© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Introduction to Threat Detection and Remediation on AWS
Cameron Worrell
Solutions Architect
Amazon Web Services
Agenda
• Quick Intro to Security on AWS
• Overview of Threat Detection and Remediation on AWS
– AWS WAF
– AWS Shield
– Amazon GuardDuty
– Amazon Macie
– AWS Lambda
– AWS Config
– Amazon Inspector
– AWS Systems Manager
– Amazon CloudWatch Events
• Putting it all together
Introduction to Security on AWS
At AWS, cloud security is job zero.
All AWS customers benefit from a data center
and network architecture built to satisfy the
requirements of the most security-sensitive
organizations.
Gain access to a world-class security team
Where would some of the world’s top security
people like to work? At scale on huge challenges
with huge rewards
So AWS has world-class security and compliance
teams watching your back!
Every customer benefits from the tough
scrutiny of other AWS customers
Glacier Vault Lock & SEC Rule 17a-4(f)
Broad Accreditations & Certifications
Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS Shared Responsibility Model
AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & acct management
• Authorization policies
• Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services
• Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!
Threat Detection and Remediation on AWS
What is a WAF?
Web Application Firewall
• Monitors HTTP/S requests and protects web applications from malicious activities
• Layer 7 inspection and mitigation tool
What is AWS WAF?
Web traffic filtering with custom rules
• Rate based rules
• IP Match & Geo-IP filters
• Regex & String Match
• Size constraints
• Action: Allow/Block
Malicious request blocking
• SQLi
• XSS
Active monitoring & tuning
• CloudWatch Metrics/Alarms
• Sampled Logs
• Count Action mode
Where AWS WAF can help
Application layer threats addressed by AWS WAF:
• DDoS: HTTP floods
• Bad bots: Content scrapers, Scanners & probes, Crawlers
• Application attacks: SQL injection, Application exploits, Social engineering
AWS WAF benefits
• Fast incident response
• Powerful rule language
• Easy to deploy
• Affordable
• Security automation
• Managed rules
Managed rules from security leaders
AWS SHIELD
• Standard Protection: available to ALL AWS customers at no additional cost
• Advanced Protection: paid service that provides additional protections, features, and benefits
AWS SHIELD Standard Protection
Automatically provided to all AWS customers at no additional cost
• Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
• Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
• Application layer defense available when using AWS WAF
AWS SHIELD Advanced Protection
Available globally on Amazon CloudFront, Amazon Route 53, and in select AWS Regions
• Fast escalation to the AWS DDoS Response Team (DRT) to assist with complex edge cases
• Attack visibility and enhanced detection
• Cost Protection to mitigate economic attack vectors
• AWS WAF for application-layer defense, at no additional cost
DEFENSE IN DEPTH
Traffic path: Internet → Border Network (DDoS Detection, Internet-Layer Mitigations) → AWS Services (Network Layer Mitigations, Web Layer Mitigations) → Customer Infrastructure, with the DDoS Response Team backing every layer.
• Internet-Layer Mitigations, effective against: Large-scale attacks
• Network Layer Mitigations, effective against: SYN Floods, Reflection Attacks, Suspicious Sources
• Web Layer Mitigations, effective against: SSL Attacks, Slowloris, Malformed HTTP
• Customer Infrastructure (AWS WAF), effective against: HTTP Floods, Bad Bots, Suspicious IPs
• DDoS Response Team, effective against: Sophisticated Layer 7 attacks
What is Amazon GuardDuty?
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts, along with the
applications and services running within them
• Detects known and unknown threats
• Makes use of artificial intelligence and machine learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC Flow Logs & DNS
• Detailed & Actionable Findings
Detecting Known Threats
Threat intelligence
• GuardDuty consumes feeds from various sources
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel (STIX)
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity
Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine learning classifiers
• Larger R&D effort
• Highly skilled data scientists to study data
• Develop theoretical detection models
• Experiment with implementations
• Testing, tuning, and validation
What can the service detect?
Example attack chain: RDP brute force → RAT installed → exfiltrate temp IAM creds over DNS → probe API with temp creds → attempt to compromise account
Example findings along that chain: Malicious or suspicious IP, Unusual ports, DNS exfiltration, RDP brute force, Unusual traffic volume, Connect to blacklisted site, Recon, Anonymizing proxy, Temp credentials used off-instance, Unusual ISP caller, Bitcoin activity, Unusual instance launch
Finding Type Categories
• Recon
– Port Probe on unprotected port
– Outbound port scans
– Callers from anonymizing proxies
• Backdoor
– Spambot or C&C activity detected
– Exfiltration over DNS channel
– Suspicious domain request
• Trojan
– DGA Domain Request
– Blackhole traffic
– DropPoint
• Unauthorized Access
– Unusual ISP caller
– SSH BruteForce
– RDP Brute Force
• Stealth
– Password Policy Change
– CloudTrail Logging Disabled
– GuardDuty Disabled in member account
• CryptoCurrency
– Communication with Bitcoin DNS pools
– CryptoCurrency related DNS calls
– Connections to Bitcoin mining pools
Demo: Alexa “Ask GuardDuty”
Sample utterances: “Get flash briefing”, “Get statistics for Virginia”, “Get medium severity findings for Oregon”
Flow: “Alexa, Ask GuardDuty” → Amazon Echo → Alexa Service → Alexa Custom Skill (Lambda) → GuardDuty API (read only) → Finding statistics and details → “Here is your GuardDuty flash briefing…”
Amazon Macie
ML-powered visibility service that identifies sensitive information to help automate security and compliance
Macie overview
• Understand your data: Natural Language Processing (NLP)
• Understand data access: Predictive User Behavior Analytics (UBA)
Macie Content Classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SAAS API Keys
Automated actions on alerts
• Simplify with Lambda
• Delete the object
• Revoke access—bucket or object
• Perimeter guard
• Update IAM policies
• Suspend user
Benefits of AWS Lambda
1. Productivity-focused compute service to build powerful, dynamic, modular applications in the cloud
2. Cost-effective and efficient: no infrastructure to manage; pay only for what you use
3. Bring your own code: run code in standard languages; focus on business logic
AWS Lambda: Run Code in Response to Events
EVENT SOURCE → FUNCTION → SERVICES (ANYTHING)
• Event sources: changes in data state, requests to endpoints, changes in resource state
• Function runtimes: Node, Python, Java, C#
Active Auditing with AWS Lambda
• AWS Config and AWS Config Rules
• AWS CloudTrail and Amazon CloudWatch Logs
AWS Config & AWS Config Rules
• A continuous recording and continuous assessment service
Changing resources → AWS Config (normalized) → Config Rules, History & Snapshot, Notifications, API Access
Answer the questions:
• How are my resources configured over time?
• Is a change that just occurred to a resource compliant?
AWS Lambda as Auditor
App Account 1 … App Account n → Security Team Account
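To make the “Lambda as auditor” pattern concrete, here is an added example (not code from the deck or from AWS) of a custom Config Rule handler that answers “is the change that just occurred compliant?” for a security group: it flags any ingress rule that opens an admin port (SSH/RDP) to the whole Internet. It assumes the Config Rule invocation shape (`invokingEvent` as a JSON string carrying a `configurationItem`, plus a `resultToken`), accepts both the string and object shapes Config has used for `ipRanges`, and takes the `put_evaluations` call as an injected parameter so the logic runs offline; the sample items are constructed.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
ADMIN_PORTS = (22, 3389)           # SSH and RDP, the brute-force targets GuardDuty reports on
WORLD = ("0.0.0.0/0", "::/0")


def _cidrs(ranges):
    """Normalise ipRanges/ipv6Ranges entries: plain CIDR strings or
    {"cidrIp": ...} / {"cidrIpv6": ...} objects (shape assumption, see lead-in)."""
    return [r.get("cidrIp") or r.get("cidrIpv6") if isinstance(r, dict) else r for r in ranges]


def permission_exposes_admin_port(perm):
    """True if one ipPermissions entry lets the whole Internet reach SSH or RDP."""
    from_port, to_port = perm.get("fromPort"), perm.get("toPort")
    if str(perm.get("ipProtocol", "")) == "-1" or from_port is None or to_port is None:
        ports_hit = True                              # "all traffic" rules cover every port
    else:
        ports_hit = any(from_port <= p <= to_port for p in ADMIN_PORTS)
    cidrs = _cidrs(perm.get("ipRanges", [])) + _cidrs(perm.get("ipv6Ranges", []))
    return ports_hit and any(c in WORLD for c in cidrs)


def evaluate_security_group(configuration):
    for perm in configuration.get("ipPermissions", []):
        if permission_exposes_admin_port(perm):
            return NON_COMPLIANT
    return COMPLIANT


def evaluate_configuration_item(item):
    """Only security groups are in scope; deleted resources get NOT_APPLICABLE."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE
    return evaluate_security_group(item.get("configuration") or {})


def lambda_handler(event, context=None, put_evaluations=None):
    """Config invokes the rule with invokingEvent as a JSON string and expects the verdict
    back via PutEvaluations with the supplied resultToken. In Lambda pass
    boto3.client("config").put_evaluations as put_evaluations; offline it is simply skipped."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_configuration_item(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if put_evaluations is not None:
        put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(group_id, ip_permissions):
    """Constructed Config invocation for local runs and tests."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": group_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2018-02-20T10:00:00.000Z",
            "configuration": {"groupId": group_id, "ipPermissions": ip_permissions}}
    invoking = {"messageType": "ConfigurationItemChangeNotification", "configurationItem": item}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "example-token"}


# Constructed sample rule sets: SSH open to the world vs. SSH from one office range.
OPEN_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]
OFFICE_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
               "ipRanges": [{"cidrIp": "203.0.113.0/24"}]}]

if __name__ == "__main__":
    for gid, perms in (("sg-open", OPEN_SSH), ("sg-office", OFFICE_SSH)):
        print(lambda_handler(make_event(gid, perms)))
```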
Amazon Inspector
• Vulnerability Assessment Service
– Built from the ground up to support DevSecOps
– Automatable via APIs
– Integrates with CI/CD tools
– On-Demand Pricing model
– Static & Dynamic Rules Packages
– Generates Findings
Amazon Inspector
• Rules Packages
– Common Vulnerabilities & Exposures
– CIS Operating System Security Configuration Benchmarks
– Security Best Practices
– Runtime Behavior Analysis
Automating Remediation
• Findings are JSON formatted and taggable
– Name of assessment target & template
– Start time, end time, status
– Name of rule packages
– Name & severity of the finding
– Description & remediation steps
• Lambda-ify your incident response
– Integrate with Jira-like services
– Integrate with Pagerduty-like services
Introducing AWS Systems Manager
• A set of capabilities that:
• enable automated configuration
• support ongoing management of systems at scale
• work across all of your Windows and Linux workloads
• run in Amazon EC2 or on-premises
• carry no additional charge to use
Why should I care?
• Support for hybrid architecture
• Cross-platform
• Scalable
• Secure
• Easy-to-write automation
• Expected reduction in Total Cost of Ownership (TCO)
AWS Systems Manager capabilities
• State Manager
• Maintenance Window
• Inventory
• Automation
• Parameter Store
• Run Command
• Patch Manager
CloudWatch Events
• Delivers a near real-time stream of system events that describe changes in
Amazon Web Services (AWS) resources.
• Using simple rules, you can match events and route them to one or more target
functions or streams.
• CloudWatch Events becomes aware of operational changes as they occur and
responds to these operational changes and takes corrective action as
necessary, by sending messages to respond to the environment, activating
functions, making changes, and capturing state information.
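The “simple rules” that route events to targets are JSON event patterns. As an added illustration (not code from the deck; CloudWatch Events does this matching itself), the block below re-implements the exact-match semantics of those patterns: every key in the pattern must be present in the event, a list at a pattern leaf is the set of acceptable values, nested objects recurse, and an event list matches when any element matches. The rules, targets and abbreviated sample events are constructed for the example.

```python
import json


def matches(pattern, event):
    """Return True if `event` satisfies `pattern` under CloudWatch Events exact-match rules."""
    for key, expected in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False                       # every pattern key must exist in the event
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):         # nested object: recurse into any element
            if not any(matches(expected, c) for c in candidates):
                return False
        elif not any(c in expected for c in candidates):
            return False                       # leaf: value must be one of the listed literals
    return True


# Constructed rule set for a security team's event bus; targets are illustrative names.
RULES = [
    {"name": "guardduty-ec2-bruteforce",
     "pattern": {"source": ["aws.guardduty"],
                 "detail-type": ["GuardDuty Finding"],
                 "detail": {"type": ["UnauthorizedAccess:EC2/SSHBruteForce",
                                     "UnauthorizedAccess:EC2/RDPBruteForce"]}},
     "target": "lambda:quarantine-instance"},
    {"name": "macie-alerts",
     "pattern": {"source": ["aws.macie"]},
     "target": "sns:infosec-alerts"},
    {"name": "config-noncompliant",
     "pattern": {"source": ["aws.config"],
                 "detail-type": ["Config Rules Compliance Change"],
                 "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}},
     "target": "lambda:config-remediation"},
]


def route(event, rules=RULES):
    """Targets of every rule the event satisfies; all rules are evaluated, so one event
    can fan out to several targets (or to none)."""
    return [r["target"] for r in rules if matches(r["pattern"], event)]


def guardduty_event(finding_type):
    """Constructed, abbreviated CloudWatch Events envelope for a GuardDuty finding."""
    return {"version": "0", "id": "example-event-id", "detail-type": "GuardDuty Finding",
            "source": "aws.guardduty", "account": "123456789012", "region": "us-east-1",
            "detail": {"id": "example-finding-id", "type": finding_type, "severity": 5.0,
                       "resource": {"resourceType": "Instance"}}}


CONFIG_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                "detail": {"newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}

if __name__ == "__main__":
    for ev in (guardduty_event("UnauthorizedAccess:EC2/SSHBruteForce"),
               guardduty_event("Recon:EC2/PortProbeUnprotectedPort"), CONFIG_EVENT):
        print(json.dumps({"source": ev["source"], "targets": route(ev)}))
```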
Supported Services
• AWS CodeStar
• AWS Console Sign-In
• Auto Scaling
• Batch
• Certificate Manager
• Chime
• Cloud Directory
• CloudFormation
• CloudFront
• CloudHSM
• CloudSearch
• CloudTrail
• CloudWatch Events
• CloudWatch Logs
• CodeBuild
• CodeCommit
• CodeDeploy
• CodePipeline
• Cognito Identity
• Cognito Sync
• Cognito User Pool
• Config
• Data Pipeline
• Database Migration Service
• Direct Connect
• Directory Service
• DynamoDB
• EC2
• EC2 Container Registry
• EC2 Container Service (ECS)
• EC2 Simple Systems Manager (SSM)
• EMR
• ElastiCache
• Elastic Beanstalk
• Elastic File System (EFS)
• Elastic Load Balancing
• Elastic Map Reduce (EMR)
• Elastic Transcoder
• Elasticsearch
• Gamelift
• Glacier
• Glue
• GuardDuty
• Health
• IAM
• Inspector
• IoT
• Key Management Service (KMS)
• Kinesis
• Kinesis Firehose
• Lambda
• Machine Learning
• Macie
• Managed Services
• MediaConvert
• MediaLive
• Metering Marketplace
• Monitoring
• OpsWorks
• OpsWorks for Chef Automate
• Organizations
• Polly
• RedShift
• Relational Database Service (RDS)
• Route 53
• Security Token Service (STS)
• Server Migration Service (SMS)
• Service Catalog
• Simple Email Service (SES)
• Simple Notification Service (SNS)
• Simple Queue Service (SQS)
• Simple Storage Service (S3)
• Simple Workflow Service (SWF)
• Step Functions
• Storage Gateway
• Support
• Trusted Advisor
• WAF Regional
• Web Application Firewall (WAF)
• WorkDocs
• WorkSpaces
* As of 2/20/18
Supported Targets
• Amazon EC2 instances
• AWS Lambda functions
• Streams in Amazon Kinesis Data Streams
• Delivery streams in Amazon Kinesis Data Firehose
• Amazon ECS tasks
• SSM Run Command
• SSM Automation
• Step Functions state machines
• Pipelines in AWS CodePipeline
• AWS CodeBuild projects
• Amazon Inspector assessment templates
• Amazon SNS topics
• Amazon SQS queues
• Built-in targets
• The default event bus of another AWS account
Not just API
Putting it all together
Service Outputs
Service           Outputs
WAF               CloudWatch Metrics
Shield            CloudWatch Metrics
GuardDuty         CloudWatch Events
Macie             CloudWatch Events
Lambda            CloudWatch Logs
Config            Config Rules
Inspector         CloudWatch Events
Systems Manager   CloudWatch Events
Remediation through CloudWatch Events and Lambda
GuardDuty Finding → CloudWatch Event → Remediation Lambda function
Remediation through CloudWatch Events and Lambda
Macie Finding → CloudWatch Event → Remediation Lambda function
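The two remediation flows above end in a Lambda function that decides what to do with a finding. The following added example (not from the deck or from AWS) is a handler for the GuardDuty flow: it checks that the event really is a GuardDuty finding, applies a constructed playbook (only EC2-targeted finding types with a severity at or above a floor are quarantined, everything else is handed to a human), and isolates the instance by swapping its security groups for a rule-less quarantine group so it is cut off but preserved for forensics. The finding type strings follow GuardDuty's ThreatPurpose:ResourceType/ThreatName naming, the quarantine security group id is a placeholder, the EC2 call is injected so the logic runs offline (in Lambda, pass `boto3.client("ec2").modify_instance_attribute`), and the sample events are constructed and abbreviated.

```python
# Finding types for which an automated network quarantine is a reasonable first response
# (constructed policy, not a GuardDuty default); verify names against the current finding list.
QUARANTINE_TYPES = {
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "UnauthorizedAccess:EC2/RDPBruteForce",
    "Backdoor:EC2/Spambot",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
}
SEVERITY_FLOOR = 4.0   # GuardDuty severity bands: 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high
QUARANTINE_SG = "sg-0123456789quarantine"   # placeholder: a security group with no rules


def decide(finding, severity_floor=SEVERITY_FLOOR):
    """Map one GuardDuty finding (the CloudWatch event 'detail') to a remediation decision.
    Anything the playbook does not cover falls back to 'notify' so a human still sees it."""
    ftype = finding.get("type", "")
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    base = {"finding_id": finding.get("id"), "type": ftype, "severity": severity}
    if resource.get("resourceType") != "Instance" or not instance_id:
        return dict(base, action="notify", reason="finding does not target an EC2 instance")
    if ftype not in QUARANTINE_TYPES:
        return dict(base, action="notify", reason="no automated playbook for this finding type")
    if severity < severity_floor:
        return dict(base, action="notify", reason="severity below automation floor")
    return dict(base, action="quarantine", instance_id=instance_id)


def lambda_handler(event, context=None, ec2_modify=None):
    """Entry point for the remediation Lambda. Without an injected EC2 client the function
    only reports what it would do (dry run), which is how it should be rolled out first."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding event"}
    decision = decide(event["detail"])
    if decision["action"] == "quarantine":
        if ec2_modify is None:
            decision["dry_run"] = True
        else:
            # Replacing the instance's security groups with the empty quarantine group cuts
            # its network access while keeping the instance (and its disk) for investigation.
            ec2_modify(InstanceId=decision["instance_id"], Groups=[QUARANTINE_SG])
            decision["dry_run"] = False
    return decision


def sample_event(finding_type, severity, resource_type="Instance"):
    """Constructed CloudWatch Events envelope around an abbreviated GuardDuty finding."""
    resource = {"resourceType": resource_type}
    if resource_type == "Instance":
        resource["instanceDetails"] = {"instanceId": "i-0abc1234567890def"}
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": "123456789012", "region": "us-east-1",
            "detail": {"id": "example-finding-id", "type": finding_type,
                       "severity": severity, "resource": resource}}


if __name__ == "__main__":
    print(lambda_handler(sample_event("UnauthorizedAccess:EC2/SSHBruteForce", 5.0)))
    print(lambda_handler(sample_event("Recon:EC2/PortProbeUnprotectedPort", 5.0)))
```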
Multiple Accounts
Threat Detection and Remediation in Multiple Accounts
• GuardDuty and Macie Support Master / Member accounts
– Centralized Console for many accounts, per region
• CloudWatch Events supports receiving events from multiple accounts through
the Event Bus feature
– All CloudWatch Events across your organization can be sent to an Event Bus owned
by your InfoSec team
• CloudFormation
– All services discussed today support CloudFormation directly or through custom
Lambda resources
– CloudFormation allows you to deploy services discussed today as code
– CloudFormation StackSets allows you to centrally deploy templates across accounts
and regions
Wrap Up
AWS Security Center
Comprehensive security portal to provide a variety of security notifications,
information and documentation.
Security Whitepapers
• Overview of Security Process
• AWS Risk and Compliance
• AWS Security Best Practices
Security Bulletin
Security Resources
Vulnerability Reporting
Penetration Testing Requests
Report Suspicious Emails
http://aws.amazon.com/security
AWS Security Blog
http://blogs.aws.amazon.com/security/
Subscribe to the blog – it’s a great way to stay up-to-date on
AWS security and compliance.
Security Resources
http://aws.amazon.com/security/security-resources/
Developer Information, Articles and Tutorials,
Security Products, and Whitepapers
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Intro to Threat Detection and Remediation on AWS

  • 1. Introduction to Threat Detection and Remediation on AWS. Cameron Worrell, Solutions Architect, Amazon Web Services. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 2. Agenda
    – Quick intro to security on AWS
    – Overview of threat detection and remediation on AWS: AWS WAF, AWS Shield, Amazon GuardDuty, Amazon Macie, AWS Lambda, AWS Config, Amazon Inspector, AWS Systems Manager, Amazon CloudWatch Events
    – Putting it all together
  • 3. Introduction to Security on AWS
  • 4. At AWS, cloud security is job zero. All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.
  • 5. Gain access to a world-class security team. Where would some of the world's top security people like to work? At scale, on huge challenges, with huge rewards. So AWS has world-class security and compliance teams watching your back. Every customer benefits from the tough scrutiny of other AWS customers.
  • 6. Broad accreditations and certifications (including Glacier Vault Lock and SEC Rule 17a-4(f)).
  • 7. Shared Responsibility Model. AWS is responsible for the security OF the cloud: the AWS Foundation Services (compute, storage, database, networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security and compliance IN the cloud: customer content; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption; server-side data encryption; network traffic protection.
  • 8. AWS Shared Responsibility Model. AWS provides facilities, physical security, compute infrastructure, storage infrastructure, network infrastructure, the virtualization layer (EC2), hardened service endpoints and rich IAM capabilities. The customer owns network configuration, security groups, OS firewalls, operating systems, applications, proper service configuration, AuthN and account management, and authorization policies. AWS plus customer together make the secure system.
    – The scope of responsibility depends on the type of service offered by AWS: infrastructure, container, or abstracted services.
    – Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure.
  • 9. Threat Detection and Remediation on AWS
  • 10. What is a WAF? A Web Application Firewall monitors HTTP/S requests and protects web applications from malicious activity: a Layer 7 inspection and mitigation tool.
  • 11. What is AWS WAF?
    – Web traffic filtering with custom rules: rate-based rules; IP match and Geo-IP filters; regex and string match; size constraints; action: allow/block
    – Malicious request blocking: SQLi, XSS
    – Active monitoring and tuning: CloudWatch metrics/alarms, sampled logs, Count action mode
  • 12. Where AWS WAF can help: application-layer DDoS (HTTP floods); bad bots (content scrapers, scanners and probes, crawlers); application attacks (SQL injection, application exploits, social engineering).
  • 13. AWS WAF benefits: fast incident response, powerful rule language, easy to deploy, affordable, security automation, managed rules.
  • 14. Managed rules from security leaders.
  • 15. AWS Shield. Standard Protection is available to ALL AWS customers at no additional cost. Advanced Protection is a paid service that provides additional protections, features, and benefits.
  • 16. AWS Shield Standard Protection, automatically provided to all AWS customers at no additional cost:
    – Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
    – Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
    – Application layer defense available when using AWS WAF
  • 17. AWS Shield Advanced Protection, available globally on Amazon CloudFront and Amazon Route 53, and in select AWS Regions:
    – Fast escalation to the AWS DDoS Response Team (DRT) to assist with complex edge cases
    – Attack visibility and enhanced detection
    – Cost protection to mitigate economic attack vectors
    – AWS WAF for application-layer defense, at no additional cost
  • 18. Defense in depth (figure: DDoS traffic from the Internet passes the AWS border network, the AWS services layer and the web layer before reaching customer infrastructure, with DDoS detection across all layers). Internet-layer mitigations at the border network are effective against large-scale attacks. Network-layer mitigations are effective against SYN floods, reflection attacks and suspicious sources. The AWS services layer is effective against SSL attacks, Slowloris and malformed HTTP. Web-layer mitigations are effective against HTTP floods, bad bots and suspicious IPs. The DDoS Response Team is effective against sophisticated Layer 7 attacks.
  • 19. What is Amazon GuardDuty?
    – A threat detection service re-imagined for the cloud
    – Continuously monitors and protects AWS accounts, along with the applications and services running within them
    – Detects known and unknown threats
    – Makes use of artificial intelligence and machine learning
    – Integrated threat intelligence
    – Operates on CloudTrail, VPC Flow Logs and DNS logs
    – Detailed and actionable findings
  • 20. Detecting known threats with threat intelligence. GuardDuty consumes feeds from various sources: AWS Security, commercial feeds, open source feeds, and customer-provided threat intel (STIX). The feeds cover known malware-infected hosts, anonymizing proxies, sites hosting malware and hacker tools, and crypto-currency mining pools and wallets. A great catch-all for suspicious and malicious activity.
  • 21. Detecting unknown threats with anomaly detection. Algorithms to detect unusual behavior: inspecting signal patterns for signatures, profiling normal and looking at deviations, machine learning classifiers. This is a larger R&D effort: highly skilled data scientists study the data, develop theoretical detection models, experiment with implementations, and test, tune and validate them.
  • 22. What can the service detect? (figure) Examples: RDP brute force; RAT installed; exfiltration of temporary IAM credentials over DNS; probing the API with temporary credentials; attempts to compromise an account; malicious or suspicious IPs; unusual ports; DNS exfiltration; unusual traffic volume; connections to blacklisted sites; recon; anonymizing proxies; temporary credentials used off-instance; unusual ISP caller; Bitcoin activity; unusual instance launch.
  • 23. Finding type categories
    – Recon: port probe on unprotected port; outbound port scans; callers from anonymizing proxies
    – Backdoor: spambot or C&C activity detected; exfiltration over DNS channel; suspicious domain request
    – Trojan: DGA domain request; blackhole traffic; drop point
    – Unauthorized Access: unusual ISP caller; SSH brute force; RDP brute force
    – Stealth: password policy change; CloudTrail logging disabled; GuardDuty disabled in member account
    – CryptoCurrency: communication with Bitcoin DNS pools; crypto-currency related DNS calls; connections to Bitcoin mining pools
  • 24. Demo: Alexa "Ask GuardDuty" (figure). (1) The user tells an Amazon Echo "Alexa, ask GuardDuty" with a request such as "Get flash briefing", "Get statistics for Virginia" or "Get medium severity findings for Oregon"; (2) the Alexa service invokes a custom skill implemented in Lambda; (3) the skill calls the GuardDuty API read-only; (4) finding statistics and details come back; (5) Alexa answers "Here is your GuardDuty flash briefing…".
  • 25. Amazon Macie: an ML-powered visibility service that identifies sensitive information to help automate security and compliance.
  • 26. Macie overview. Understand your data: Natural Language Processing (NLP). Understand data access: predictive User Behavior Analytics (UBA).
  • 27. Macie content classification: PII and personal data; source code; SSL certificates and private keys; iOS and Android app signing keys; database backups; OAuth and cloud SaaS API keys.
  • 28. Automated actions on alerts, simplified with Lambda: delete the object; revoke access to the bucket or object; perimeter guard; update IAM policies; suspend the user.
  • 29. Benefits of AWS Lambda, a productivity-focused compute service to build powerful, dynamic, modular applications in the cloud: (1) cost-effective and efficient: no infrastructure to manage, pay only for what you use; (2) bring your own code: run code in standard languages; (3) focus on business logic.
  • 30. AWS Lambda: run code in response to events. Event sources (changes in data state, requests to endpoints, changes in resource state) invoke a function (Node, Python, Java, C#), which can in turn call any service.
  • 31. Active auditing with AWS Lambda: AWS Config and AWS Config Rules; AWS CloudTrail and Amazon CloudWatch Logs.
  • 32. AWS Config and AWS Config Rules: a continuous recording and continuous assessment service. Changing resources are recorded by AWS Config in a normalized form (history, snapshots, notifications, API access) and assessed by Config Rules. They answer the questions: how are my resources configured over time? Is a change that just occurred to a resource compliant?
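The second question on slide 32 ("is the change that just occurred compliant?") is what a custom Config rule answers. The following is an added example, not code from the deck: a Lambda-backed rule that evaluates one AWS::EC2::SecurityGroup configuration item and reports NON_COMPLIANT when SSH or RDP is open to the whole internet. It assumes the standard custom-rule invocation shape (event["invokingEvent"] is a JSON string holding the configurationItem, event["resultToken"] is echoed back to PutEvaluations); the security groups at the bottom are constructed sample data, and the Config client is injectable so the logic runs without credentials.

```python
"""Custom AWS Config rule (added example): flag security groups exposing 22/3389 to the internet."""
import json

SENSITIVE_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Collect every source CIDR of an ipPermissions entry. Config records IPv4
    ranges both as plain strings (ipRanges) and as objects (ipv4Ranges/ipv6Ranges)."""
    out = []
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for r in perm.get(key) or []:
            out.append(r if isinstance(r, str) else r.get("cidrIp") or r.get("cidrIpv6"))
    return out


def _exposes_sensitive_port(perm):
    """True if this rule admits the whole internet on a sensitive TCP port."""
    proto = str(perm.get("ipProtocol"))
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if proto == "-1":                       # all protocols, all ports
        covers = True
    elif proto in ("tcp", "6"):
        if lo is None:                      # no port range on tcp means every port
            covers = True
        else:
            hi = lo if hi is None else hi
            covers = any(lo <= p <= hi for p in SENSITIVE_PORTS)
    else:
        covers = False
    return covers and any(c in ANYWHERE for c in _cidrs(perm))


def evaluate(ci):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    perms = (ci.get("configuration") or {}).get("ipPermissions") or []
    bad = [p for p in perms if _exposes_sensitive_port(p)]
    if bad:
        ports = sorted({p["fromPort"] for p in bad if p.get("fromPort") is not None}) or ["all"]
        return "NON_COMPLIANT", "ports %s open to the internet" % ", ".join(map(str, ports))
    return "COMPLIANT", "no sensitive port open to the internet"


def lambda_handler(event, context=None, config_client=None):
    """Entry point: evaluate the changed resource and report back to AWS Config."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(ci)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],           # PutEvaluations annotation limit
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3                        # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# --- constructed sample data, not real resources ---------------------------------
def _ci(group_id, perms):
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": group_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2018-02-20T12:00:00.000Z",
            "configuration": {"groupId": group_id, "ipPermissions": perms}}

OPEN_SSH_SG = _ci("sg-0aaa1111bbbb2222c", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}])
OFFICE_ONLY_SG = _ci("sg-0ddd3333eeee4444f", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}])


class RecordingConfigClient:
    """Stand-in for boto3's Config client that records the PutEvaluations call."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def demo(ci):
    """Run the handler on a constructed item with the recording client."""
    event = {"invokingEvent": json.dumps({"configurationItem": ci}), "resultToken": "demo-token"}
    return lambda_handler(event, None, RecordingConfigClient())


if __name__ == "__main__":
    for item in (OPEN_SSH_SG, OFFICE_ONLY_SG):
        result = demo(item)
        print(result["ComplianceResourceId"], result["ComplianceType"], result["Annotation"])
```

The rule is triggered per configuration change, so it runs against the security group as it was captured, not as it is now; the evaluation is tied to that capture via OrderingTimestamp. Deleted resources are reported NOT_APPLICABLE rather than skipped, otherwise a stale NON_COMPLIANT result would linger in the Config console.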
  • 33. AWS Lambda as auditor (figure): Lambda functions in a security team account audit application accounts 1 through n.
  • 34. Amazon Inspector: a vulnerability assessment service built from the ground up to support DevSecOps; automatable via APIs; integrates with CI/CD tools; on-demand pricing model; static and dynamic rules packages; generates findings.
  • 35. Amazon Inspector rules packages: Common Vulnerabilities and Exposures; CIS Operating System Security Configuration Benchmarks; Security Best Practices; Runtime Behavior Analysis.
  • 36. Automating remediation. Findings are JSON formatted and taggable, and carry the name of the assessment target and template; start time, end time and status; the names of the rules packages; the name and severity of the finding; and a description with remediation steps. Lambda-ify your incident response: integrate with Jira-like and PagerDuty-like services.
  • 37. Introducing AWS Systems Manager: a set of capabilities that enable automated configuration, support ongoing management of systems at scale, work across all of your Windows and Linux workloads, run in Amazon EC2 or on-premises, and carry no additional charge to use.
  • 38. Why should I care? Support for hybrid architectures; cross-platform; scalable; secure; easy-to-write automation; expected reduction in total cost of ownership (TCO).
  • 39. AWS Systems Manager capabilities: State Manager, Maintenance Windows, Inventory, Automation, Parameter Store, Run Command, Patch Manager.
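Slides 36 to 39 describe the pieces (JSON findings from Inspector, Lambda, Run Command and Patch Manager) without joining them. The following is an added example, not code from the deck, that does: given findings in the shape Inspector's DescribeFindings returns, it selects the instances carrying High-severity CVE findings and patches them with the AWS-RunPatchBaseline document through Run Command, batching to the 50-instance limit of SendCommand. It assumes the SSM Agent is installed on the instances with an instance profile that permits SSM; the findings are constructed sample data and the rules-package ARN in them is a placeholder. The SSM client is injectable so the selection and batching logic runs offline.

```python
"""Inspector findings -> Systems Manager Run Command patch run (added example)."""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SEND_COMMAND_MAX_IDS = 50          # SendCommand accepts at most 50 explicit instance ids


def select_instances(findings, min_severity="High"):
    """Map instance id -> sorted CVE ids that justify patching it.

    Findings without a CVE in their title/description (CIS benchmarks, best
    practices, runtime behaviour) are not fixed by patching and are skipped."""
    rank = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
    wanted = rank[min_severity]
    targets = {}
    for f in findings:
        if rank.get(f.get("severity"), -1) < wanted:
            continue
        cves = CVE_RE.findall(f.get("title", "") + " " + f.get("description", ""))
        instance_id = f.get("assetAttributes", {}).get("agentId")
        if not cves or not instance_id:
            continue
        targets.setdefault(instance_id, set()).update(cves)
    return {i: sorted(c) for i, c in targets.items()}


def patch_instances(findings, ssm=None, operation="Install"):
    """Issue Run Command invocations for the selected instances; returns command ids."""
    ids = sorted(select_instances(findings))
    if not ids:
        return []
    if ssm is None:
        import boto3                # only needed when really talking to AWS
        ssm = boto3.client("ssm")
    command_ids = []
    for start in range(0, len(ids), SEND_COMMAND_MAX_IDS):
        batch = ids[start:start + SEND_COMMAND_MAX_IDS]
        resp = ssm.send_command(
            InstanceIds=batch,
            DocumentName="AWS-RunPatchBaseline",
            Parameters={"Operation": [operation]},
            Comment="Inspector High CVE findings on %d instance(s)" % len(batch),
            MaxConcurrency="25%",    # roll through the fleet rather than all at once
            MaxErrors="1",           # stop early if a patch run fails
        )
        command_ids.append(resp["Command"]["CommandId"])
    return command_ids


# --- constructed sample findings (placeholder ARNs, not real assessments) ----------
def _finding(instance_id, severity, title):
    return {"arn": "arn:aws:inspector:us-east-1:111122223333:target/0-x/template/0-y/run/0-z/finding/0-"
                   + instance_id[-4:],
            "severity": severity, "title": title, "description": "",
            "assetAttributes": {"agentId": instance_id},
            "serviceAttributes": {"rulesPackageArn":
                                  "arn:aws:inspector:us-east-1:000000000000:rulespackage/0-PLACEHOLDER"}}

SAMPLE_FINDINGS = [
    _finding("i-0aaaa0000000001", "High", "Instance is vulnerable to CVE-2017-1000253"),
    _finding("i-0aaaa0000000001", "High", "Instance is vulnerable to CVE-2017-16995"),
    _finding("i-0bbbb0000000002", "Medium", "Instance is vulnerable to CVE-2016-10229"),
    _finding("i-0cccc0000000003", "High", "Remote root login is enabled over SSH"),
]


class RecordingSsm:
    """Stand-in for boto3's SSM client that records SendCommand calls."""
    def __init__(self):
        self.calls = []

    def send_command(self, **kwargs):
        self.calls.append(kwargs)
        return {"Command": {"CommandId": "cmd-%d" % len(self.calls)}}


if __name__ == "__main__":
    ssm = RecordingSsm()
    print(select_instances(SAMPLE_FINDINGS))
    print(patch_instances(SAMPLE_FINDINGS, ssm), ssm.calls[0]["InstanceIds"])
```

Only the instance with High CVE findings is patched; the Medium one is left for the regular Patch Manager maintenance window, and the High SSH-configuration finding on the third instance is not a patching problem at all. In production, send the returned command ids to the ticketing integration slide 36 mentions and re-run the Inspector assessment afterwards to close the loop.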
  • 40. CloudWatch Events
    – Delivers a near real-time stream of system events that describe changes in AWS resources.
    – Using simple rules, you can match events and route them to one or more target functions or streams.
    – CloudWatch Events becomes aware of operational changes as they occur and can respond to them by sending messages, activating functions, making changes, and capturing state information.
  • 41. Supported services (as of 2/20/18): AWS CodeStar, AWS Console Sign-In, Auto Scaling, Batch, Certificate Manager, Chime, Cloud Directory, CloudFormation, CloudFront, CloudHSM, CloudSearch, CloudTrail, CloudWatch Events, CloudWatch Logs, CodeBuild, CodeCommit, CodeDeploy, CodePipeline, Cognito Identity, Cognito Sync, Cognito User Pool, Config, Data Pipeline, Database Migration Service, Direct Connect, Directory Service, DynamoDB, EC2, EC2 Container Registry, EC2 Container Service (ECS), EC2 Simple Systems Manager (SSM), EMR, ElastiCache, Elastic Beanstalk, Elastic File System (EFS), Elastic Load Balancing, Elastic Map Reduce (EMR), Elastic Transcoder, Elasticsearch, Gamelift, Glacier, Glue, GuardDuty, Health, IAM, Inspector, IoT, Key Management Service (KMS), Kinesis, Kinesis Firehose, Lambda, Machine Learning, Macie, Managed Services, MediaConvert, MediaLive, Metering Marketplace, Monitoring, OpsWorks, OpsWorks for Chef Automate, Organizations, Polly, RedShift, Relational Database Service (RDS), Route 53, Security Token Service (STS), Server Migration Service (SMS), Service Catalog, Simple Email Service (SES), Simple Notification Service (SNS), Simple Queue Service (SQS), Simple Storage Service (S3), Simple Workflow Service (SWF), Step Functions, Storage Gateway, Support, Trusted Advisor, WAF Regional, Web Application Firewall (WAF), WorkDocs, WorkSpaces.
  • 42. Supported targets: Amazon EC2 instances; AWS Lambda functions; streams in Amazon Kinesis Data Streams; delivery streams in Amazon Kinesis Data Firehose; Amazon ECS tasks; SSM Run Command; SSM Automation; Step Functions state machines; pipelines in AWS CodePipeline; AWS CodeBuild projects; Amazon Inspector assessment templates; Amazon SNS topics; Amazon SQS queues; built-in targets; the default event bus of another AWS account.
  • 43. Not just API
  • 44. Putting it all together
  • 45. Service outputs

    Service           Outputs
    WAF               CloudWatch Metrics
    Shield            CloudWatch Metrics
    GuardDuty         CloudWatch Events
    Macie             CloudWatch Events
    Lambda            CloudWatch Logs
    Config            Config Rules
    Inspector         CloudWatch Events
    Systems Manager   CloudWatch Events

  • 46. Remediation through CloudWatch Events and Lambda (figure): GuardDuty finding → CloudWatch Event → remediation Lambda function.
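Slide 40's "simple rules" and slide 46's GuardDuty → CloudWatch Event → Lambda chain, as an added example that is not code from the deck. It shows the rule pattern that selects the findings of interest, a matcher implementing the basic CloudWatch Events pattern semantics (every pattern key must exist in the event, and a leaf matches when the event's value is one of the listed alternatives), and the remediation function the rule targets. Assumptions: QUARANTINE_SG_ID names a pre-created security group with no inbound or outbound rules; the event is constructed in the shape GuardDuty publishes to CloudWatch Events; the EC2 client is injectable so the decision logic runs offline.

```python
"""CloudWatch Events rule pattern, matcher and GuardDuty remediation Lambda (added example)."""

QUARANTINE_SG_ID = "sg-0quarantine0000000"     # assumption: exists and has no rules at all

# The rule: only GuardDuty findings, and only the types this function knows how to handle.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["UnauthorizedAccess:EC2/SSHBruteForce",
                        "UnauthorizedAccess:EC2/RDPBruteForce",
                        "CryptoCurrency:EC2/BitcoinTool.B",
                        "CryptoCurrency:EC2/BitcoinTool.B!DNS"]},
}


def matches(pattern, event):
    """Exact-match pattern evaluation: nested dicts recurse, leaf lists are alternatives."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def plan(finding):
    """Decide the action for one finding without touching AWS.

    Brute-force findings are two-sided: OUTBOUND means the instance is the
    attacker (compromised, quarantine it); INBOUND means it is the target
    (notify only, do not cut an instance off for being probed). Crypto-mining
    findings always mean the instance is running something it should not."""
    ftype = finding["type"]
    instance_id = finding["resource"].get("instanceDetails", {}).get("instanceId")
    conn = finding.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    remote_ip = conn.get("remoteIpDetails", {}).get("ipAddressV4")
    if ftype.startswith("CryptoCurrency:EC2/"):
        return {"action": "quarantine", "instance_id": instance_id, "reason": ftype}
    if ftype.endswith("BruteForce"):
        if conn.get("connectionDirection") == "OUTBOUND":
            return {"action": "quarantine", "instance_id": instance_id, "reason": ftype}
        return {"action": "notify", "instance_id": instance_id,
                "remote_ip": remote_ip, "reason": ftype}
    return {"action": "ignore", "instance_id": instance_id, "reason": ftype}


def lambda_handler(event, context=None, ec2=None):
    """Target of the CloudWatch Events rule; re-checks the pattern defensively."""
    if not matches(RULE_PATTERN, event):
        return {"action": "ignore", "reason": "event does not match RULE_PATTERN"}
    step = plan(event["detail"])
    if step["action"] == "quarantine" and step["instance_id"]:
        if ec2 is None:
            import boto3                                  # only needed inside Lambda
            ec2 = boto3.client("ec2", region_name=event["region"])
        # Replace the primary ENI's security groups with the empty quarantine group.
        # Outbound is cut too, which stops C2 and mining traffic immediately while
        # leaving the instance intact for forensics.
        ec2.modify_instance_attribute(InstanceId=step["instance_id"], Groups=[QUARANTINE_SG_ID])
        ec2.create_tags(Resources=[step["instance_id"]],
                        Tags=[{"Key": "GuardDutyFinding", "Value": event["detail"]["id"]}])
    return step


# --- constructed sample event, not a real finding --------------------------------------
def sample_event(direction="OUTBOUND"):
    return {
        "version": "0", "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "id": "finding-0123456789abcdef", "severity": 5,
            "type": "UnauthorizedAccess:EC2/SSHBruteForce",
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0abc12345def67890"}},
            "service": {"action": {"actionType": "NETWORK_CONNECTION",
                                   "networkConnectionAction": {
                                       "connectionDirection": direction,
                                       "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}},
        },
    }


class RecordingEc2:
    """Stand-in for boto3's EC2 client that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))


if __name__ == "__main__":
    ec2 = RecordingEc2()
    print(lambda_handler(sample_event("OUTBOUND"), None, ec2), ec2.calls)
    print(lambda_handler(sample_event("INBOUND"), None, RecordingEc2()))
```

Two caveats a responder will hit: modify_instance_attribute with Groups only changes the primary network interface, so instances with additional ENIs need modify_network_interface_attribute per interface; and a quarantine group that still carries the default allow-all egress rule isolates nothing, so create it with the outbound rule removed and verify that before wiring the rule up.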
  • 47. Remediation through CloudWatch Events and Lambda (figure): Macie finding → CloudWatch Event → remediation Lambda function.
  • 48. Multiple accounts
  • 49. Threat detection and remediation in multiple accounts
    – GuardDuty and Macie support master/member accounts: a centralized console for many accounts, per region
    – CloudWatch Events supports receiving events from multiple accounts through the Event Bus feature: all CloudWatch Events across your organization can be sent to an Event Bus owned by your InfoSec team
    – CloudFormation: all services discussed today support CloudFormation directly or through custom Lambda resources; CloudFormation lets you deploy the services discussed today as code; CloudFormation StackSets lets you centrally deploy templates across accounts and regions
  • 50. Wrap up
  • 51. AWS Security Center: a comprehensive security portal providing a variety of security notifications, information and documentation. Security whitepapers: Overview of Security Processes; AWS Risk and Compliance; AWS Security Best Practices. Also: Security Bulletins, Security Resources, Vulnerability Reporting, Penetration Testing Requests, Report Suspicious Emails. http://aws.amazon.com/security
  • 52. AWS Security Blog, http://blogs.aws.amazon.com/security/ : subscribe to the blog, it is a great way to stay up-to-date on AWS security and compliance. Security Resources, http://aws.amazon.com/security/security-resources/ : developer information, articles and tutorials, security products, and whitepapers.
  • 53. aws.amazon.com/activate : everything and anything startups need to get started on AWS.