] } }
  17. 17. 17
  18. 18. Code: Setup & Test # a bunch of imports s3 = boto3.client('s3') sns = boto3.client('sns') def lambda_handler(event, context): bucket_name = (event['detail']['requestParameters']['bucketName']) bucket_creator = (event['detail']['userIdentity']['principalId']) bucket_user = bucket_creator.split(":",1) try: currEncrypt = s3.get_bucket_encryption (Bucket=bucket_name)
  19. 19. Code: Encrypt except ClientError as e: toEncrypt = s3.put_bucket_encryption ( Bucket=bucket_name, ServerSideEncryptionConfiguration = { 'Rules':[ { 'ApplyServerSideEncryptionByDefault': { 'SSEAlgorithm': 'AES256' } }] } ) response = sns.publish( TopicArn= 'arn:aws:sns:us-east-1: … 000012345678:unEncryptedS3BucketCreated', Message= 'Unencrypted Bucket by '+ bucket_user[1] ) else: return currEncrypt
  20. 20. 20 Case 2: Malicious Activity on EC2 Issue: Malware infection is calling out to command & control. Decision: Kill the instance.
  21. 21. 21 Automated Detection & Response AWS GuardDuty Amazon CloudWatch Lambda Function Processed by CloudWatch Call to run lambda Kills EC2 instance DNS lookup of malicious hostname detected AWS EC2
  22. 22. 22 Post Automation Review • CloudWatch and CloudTrail log analysis and machine forensics • Automated instance rebuild with CloudFormation
  23. 23. 23 Automated Detection Leveraging GuardDuty Detection
  24. 24. 24 GuardDuty Configuration Configure IAM Permissions for GuardDuty Sign in & Enable GuardDuty Watch the Data Flow 1 2 3
  25. 25. CloudWatch Configuration { "source": [ "aws.guardduty" ], "detail-type": [ "GuardDuty Finding" ], "detail": { "type": [ "Backdoor:EC2/C&CActivity.B!DNS" ] } }
  26. 26. 26 Video Slide
  27. 27. Code: Initial Sanity Checks # lots of imports def lambda_handler(event, context): source = event['source'] if source != "aws.guardduty": # wrong caller, just silently return return detail_type = event['detail-type'] if detail_type != 'GuardDuty Finding': # wrong caller, just silently return return event_type = event['detail']['type’] bad_event_list = [ 'Backdoor:EC2/C&CActivity.B!DNS’ ] if not(event_type in bad_event_list): # wrong event type, silently return return
  28. 28. Code: Event Processing instance_id = event['detail']['resource']['instanceDetails']['instanceId'] # only shutdown certain tags: taglist= event['detail']['resource']['instanceDetails']['tags'] runme=False for nvp in taglist: if "security_guillotine" == nvp['key'].lower(): runme=True if not(runme): # We are not part of our auto-shutdown EC2 group, return return
  29. 29. Code: Euthanize It print("Shutting down instance ", instance_id) ec2 = boto3.client('ec2') try: response = ec2.stop_instances( InstanceIds=[ instance_id ] # , DryRun=True ) except ClientError as e: if 'DryRunOperation' not in str(e): print("No permission to reboot instances.") raise else: print('Error', e)
  30. 30. 30 GuardDuty Event Detection GuardDuty reports on many events for which we want to kill the instance. 'Backdoor:EC2/XORDDOS', 'Backdoor:EC2/Spambot', 'Backdoor:EC2/C&CActivity.B!DNS', 'CryptoCurrency:EC2/BitcoinTool.B!DNS', 'Trojan:EC2/BlackholeTraffic', 'Trojan:EC2/DropPoint', 'Trojan:EC2/BlackholeTraffic!DNS', 'Trojan:EC2/DriveBySourceTraffic!DNS', 'Trojan:EC2/DropPoint!DNS', 'Trojan:EC2/DGADomainRequest.B', 'Trojan:EC2/DGADomainRequest.C!DNS', 'Trojan:EC2/DNSDataExfiltration', 'Trojan:EC2/PhishingDomainRequest!DNS'
  31. 31. 31 Case 3: Sensitive Ports Opened Issue: Someone opens sensitive ports to the entire Internet. Decision: Modify the security group to remove the rule that opens the sensitive ports.
  32. 32. 32 Automated Response Amazon CloudWatch Lambda Function Alert raised in CloudWatch Call to run lambda Remove bad CIDR from security group Disallowed CIDR used Security Group server AWS CloudTrail
  33. 33. 33 Automated Detection in Cloud Trail
  34. 34. CloudWatch Configuration { "source": [ "aws.cloudtrail" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "ec2.amazonaws.com" ], "eventName": [ "CreateSecurityGroup", "AuthorizeSecurityGroupIngress" ] } }
  35. 35. 35 Video Slide
  36. 36. Code: Initial Sanity Checks def lambda_handler(event, context): source = event['detail']['eventSource'] if source != "ec2.amazonaws.com": # wrong caller, just silently return return allowed_event_list = [ 'CreateSecurityGroup', "AuthorizeSecurityGroupIngress" ] event_name = event['detail']['eventName'] if not(event_name in allowed_event_list): # wrong event, just silently return print("Wrong Filter: source=", source, " / event_name=", event_name) return
  37. 37. Code: Get SecurityGroup ID resp = event['detail']['responseElements'] if (resp["_return"] != True): # event was not a successful update, so we can ignore it. return SG_id = 'invalid' if event_name == 'CreateSecurityGroup': SG_id = resp["groupId"] elif event_name == 'AuthorizeSecurityGroupIngress': SG_id = event['detail']['requestParameters']['groupId'] else: # We shouldn't actually get here. return
  38. 38. Code: Group Sensitivity Training ec2 = boto3.resource('ec2') security_group = ec2.SecurityGroup(SG_id) sensitive_ports = [ 22, 3389, 54321 ] ingress_list = security_group.ip_permissions for perm in ingress_list: fromport=0 ; toport=0 ; ipprot=0 ; sensitive=False if 'FromPort' in perm: fromport = perm['FromPort'] if 'ToPort' in perm: toport = perm['ToPort'] if 'IpProtocol' in perm: ipprot = perm['IpProtocol'] if ipprot == "-1": sensitive = True if fromport > 0: for p in sensitive_ports: if fromport <= p and p <= toport: sensitive = True
  39. 39. Code: Test For Zero CIDR if sensitive: for r in perm['IpRanges']: # this could be more complex, but 0000/0 catches 95% of the cases if r['CidrIp'] == "0.0.0.0/0": print("Removing Ingress Rule violation: ", json.dumps(perm)) try: security_group.revoke_ingress( CidrIp = r['CidrIp'], IpProtocol = perm['IpProtocol'], FromPort = fromport, ToPort = toport # , DryRun = True ) except ClientError as e: if 'DryRunOperation' not in str(e): print("Error: ", e) raise else: print('DryRun: ', e)
  40. 40. 40 The Future of Security • Reduce inefficiencies of manual work through automation • Reduce alert traffic through automation • Drives business enablement
  41. 41. 41 Amazon CloudWatch AWS Trusted Advisor Lambda Function AWS GuardDuty AWS CloudTrail AWS Shield Amazon Inspector
  42. 42. Interested in the code? github.com/Zocdoc/ ZocSec.SecurityAsCode.AWS
  43. 43. 43 We’re Hiring!
  44. 44. Q&A
  45. 45. 45 Visit us at Zocdoc.com Brian Lozada Chief Information Security Officer @BrianL1775 blozada Jay Ball Head of Application Security @veggiespam veggiespam

×