Detecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Detecting and mitigating threats with AWS
Nathan Case
Solutions architect, Security
SEC301
2.
AWS security solutions
Categories: Identity, Detective control, Infrastructure security, Incident response, Data protection
Services:
AWS Identity & Access Management (IAM)
AWS Organizations
Amazon Cognito
AWS Directory Service
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon CloudWatch
Amazon GuardDuty
VPC Flow Logs
Amazon EC2 Systems Manager
AWS Shield
AWS Web Application Firewall (AWS WAF)
Amazon Inspector
Amazon Virtual Private Cloud (Amazon VPC)
AWS Key Management Service (AWS KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
Server-side encryption
AWS Config rules
AWS Lambda
AWS Enterprise Support
3.
Why is traditional threat detection so hard?
• Cost
• Signal to noise
• Large datasets
4.
Humans and data don’t mix
5.
Threat detection: Log data inputs
AWS CloudTrail: track user activity and API usage
VPC Flow Logs: IP traffic to/from network interfaces in your VPC
CloudWatch Logs: monitor apps using log data, store & access log files
DNS logs: log of DNS queries in a VPC when using the VPC DNS resolver
6.
AWS CloudTrail
7.
Detect with VPC Flow Logs
Fields in each record: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start and end time, accept or reject
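As an added example (not code from the deck), the following Python parses records in the default flow log format, whose fields are the ones listed above, and runs two defender-side checks against the deck's 10.0.0.0/16 VPC and 10.0.48.0/21 sensitive subnet: an external host rejected on many distinct ports, and external traffic accepted into the sensitive subnet. The sample records, the dict field names and the scan threshold are constructed for this example.

```python
"""Parse VPC Flow Log records (default v2 format) and run two simple detections over them."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default flow log format; it matches the fields listed on the slide.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_CIDR = ip_network("10.0.0.0/16")           # VPC from the deck's diagram
SENSITIVE_SUBNET = ip_network("10.0.48.0/21")  # sensitive subnet from the deck's diagram


def parse_record(line):
    """Return one record as a dict, or None for malformed lines and NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA/SKIPDATA records carry '-' in the address fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def detect(lines, scan_threshold=5):
    """Return (rule, detail) alerts; internal (east-west) flows are ignored by both rules."""
    rejected_ports = defaultdict(set)  # external source -> distinct destination ports rejected
    alerts = []
    for rec in filter(None, map(parse_record, lines)):
        src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
        if src in VPC_CIDR:
            continue
        if rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
        elif dst in SENSITIVE_SUBNET:
            alerts.append(("external_to_sensitive_subnet", f"{src} -> {dst}:{rec['dstport']}"))
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", f"{src} rejected on {len(ports)} distinct ports"))
    return alerts


# Constructed sample records: a NODATA line, an internal flow, one external connection accepted
# into 10.0.48.0/21, and five rejects from one external host on distinct ports.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1560000000 1560000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 10.0.5.10 10.0.50.4 40000 5432 6 10 1200 1560000000 1560000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.50.4 52000 5432 6 20 2400 1560000000 1560000060 ACCEPT OK",
] + [f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.5.10 51000 {p} 6 1 40 1560000000 1560000060 REJECT OK"
     for p in (22, 23, 80, 443, 3389)]
```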
8.
Amazon CloudWatch Logs subscriptions
• Real-time feed of log events
• Delivered to an AWS Lambda function or an Amazon Kinesis Data Stream
• Supports custom processing, analysis, loading into other systems
• Cross-account data sharing for centralized log processing
9.
Threat detection
Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
10.
Amazon GuardDuty threat detection and notification
11.
Rabbit hole!
What can you detect using AWS services?
Infrastructure: VPC resources, connectivity, on instance, ...
Service: IAM, S3 buckets, billing, ...
Application: patching, coding hole, ...
Other?
12.
Infrastructure and application domains
VPC CIDR: 10.0.0.0/16, spanning Availability Zones A, B and C
Public subnet 10.0.0.0/19; private subnet 10.0.32.0/20; sensitive subnet 10.0.48.0/21
Controls and components: security groups, route table, NACLs, internet gateway, instance
Services: Amazon S3, Amazon RDS, AWS CloudHSM, AWS KMS, AWS Directory Service, AWS Organizations, IAM
13.
Services domains
(Same VPC and services diagram as slide 12.)
14.
All domains
What can you detect using AWS services?
(Same VPC and services diagram as slide 12.)
15.
Detecting unknown threats
Anomaly detection
• Algorithms to detect unusual behavior
o Inspecting signal patterns for signatures
o Profiling normal activity and looking at deviations
o Machine learning classifiers
16.
Visibility to answer the tough questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and compliance needs?
17.
Visibility to answer the tough questions
Amazon Web Services has opened case ******** on your behalf.
The details of the case are as follows:
Case ID: ********
Subject: Your AWS account ******** is compromised
Severity: Urgent
Correspondence: Dear AWS Customer,
Your AWS Account is compromised! Please review the following notice and take
immediate action to secure your account.
Your security is important to us. We have become aware that the AWS Access
Key ******** along with the corresponding Secret Key is publicly available
online at ********….
18.
Threat detection: Triggers
Amazon CloudWatch Events: delivers a near real-time stream of system events that describe changes in AWS resources
AWS Config rules: continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules
19.
AWS Config rules
A continuous recording and assessment service
Changing resources -> AWS Config -> AWS Config rules (history, snapshot, notifications, API access, normalized)
• How are my resources configured over time?
• Is a change that just occurred to a resource compliant?
20.
Amazon CloudWatch Events
GuardDuty findings -> CloudWatch Event -> Lambda function
Event pattern for the rule:
{
  "source": [
    "aws.guardduty"
  ]
}
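Added example, not the deck's code: a rule pattern that narrows the one shown above to finding events, and the triage a responder Lambda would do with the delivered event before starting a playbook. The sample event, its ids and the playbook names are constructed; the finding type Backdoor:EC2/XORDDOS and the severity bands are GuardDuty's.

```python
"""Triage GuardDuty findings delivered through a CloudWatch Events rule (added example)."""
import json

# The deck's pattern {"source": ["aws.guardduty"]} narrowed to finding events only.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Mimic the rule's matching: every key in the pattern must list the event's value for that key."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def severity_label(score):
    """Map GuardDuty's numeric severity to its bands: 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def triage(event):
    """Return what the responder should do with one finding, or None if the rule would not match."""
    if not matches_pattern(event):
        return None
    detail = event["detail"]
    resource = detail["resource"]
    result = {"finding_id": detail["id"], "type": detail["type"],
              "severity": severity_label(detail["severity"]), "account": detail["accountId"]}
    if resource["resourceType"] == "Instance":
        result["instance_id"] = resource["instanceDetails"]["instanceId"]
    # Backdoor:EC2/* findings of medium or high severity take the deck's Lambda -> Step
    # Functions -> Systems Manager path; everything else is routed to a human first.
    if detail["type"].startswith("Backdoor:EC2/") and result["severity"] != "low":
        result["playbook"] = "isolate_and_capture"
    elif resource["resourceType"] == "AccessKey":
        result["playbook"] = "credential_review"
    else:
        result["playbook"] = "notify_only"
    return result


# Constructed sample event in the shape CloudWatch Events delivers GuardDuty findings (ids made up).
SAMPLE_EVENT = json.loads("""{
  "version": "0", "id": "cd2d702e-ab31-411b-9344-793ce56b1bc7",
  "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
  "account": "123456789012", "time": "2019-05-01T12:00:00Z", "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
    "id": "00b1a2c3d4e5f60718293a4b5c6d7e8f",
    "type": "Backdoor:EC2/XORDDOS", "severity": 8,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}
  }
}""")
```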
21.
Threat remediation: Automation
AWS Systems Manager: automates patching and proactively mitigates threats at the instance level
AWS Lambda: captures info about the IP traffic going to and from network interfaces in your VPC
22.
High-level playbook
Adversary or intern -> your environment -> CloudWatch Events -> Lambda responder -> Step Function
23.
Responding to findings: Remediation
Stages: detection, alerting, remediation, countermeasures, forensics, team collaboration (Slack etc.)
Services in the diagram: Amazon GuardDuty, VPC Flow Logs, Amazon CloudWatch, AWS CloudTrail, AWS Config, Lambda function, AWS APIs, AWS Step Functions, Amazon EC2 Systems Manager, Amazon EC2, AWS WAF, AWS Shield
24.
25.
AWS Landing Zone structure: Basic
Amazon S3 bucket (manifest file) -> AWS CodePipeline -> AWS Service Catalog
Core OU: AWS Organizations account, Shared services account, Log archive account, Security account
Account baseline in each account; network baseline
AWS SSO, AWS Organizations
Aggregate CloudTrail and Config logs
Security cross-account roles
Security notifications
Organizations account
• Account provisioning
• Account access (SSO)
Shared services account
• Active Directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/break-glass
Amazon GuardDuty master
Parameter store
26.
The AWS Landing Zone pipeline
Stages: source -> validate/build/test -> deploy core account structure -> deploy core resources -> deploy Service Catalog portfolio/products -> deploy baseline resources -> launch AVM for core accounts
Inputs: AWS Landing Zone .zip file, manifest file, AWS CloudFormation templates, Amazon S3 bucket, AWS CodeBuild
Components: AWS Organizations, AWS Account Baseline StackSets, logging, security credentials, AWS Service Catalog (StackSet, core), vended accounts
27.
29.
30.
Lambda + Systems Manager + CloudWatch
Amazon GuardDuty -> Amazon CloudWatch rule -> AWS Lambda function -> AWS Step Functions -> AWS Systems Manager documents
31.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
32.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty findings
33.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
34.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
Communications
Manual action
35.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
Communications
Manual action
Via Amazon API Gateway*
36.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents: elastic network interface, security group, EBS volume, IAM profile
Instance:~ ec2-user$
37.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
38.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents: elastic network interface, security group, EBS volume, IAM profile
Instance:~ ec2-user$
EBS snapshot
39.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents: elastic network interface, security group, EBS volume, IAM profile
Instance:~ ec2-user$
EBS snapshot -> Amazon S3 bucket; AWS CloudTrail
40.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents: elastic network interface, security group, EBS volume, IAM profile
Instance:~ ec2-user$
EBS snapshot -> Amazon S3 bucket -> Forensics account; AWS CloudTrail
41.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents
Instance:~ ec2-user$
42.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents
Instance:~ ec2-user$
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
Instance:~ ec2-user$ dd
EBS volume, IAM profile
43.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
EC2 instance contents
Instance:~ ec2-user$
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
Instance:~ ec2-user$ dd
EBS volume, IAM profile
Forensics EBS
44.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
Forensics EBS -> EBS snapshot -> Amazon S3 bucket -> Forensics account
45.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
Forensics EBS -> EBS snapshot -> Amazon S3 bucket -> Forensics account
46.
Lambda + Systems Manager + CloudWatch (diagram as on slide 30)
GuardDuty finding: BACKDOOR:EC2/XORDDOS
Forensics EBS -> EBS snapshot -> Amazon S3 bucket -> Forensics account
Easier done than said
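The build above ends as an ordered sequence: capture on the instance, snapshot the EBS volume, and hand the evidence to a forensics account. As an added example, not the deck's code, here is that sequence as a Python function that uses the boto3 EC2 and SSM call names; the clients are passed in, and the FakeEc2/FakeSsm classes, the volume and snapshot ids, the quarantine security group and the forensics account id are all constructed so the playbook runs offline.

```python
"""Ordered response for an EC2 finding; AWS clients are injected so it can run against fakes."""

# The deck lists top/pcap/lime/dd as on-instance capture tools; only the portable one is given here.
CAPTURE_COMMANDS = ["top -b -n 1"]


def run_playbook(instance_id, ec2, ssm, quarantine_sg, forensics_account):
    """Run the steps in order and return (step, result) pairs; each step is one boto3 call."""
    steps = []
    # 1. Snapshot every attached EBS volume first, so disk evidence predates any change we make.
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    volumes = [m["Ebs"]["VolumeId"]
               for m in reservations[0]["Instances"][0]["BlockDeviceMappings"] if "Ebs" in m]
    snapshots = [ec2.create_snapshot(VolumeId=v, Description=f"IR {instance_id}")["SnapshotId"]
                 for v in volumes]
    steps.append(("create_snapshot", snapshots))
    # 2. Volatile capture through Systems Manager Run Command: no SSH, command and output are logged.
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                           Parameters={"commands": CAPTURE_COMMANDS})
    steps.append(("send_command", cmd["Command"]["CommandId"]))
    # 3. Isolate: replace the instance's security groups with a quarantine group that has no rules.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    steps.append(("modify_instance_attribute", quarantine_sg))
    # 4. Share the snapshots with the forensics account so analysis happens outside the victim account.
    for snap in snapshots:
        ec2.modify_snapshot_attribute(SnapshotId=snap, Attribute="createVolumePermission",
                                      OperationType="add", UserIds=[forensics_account])
    steps.append(("modify_snapshot_attribute", forensics_account))
    return steps


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client: same method names and return shapes, no network."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        self.calls.append("describe_instances")
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0a"}},
            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0b"}}]}]}]}
    def create_snapshot(self, VolumeId, Description):
        self.calls.append("create_snapshot")
        return {"SnapshotId": "snap-" + VolumeId.split("-")[1]}
    def modify_instance_attribute(self, **kwargs):
        self.calls.append("modify_instance_attribute")
    def modify_snapshot_attribute(self, **kwargs):
        self.calls.append("modify_snapshot_attribute")


class FakeSsm:
    """Constructed stand-in for boto3's SSM client."""
    def send_command(self, **kwargs):
        return {"Command": {"CommandId": "cmd-0001"}}
```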
47.
48.
Responding to findings: Remediation
(Same remediation diagram as slide 23.)
49.
Remediating threats on Amazon EC2 instances
Amazon EC2 Systems Manager: Run Command
• Asynchronously execute commands
• No need to SSH/RDP
• Commands and output logged
Diagram: Lambda function -> AWS Systems Manager -> Amazon EC2 instances
50.
Threat detection and remediation partner solutions
Consulting, data analysis, threat detection, and managed security operations
51.
Open source resources
ThreatResponse
https://threatresponse.cloud
Cloud Custodian
https://github.com/capitalone/cloud-custodian
Security Monkey
https://github.com/Netflix/security_monkey
Scout 2
https://github.com/nccgroup/Scout2
StreamAlert
https://github.com/airbnb/streamalert
AWS CIS Foundation Framework
https://github.com/awslabs/aws-security-benchmark
AWS IR
https://github.com/ThreatResponse/aws_ir
52. Thank you!
Nathan Case
Contact information