Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Scaling threat detection and response on AWS

379 views

Published on

Join us for this hands-on workshop where you will learn about a number of AWS services you can use to identify and respond to threats in your AWS environments. Learn about the capabilities of Amazon GuardDuty, Amazon Macie, Amazon Inspector, and AWS Security Hub as you walk through real-world threat scenarios. For each scenario, we will review methods to detect and respond to threats both manually and automated using services like Amazon CloudWatch Events and AWS Lambda.

  • Be the first to comment

Scaling threat detection and response on AWS

  1. 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jesse Fuchs Security Solutions Architect Amazon Web Services February 2019 Scaling threat detection and response on AWS Floor28
  2. 2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Agenda • Intro • Module 1: Environment Build and Configuration (35 min) • Module 2: Attack simulation and presentation (30 min) • Module 3: Detect, investigate & respond (75 min) • Module 4: Review, discussion, and cleanup (15 min)
  3. 3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Verizon 2018 Data Breach Investigations Report https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf Data Breach Patterns
  4. 4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workload Scenario What could possibly go wrong here?
  5. 5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 Environment Build and Configuration
  6. 6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 Agenda • Run the CloudFormation template (~5 min.) • Manual Setup Steps (~30 min.)
  7. 7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Environment Build and Configuration
  8. 8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. use us-west-2 https://awssecworkshops.com/ Directions (35 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build (bottom right) • Run the AWS CloudFormation template • Complete manual setup steps Environment Build and Configuration
  9. 9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 Attack Simulation and Presentation
  10. 10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 Agenda • Run the CloudFormation template (~5 min.) • Threat detection and response presentation (~20 min.) • Environment walk-through (~10 min.)
  11. 11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Attack Simulation Build https://awssecworkshops.com/ Directions (5 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation (bottom right) • Run the AWS CloudFormation template • Stop and wait for presentation use us-west-2
  12. 12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection and Response
  13. 13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
  14. 14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get humans away from the data and analysis AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good intentions but get phished, it's people who use the same credentials in multiple locations and don't use a hardware token for a multi-factor authentication… Get the humans away from the data.”
  15. 15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detecting breaches https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
  16. 16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudTrail AWS Config Rules Amazon CloudWatch Logs Amazon GuardDuty VPC Flow Logs Amazon Macie AWS Shield AWS WAF AWS Systems Manager Amazon Inspector VPC KMS AWS CloudHSM IAM AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On Certificate Manager AWS Secrets Manager AWS Config Rules AWS Lambda AWS Systems Manager Amazon CloudWatch Events Protect RespondDetect RecoverIdentify AWS Lambda AWS DR and Backup Solutions AWS Systems Manager AWS Config AWS Security Solutions https://www.nist.gov/cyberframework
  17. 17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection Services
  18. 18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Log Data Inputs AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs Track user activity and API usage IP traffic to/from network interfaces in your VPC Monitor apps using log data, store & access log files Log of DNS queries in a VPC when using the VPC DNS resolver
  19. 19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Machine Learning Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Amazon Macie Machine learning-powered security service to discover, classify & protect sensitive data
  20. 20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Introducing AWS Security Hub – In preview • Comprehensive view of your security and compliance state within AWS • Aggregates security findings generated by other AWS security services and partners • Analyze security trends and identify the highest-priority security issues Amazon Inspector Amazon GuardDuty Amazon Macie AWS Security Hub Security findings providers Findings Insights & Standards Other AWS Config Partner Solutions
  21. 21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Evocations/Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
  22. 22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function Alert (e.g. Slack or PagerDuty) Automated response (e.g. Isolate instance) Send to SIEM (e.g. Splunk, QRader)
  23. 23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Response Services
  24. 24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Response Services AWS Systems Manager AWS Lambda Amazon Inspector Run code for virtually any kind of application or backend service – zero administration Gain operational insights and take action on AWS resources Automate security assessments of EC2 instances
  25. 25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Adversary Your environment Lambda function CloudWatch Events
  26. 26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Amazon CloudWatch Events AWS CloudTrail AWS Config AWS APIs Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) Amazon GuardDuty VPC Flow Logs Amazon Inspector AWS Step Functions AWS Security Hub
  27. 27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Environment Walkthrough
  28. 28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon CloudWatch Event Rule Macie finding triggers CloudWatch Event Rule CloudWatch Event Rule publishes to an SNS Topic CloudWatch Event Rule: threat-detection-wksp-macie-alert Amazon Macie Amazon SNS You CloudWatch Event Rule publishes to an SNS Topic
  29. 29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon DynamoDB CloudWatch Event Rule: threat-detection-wksp-macie-alert Input Transformer InputTransformer: InputTemplate: '"Amazon Macie Alert: <macdesc>"' InputPathsMap: macdesc: "$.detail.summary.Description" Event Pattern { "detail-type": [ "Macie Alert" ], "source": [ "aws.macie" ] }
  30. 30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon CloudWatch Event Rule GuardDuty IAM/EC2 finding triggers CloudWatch Event Rule CloudWatch Event Rule publishes to an SNS Topic CloudWatch Event Rule: Amazon GuardDuty Amazon SNS You CloudWatch Event Rule publishes to an SNS Topic threat-detection-wksp-guardduty-iam-finding threat-detection-wksp-guardduty-ec2-finding
  31. 31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon DynamoDB CloudWatch Event Rule: threat-detection-wksp-macie-alert Input Transformer InputTransformer: InputTemplate: ""Amazon GuardDuty Finding : <type>"nn"Account : <account>"n"Region : <region>"n"Description : <description>"n"Access Key ID : <accessKey>"n"User Type : <userType>"" InputPathsMap: type: "$.detail.type" description: "$.detail.description" account: "$.account" region: "$.region" accessKey: "$.detail.resource.accessKeyDetails.accessKeyId" userType: "$.detail.resource.accessKeyDetails.userType" Event Pattern { "detail-type": [ "GuardDuty Finding" ], "source": [ "aws.guardduty" ], "detail": { "resource": { "resourceType": [ "AccessKey" ] } } }
  32. 32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-ec2-maliciousip Amazon CloudWatch Event Rule GuardDuty EC2 malicious finding triggers CloudWatch Event Rule CloudWatch Event Rule triggers a Lambda function Amazon GuardDuty AWS Lambda Network Access Control List Function modifies a NACL Outbound Rule to Deny Destination IP
  33. 33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce Amazon CloudWatch Event Rule GuardDuty SSH bruteforce finding triggers CloudWatch Event Rule Amazon GuardDuty CloudWatch Event Rule triggers a Lambda function AWS Lambda Network Access Control List Function modifies a NACL Inbound Rule to Deny Destination IP AWS Lambda Amazon EC2 Function adds a unique tag to the EC2 instance listed in the finding Function creates and initiates an Inspector scan Inspector scans EC2 instance
  34. 34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce Event Pattern { "source": [ "aws.guardduty" ], "detail": { "type": [ "UnauthorizedAccess:EC2/SSHBruteForce" ] } }
  35. 35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Review Questions • How can you create custom rules for Config? • How do GuardDuty and Macie differ when it comes to CloudTrail analysis? • What services are important for the automation of responses? • What performance impact does GuardDuty have on your account if you have more then 100 VPCs? • Which of the services discussed have direct access to your EC2 Instances?
  36. 36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 3 Detection and Response
  37. 37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detect and Respond https://awssecworkshops.com/ Directions (75 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation • Module 3: Detect & Respond (bottom right) • Part 1: Compromised AWS IAM Credential • Part 2: Compromised EC2 instance • Part 3: Compromised S3 Bucket use us-west-2
  38. 38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 4 Review, Discussion, & Cleanup
  39. 39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 4 Agenda • Review ( 5 min) • Questions ( 10 min) • Cleanup
  40. 40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start Module 4 https://awssecworkshops.com/ Directions (45 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation • Module 3: Detect & Respond • Module 4: Discussion (bottom right) use us-west-2
  41. 41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Attack
  42. 42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What really happened?
  43. 43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Questions
  44. 44. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 1 Why did the AWS API calls from the “malicious host” generate GuardDuty findings?
  45. 45. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 2 How many unique AWS API calls were made from the “malicious host” and how did you identify them?
  46. 46. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 3 The lab mentions you can ignore the high severity SSH brute force attack finding. Why can you ignore it and how is it different from the low severity brute force finding?
  47. 47. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 4 When you revoke all sessions for the IAM Role you run the risk of affecting the availability of your application. What can you change in the remediation to mitigate this?
  48. 48. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 4 "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "*" ], "Resource": [ "*" ], "Condition": { "DateLessThan": { "aws:TokenIssueTime": "2018-12-30T04:29:04.801Z" }, "StringEquals": { "aws:userId": ["AROAI47FH4JKLKEU4833D:i-06123456789098765"] } } } ]
  49. 49. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 5 What control can you put in place to prevent someone from making a S3 bucket or object anonymously accessible?
  50. 50. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 5 Block public access
  51. 51. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 6 What type of server-side encryption was used to encrypt the objects in the data bucket? Would Macie be able to classify the objects if you were to use SSE-KMS?
  52. 52. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 7 Macie had an alert for “S3 Bucket IAM policy grants global read rights.” We investigated that bucket in the workshop. Were the objects in the bucket actually publicly accessible? If the bucket had a policy that allowed for global read rights, would the encrypted objects be accessible?
  53. 53. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cleanup
  54. 54. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you! Floor28

×