More Related Content Similar to Scaling threat detection and response on AWS (20) More from Amazon Web Services (20) Scaling threat detection and response on AWS1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jesse Fuchs
Security Solutions Architect
Amazon Web Services
February 2019
Scaling threat detection
and response on AWS
Floor28
2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workshop Agenda
• Intro
• Module 1: Environment Build and Configuration (35 min)
• Module 2: Attack simulation and presentation (30 min)
• Module 3: Detect, investigate & respond (75 min)
• Module 4: Review, discussion, and cleanup (15 min)
3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Verizon 2018 Data Breach Investigations Report
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
Data Breach Patterns
4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workload Scenario
What could
possibly go
wrong here?
5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 1
Environment Build and Configuration
6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 1 Agenda
• Run the CloudFormation template (~5 min.)
• Manual Setup Steps (~30 min.)
7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Environment Build and Configuration
8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
use
us-west-2
https://awssecworkshops.com/
Directions (35 min):
• Workshops (top navigation)
• Scaling threat detection and response on AWS
• Module 1: Environment Build (bottom right)
• Run the AWS CloudFormation template
• Complete manual setup steps
Environment Build and Configuration
9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 2
Attack Simulation and Presentation
10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 2 Agenda
• Run the CloudFormation template (~5 min.)
• Threat detection and response presentation (~20 min.)
• Environment walk-through (~10 min.)
11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Attack Simulation Build
https://awssecworkshops.com/
Directions (5 min):
• Workshops (top navigation)
• Scaling threat detection and response on AWS
• Module 1: Environment Build
• Module 2: Attack Simulation (bottom right)
• Run the AWS CloudFormation template
• Stop and wait for presentation
use
us-west-2
12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection and Response
13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why is threat detection so hard?
Skills shortageSignal to noiseLarge datasets
14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Get humans away from the data and analysis
AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good
intentions but get phished, it's people who use the same credentials in multiple locations and don't use a
hardware token for a multi-factor authentication… Get the humans away from the data.”
15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detecting breaches
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail
AWS Config Rules
Amazon
CloudWatch Logs
Amazon GuardDuty
VPC Flow Logs
Amazon Macie
AWS Shield
AWS WAF
AWS
Systems Manager
Amazon Inspector
VPC
KMS
AWS CloudHSM
IAM
AWS Organizations
AWS Cognito
AWS Directory Service
AWS Single Sign-On
Certificate Manager
AWS Secrets Manager
AWS Config Rules
AWS Lambda
AWS
Systems Manager
Amazon
CloudWatch Events
Protect RespondDetect RecoverIdentify
AWS Lambda
AWS DR and Backup
Solutions
AWS
Systems Manager
AWS Config
AWS Security Solutions https://www.nist.gov/cyberframework
17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection Services
18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection: Log Data Inputs
AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs
Track user
activity and API
usage
IP traffic to/from
network interfaces
in your VPC
Monitor apps using
log data, store &
access log files
Log of DNS queries
in a VPC when
using the VPC DNS
resolver
19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection: Machine Learning
Amazon
GuardDuty
Intelligent threat detection
and continuous monitoring
to protect your AWS
accounts and workloads
Amazon Macie
Machine learning-powered
security service to discover,
classify & protect sensitive data
20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introducing AWS Security Hub – In preview
• Comprehensive view of your security and compliance state within
AWS
• Aggregates security findings generated by other AWS security
services and partners
• Analyze security trends and identify the highest-priority security
issues
Amazon
Inspector
Amazon
GuardDuty
Amazon
Macie
AWS Security Hub
Security
findings
providers
Findings
Insights
&
Standards
Other
AWS
Config
Partner
Solutions
21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection: Evocations/Triggers
Amazon CloudWatch
Events
Delivers a near real-time stream
of system events that describe
changes in AWS resources
AWS Config
Continuously tracks your
resource configuration changes
and if they violate any of the
conditions in your rules
22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon CloudWatch Events
{
"source": [
"aws.guardduty"
]
}
CloudWatch
Event
GuardDuty
findings
Lambda
function
Alert
(e.g. Slack or PagerDuty)
Automated response
(e.g. Isolate instance)
Send to SIEM
(e.g. Splunk, QRader)
23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Response Services
24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Response Services
AWS Systems
Manager
AWS
Lambda
Amazon
Inspector
Run code for virtually
any kind of application
or backend service –
zero administration
Gain operational
insights and take
action on AWS
resources
Automate security
assessments of EC2
instances
25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
High-Level Playbook
Adversary Your
environment
Lambda
function
CloudWatch
Events
26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
High-Level Playbook
Amazon
CloudWatch
Events
AWS
CloudTrail
AWS Config
AWS
APIs
Detection
Alerting
Remediation
Countermeasures
Forensics
Team
collaboration
(Slack etc.)
Amazon
GuardDuty
VPC Flow Logs
Amazon
Inspector
AWS
Step
Functions
AWS
Security Hub
27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Environment Walkthrough
28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
Amazon
CloudWatch
Event Rule
Macie finding triggers
CloudWatch Event Rule
CloudWatch Event Rule
publishes to an SNS Topic
CloudWatch Event Rule: threat-detection-wksp-macie-alert
Amazon
Macie
Amazon
SNS
You
CloudWatch Event Rule
publishes to an SNS Topic
29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
Amazon DynamoDB
CloudWatch Event Rule: threat-detection-wksp-macie-alert
Input Transformer
InputTransformer:
InputTemplate: '"Amazon Macie Alert: <macdesc>"'
InputPathsMap:
macdesc: "$.detail.summary.Description"
Event Pattern
{
"detail-type": [
"Macie Alert"
],
"source": [
"aws.macie"
]
}
30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
Amazon
CloudWatch
Event Rule
GuardDuty IAM/EC2 finding
triggers CloudWatch Event Rule
CloudWatch Event Rule
publishes to an SNS Topic
CloudWatch Event Rule:
Amazon
GuardDuty
Amazon
SNS
You
CloudWatch Event Rule
publishes to an SNS Topic
threat-detection-wksp-guardduty-iam-finding
threat-detection-wksp-guardduty-ec2-finding
31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
Amazon DynamoDB
CloudWatch Event Rule: threat-detection-wksp-macie-alert
Input Transformer
InputTransformer:
InputTemplate: ""Amazon GuardDuty Finding :
<type>"nn"Account : <account>"n"Region :
<region>"n"Description : <description>"n"Access Key ID :
<accessKey>"n"User Type : <userType>""
InputPathsMap:
type: "$.detail.type"
description: "$.detail.description"
account: "$.account"
region: "$.region"
accessKey: "$.detail.resource.accessKeyDetails.accessKeyId"
userType: "$.detail.resource.accessKeyDetails.userType"
Event Pattern
{
"detail-type": [
"GuardDuty Finding"
],
"source": [
"aws.guardduty"
],
"detail": {
"resource": {
"resourceType": [
"AccessKey"
]
}
}
}
32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-ec2-maliciousip
Amazon
CloudWatch
Event Rule
GuardDuty EC2 malicious
finding triggers CloudWatch
Event Rule
CloudWatch Event Rule
triggers a Lambda function
Amazon
GuardDuty
AWS
Lambda
Network Access
Control List
Function modifies a NACL
Outbound Rule to Deny
Destination IP
33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce
Amazon
CloudWatch
Event Rule
GuardDuty SSH bruteforce
finding triggers CloudWatch
Event Rule
Amazon
GuardDuty
CloudWatch Event Rule
triggers a Lambda function
AWS
Lambda
Network Access
Control List
Function modifies a NACL Inbound
Rule to Deny Destination IP
AWS
Lambda
Amazon EC2
Function adds a unique tag
to the EC2 instance listed
in the finding
Function creates and initiates
an Inspector scan
Inspector scans
EC2 instance
34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automated Responses
CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce
Event Pattern
{
"source": [
"aws.guardduty"
],
"detail": {
"type": [
"UnauthorizedAccess:EC2/SSHBruteForce"
]
}
}
35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Review Questions
• How can you create custom rules for Config?
• How do GuardDuty and Macie differ when it comes to CloudTrail analysis?
• What services are important for the automation of responses?
• What performance impact does GuardDuty have on your account if you
have more then 100 VPCs?
• Which of the services discussed have direct access to your EC2 Instances?
36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 3
Detection and Response
37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detect and Respond
https://awssecworkshops.com/
Directions (75 min):
• Workshops (top navigation)
• Scaling threat detection and response on AWS
• Module 1: Environment Build
• Module 2: Attack Simulation
• Module 3: Detect & Respond (bottom right)
• Part 1: Compromised AWS IAM Credential
• Part 2: Compromised EC2 instance
• Part 3: Compromised S3 Bucket
use
us-west-2
38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 4
Review, Discussion, & Cleanup
39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 4 Agenda
• Review ( 5 min)
• Questions ( 10 min)
• Cleanup
40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Start Module 4
https://awssecworkshops.com/
Directions (45 min):
• Workshops (top navigation)
• Scaling threat detection and response on AWS
• Module 1: Environment Build
• Module 2: Attack Simulation
• Module 3: Detect & Respond
• Module 4: Discussion (bottom right)
use
us-west-2
41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Attack
42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What
really
happened?
43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workshop Questions
44. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 1
Why did the AWS API calls from the “malicious
host” generate GuardDuty findings?
45. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 2
How many unique AWS API calls were made from
the “malicious host” and how did you identify
them?
46. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 3
The lab mentions you can ignore the high severity
SSH brute force attack finding.
Why can you ignore it and how is it different from
the low severity brute force finding?
47. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 4
When you revoke all sessions for the IAM Role you
run the risk of affecting the availability of your
application. What can you change in the
remediation to mitigate this?
48. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 4
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"*"
],
"Resource": [
"*"
],
"Condition": {
"DateLessThan": {
"aws:TokenIssueTime": "2018-12-30T04:29:04.801Z"
},
"StringEquals": {
"aws:userId": ["AROAI47FH4JKLKEU4833D:i-06123456789098765"]
}
}
}
]
49. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 5
What control can you put in place to prevent
someone from making a S3 bucket or object
anonymously accessible?
50. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 5
Block public access
51. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 6
What type of server-side encryption was used to
encrypt the objects in the data bucket?
Would Macie be able to classify the objects if you
were to use SSE-KMS?
52. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 7
Macie had an alert for “S3 Bucket IAM policy
grants global read rights.” We investigated that
bucket in the workshop. Were the objects in the
bucket actually publicly accessible?
If the bucket had a policy that allowed for global
read rights, would the encrypted objects be
accessible?
53. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cleanup
54. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
Floor28